Mailing List Archive: Size of the Banner file allowed

Size of the Banner file allowed

Jun 23, 2021, 2:49 PM

Post #1 of 3 (307 views)

Hi,

I was wondering what the max size of the banner file is and this is what I
found out:

It is explicitly limited by 1Mb here:
if ((fd = open(options.banner, O_RDONLY)) == -1)
return (NULL);
if (fstat(fd, &st) == -1) {
close(fd);
return (NULL);
}
if (st.st_size <= 0 || st.st_size > 1*1024*1024) {
close(fd);
return (NULL);
}

and by 256K here:

mm_request_receive(int sock, struct sshbuf *m)
{
u_char buf[4], *p = NULL;
u_int msg_len;
int r;

debug3("%s entering", __func__);

if (atomicio(read, sock, buf, sizeof(buf)) != sizeof(buf)) {
if (errno == EPIPE)
cleanup_exit(255);
fatal("%s: read: %s", __func__, strerror(errno));
}
msg_len = PEEK_U32(buf);
if (msg_len > 256 * 1024)
fatal("%s: read: bad msg_len %d", __func__, msg_len);

while in reality it fails to send anything above ~25K over the socket:

debug3: mm_inform_authserv entering [preauth]
debug3: mm_request_send entering: type 4 [preauth]
debug3: mm_auth2_read_banner entering [preauth]
debug3: mm_request_send entering: type 10 [preauth]
debug3: mm_request_receive_expect entering: type 11 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
debug3: mm_request_send entering: type 11
mm_request_send: write: Broken pipe
debug1: do_cleanup
debug1: Killing privsep child 16723

Am I missing something or is there anything wrong with the Unix sockets in
our Linux (Yocto, 4.19)?

Thanks,

-Oleg
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Re: Size of the Banner file allowed [ In reply to ]

mouring at offwriting

Jun 23, 2021, 3:20 PM

Post #2 of 3 (307 views)

Permalink

Using the native OpenSSH 8.0p1 in CentOS 8 Stream. If the file is over
1Mb it is ignored, if it between 256k - 1Mb returns "Connection closed
by 10.0.0.104 port 22", and if under 256k it display the banner.

So I suspect a bit from Column A and a bit from Column B.

Ben

Oleg NewYorker wrote on 6/23/21 4:49 PM:
> Hi,
>
> I was wondering what the max size of the banner file is and this is what I
> found out:
>
> It is explicitly limited by 1Mb here:
> if ((fd = open(options.banner, O_RDONLY)) == -1)
> return (NULL);
> if (fstat(fd, &st) == -1) {
> close(fd);
> return (NULL);
> }
> if (st.st_size <= 0 || st.st_size > 1*1024*1024) {
> close(fd);
> return (NULL);
> }
>
>
> and by 256K here:
>
> mm_request_receive(int sock, struct sshbuf *m)
> {
> u_char buf[4], *p = NULL;
> u_int msg_len;
> int r;
>
> debug3("%s entering", __func__);
>
> if (atomicio(read, sock, buf, sizeof(buf)) != sizeof(buf)) {
> if (errno == EPIPE)
> cleanup_exit(255);
> fatal("%s: read: %s", __func__, strerror(errno));
> }
> msg_len = PEEK_U32(buf);
> if (msg_len > 256 * 1024)
> fatal("%s: read: bad msg_len %d", __func__, msg_len);
>
> while in reality it fails to send anything above ~25K over the socket:
>
> debug3: mm_inform_authserv entering [preauth]
> debug3: mm_request_send entering: type 4 [preauth]
> debug3: mm_auth2_read_banner entering [preauth]
> debug3: mm_request_send entering: type 10 [preauth]
> debug3: mm_request_receive_expect entering: type 11 [preauth]
> debug3: mm_request_receive entering [preauth]
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 4
> debug3: mm_answer_authserv: service=ssh-connection, style=
> debug2: monitor_read: 4 used once, disabling now
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 10
> debug3: mm_request_send entering: type 11
> mm_request_send: write: Broken pipe
> debug1: do_cleanup
> debug1: Killing privsep child 16723
>
> Am I missing something or is there anything wrong with the Unix sockets in
> our Linux (Yocto, 4.19)?
>
> Thanks,
>
> -Oleg
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Re: Size of the Banner file allowed [ In reply to ]

djm at mindrot

Jun 23, 2021, 8:13 PM

Post #3 of 3 (307 views)

Permalink

On Wed, 23 Jun 2021, Oleg NewYorker wrote:

> Hi,
>
> I was wondering what the max size of the banner file is and this is what I
> found out:
>
> It is explicitly limited by 1Mb here:
[snip]

> and by 256K here:
[snip]

> while in reality it fails to send anything above ~25K over the socket:

That's weird, because we do regularly test longer banners up to 100k in
regress/banner.sh. Maybe it's something to do with yocto itself, which
AFAIK is not one of the platforms we regularly test.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev