

Merge pull request #1154 from gravitational/roman/2.2/deadline
Backport SSH dial deadline to 2.2
r0mant authored Jul 19, 2017
2 parents 3dd0054 + 1ed9cf1 commit 08a7b49
Showing 4 changed files with 48 additions and 16 deletions.
12 changes: 9 additions & 3 deletions CHANGELOG.md
@@ -1,5 +1,11 @@
# Changelog

## 2.2.6

#### Bug fixes

* Fixed issue with SSH dial potentially hanging indefinitely. [#1153](https://github.com/gravitational/teleport/issues/1153)

## 2.2.5

#### Bug fixes
@@ -74,7 +80,7 @@

Teleport 2.0.5 contains a variety of security fixes. We strongly encourage anyone running Teleport 2.0.0 and above to upgrade to 2.0.5.

The most pressing issues (a phishing attack which can potentially be used to extract plaintext credentials and an attack where an already authenticated user can escalate privileges) can be resolved by upgrading the web proxy. However, however all nodes need to be upgraded to mitigate all vulnerabilities.
The most pressing issues (a phishing attack which can be used to extract plaintext credentials and an attack where an already authenticated user can escalate privileges) can be resolved by upgrading the web proxy. However, all nodes need to be upgraded to mitigate all vulnerabilities.

### Bugfixes

@@ -218,8 +224,8 @@ certificates did not work correctly in this release due to #529
### Bugfixes

* Wrong url to register new users. #497
* Logged in users inherit Teleport supplemental groups bug security. #507
* Joining a session running on a trusted cluster does not work. #504
* Logged in users inherit Teleport supplemental groups bug security. #507
* Joining a session running on a trusted cluster does not work. #504

## 1.0.4

19 changes: 9 additions & 10 deletions Makefile
@@ -2,7 +2,7 @@
# Naming convention:
# for stable releases we use "1.0.0" format
# for pre-releases, we use "1.0.0-beta.2" format
VERSION=2.2.5
VERSION=2.2.6

# These are standard autotools variables, don't change them please
BUILDDIR ?= build
@@ -24,7 +24,7 @@ LIBS = $(shell find lib -type f -name '*.go') *.go
# Default target: builds all 3 executables and plaaces them in a current directory
#
.PHONY: all
all: $(VERSRC) $(BINARIES)
all: $(VERSRC) $(BINARIES)

$(BUILDDIR)/tctl: $(LIBS) $(TOOLS) tool/tctl/common/*.go tool/tctl/*go
go build -o $(BUILDDIR)/tctl -i $(BUILDFLAGS) ./tool/tctl
@@ -42,8 +42,8 @@ goinstall:
go install github.com/gravitational/teleport/tool/tctl

#
# make install will installs system-wide teleport
#
# make install will installs system-wide teleport
#
.PHONY: install
install: build
@echo "\n** Make sure to run 'make install' as root! **\n"
@@ -82,7 +82,7 @@ run-docs:
#
.PHONY: test
test: FLAGS ?=
test:
test:
go test -v ./tool/tsh/... \
./lib/... \
./tool/teleport... $(FLAGS) $(ADDFLAGS)
@@ -92,7 +92,7 @@ test:
# integration tests. need a TTY to work and not compatible with a race detector
#
.PHONY: integration
integration:
integration:
go test -v ./integration/...

# This rule triggers re-generation of version.go and gitref.go if Makefile changes
@@ -111,9 +111,9 @@ tag:
@echo "Run this:\n> git tag $(GITTAG)\n> git push --tags"

#
# make release - produces a binary release tarball
#
.PHONY:
# make release - produces a binary release tarball
#
.PHONY:
release: clean all $(BUILDDIR)/webassets.zip
cp -f build.assets/release.mk $(BUILDDIR)/Makefile
cat $(BUILDDIR)/webassets.zip >> $(BUILDDIR)/teleport
@@ -201,4 +201,3 @@ buildbox-grpc:
cd $(GRPC_API) && protoc -I=.:$$PROTO_INCLUDE \
--gofast_out=plugins=grpc:.\
*.proto

31 changes: 29 additions & 2 deletions lib/utils/proxy/proxy.go
@@ -23,6 +23,7 @@ import (
"net/url"
"os"
"strings"
"time"

"github.com/gravitational/teleport"
"github.com/gravitational/trace"
@@ -32,6 +33,27 @@ import (
log "github.com/Sirupsen/logrus"
)

// DialWithDeadline works around the case when net.DialWithTimeout
// succeeds, but key exchange hangs. Setting deadline on connection
// prevents this case from happening
func DialWithDeadline(network string, addr string, config *ssh.ClientConfig) (*ssh.Client, error) {
conn, err := net.DialTimeout(network, addr, config.Timeout)
if err != nil {
return nil, err
}
if config.Timeout > 0 {
conn.SetReadDeadline(time.Now().Add(config.Timeout))
}
c, chans, reqs, err := ssh.NewClientConn(conn, addr, config)
if err != nil {
return nil, err
}
if config.Timeout > 0 {
conn.SetReadDeadline(time.Time{})
}
return ssh.NewClient(c, chans, reqs), nil
}

// A Dialer is a means for a client to establish a SSH connection.
type Dialer interface {
// Dial establishes a client connection to a SSH server.
@@ -42,7 +64,7 @@ type directDial struct{}

// Dial calls ssh.Dial directly.
func (d directDial) Dial(network string, addr string, config *ssh.ClientConfig) (*ssh.Client, error) {
return ssh.Dial(network, addr, config)
return DialWithDeadline(network, addr, config)
}

type proxyDial struct {
@@ -57,12 +79,17 @@ func (d proxyDial) Dial(network string, addr string, config *ssh.ClientConfig) (
if err != nil {
return nil, trace.Wrap(err)
}

if config.Timeout > 0 {
pconn.SetReadDeadline(time.Now().Add(config.Timeout))
}
// do the same as ssh.Dial but pass in proxy connection
c, chans, reqs, err := ssh.NewClientConn(pconn, addr, config)
if err != nil {
return nil, trace.Wrap(err)
}
if config.Timeout > 0 {
pconn.SetReadDeadline(time.Time{})
}
return ssh.NewClient(c, chans, reqs), nil
}
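Review bot: The deadline installed before `ssh.NewClientConn` (`conn.SetReadDeadline` in DialWithDeadline and `pconn.SetReadDeadline` in proxyDial.Dial) bounds only reads, so a peer that accepts the TCP connection but stops consuming data can still stall the handshake's writes for as long as the kernel send buffer is full; `SetDeadline` covers both directions for the same cost, and its error result (currently discarded on all four calls) should be checked so a connection type that does not support deadlines fails loudly instead of silently running without the timeout this commit exists to add. The set-deadline / handshake / clear-deadline sequence is now written twice, so I would move it into one helper that both dialers call, which also lets DialWithDeadline wrap errors with `trace.Wrap` the way proxyDial.Dial already does. Whether the deadline should stay cleared after the handshake presumably depends on callers managing their own session-level timeouts — worth a comment on the clearing line either way. proxyDial.Dial's signature and the start of its body lie outside the hunk.
```go
// newClientConnWithDeadline runs the SSH handshake over conn, bounding the
// whole exchange (reads and writes) by config.Timeout so a peer that accepts
// the TCP connection but never completes key exchange cannot hang the dialer.
// The deadline is cleared once the handshake succeeds; session-level timeouts
// are left to the caller.
func newClientConnWithDeadline(conn net.Conn, addr string, config *ssh.ClientConfig) (*ssh.Client, error) {
	if config.Timeout > 0 {
		if err := conn.SetDeadline(time.Now().Add(config.Timeout)); err != nil {
			conn.Close()
			return nil, trace.Wrap(err)
		}
	}
	c, chans, reqs, err := ssh.NewClientConn(conn, addr, config)
	if err != nil {
		return nil, trace.Wrap(err)
	}
	if config.Timeout > 0 {
		if err := conn.SetDeadline(time.Time{}); err != nil {
			c.Close()
			return nil, trace.Wrap(err)
		}
	}
	return ssh.NewClient(c, chans, reqs), nil
}

func DialWithDeadline(network string, addr string, config *ssh.ClientConfig) (*ssh.Client, error) {
	conn, err := net.DialTimeout(network, addr, config.Timeout)
	if err != nil {
		return nil, trace.Wrap(err)
	}
	return newClientConnWithDeadline(conn, addr, config)
}

// … unchanged: proxyDial.Dial obtains pconn, then returns newClientConnWithDeadline(pconn, addr, config) …
```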

2 changes: 1 addition & 1 deletion version.go
@@ -3,7 +3,7 @@
package teleport

const (
Version = "2.2.5"
Version = "2.2.6"
)

// Gitref variable is automatically set to the output of git-describe

