From 51ca2864ae49cc2eee406820dd555d657650c721 Mon Sep 17 00:00:00 2001
From: Roman Tkachenko
Date: Wed, 19 Jul 2017 11:09:07 +0300
Subject: [PATCH 1/3] Backport SSH connection deadline fix to 2.2

---
 lib/utils/proxy/proxy.go | 31 +++++++++++++++++++++++++++++--
 1 file changed, 29 insertions(+), 2 deletions(-)

diff --git a/lib/utils/proxy/proxy.go b/lib/utils/proxy/proxy.go
index a90268ffaaf41..a5cd2abfe9d55 100644
--- a/lib/utils/proxy/proxy.go
+++ b/lib/utils/proxy/proxy.go
@@ -23,6 +23,7 @@ import (
 "net/url"
 "os"
 "strings"
+ "time"
 
 "github.com/gravitational/teleport"
 "github.com/gravitational/trace"
@@ -32,6 +33,27 @@ import (
 log "github.com/Sirupsen/logrus"
 )
 
+// DialWithDeadline works around the case when net.DialWithTimeout
+// succeeds, but key exchange hangs. Setting deadline on connection
+// prevents this case from happening
+func DialWithDeadline(network string, addr string, config *ssh.ClientConfig) (*ssh.Client, error) {
+ conn, err := net.DialTimeout(network, addr, config.Timeout)
+ if err != nil {
+ return nil, err
+ }
+ if config.Timeout > 0 {
+ conn.SetReadDeadline(time.Now().Add(config.Timeout))
+ }
+ c, chans, reqs, err := ssh.NewClientConn(conn, addr, config)
+ if err != nil {
+ return nil, err
+ }
+ if config.Timeout > 0 {
+ conn.SetReadDeadline(time.Time{})
+ }
+ return ssh.NewClient(c, chans, reqs), nil
+}
+
 // A Dialer is a means for a client to establish a SSH connection.
 type Dialer interface {
 // Dial establishes a client connection to a SSH server.
@@ -42,7 +64,7 @@ type directDial struct{}
 
 // Dial calls ssh.Dial directly.
 func (d directDial) Dial(network string, addr string, config *ssh.ClientConfig) (*ssh.Client, error) {
- return ssh.Dial(network, addr, config)
+ return DialWithDeadline(network, addr, config)
 }
 
 type proxyDial struct {
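Review bot: DialWithDeadline bounds only reads during the handshake (`conn.SetReadDeadline`), so a key exchange that stalls on a write, because the peer accepted the TCP connection but stopped reading, can still block for as long as the peer likes — the very hang the comment says is prevented. `conn.SetDeadline(time.Now().Add(config.Timeout))` before ssh.NewClientConn and `conn.SetDeadline(time.Time{})` after it would cover both directions; the SetReadDeadline pair added to proxyDial.Dial in the following hunk has the same gap. Both SetReadDeadline calls also discard their error return. The doc comment names net.DialWithTimeout while the code calls net.DialTimeout, and it should state the zero-Timeout behaviour, e.g. `// A zero config.Timeout disables the deadline; it is cleared once the handshake succeeds.`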
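Review bot: The doc comment on directDial.Dial still reads `// Dial calls ssh.Dial directly.` while the new body calls DialWithDeadline, so the comment now misstates what the method does. Suggest `// Dial connects directly via DialWithDeadline, so config.Timeout also bounds the SSH handshake.`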
@@ -57,12 +79,17 @@ func (d proxyDial) Dial(network string, addr string, config *ssh.ClientConfig) (
 if err != nil {
 return nil, trace.Wrap(err)
 }
-
+ if config.Timeout > 0 {
+ pconn.SetReadDeadline(time.Now().Add(config.Timeout))
+ }
 // do the same as ssh.Dial but pass in proxy connection
 c, chans, reqs, err := ssh.NewClientConn(pconn, addr, config)
 if err != nil {
 return nil, trace.Wrap(err)
 }
+ if config.Timeout > 0 {
+ pconn.SetReadDeadline(time.Time{})
+ }
 return ssh.NewClient(c, chans, reqs), nil
 }
 

From f26d510956ae5ddc48016ae5a67bf2aed3d04bd6 Mon Sep 17 00:00:00 2001
From: Roman Tkachenko
Date: Wed, 19 Jul 2017 11:20:55 +0300
Subject: [PATCH 2/3] Update changelog and bump version

---
 CHANGELOG.md | 12 +++++++++---
 Makefile | 19 +++++++++----------
 version.go | 2 +-
 3 files changed, 19 insertions(+), 14 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 64b0829a42327..647fce7083c29 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Changelog
 
+## 2.2.6
+
+#### Bug fixes
+
+* Fixed issue with SSH dial potentially hanging indefinitely. [#1153](https://github.com/gravitational/teleport/issues/1153)
+
 ## 2.2.5
 
 #### Bug fixes
@@ -74,7 +80,7 @@ Teleport 2.0.5 contains a variety of security fixes. We strongly encourage
 anyone running Teleport 2.0.0 and above to upgrade to 2.0.5.
 
-The most pressing issues (a phishing attack which can potentially be used to extract plaintext credentials and an attack where an already authenticated user can escalate privileges) can be resolved by upgrading the web proxy. However, however all nodes need to be upgraded to mitigate all vulnerabilities. 
+The most pressing issues (a phishing attack which can potentially be used to extract plaintext credentials and an attack where an already authenticated user can escalate privileges) can be resolved by upgrading the web proxy. However, however all nodes need to be upgraded to mitigate all vulnerabilities.
 
 ### Bugfixes
 
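Review bot: The deadline-set / NewClientConn / deadline-clear sequence added here duplicates the body of DialWithDeadline with pconn in place of conn, so any later change to how the handshake is bounded has to be made in two places. A helper that takes the already-dialed net.Conn would let both DialWithDeadline and this method share it, and would also be the single place to wrap the handshake error consistently (this method uses trace.Wrap, DialWithDeadline returns the bare error). The lines below show the shared function and how this method would call it. The start of proxyDial.Dial, including where pconn is dialed, lies outside the hunk.
```go
// newClientWithDeadline completes the SSH handshake on an already-dialed
// conn. When timeout is non-zero the handshake is bounded by a read
// deadline that is cleared once the session is established.
func newClientWithDeadline(conn net.Conn, addr string, config *ssh.ClientConfig) (*ssh.Client, error) {
	if config.Timeout > 0 {
		conn.SetReadDeadline(time.Now().Add(config.Timeout))
	}
	c, chans, reqs, err := ssh.NewClientConn(conn, addr, config)
	if err != nil {
		return nil, trace.Wrap(err)
	}
	if config.Timeout > 0 {
		conn.SetReadDeadline(time.Time{})
	}
	return ssh.NewClient(c, chans, reqs), nil
}

// … unchanged: proxyDial.Dial up to and including the proxy dial error check …
	// do the same as ssh.Dial but pass in proxy connection
	return newClientWithDeadline(pconn, addr, config)
}
```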
@@ -218,8 +224,8 @@ certificates did not work correctly in this release due to #529
 ### Bugfixes
 * Wrong url to register new users. #497
-* Logged in users inherit Teleport supplemental groups bug security. #507 
-* Joining a session running on a trusted cluster does not work. #504 
+* Logged in users inherit Teleport supplemental groups bug security. #507
+* Joining a session running on a trusted cluster does not work. #504
 
 ## 1.0.4
diff --git a/Makefile b/Makefile
index addb8535da686..4a214376af622 100644
--- a/Makefile
+++ b/Makefile
@@ -2,7 +2,7 @@
 # Naming convention:
 # for stable releases we use "1.0.0" format
 # for pre-releases, we use "1.0.0-beta.2" format
-VERSION=2.2.5
+VERSION=2.2.6
 
 # These are standard autotools variables, don't change them please
 BUILDDIR ?= build
@@ -24,7 +24,7 @@ LIBS = $(shell find lib -type f -name '*.go') *.go
 # Default target: builds all 3 executables and plaaces them in a current directory
 #
 .PHONY: all
-all: $(VERSRC) $(BINARIES) 
+all: $(VERSRC) $(BINARIES)
 
 $(BUILDDIR)/tctl: $(LIBS) $(TOOLS) tool/tctl/common/*.go tool/tctl/*go
 go build -o $(BUILDDIR)/tctl -i $(BUILDFLAGS) ./tool/tctl
@@ -42,8 +42,8 @@ goinstall:
 go install github.com/gravitational/teleport/tool/tctl
 
 #
-# make install will installs system-wide teleport 
-# 
+# make install will installs system-wide teleport
+#
 .PHONY: install
 install: build
 @echo "\n** Make sure to run 'make install' as root! **\n"
@@ -82,7 +82,7 @@ run-docs:
 #
 .PHONY: test
 test: FLAGS ?=
-test: 
+test:
 go test -v ./tool/tsh/... \
 ./lib/... \
 ./tool/teleport... $(FLAGS) $(ADDFLAGS)
@@ -92,7 +92,7 @@ test:
 # integration tests. need a TTY to work and not compatible with a race detector
 #
 .PHONY: integration
-integration: 
+integration:
 go test -v ./integration/...
 
 # This rule triggers re-generation of version.go and gitref.go if Makefile changes
@@ -111,9 +111,9 @@ tag:
 @echo "Run this:\n> git tag $(GITTAG)\n> git push --tags"
 
 #
-# make release - produces a binary release tarball 
-# 
-.PHONY: 
+# make release - produces a binary release tarball
+#
+.PHONY:
 release: clean all $(BUILDDIR)/webassets.zip
 cp -f build.assets/release.mk $(BUILDDIR)/Makefile
 cat $(BUILDDIR)/webassets.zip >> $(BUILDDIR)/teleport
@@ -201,4 +201,3 @@ buildbox-grpc:
 cd $(GRPC_API) && protoc -I=.:$$PROTO_INCLUDE \
 --gofast_out=plugins=grpc:.\
 *.proto
-
diff --git a/version.go b/version.go
index 4b0b94fff9b91..0745e0f356a86 100644
--- a/version.go
+++ b/version.go
@@ -3,7 +3,7 @@
 package teleport
 
 const (
- Version = "2.2.5"
+ Version = "2.2.6"
 )
 
 // Gitref variable is automatically set to the output of git-describe

From 1ed9cf18a032b6f94486cd43b892f797e9866ba5 Mon Sep 17 00:00:00 2001
From: Roman Tkachenko
Date: Wed, 19 Jul 2017 12:23:04 +0300
Subject: [PATCH 3/3] Fix typos

---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 647fce7083c29..aafaaf065380f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -80,7 +80,7 @@ Teleport 2.0.5 contains a variety of security fixes. We strongly encourage
 anyone running Teleport 2.0.0 and above to upgrade to 2.0.5.
 
-The most pressing issues (a phishing attack which can potentially be used to extract plaintext credentials and an attack where an already authenticated user can escalate privileges) can be resolved by upgrading the web proxy. However, however all nodes need to be upgraded to mitigate all vulnerabilities.
+The most pressing issues (a phishing attack which can be used to extract plaintext credentials and an attack where an already authenticated user can escalate privileges) can be resolved by upgrading the web proxy. However, all nodes need to be upgraded to mitigate all vulnerabilities.
 
 ### Bugfixes