upstream: mention that compression could potentially leak

information about session contents (cf. the CRIME attack on TLS) if a
connection allows attacker-controlled traffic over it alongside trusted
traffic. This might occur in some forwarding scenarios.

with deraadt@

OpenBSD-Commit-ID: 03d145cdbf3a8713e8309724b5c9a9b76c317749
djm@openbsd.org
2026-05-21 04:04:57 +00:00
committed by Damien Miller
parent e5c9cf9ac7
commit a5a1b7e753
2 changed files with 18 additions and 4 deletions


@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" $OpenBSD: ssh_config.5,v 1.423 2026/03/23 01:33:46 djm Exp $ .\" $OpenBSD: ssh_config.5,v 1.424 2026/05/21 04:04:57 djm Exp $
.Dd $Mdocdate: March 23 2026 $ .Dd $Mdocdate: May 21 2026 $
.Dt SSH_CONFIG 5 .Dt SSH_CONFIG 5
.Os .Os
.Sh NAME .Sh NAME
@@ -648,6 +648,13 @@ The argument must be
or or
.Cm no .Cm no
(the default). (the default).
.Pp
Compression applies to all traffic that flows over the SSH connection.
If untrusted traffic (such as an open port-forward) is permitted over the
connection alongside trusted traffic, then compression may leak information
about session contents.
For this reason, it is not recommended to enable compression for connections
that share trusted and untrusted traffic.
.It Cm ConnectionAttempts .It Cm ConnectionAttempts
Specifies the number of tries (one per second) to make before exiting. Specifies the number of tries (one per second) to make before exiting.
The argument must be an integer. The argument must be an integer.
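Review bot: the phrase "untrusted traffic (such as an open port-forward)" in the new paragraph is the load-bearing part of the warning but is left undefined; readers of ssh_config.5 have no way to tell which forwards count as "open". Suggest spelling out what is meant, for instance "a port-forward whose listening side can be reached by parties other than the user", and, since the risk only arises when such traffic is multiplexed with trusted sessions, stating the recommendation in terms of the operator's choice: leave Compression at its default of no (shown two lines above the new text) whenever forwarded traffic of unknown origin may share the connection. Everything else in the hunk follows the one-sentence-per-line mdoc convention of the surrounding file.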


@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" $OpenBSD: sshd_config.5,v 1.397 2026/03/28 05:07:12 djm Exp $ .\" $OpenBSD: sshd_config.5,v 1.398 2026/05/21 04:04:57 djm Exp $
.Dd $Mdocdate: March 28 2026 $ .Dd $Mdocdate: May 21 2026 $
.Dt SSHD_CONFIG 5 .Dt SSHD_CONFIG 5
.Os .Os
.Sh NAME .Sh NAME
@@ -633,6 +633,13 @@ or
.Cm no . .Cm no .
The default is The default is
.Cm yes . .Cm yes .
.Pp
Compression applies to all traffic that flows over the SSH connection.
If untrusted traffic (such as an open port-forward) is permitted over the
connection alongside trusted traffic, then compression may leak information
about session contents.
For this reason, it is not recommended to enable compression for connections
that share trusted and untrusted traffic.
.It Cm DenyGroups .It Cm DenyGroups
This keyword can be followed by a list of group name patterns, separated This keyword can be followed by a list of group name patterns, separated
by spaces. by spaces.
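Review bot: this paragraph is copied verbatim from the ssh_config.5 hunk, but the server default differs: here the default is yes (three lines above the new text), whereas the client defaults to no. The sshd_config.5 version should therefore make the consequence explicit for the administrator, e.g. add a sentence that an operator who expects clients to carry traffic of mixed trust over forwards must set Compression to no explicitly, because the default permits it. Without that sentence the "not recommended to enable" wording reads as if compression were off unless turned on, which is not the case on the server side.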