As I was starting to add support for detecting non-interactive

SSH channels, I noticed that I hand't ever finished the terminal type/size "stuff", and while fixing that, I noticed that the hack for SyncTERM was done wrong. Fix the whole thing, and now Synchronet and SyncTERM both properly support terminal type and size over SSH. It also looks trivial to support the SSH window size change message, but I'm not doing that tonight. Unfortunately, this is a patch on a patch, so is a bit fragile. It should really have the patches merged at some point.

As I was starting to add support for detecting non-interactive
df6698d9 · Deucе · a8e54aba · df6698d9 · df6698d9 · df6698d9
Commit df6698d9 authored 1 year ago by Deucе
--- a/3rdp/build/GNUmakefile
+++ b/3rdp/build/GNUmakefile
@@ -88,7 +88,7 @@ $(CRYPT_SRC): | $(3RDPSRCDIR)
 $(CRYPT_IDIR): | $(3RDPODIR)
 	$(QUIET)$(IFNOTEXIST) mkdir $(CRYPT_IDIR)
-$(CRYPTLIB_BUILD): $(3RDP_ROOT)/dist/cryptlib.zip $(3RDP_ROOT)/build/terminal-params.patch $(3RDP_ROOT)/build/cl-mingw32-static.patch $(3RDP_ROOT)/build/cl-ranlib.patch $(3RDP_ROOT)/build/cl-win32-noasm.patch $(3RDP_ROOT)/build/cl-zz-country.patch $(3RDP_ROOT)/build/cl-algorithms.patch $(3RDP_ROOT)/build/cl-allow-duplicate-ext.patch $(3RDP_ROOT)/build/cl-macosx-minver.patch $(3RDP_ROOT)/build/cl-endian.patch $(3RDP_ROOT)/build/cl-cryptodev.patch $(3RDP_ROOT)/build/cl-posix-me-gently.patch $(3RDP_ROOT)/build/cl-tpm-linux.patch $(3RDP_ROOT)/build/cl-PAM-noprompts.patch $(3RDP_ROOT)/build/cl-zlib.patch $(3RDP_ROOT)/build/Dynamic-linked-static-lib.patch $(3RDP_ROOT)/build/SSL-fix.patch $(3RDP_ROOT)/build/cl-bigger-maxattribute.patch $(3RDP_ROOT)/build/cl-vcxproj.patch $(3RDP_ROOT)/build/cl-mingw-vcver.patch $(3RDP_ROOT)/build/cl-win32-build-fix.patch $(3RDP_ROOT)/build/cl-gcc-non-const-time-val.patch $(3RDP_ROOT)/build/cl-no-odbc.patch $(3RDP_ROOT)/build/cl-noasm-defines.patch $(3RDP_ROOT)/build/cl-bn-noasm64-fix.patch $(3RDP_ROOT)/build/cl-no-RSA-suites.patch $(3RDP_ROOT)/build/cl-fix-ECC-RSA.patch $(3RDP_ROOT)/build/cl-prefer-ECC.patch $(3RDP_ROOT)/build/cl-prefer-ECC-harder.patch $(3RDP_ROOT)/build/cl-more-RSA-ECC-fixes.patch $(3RDP_ROOT)/build/cl-DH-key-init.patch $(3RDP_ROOT)/build/cl-clear-GCM-flag.patch $(3RDP_ROOT)/build/cl-use-ssh-ctr.patch $(3RDP_ROOT)/build/cl-ssh-list-ctr-modes.patch $(3RDP_ROOT)/build/cl-ssh-incCtr.patch $(3RDP_ROOT)/build/cl-ssl-suite-blocksizes.patch $(3RDP_ROOT)/build/cl-no-tpm.patch $(3RDP_ROOT)/build/cl-no-via-aes.patch $(3RDP_ROOT)/build/cl-fix-ssh-ecc-ephemeral.patch $(3RDP_ROOT)/build/cl-just-use-cc.patch $(3RDP_ROOT)/build/cl-learn-numbers.patch $(3RDP_ROOT)/build/cl-no-safe-stack.patch $(3RDP_ROOT)/build/cl-allow-pkcs12.patch $(3RDP_ROOT)/build/cl-uint64_t-redefine.patch $(3RDP_ROOT)/build/cl-random-openbsd.patch $(3RDP_ROOT)/build/cl-openbsd-threads.patch $(3RDP_ROOT)/build/cl-allow-none-auth.patch $(3RDP_ROOT)/build/cl-mingw-add-m32.patch $(3RDP_ROOT)/build/cl-poll-not-select.patch $(3RDP_ROOT)/build/cl-check-before-use.patch $(3RDP_ROOT)/build/cl-linux-yield.patch $(3RDP_ROOT)/build/cl-good-sockets.patch $(3RDP_ROOT)/build/cl-moar-objects.patch $(3RDP_ROOT)/build/cl-pthread_yield.patch $(3RDP_ROOT)/build/cl-check-cert-dont-modify.patch | $(CRYPT_SRC) $(CRYPT_IDIR) $(3RDP_ROOT)/build/cl-remove-march.patch
+$(CRYPTLIB_BUILD): $(3RDP_ROOT)/dist/cryptlib.zip $(3RDP_ROOT)/build/terminal-params.patch $(3RDP_ROOT)/build/cl-mingw32-static.patch $(3RDP_ROOT)/build/cl-ranlib.patch $(3RDP_ROOT)/build/cl-win32-noasm.patch $(3RDP_ROOT)/build/cl-zz-country.patch $(3RDP_ROOT)/build/cl-algorithms.patch $(3RDP_ROOT)/build/cl-allow-duplicate-ext.patch $(3RDP_ROOT)/build/cl-macosx-minver.patch $(3RDP_ROOT)/build/cl-endian.patch $(3RDP_ROOT)/build/cl-cryptodev.patch $(3RDP_ROOT)/build/cl-posix-me-gently.patch $(3RDP_ROOT)/build/cl-tpm-linux.patch $(3RDP_ROOT)/build/cl-PAM-noprompts.patch $(3RDP_ROOT)/build/cl-zlib.patch $(3RDP_ROOT)/build/Dynamic-linked-static-lib.patch $(3RDP_ROOT)/build/SSL-fix.patch $(3RDP_ROOT)/build/cl-bigger-maxattribute.patch $(3RDP_ROOT)/build/cl-vcxproj.patch $(3RDP_ROOT)/build/cl-mingw-vcver.patch $(3RDP_ROOT)/build/cl-win32-build-fix.patch $(3RDP_ROOT)/build/cl-gcc-non-const-time-val.patch $(3RDP_ROOT)/build/cl-no-odbc.patch $(3RDP_ROOT)/build/cl-noasm-defines.patch $(3RDP_ROOT)/build/cl-bn-noasm64-fix.patch $(3RDP_ROOT)/build/cl-no-RSA-suites.patch $(3RDP_ROOT)/build/cl-fix-ECC-RSA.patch $(3RDP_ROOT)/build/cl-prefer-ECC.patch $(3RDP_ROOT)/build/cl-prefer-ECC-harder.patch $(3RDP_ROOT)/build/cl-more-RSA-ECC-fixes.patch $(3RDP_ROOT)/build/cl-DH-key-init.patch $(3RDP_ROOT)/build/cl-clear-GCM-flag.patch $(3RDP_ROOT)/build/cl-use-ssh-ctr.patch $(3RDP_ROOT)/build/cl-ssh-list-ctr-modes.patch $(3RDP_ROOT)/build/cl-ssh-incCtr.patch $(3RDP_ROOT)/build/cl-ssl-suite-blocksizes.patch $(3RDP_ROOT)/build/cl-no-tpm.patch $(3RDP_ROOT)/build/cl-no-via-aes.patch $(3RDP_ROOT)/build/cl-fix-ssh-ecc-ephemeral.patch $(3RDP_ROOT)/build/cl-just-use-cc.patch $(3RDP_ROOT)/build/cl-learn-numbers.patch $(3RDP_ROOT)/build/cl-no-safe-stack.patch $(3RDP_ROOT)/build/cl-allow-pkcs12.patch $(3RDP_ROOT)/build/cl-uint64_t-redefine.patch $(3RDP_ROOT)/build/cl-random-openbsd.patch $(3RDP_ROOT)/build/cl-openbsd-threads.patch $(3RDP_ROOT)/build/cl-allow-none-auth.patch $(3RDP_ROOT)/build/cl-mingw-add-m32.patch $(3RDP_ROOT)/build/cl-poll-not-select.patch $(3RDP_ROOT)/build/cl-check-before-use.patch $(3RDP_ROOT)/build/cl-linux-yield.patch $(3RDP_ROOT)/build/cl-good-sockets.patch $(3RDP_ROOT)/build/cl-moar-objects.patch $(3RDP_ROOT)/build/cl-pthread_yield.patch $(3RDP_ROOT)/build/cl-check-cert-dont-modify.patch $(3RDP_ROOT)/build/cl-server-term-support.patch | $(CRYPT_SRC) $(CRYPT_IDIR) $(3RDP_ROOT)/build/cl-remove-march.patch
 	@echo Creating $@ ...
 	$(QUIET)-rm -rf $(CRYPT_SRC)/*
 	$(QUIET)unzip -oa $(3RDPDISTDIR)/cryptlib.zip -d $(CRYPT_SRC)
@@ -147,6 +147,7 @@ $(CRYPTLIB_BUILD): $(3RDP_ROOT)/dist/cryptlib.zip $(3RDP_ROOT)/build/terminal-pa
 	$(QUIET)patch -b -p0 -d $(CRYPT_SRC) < cl-moar-objects.patch
 	$(QUIET)patch -b -p0 -d $(CRYPT_SRC) < cl-remove-march.patch
 	$(QUIET)patch -b -p0 -d $(CRYPT_SRC) < cl-pthread_yield.patch
+	$(QUIET)patch -b -p0 -d $(CRYPT_SRC) < cl-server-term-support.patch
 ifeq ($(os),win32)
 	$(QUIET)cd $(CRYPT_SRC) && env - PATH="$(PATH)" CC="$(CC)" AR="$(AR)" RANLIB="$(RANLIB)" make directories
 	$(QUIET)cd $(CRYPT_SRC) && env - PATH="$(PATH)" CC="$(CC)" AR="$(AR)" RANLIB="$(RANLIB)" make toolscripts

--- a/3rdp/build/cl-server-term-support.patch
+++ b/3rdp/build/cl-server-term-support.patch
+--- session/ssh2_chn.c.orig	2019-02-05 18:18:26.000000000 -0500
+++ session/ssh2_chn.c	2023-12-24 08:09:36.669204000 -0500
+@@ -59,6 +59,9 @@
+ 	/* Channel extra data.  This contains encoded oddball protocol-specific
+ 	   SSH packets to be sent or having been received */
+	BUFFER( CRYPT_MAX_TEXTSIZE, terminalLen ) \
+	char terminal[ CRYPT_MAX_TEXTSIZE + 8 ];
+	int terminalLen, width, height;
+ 	BUFFER_FIXED( UINT_SIZE + CRYPT_MAX_TEXTSIZE + ( UINT_SIZE * 4 ) ) \
+ 	BYTE extraData[ ( UINT_SIZE + CRYPT_MAX_TEXTSIZE ) + \
+ 					( UINT_SIZE * 4 ) + 8 ];
+@@ -239,6 +242,21 @@
+ 					doContinue = FALSE;
+ 				break;
+			case CRYPT_SESSINFO_SSH_CHANNEL_TERMINAL:
+				if ( channelInfoPtr->terminalLen > 0 )
+					doContinue = FALSE;
+				break;
+
+			case CRYPT_SESSINFO_SSH_CHANNEL_WIDTH:
+				if ( channelInfoPtr->width > 0)
+					doContinue = FALSE;
+				break;
+
+			case CRYPT_SESSINFO_SSH_CHANNEL_HEIGHT:
+				if ( channelInfoPtr->height > 0)
+					doContinue = FALSE;
+				break;
+
+ 			default:
+ 				retIntError();
+ 			}
+@@ -479,6 +497,14 @@
+ 		case CRYPT_SESSINFO_SSH_CHANNEL_ACTIVE:
+ 			*value = isActiveChannel( channelInfoPtr ) ? TRUE : FALSE;
+ 			return( CRYPT_OK );
+
+		case CRYPT_SESSINFO_SSH_CHANNEL_WIDTH:
+			*value = channelInfoPtr->width;
+			return( CRYPT_OK );
+
+		case CRYPT_SESSINFO_SSH_CHANNEL_HEIGHT:
+			*value = channelInfoPtr->height;
+			return( CRYPT_OK );
+ 		}
+ 	retIntError();
+@@ -532,6 +558,11 @@
+ 			return( attributeCopyParams( data, dataMaxLength, dataLength,
+ 										 channelInfoPtr->arg2,
+ 										 channelInfoPtr->arg2Len ) );
+
+		case CRYPT_SESSINFO_SSH_CHANNEL_TERMINAL:
+			return( attributeCopyParams( data, dataMaxLength, dataLength,
+										 channelInfoPtr->terminal,
+										 channelInfoPtr->terminalLen ) );
+ 		}
+ 	retIntError();
+@@ -596,7 +627,21 @@
+ 		return( selectChannel( sessionInfoPtr, channelInfoPtr->writeChannelNo,
+ 							   CHANNEL_WRITE ) );
+ 		}
+	channelInfoPtr = ( SSH_CHANNEL_INFO * ) \
+				getCurrentChannelInfo( sessionInfoPtr, CHANNEL_READ );
+	REQUIRES( channelInfoPtr != NULL );
+	if( isNullChannel( channelInfoPtr ) )
+		return( CRYPT_ERROR_NOTFOUND );
+	if( attribute == CRYPT_SESSINFO_SSH_CHANNEL_WIDTH ) {
+		channelInfoPtr->width = value;
+		return CRYPT_OK;
+	}
+	if( attribute == CRYPT_SESSINFO_SSH_CHANNEL_HEIGHT ) {
+		channelInfoPtr->height = value;
+		return CRYPT_OK;
+	}
+
+ 	retIntError();
+ 	}
+@@ -639,6 +684,11 @@
+ 			return( attributeCopyParams( channelInfoPtr->arg2, 
+ 										 CRYPT_MAX_TEXTSIZE,
+ 										 &channelInfoPtr->arg2Len, 
+										 data, dataLength ) );
+		case CRYPT_SESSINFO_SSH_CHANNEL_TERMINAL:
+			return( attributeCopyParams( channelInfoPtr->terminal, 
+										 CRYPT_MAX_TEXTSIZE,
+										 &channelInfoPtr->terminalLen, 
+ 										 data, dataLength ) );
+ 		}
+--- session/ssh.c.orig	2023-12-24 07:59:01.180636000 -0500
+++ session/ssh.c	2023-12-24 08:11:02.562401000 -0500
+@@ -978,7 +978,10 @@
+ 			  type == CRYPT_SESSINFO_SSH_CHANNEL_TYPE || \
+ 			  type == CRYPT_SESSINFO_SSH_CHANNEL_ARG1 || \
+ 			  type == CRYPT_SESSINFO_SSH_CHANNEL_ARG2 || \
+-			  type == CRYPT_SESSINFO_SSH_CHANNEL_ACTIVE );
+			  type == CRYPT_SESSINFO_SSH_CHANNEL_ACTIVE || \
+			  type == CRYPT_SESSINFO_SSH_CHANNEL_WIDTH || \
+			  type == CRYPT_SESSINFO_SSH_CHANNEL_HEIGHT || \
+			  type == CRYPT_SESSINFO_SSH_CHANNEL_TERMINAL);
+ 	if( type == CRYPT_SESSINFO_SSH_OPTIONS )
+ 		{
+@@ -993,7 +996,9 @@
+ 		}
+ 	if( type == CRYPT_SESSINFO_SSH_CHANNEL || \
+-		type == CRYPT_SESSINFO_SSH_CHANNEL_ACTIVE )
+		type == CRYPT_SESSINFO_SSH_CHANNEL_ACTIVE || \
+		type == CRYPT_SESSINFO_SSH_CHANNEL_WIDTH || \
+		type == CRYPT_SESSINFO_SSH_CHANNEL_HEIGHT)
+ 		{
+ 		status = getChannelAttribute( sessionInfoPtr, type, data );
+ 		}
+@@ -1023,12 +1028,17 @@
+ 			  type == CRYPT_SESSINFO_SSH_CHANNEL_ARG1 || \
+ 			  type == CRYPT_SESSINFO_SSH_CHANNEL_ARG2 || \
+ 			  type == CRYPT_SESSINFO_SSH_OPTIONS || \
+-			  type == CRYPT_SESSINFO_SSH_CHANNEL_ACTIVE );
+			  type == CRYPT_SESSINFO_SSH_CHANNEL_ACTIVE || \
+			  type == CRYPT_SESSINFO_SSH_CHANNEL_WIDTH || \
+			  type == CRYPT_SESSINFO_SSH_CHANNEL_HEIGHT || \
+			  type == CRYPT_SESSINFO_SSH_CHANNEL_TERMINAL);
+ 	/* Get the data value if it's an integer parameter */
+ 	if( type == CRYPT_SESSINFO_SSH_CHANNEL || \
+ 		type == CRYPT_SESSINFO_SSH_CHANNEL_ACTIVE || \
+-		type == CRYPT_SESSINFO_SSH_OPTIONS)
+		type == CRYPT_SESSINFO_SSH_OPTIONS || \
+		type == CRYPT_SESSINFO_SSH_CHANNEL_HEIGHT || \
+		type == CRYPT_SESSINFO_SSH_CHANNEL_WIDTH) 
+ 		value = *( ( int * ) data );
+ 	/* If we're selecting a channel and there's unwritten data from a
+@@ -1069,7 +1079,9 @@
+ 		return( closeChannel( sessionInfoPtr, FALSE ) );
+ 		}
+-	if( type == CRYPT_SESSINFO_SSH_CHANNEL )
+	if( type == CRYPT_SESSINFO_SSH_CHANNEL || \
+		type == CRYPT_SESSINFO_SSH_CHANNEL_WIDTH || \
+		type == CRYPT_SESSINFO_SSH_CHANNEL_HEIGHT)
+ 		status = setChannelAttribute( sessionInfoPtr, type, value );
+ 	else
+ 		{
+--- session/ssh2_msgc.c.orig	2023-12-24 07:59:00.803690000 -0500
+++ session/ssh2_msgc.c	2023-12-24 08:12:21.955372000 -0500
+@@ -553,15 +553,15 @@
+ 	writeUint32( stream, channelNo );
+ 	writeString32( stream, "pty-req", 7 );
+ 	sputc( stream, 0 );					/* No reply */
+-	if( cryptStatusError( status = getSessionAttributeS( sessionInfoPtr, &term, CRYPT_SESSINFO_SSH_TERMINAL) ) )
+	if( cryptStatusError( status = getChannelAttributeS( sessionInfoPtr, CRYPT_SESSINFO_SSH_CHANNEL_TERMINAL, term.data, sizeof(termString), &term.length) ) || term.length == 0 )
+ 		writeString32( stream, "xterm", 5 );/* Generic */
+ 	else
+ 		writeString32( stream, term.data, term.length );/* Generic */
+-	if( cryptStatusError( getSessionAttribute( sessionInfoPtr, &value, CRYPT_SESSINFO_SSH_WIDTH ) ) )
+	if( cryptStatusError( getChannelAttribute( sessionInfoPtr, CRYPT_SESSINFO_SSH_CHANNEL_WIDTH, &value ) ) || value == 0 )
+ 		writeUint32( stream, 80 );
+ 	else
+ 		writeUint32( stream, value);
+-	if( cryptStatusError( getSessionAttribute( sessionInfoPtr, &value, CRYPT_SESSINFO_SSH_HEIGHT ) ) )
+	if( cryptStatusError( getChannelAttribute( sessionInfoPtr, CRYPT_SESSINFO_SSH_CHANNEL_HEIGHT, &value ) ) || value == 0 )
+ 		writeUint32( stream, 48 );		/* 48 x 80 (24 x 80 is so 1970s) */
+ 	else
+ 		writeUint32( stream, value);
+--- session/ssh2_msgs.c.orig	2019-02-05 18:18:26.000000000 -0500
+++ session/ssh2_msgs.c	2023-12-24 08:15:19.887857000 -0500
+@@ -655,8 +655,20 @@
+ 	   problem but just deny the request */
+ 	switch( requestInfoPtr->requestType )
+ 		{
+-		case REQUEST_SHELL:
+ 		case REQUEST_PTY:
+			readString32( stream, stringBuffer, CRYPT_MAX_TEXTSIZE, &stringLength );
+			if (stringLength > 0)
+				setChannelAttributeS(sessionInfoPtr, CRYPT_SESSINFO_SSH_CHANNEL_TERMINAL, stringBuffer, stringLength);
+			status = readUint32(stream);
+			if (status > 0)
+				setChannelAttribute(sessionInfoPtr, CRYPT_SESSINFO_SSH_CHANNEL_WIDTH, status);
+			status = readUint32(stream);
+			if (status > 0)
+				setChannelAttribute(sessionInfoPtr, CRYPT_SESSINFO_SSH_CHANNEL_HEIGHT, status);
+			break;
+		case REQUEST_SHELL:
+			//setChannelAttribute(sessionInfoPtr, status, CRYPT_SESSINFO_SSH_SHELL);
+			break;
+ 		case REQUEST_NOOP:
+ 			/* Generic requests containing extra information that we're not
+ 			   interested in */
+--- cryptlib.h.orig	2023-12-24 08:16:11.665165000 -0500
+++ cryptlib.h	2023-12-24 08:16:59.952861000 -0500
+@@ -1224,9 +1224,9 @@
+ 	CRYPT_SESSINFO_TSP_MSGIMPRINT,	/* TSP message imprint */
+ 	/* Terminal attributes */
+-	CRYPT_SESSINFO_SSH_TERMINAL,	/* TERM string sent to remote */
+-	CRYPT_SESSINFO_SSH_WIDTH,	/* Terminal width */
+-	CRYPT_SESSINFO_SSH_HEIGHT,	/* Terminal height */
+	CRYPT_SESSINFO_SSH_CHANNEL_TERMINAL,	/* TERM string sent to remote */
+	CRYPT_SESSINFO_SSH_CHANNEL_WIDTH,	/* Terminal width */
+	CRYPT_SESSINFO_SSH_CHANNEL_HEIGHT,	/* Terminal height */
+ 	/* Used internally */
+ 	CRYPT_SESSINFO_LAST, CRYPT_USERINFO_FIRST = 7000,
+@@ -1373,7 +1373,7 @@
+ 	CRYPT_CERTINFO_FIRST_CMS = CRYPT_CERTINFO_CMS_CONTENTTYPE,
+ 	CRYPT_CERTINFO_LAST_CMS = CRYPT_CERTINFO_LAST - 1,
+ 	CRYPT_SESSINFO_FIRST_SPECIFIC = CRYPT_SESSINFO_REQUEST,
+-	CRYPT_SESSINFO_LAST_SPECIFIC = CRYPT_SESSINFO_TSP_MSGIMPRINT
+	CRYPT_SESSINFO_LAST_SPECIFIC = CRYPT_SESSINFO_SSH_CHANNEL_HEIGHT
+ 	/* Point at which private-use values start.  Attribute values sometimes
+ 	   need to be extended with additional pseudo-values in object-specific
+--- session/sess_attr.c.orig	2023-12-24 08:19:43.874119000 -0500
+++ session/sess_attr.c	2023-12-24 08:21:50.844733000 -0500
+@@ -567,8 +567,6 @@
+ 								   SESSION_FLAG_ISOPEN ) ? TRUE : FALSE;
+ 			return( CRYPT_OK );
+-		case CRYPT_SESSINFO_SSH_HEIGHT:
+-		case CRYPT_SESSINFO_SSH_WIDTH:
+ 		case CRYPT_SESSINFO_SERVER_PORT:
+ 		case CRYPT_SESSINFO_CLIENT_PORT:
+ 			{
+@@ -643,7 +641,6 @@
+ 			return( CRYPT_ERROR_NOTFOUND );
+ 			}
+-		case CRYPT_SESSINFO_SSH_TERMINAL:
+ 		case CRYPT_SESSINFO_USERNAME:
+ 		case CRYPT_SESSINFO_PASSWORD:
+ 			/* If the session was resumed from cached information then the
+@@ -802,13 +799,6 @@
+ 			return( status );
+ 			}
+-		case CRYPT_SESSINFO_SSH_WIDTH:
+-			return( addSessionInfo( sessionInfoPtr,
+-									CRYPT_SESSINFO_SSH_WIDTH, value ) );
+-		case CRYPT_SESSINFO_SSH_HEIGHT:
+-			return( addSessionInfo( sessionInfoPtr,
+-									CRYPT_SESSINFO_SSH_HEIGHT, value ) );
+-
+ 		case CRYPT_SESSINFO_SERVER_PORT:
+ 			/* If there's already a network socket specified then we can't 
+ 			   set a port as well */
+@@ -966,9 +956,6 @@
+ 			return( addCredential( sessionInfoPtr, data, dataLength, 
+ 								   attribute ) );
+-		case CRYPT_SESSINFO_SSH_TERMINAL:
+-		case CRYPT_SESSINFO_SSH_WIDTH:
+-		case CRYPT_SESSINFO_SSH_HEIGHT:
+ 		case CRYPT_SESSINFO_SERVER_FINGERPRINT_SHA1:
+ 			/* Remember the value */
+ 			return( addSessionInfoS( sessionInfoPtr, attribute, data, 
+@@ -1031,7 +1018,6 @@
+ 			sessionInfoPtr->writeTimeout = CRYPT_ERROR;
+ 			return( CRYPT_OK );
+-		case CRYPT_SESSINFO_SSH_TERMINAL:
+ 		case CRYPT_SESSINFO_USERNAME:
+ 		case CRYPT_SESSINFO_PASSWORD:
+ 		case CRYPT_SESSINFO_SERVER_NAME:
+--- kernel/attr_acl.c.orig	2023-12-24 08:27:15.033674000 -0500
+++ kernel/attr_acl.c	2023-12-24 08:30:04.633826000 -0500
+@@ -3564,6 +3564,49 @@
+ 	MKACL_END_SUBACL(), MKACL_END_SUBACL()
+ 	};
+static const ATTRIBUTE_ACL subACL_SessinfoSSHChannelTerminal[] = {
+	MKACL_S(	/* SSH client: Read/write */
+		/* Shortest valid name = "sftp" */
+		CRYPT_SESSINFO_SSH_CHANNEL_TERMINAL,
+		ST_NONE, ST_NONE, ST_SESS_SSH, 
+		MKPERM_SSH_EXT( RWx_RWx ),
+		ROUTE( OBJECT_TYPE_SESSION ), RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
+	MKACL_S(	/* SSH server: Read-only info from client */
+		CRYPT_SESSINFO_SSH_CHANNEL_TERMINAL,
+		ST_NONE, ST_NONE, ST_SESS_SSH_SVR, 
+		MKPERM_SSH_EXT( RWx_xxx ),
+		ROUTE( OBJECT_TYPE_SESSION ), RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
+	MKACL_END_SUBACL(), MKACL_END_SUBACL()
+	};
+
+static const ATTRIBUTE_ACL subACL_SessinfoSSHChannelWidth[] = {
+	MKACL_N(	/* SSH client: Read/write */
+		CRYPT_SESSINFO_SSH_CHANNEL_WIDTH,
+		ST_NONE, ST_NONE, ST_SESS_SSH, 
+		MKPERM_SSH_EXT( RWx_RWx ),
+		ROUTE( OBJECT_TYPE_SESSION ), RANGE( 0, 800 ) ),
+	MKACL_N(	/* SSH server: Read-only info from client */
+		CRYPT_SESSINFO_SSH_CHANNEL_WIDTH,
+		ST_NONE, ST_NONE, ST_SESS_SSH_SVR, 
+		MKPERM_SSH_EXT( RWx_xxx ),
+		ROUTE( OBJECT_TYPE_SESSION ), RANGE( 0, 800 ) ),
+	MKACL_END_SUBACL(), MKACL_END_SUBACL()
+	};
+
+static const ATTRIBUTE_ACL subACL_SessinfoSSHChannelHeight[] = {
+	MKACL_N(	/* SSH client: Read/write */
+		CRYPT_SESSINFO_SSH_CHANNEL_HEIGHT,
+		ST_NONE, ST_NONE, ST_SESS_SSH, 
+		MKPERM_SSH_EXT( RWx_RWx ),
+		ROUTE( OBJECT_TYPE_SESSION ), RANGE( 0, 800 ) ),
+	MKACL_N(	/* SSH server: Read-only info from client */
+		CRYPT_SESSINFO_SSH_CHANNEL_HEIGHT,
+		ST_NONE, ST_NONE, ST_SESS_SSH_SVR, 
+		MKPERM_SSH_EXT( RWx_xxx ),
+		ROUTE( OBJECT_TYPE_SESSION ), RANGE( 0, 800 ) ),
+	MKACL_END_SUBACL(), MKACL_END_SUBACL()
+	};
+
+ /* Session attributes */
+ static const ATTRIBUTE_ACL sessionACL[] = {
+@@ -3774,24 +3817,24 @@
+ 		MKPERM_TSP( xWD_xWD ),
+ 		ROUTE( OBJECT_TYPE_SESSION ), &objectCtxHash ),
+-	MKACL_S(	/* SSH client: Read/write */
+-		CRYPT_SESSINFO_SSH_TERMINAL,
+-		ST_NONE, ST_NONE, ST_SESS_SSH, 
+-		0xffffffff /*MKPERM_SSH_EXT( RWD_RWD )*/,
+	MKACL_X(	/* SSH client: Read/write */
+		CRYPT_SESSINFO_SSH_CHANNEL_TERMINAL,
+		ST_NONE, ST_NONE, ST_SESS_SSH | ST_SESS_SSH_SVR, 
+		MKPERM_SSH_EXT( RWx_RWx ),
+ 		ROUTE( OBJECT_TYPE_SESSION ),
+-		RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
+-	MKACL_N(	/* SSH client: Read/write */
+-		CRYPT_SESSINFO_SSH_WIDTH,
+-		ST_NONE, ST_NONE, ST_SESS_SSH, 
+-		0xffffffff /*MKPERM_SSH_EXT( RWD_RWD )*/,
+		subACL_SessinfoSSHChannelTerminal ),
+	MKACL_X(	/* SSH client: Read/write */
+		CRYPT_SESSINFO_SSH_CHANNEL_WIDTH,
+		ST_NONE, ST_NONE, ST_SESS_SSH | ST_SESS_SSH_SVR, 
+		MKPERM_SSH_EXT( RWx_RWx ),
+ 		ROUTE( OBJECT_TYPE_SESSION ),
+-		RANGE( 1, 800 ) ),
+-	MKACL_N(	/* SSH client: Read/write */
+-		CRYPT_SESSINFO_SSH_HEIGHT,
+-		ST_NONE, ST_NONE, ST_SESS_SSH, 
+-		0xffffffff /*MKPERM_SSH_EXT( RWD_RWD )*/,
+		subACL_SessinfoSSHChannelWidth ),
+	MKACL_X(	/* SSH client: Read/write */
+		CRYPT_SESSINFO_SSH_CHANNEL_HEIGHT,
+		ST_NONE, ST_NONE, ST_SESS_SSH | ST_SESS_SSH_SVR, 
+		MKPERM_SSH_EXT( RWx_RWx ),
+ 		ROUTE( OBJECT_TYPE_SESSION ),
+-		RANGE( 1, 800 ) ),
+		subACL_SessinfoSSHChannelHeight ),
+ 	MKACL_END(), MKACL_END()
+ 	};
+@@ -4659,7 +4702,7 @@
+ 	static_assert( CRYPT_CERTINFO_FIRST_EXTENSION == 2200, "Attribute value" );
+ 	static_assert( CRYPT_CERTINFO_FIRST_CMS == 2500, "Attribute value" );
+ 	static_assert( CRYPT_SESSINFO_FIRST_SPECIFIC == 6016, "Attribute value" );
+-	static_assert( CRYPT_SESSINFO_LAST_SPECIFIC == 6032, "Attribute value" );
+	static_assert( CRYPT_SESSINFO_LAST_SPECIFIC == 6035, "Attribute value" );
+ 	static_assert( CRYPT_CERTFORMAT_LAST == 12, "Attribute value" );
+ 	/* Perform a consistency check on the attribute ACLs.  The ACLs are
--- a/src/sbbs3/answer.cpp
+++ b/src/sbbs3/answer.cpp
@@ -255,6 +255,22 @@ bool sbbs_t::answer()
 				lprintf(LOG_NOTICE, "SSH !UNKNOWN USER: '%s'", rlogin_name);
 			badlogin(rlogin_name, tmp);
 		}
+		if (cryptStatusOK(cryptGetAttribute(ssh_session, CRYPT_SESSINFO_SSH_CHANNEL_WIDTH, &l)) && l > 0) {
+			cols = l;
+			lprintf(LOG_DEBUG, "%04d SSH [%s] height %d", client_socket, client.addr, cols);
+		}
+		if (cryptStatusOK(cryptGetAttribute(ssh_session, CRYPT_SESSINFO_SSH_CHANNEL_HEIGHT, &l)) && l > 0) {
+			rows = l;
+			lprintf(LOG_DEBUG, "%04d SSH [%s] height %d", client_socket, client.addr, rows);
+		}
+		l = 0;
+		if (cryptStatusOK(cryptGetAttributeString(ssh_session, CRYPT_SESSINFO_SSH_CHANNEL_TERMINAL, terminal, &l)) && l > 0) {
+			if (l < sizeof(terminal))
+				terminal[l] = 0;
+			else
+				terminal[sizeof(terminal)-1] = 0;
+			lprintf(LOG_DEBUG, "%04d SSH [%s] term: %s", client_socket, client.addr, terminal);
+		}
 	}
 #endif

--- a/src/syncterm/ssh.c
+++ b/src/syncterm/ssh.c
@@ -274,12 +274,26 @@ ssh_connect(struct bbslist *bbs)
 		return -1;
 	}
+	if (!bbs->hidepopups) {
+		uifc.pop(NULL);
+		uifc.pop("Setting Channel");
+	}
+	cl.SetAttribute(ssh_session, CRYPT_SESSINFO_SSH_CHANNEL, CRYPT_UNUSED);
+	if (!bbs->hidepopups) {
+		uifc.pop(NULL);
+		uifc.pop("Setting Channel Type");
+	}
+	cl.SetAttributeString(ssh_session, CRYPT_SESSINFO_SSH_CHANNEL_TYPE, "session", 7);
 	if (!bbs->hidepopups) {
 		uifc.pop(NULL);
 		uifc.pop("Setting Terminal Type");
 	}
 	term = get_emulation_str(get_emulation(bbs));
-	status = cl.SetAttributeString(ssh_session, CRYPT_SESSINFO_SSH_TERMINAL, term, strlen(term));
+	status = cl.SetAttributeString(ssh_session, CRYPT_SESSINFO_SSH_CHANNEL_TERMINAL, term, strlen(term));
 	get_term_win_size(&cols, &rows, NULL, NULL, &bbs->nostatus);
@@ -287,13 +301,13 @@ ssh_connect(struct bbslist *bbs)
 		uifc.pop(NULL);
 		uifc.pop("Setting Terminal Width");
 	}
-	status = cl.SetAttribute(ssh_session, CRYPT_SESSINFO_SSH_WIDTH, cols);
+	status = cl.SetAttribute(ssh_session, CRYPT_SESSINFO_SSH_CHANNEL_WIDTH, cols);
 	if (!bbs->hidepopups) {
 		uifc.pop(NULL);
 		uifc.pop("Setting Terminal Height");
 	}
-	status = cl.SetAttribute(ssh_session, CRYPT_SESSINFO_SSH_HEIGHT, rows);
+	status = cl.SetAttribute(ssh_session, CRYPT_SESSINFO_SSH_CHANNEL_HEIGHT, rows);
 	cl.SetAttribute(ssh_session, CRYPT_OPTION_NET_READTIMEOUT, 1);