

(-)clientloop.c (-5 / +19 lines)
Lines 147-157 static int stdin_eof; /* EOF has been e Link Here
147
static Buffer stdin_buffer;	/* Buffer for stdin data. */
147
static Buffer stdin_buffer;	/* Buffer for stdin data. */
148
static Buffer stdout_buffer;	/* Buffer for stdout data. */
148
static Buffer stdout_buffer;	/* Buffer for stdout data. */
149
static Buffer stderr_buffer;	/* Buffer for stderr data. */
149
static Buffer stderr_buffer;	/* Buffer for stderr data. */
150
static u_int buffer_high;/* Soft max buffer size. */
150
static u_int buffer_high;	/* Soft max buffer size. */
151
static int connection_in;	/* Connection to server (input). */
151
static int connection_in;	/* Connection to server (input). */
152
static int connection_out;	/* Connection to server (output). */
152
static int connection_out;	/* Connection to server (output). */
153
static int need_rekeying;	/* Set to non-zero if rekeying is requested. */
153
static int need_rekeying;	/* Set to non-zero if rekeying is requested. */
154
static int session_closed = 0;	/* In SSH2: login session closed. */
154
static int session_closed;	/* In SSH2: login session closed. */
155
static int x11_refuse_time;	/* If >0, refuse x11 opens after this time. */
155
156
156
static void client_init_dispatch(void);
157
static void client_init_dispatch(void);
157
int	session_ident = -1;
158
int	session_ident = -1;
Lines 246-252 get_current_time(void) Link Here
246
#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
247
#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
247
void
248
void
248
client_x11_get_proto(const char *display, const char *xauth_path,
249
client_x11_get_proto(const char *display, const char *xauth_path,
249
    u_int trusted, char **_proto, char **_data)
250
    u_int trusted, u_int timeout, char **_proto, char **_data)
250
{
251
{
251
	char cmd[1024];
252
	char cmd[1024];
252
	char line[512];
253
	char line[512];
Lines 256-261 client_x11_get_proto(const char *display Link Here
256
	int got_data = 0, generated = 0, do_unlink = 0, i;
257
	int got_data = 0, generated = 0, do_unlink = 0, i;
257
	char *xauthdir, *xauthfile;
258
	char *xauthdir, *xauthfile;
258
	struct stat st;
259
	struct stat st;
260
	u_int now;
259
261
260
	xauthdir = xauthfile = NULL;
262
	xauthdir = xauthfile = NULL;
261
	*_proto = proto;
263
	*_proto = proto;
Lines 291-301 client_x11_get_proto(const char *display Link Here
291
				    xauthdir);
293
				    xauthdir);
292
				snprintf(cmd, sizeof(cmd),
294
				snprintf(cmd, sizeof(cmd),
293
				    "%s -f %s generate %s " SSH_X11_PROTO
295
				    "%s -f %s generate %s " SSH_X11_PROTO
294
				    " untrusted timeout 1200 2>" _PATH_DEVNULL,
296
				    " untrusted timeout %u 2>" _PATH_DEVNULL,
295
				    xauth_path, xauthfile, display);
297
				    xauth_path, xauthfile, display, timeout);
296
				debug2("x11_get_proto: %s", cmd);
298
				debug2("x11_get_proto: %s", cmd);
297
				if (system(cmd) == 0)
299
				if (system(cmd) == 0)
298
					generated = 1;
300
					generated = 1;
301
				if (x11_refuse_time == 0) {
302
					now = time(NULL) + 1;
303
					if (UINT_MAX - timeout < now)
304
						x11_refuse_time = UINT_MAX;
305
					else
306
						x11_refuse_time = now + timeout;
307
				}
299
			}
308
			}
300
		}
309
		}
301
310
Lines 1672-1677 client_request_x11(const char *request_t Link Here
1672
		error("Warning: ssh server tried X11 forwarding.");
1681
		error("Warning: ssh server tried X11 forwarding.");
1673
		error("Warning: this is probably a break-in attempt by a "
1682
		error("Warning: this is probably a break-in attempt by a "
1674
		    "malicious server.");
1683
		    "malicious server.");
1684
		return NULL;
1685
	}
1686
	if (x11_refuse_time != 0 && time(NULL) >= x11_refuse_time) {
1687
		verbose("Rejected X11 connection after ForwardX11Timeout "
1688
		    "expired");
1675
		return NULL;
1689
		return NULL;
1676
	}
1690
	}
1677
	originator = packet_get_string(NULL);
1691
	originator = packet_get_string(NULL);
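Review bot: `x11_refuse_time` is declared `static int` in the first hunk (file line 155), but the saturation logic added to client_x11_get_proto assigns it `UINT_MAX` and `now + timeout`, where both `now` and `timeout` are `u_int`; converting `UINT_MAX` to `int` yields -1 on two's-complement platforms, and the new test in client_request_x11, `time(NULL) >= x11_refuse_time`, would then be true at once and every X11 channel request would be refused, while a large `now + timeout` can wrap negative the same way. Declaring it to match the arithmetic and the `!= 0` test, `static u_int x11_refuse_time;	/* If >0, refuse x11 opens after this time. */`, removes the mismatch. Note also that `now` holds a `time_t` truncated to `u_int`; a `time_t`-typed deadline would avoid that, but is a wider change than this patch. Both client_x11_get_proto and client_request_x11 begin and end outside the shown hunks.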
(-)clientloop.h (-1 / +1 lines)
Lines 39-45 Link Here
39
39
40
/* Client side main loop for the interactive session. */
40
/* Client side main loop for the interactive session. */
41
int	 client_loop(int, int, int);
41
int	 client_loop(int, int, int);
42
void	 client_x11_get_proto(const char *, const char *, u_int,
42
void	 client_x11_get_proto(const char *, const char *, u_int, u_int,
43
	    char **, char **);
43
	    char **, char **);
44
void	 client_global_request_reply_fwd(int, u_int32_t, void *);
44
void	 client_global_request_reply_fwd(int, u_int32_t, void *);
45
void	 client_session2_setup(int, int, int, const char *, struct termios *,
45
void	 client_session2_setup(int, int, int, const char *, struct termios *,
(-)mux.c (-1 / +1 lines)
Lines 1095-1101 mux_session_confirm(int id, int success, Link Here
1095
		char *proto, *data;
1095
		char *proto, *data;
1096
		/* Get reasonable local authentication information. */
1096
		/* Get reasonable local authentication information. */
1097
		client_x11_get_proto(display, options.xauth_location,
1097
		client_x11_get_proto(display, options.xauth_location,
1098
		    options.forward_x11_trusted, &proto, &data);
1098
		    options.forward_x11_trusted, options.forward_x11_timeout, &proto, &data);
1099
		/* Request forwarding with authentication spoofing. */
1099
		/* Request forwarding with authentication spoofing. */
1100
		debug("Requesting X11 forwarding with authentication spoofing.");
1100
		debug("Requesting X11 forwarding with authentication spoofing.");
1101
		x11_request_forwarding_with_spoofing(id, display, proto, data);
1101
		x11_request_forwarding_with_spoofing(id, display, proto, data);
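Review bot: The updated call at mux.c line 1098 runs well past 80 columns, whereas the equivalent calls in ssh.c wrap the new `options.forward_x11_timeout` argument onto its own line; for consistency with those call sites and the file's existing continuation style, wrap it as `    options.forward_x11_trusted, options.forward_x11_timeout,` followed by `    &proto, &data);`. mux_session_confirm begins and ends outside this hunk.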
(-)readconf.c (-2 / +10 lines)
Lines 107-114 Link Here
107
107
108
typedef enum {
108
typedef enum {
109
	oBadOption,
109
	oBadOption,
110
	oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
110
	oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout,
111
	oExitOnForwardFailure,
111
	oGatewayPorts, oExitOnForwardFailure,
112
	oPasswordAuthentication, oRSAAuthentication,
112
	oPasswordAuthentication, oRSAAuthentication,
113
	oChallengeResponseAuthentication, oXAuthLocation,
113
	oChallengeResponseAuthentication, oXAuthLocation,
114
	oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
114
	oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
Lines 140-145 static struct { Link Here
140
	{ "forwardagent", oForwardAgent },
140
	{ "forwardagent", oForwardAgent },
141
	{ "forwardx11", oForwardX11 },
141
	{ "forwardx11", oForwardX11 },
142
	{ "forwardx11trusted", oForwardX11Trusted },
142
	{ "forwardx11trusted", oForwardX11Trusted },
143
	{ "forwardx11timeout", oForwardX11Timeout },
143
	{ "exitonforwardfailure", oExitOnForwardFailure },
144
	{ "exitonforwardfailure", oExitOnForwardFailure },
144
	{ "xauthlocation", oXAuthLocation },
145
	{ "xauthlocation", oXAuthLocation },
145
	{ "gatewayports", oGatewayPorts },
146
	{ "gatewayports", oGatewayPorts },
Lines 399-404 parse_flag: Link Here
399
	case oForwardX11Trusted:
400
	case oForwardX11Trusted:
400
		intptr = &options->forward_x11_trusted;
401
		intptr = &options->forward_x11_trusted;
401
		goto parse_flag;
402
		goto parse_flag;
403
	
404
	case oForwardX11Timeout:
405
		intptr = &options->forward_x11_timeout;
406
		goto parse_time;
402
407
403
	case oGatewayPorts:
408
	case oGatewayPorts:
404
		intptr = &options->gateway_ports;
409
		intptr = &options->gateway_ports;
Lines 1003-1008 initialize_options(Options * options) Link Here
1003
	options->forward_agent = -1;
1008
	options->forward_agent = -1;
1004
	options->forward_x11 = -1;
1009
	options->forward_x11 = -1;
1005
	options->forward_x11_trusted = -1;
1010
	options->forward_x11_trusted = -1;
1011
	options->forward_x11_timeout = -1;
1006
	options->exit_on_forward_failure = -1;
1012
	options->exit_on_forward_failure = -1;
1007
	options->xauth_location = NULL;
1013
	options->xauth_location = NULL;
1008
	options->gateway_ports = -1;
1014
	options->gateway_ports = -1;
Lines 1087-1092 fill_default_options(Options * options) Link Here
1087
		options->forward_x11 = 0;
1093
		options->forward_x11 = 0;
1088
	if (options->forward_x11_trusted == -1)
1094
	if (options->forward_x11_trusted == -1)
1089
		options->forward_x11_trusted = 0;
1095
		options->forward_x11_trusted = 0;
1096
	if (options->forward_x11_timeout == -1)
1097
		options->forward_x11_timeout = 1200;
1090
	if (options->exit_on_forward_failure == -1)
1098
	if (options->exit_on_forward_failure == -1)
1091
		options->exit_on_forward_failure = 0;
1099
		options->exit_on_forward_failure = 0;
1092
	if (options->xauth_location == NULL)
1100
	if (options->xauth_location == NULL)
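Review bot: The new `case oForwardX11Timeout` branch jumps to `parse_time`, a label not visible in these hunks; if it is the parser that only stores a value while the field is still -1 (as the `-1` initialisation in initialize_options suggests), that coupling deserves a comment on the case, e.g. `/* parse_time stores seconds; -1 set by initialize_options means unset */`. The parsed value is later passed to a `u_int timeout` parameter and formatted with `%u`, so `ForwardX11Timeout 0` would generate a cookie with `timeout 0` while the client-side refuse time becomes `now + 1`; if zero is meant to mean "no timeout" it needs explicit handling here, otherwise the manual page should state the minimum. The added line at file line 403 contains only a tab and should be an empty line.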
(-)readconf.h (+1 lines)
Lines 32-37 typedef struct { Link Here
32
typedef struct {
32
typedef struct {
33
	int     forward_agent;	/* Forward authentication agent. */
33
	int     forward_agent;	/* Forward authentication agent. */
34
	int     forward_x11;	/* Forward X11 display. */
34
	int     forward_x11;	/* Forward X11 display. */
35
	int     forward_x11_timeout;	/* Expiration for Cookies */
35
	int     forward_x11_trusted;	/* Trust Forward X11 display. */
36
	int     forward_x11_trusted;	/* Trust Forward X11 display. */
36
	int     exit_on_forward_failure;	/* Exit if bind(2) fails for -L/-R */
37
	int     exit_on_forward_failure;	/* Exit if bind(2) fails for -L/-R */
37
	char   *xauth_location;	/* Location for xauth program */
38
	char   *xauth_location;	/* Location for xauth program */
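Review bot: The comment on the new `forward_x11_timeout` field, `/* Expiration for Cookies */`, gives neither the unit nor the unset sentinel that readconf.c relies on; since the value is parsed as a time, defaults to 1200 and is passed straight to `xauth ... timeout %u`, something like `/* Seconds until untrusted X11 cookies expire; -1 = unset */` would document the contract. The field is inserted between `forward_x11` and `forward_x11_trusted`, which differs from the order the same options take in initialize_options and fill_default_options; placing it after `forward_x11_trusted` keeps the three files consistent.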
(-)ssh.c (-2 / +5 lines)
Lines 1077-1083 ssh_session(void) Link Here
1077
		char *proto, *data;
1077
		char *proto, *data;
1078
		/* Get reasonable local authentication information. */
1078
		/* Get reasonable local authentication information. */
1079
		client_x11_get_proto(display, options.xauth_location,
1079
		client_x11_get_proto(display, options.xauth_location,
1080
		    options.forward_x11_trusted, &proto, &data);
1080
		    options.forward_x11_trusted, 
1081
		    options.forward_x11_timeout,
1082
		    &proto, &data);
1081
		/* Request forwarding with authentication spoofing. */
1083
		/* Request forwarding with authentication spoofing. */
1082
		debug("Requesting X11 forwarding with authentication "
1084
		debug("Requesting X11 forwarding with authentication "
1083
		    "spoofing.");
1085
		    "spoofing.");
Lines 1173-1179 ssh_session2_setup(int id, int success, Link Here
1173
		char *proto, *data;
1175
		char *proto, *data;
1174
		/* Get reasonable local authentication information. */
1176
		/* Get reasonable local authentication information. */
1175
		client_x11_get_proto(display, options.xauth_location,
1177
		client_x11_get_proto(display, options.xauth_location,
1176
		    options.forward_x11_trusted, &proto, &data);
1178
		    options.forward_x11_trusted,
1179
		    options.forward_x11_timeout, &proto, &data);
1177
		/* Request forwarding with authentication spoofing. */
1180
		/* Request forwarding with authentication spoofing. */
1178
		debug("Requesting X11 forwarding with authentication "
1181
		debug("Requesting X11 forwarding with authentication "
1179
		    "spoofing.");
1182
		    "spoofing.");
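Review bot: The wrapped call in ssh_session (file line 1080, `options.forward_x11_trusted, `) carries trailing whitespace after the comma, and the two updated call sites are laid out differently: ssh_session puts `&proto, &data);` on a line of its own while ssh_session2_setup keeps it with the timeout argument. Use the ssh_session2_setup layout in both places and drop the trailing space: `    options.forward_x11_trusted,` then `    options.forward_x11_timeout, &proto, &data);`. Both enclosing functions begin and end outside the shown hunks.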
(-)ssh_config.5 (+10 lines)
Lines 432-437 An attacker may then be able to perform Link Here
432
if the
432
if the
433
.Cm ForwardX11Trusted
433
.Cm ForwardX11Trusted
434
option is also enabled.
434
option is also enabled.
435
.It Cm ForwardX11Timeout
436
Specify a timeout for untrusted X11 forwarding using the format described in
437
.Sx TIME FORMATS
438
section of
439
.Xr sshd_config 5 .
440
X11 connections received by
441
.Xr ssh 1
442
after this time will be refused.
443
The default is to disable untrusted X11 forwarding after twenty minutes has
444
elapsed.
435
.It Cm ForwardX11Trusted
445
.It Cm ForwardX11Trusted
436
If this option is set to
446
If this option is set to
437
.Dq yes ,
447
.Dq yes ,
