Bugzilla – Attachment 1877 Details for
Bug 1785
configurable timeout for x11 cookies
[patch]
Possible implementation of ForwardX11Timeout
x11-timeout-patch.diff (text/plain), 6.50 KB, created by
Tavis Ormandy
on 2010-06-20 21:24:46 AEST
Description:
Possible implementation of ForwardX11Timeout
Filename:
MIME Type:
Creator:
Tavis Ormandy
Created:
2010-06-20 21:24:46 AEST
Size:
6.50 KB
>? x11-timeout-patch.diff
>Index: clientloop.c
>===================================================================
>RCS file: /cvs/openssh/clientloop.c,v
>retrieving revision 1.209
>diff -u -r1.209 clientloop.c
>--- clientloop.c 16 Apr 2010 05:53:23 -0000 1.209
>+++ clientloop.c 20 Jun 2010 11:23:56 -0000
>@@ -254,7 +254,7 @@
> #define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
> void
> client_x11_get_proto(const char *display, const char *xauth_path,
>- u_int trusted, char **_proto, char **_data)
>+ u_int trusted, u_int timeout, char **_proto, char **_data)
> {
> char cmd[1024];
> char line[512];
>@@ -299,8 +299,8 @@
> xauthdir);
> snprintf(cmd, sizeof(cmd),
> "%s -f %s generate %s " SSH_X11_PROTO
>- " untrusted timeout 1200 2>" _PATH_DEVNULL,
>- xauth_path, xauthfile, display);
>+ " untrusted timeout %u 2>" _PATH_DEVNULL,
>+ xauth_path, xauthfile, display, timeout);
> debug2("x11_get_proto: %s", cmd);
> if (system(cmd) == 0)
> generated = 1;
>Index: clientloop.h
>===================================================================
>RCS file: /cvs/openssh/clientloop.h,v
>retrieving revision 1.24
>diff -u -r1.24 clientloop.h
>--- clientloop.h 21 May 2010 04:57:35 -0000 1.24
>+++ clientloop.h 20 Jun 2010 11:23:56 -0000
>@@ -39,7 +39,7 @@
>
> /* Client side main loop for the interactive session. */
> int client_loop(int, int, int);
>-void client_x11_get_proto(const char *, const char *, u_int,
>+void client_x11_get_proto(const char *, const char *, u_int, u_int,
> char **, char **);
> void client_global_request_reply_fwd(int, u_int32_t, void *);
> void client_session2_setup(int, int, int, const char *, struct termios *,
>Index: mux.c
>===================================================================
>RCS file: /cvs/openssh/mux.c,v
>retrieving revision 1.20
>diff -u -r1.20 mux.c
>--- mux.c 21 May 2010 04:57:35 -0000 1.20
>+++ mux.c 20 Jun 2010 11:23:56 -0000
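Review bot: The client keeps no record of when the generated cookie lapses: in the clientloop.c hunk at `@@ -299` the new `timeout` is only handed to xauth, and nothing visible in this patch stops ssh from passing forwarded X11 connections to the display after that moment. The ssh_config.5 text added by this same patch describes untrusted connections falling back to trusted after expiration on displays with broken ACLs, which makes the expiry a security boundary rather than a convenience setting. I would record a deadline (current time plus `timeout`) when `system(cmd)` succeeds and have the X11 channel-open path refuse new connections once it has passed; that path is outside the hunks shown, so this is a design request rather than a line edit. `client_x11_get_proto` starts and ends outside both clientloop.c hunks.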
>@@ -1113,7 +1113,7 @@
> char *proto, *data;
> /* Get reasonable local authentication information. */
> client_x11_get_proto(display, options.xauth_location,
>- options.forward_x11_trusted, &proto, &data);
>+ options.forward_x11_trusted, options.forward_x11_timeout, &proto, &data);
> /* Request forwarding with authentication spoofing. */
> debug("Requesting X11 forwarding with authentication spoofing.");
> x11_request_forwarding_with_spoofing(id, display, proto, data);
>Index: readconf.c
>===================================================================
>RCS file: /cvs/openssh/readconf.c,v
>retrieving revision 1.163
>diff -u -r1.163 readconf.c
>--- readconf.c 21 May 2010 04:57:35 -0000 1.163
>+++ readconf.c 20 Jun 2010 11:23:57 -0000
>@@ -111,7 +111,7 @@
> typedef enum {
> oBadOption,
> oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
>- oExitOnForwardFailure,
>+ oForwardX11Timeout, oExitOnForwardFailure,
> oPasswordAuthentication, oRSAAuthentication,
> oChallengeResponseAuthentication, oXAuthLocation,
> oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
>@@ -143,6 +143,7 @@
> { "forwardagent", oForwardAgent },
> { "forwardx11", oForwardX11 },
> { "forwardx11trusted", oForwardX11Trusted },
>+ { "forwardx11timeout", oForwardX11Timeout },
> { "exitonforwardfailure", oExitOnForwardFailure },
> { "xauthlocation", oXAuthLocation },
> { "gatewayports", oGatewayPorts },
>@@ -404,6 +405,10 @@
> case oForwardX11Trusted:
> intptr = &options->forward_x11_trusted;
> goto parse_flag;
>+
>+ case oForwardX11Timeout:
>+ intptr = &options->forward_x11_timeout;
>+ goto parse_time;
>
> case oGatewayPorts:
> intptr = &options->gateway_ports;
>@@ -1008,6 +1013,7 @@
> options->forward_agent = -1;
> options->forward_x11 = -1;
> options->forward_x11_trusted = -1;
>+ options->forward_x11_timeout = -1;
> options->exit_on_forward_failure = -1;
> options->xauth_location = NULL;
> options->gateway_ports = -1;
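Review bot: The replacement line in the mux.c hunk puts four arguments on one continuation line, 73 characters before its indentation, whereas both ssh.c call sites in this patch wrap the same arguments. Wrapping it the same way keeps the three calls consistent and within the usual line width: `options.forward_x11_trusted,` followed by `options.forward_x11_timeout, &proto, &data);`. This is layout only; the call itself is unchanged.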
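Review bot: No bound specific to this option is applied in the readconf.c hunk at `@@ -404`: the new `oForwardX11Timeout` case jumps to the shared `parse_time` label, which lies outside the hunk, and the result later reaches the xauth command line in clientloop.c. The field is a signed `int` using -1 as the unset marker, yet it is passed on as `u_int` and printed with `%u`; a value of 0 is presumably accepted, and what `timeout 0` means should be decided here rather than left to the external tool. I would either reject 0 after parsing or state the behaviour, for example `/* 0 is passed to xauth unchanged; see xauth(1) for its meaning */` above the case. If `parse_time` accepts unit suffixes, the "in seconds" wording in the ssh_config.5 hunk should say so as well.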
>@@ -1092,6 +1098,8 @@
> options->forward_x11 = 0;
> if (options->forward_x11_trusted == -1)
> options->forward_x11_trusted = 0;
>+ if (options->forward_x11_timeout == -1)
>+ options->forward_x11_timeout = 1200;
> if (options->exit_on_forward_failure == -1)
> options->exit_on_forward_failure = 0;
> if (options->xauth_location == NULL)
>Index: readconf.h
>===================================================================
>RCS file: /cvs/openssh/readconf.h,v
>retrieving revision 1.75
>diff -u -r1.75 readconf.h
>--- readconf.h 21 May 2010 04:57:35 -0000 1.75
>+++ readconf.h 20 Jun 2010 11:23:57 -0000
>@@ -32,6 +32,7 @@
> typedef struct {
> int forward_agent; /* Forward authentication agent. */
> int forward_x11; /* Forward X11 display. */
>+ int forward_x11_timeout; /* Expiration for Cookies */
> int forward_x11_trusted; /* Trust Forward X11 display. */
> int exit_on_forward_failure; /* Exit if bind(2) fails for -L/-R */
> char *xauth_location; /* Location for xauth program */
>Index: ssh.c
>===================================================================
>RCS file: /cvs/openssh/ssh.c,v
>retrieving revision 1.330
>diff -u -r1.330 ssh.c
>--- ssh.c 21 May 2010 04:57:35 -0000 1.330
>+++ ssh.c 20 Jun 2010 11:23:57 -0000
>@@ -1096,7 +1096,9 @@
> char *proto, *data;
> /* Get reasonable local authentication information. */
> client_x11_get_proto(display, options.xauth_location,
>- options.forward_x11_trusted, &proto, &data);
>+ options.forward_x11_trusted,
>+ options.forward_x11_timeout,
>+ &proto, &data);
> /* Request forwarding with authentication spoofing. */
> debug("Requesting X11 forwarding with authentication "
> "spoofing.");
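Review bot: The comment on the new `forward_x11_timeout` field in readconf.h gives neither the unit nor which cookies it governs; `/* Lifetime in seconds of the untrusted X11 cookie. */` would match what the ssh_config.5 hunk states. The field is also inserted between `forward_x11` and `forward_x11_trusted`, while the keyword table and the initialisers in readconf.c list the timeout after the trusted flag. Moving it below `forward_x11_trusted` keeps the struct in the same order as those tables.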
>@@ -1192,7 +1194,8 @@
> char *proto, *data;
> /* Get reasonable local authentication information. */
> client_x11_get_proto(display, options.xauth_location,
>- options.forward_x11_trusted, &proto, &data);
>+ options.forward_x11_trusted,
>+ options.forward_x11_timeout, &proto, &data);
> /* Request forwarding with authentication spoofing. */
> debug("Requesting X11 forwarding with authentication "
> "spoofing.");
>Index: ssh_config.5
>===================================================================
>RCS file: /cvs/openssh/ssh_config.5,v
>retrieving revision 1.133
>diff -u -r1.133 ssh_config.5
>--- ssh_config.5 17 Apr 2010 22:07:43 -0000 1.133
>+++ ssh_config.5 20 Jun 2010 11:23:57 -0000
>@@ -432,6 +432,10 @@
> if the
> .Cm ForwardX11Trusted
> option is also enabled.
>+.It Cm ForwardX11Timeout
>+The timeout (in seconds) used for untrusted X11 authentication data. The
>+default is 1200 seconds. Long timeouts may be used to workaround broken X ACLs
>+from making untrusted connections fallback to trusted after expiration.
> .It Cm ForwardX11Trusted
> If this option is set to
> .Dq yes ,