Bugzilla – Attachment 1886 Details for
Bug 1785
configurable timeout for x11 cookies
[patch]
/home/djm/ssh-x11forwardtimeout2.diff
ssh-x11forwardtimeout2.diff (text/plain), 8.65 KB, created by
Damien Miller
on 2010-06-25 13:33:57 AEST
Description:
/home/djm/ssh-x11forwardtimeout2.diff
Filename:
MIME Type:
Creator:
Damien Miller
Created:
2010-06-25 13:33:57 AEST
Size:
8.65 KB
patch
obsolete
>Index: clientloop.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/clientloop.c,v
>retrieving revision 1.220
>diff -u -p -r1.220 clientloop.c
>--- clientloop.c 10 Apr 2010 02:08:44 -0000 1.220
>+++ clientloop.c 25 Jun 2010 03:30:33 -0000
>@@ -147,11 +147,12 @@ static int stdin_eof; /* EOF has been e
> static Buffer stdin_buffer; /* Buffer for stdin data. */
> static Buffer stdout_buffer; /* Buffer for stdout data. */
> static Buffer stderr_buffer; /* Buffer for stderr data. */
>-static u_int buffer_high;/* Soft max buffer size. */
>+static u_int buffer_high; /* Soft max buffer size. */
> static int connection_in; /* Connection to server (input). */
> static int connection_out; /* Connection to server (output). */
> static int need_rekeying; /* Set to non-zero if rekeying is requested. */
>-static int session_closed = 0; /* In SSH2: login session closed. */
>+static int session_closed; /* In SSH2: login session closed. */
>+static int x11_refuse_time; /* If >0, refuse x11 opens after this time. */
>
> static void client_init_dispatch(void);
> int session_ident = -1;
>@@ -246,7 +247,7 @@ get_current_time(void)
> #define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
> void
> client_x11_get_proto(const char *display, const char *xauth_path,
>- u_int trusted, char **_proto, char **_data)
>+ u_int trusted, u_int timeout, char **_proto, char **_data)
> {
> char cmd[1024];
> char line[512];
>@@ -256,6 +257,7 @@ client_x11_get_proto(const char *display
> int got_data = 0, generated = 0, do_unlink = 0, i;
> char *xauthdir, *xauthfile;
> struct stat st;
>+ u_int now;
>
> xauthdir = xauthfile = NULL;
> *_proto = proto;
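Review bot: `x11_refuse_time` is declared `static int` here, but the `@@ -291` hunk stores `UINT_MAX` and the `u_int` sum `now + timeout` in it, and the `@@ -1672` hunk compares it against `time(NULL)`. Converting `UINT_MAX` to `int` is out of range (implementation-defined; -1 on the usual two's-complement ABIs), and a sum past `INT_MAX` goes negative the same way, so the saturation branch would make `time(NULL) >= x11_refuse_time` true on the first X11 open and every one after it — failing closed, but not honouring the configured timeout. Declare it to match the arithmetic it takes part in: `static u_int x11_refuse_time; /* If >0, refuse x11 opens after this time. */`. That also removes the signed/unsigned mix in the comparison in `client_request_x11`.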
>@@ -291,11 +293,18 @@ client_x11_get_proto(const char *display
> xauthdir);
> snprintf(cmd, sizeof(cmd),
> "%s -f %s generate %s " SSH_X11_PROTO
>- " untrusted timeout 1200 2>" _PATH_DEVNULL,
>- xauth_path, xauthfile, display);
>+ " untrusted timeout %u 2>" _PATH_DEVNULL,
>+ xauth_path, xauthfile, display, timeout);
> debug2("x11_get_proto: %s", cmd);
> if (system(cmd) == 0)
> generated = 1;
>+ if (x11_refuse_time == 0) {
>+ now = time(NULL) + 1;
>+ if (UINT_MAX - timeout < now)
>+ x11_refuse_time = UINT_MAX;
>+ else
>+ x11_refuse_time = now + timeout;
>+ }
> }
> }
>
>@@ -1672,6 +1681,11 @@ client_request_x11(const char *request_t
> error("Warning: ssh server tried X11 forwarding.");
> error("Warning: this is probably a break-in attempt by a "
> "malicious server.");
>+ return NULL;
>+ }
>+ if (x11_refuse_time != 0 && time(NULL) >= x11_refuse_time) {
>+ verbose("Rejected X11 connection after ForwardX11Timeout "
>+ "expired");
> return NULL;
> }
> originator = packet_get_string(NULL);
>Index: clientloop.h
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/clientloop.h,v
>retrieving revision 1.24
>diff -u -p -r1.24 clientloop.h
>--- clientloop.h 16 May 2010 12:55:51 -0000 1.24
>+++ clientloop.h 25 Jun 2010 03:30:33 -0000
>@@ -39,7 +39,7 @@
>
> /* Client side main loop for the interactive session. */
> int client_loop(int, int, int);
>-void client_x11_get_proto(const char *, const char *, u_int,
>+void client_x11_get_proto(const char *, const char *, u_int, u_int,
> char **, char **);
> void client_global_request_reply_fwd(int, u_int32_t, void *);
> void client_session2_setup(int, int, int, const char *, struct termios *,
>Index: mux.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/mux.c,v
>retrieving revision 1.19
>diff -u -p -r1.19 mux.c
>--- mux.c 17 Jun 2010 07:07:30 -0000 1.19
>+++ mux.c 25 Jun 2010 03:30:33 -0000
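Review bot: A configured timeout of 0 is not handled by the added block: `x11_refuse_time` becomes `now + 0`, so the client refuses every X11 open about a second after the cookie is generated, while `xauth` is told `untrusted timeout 0` (which, if xauth reads 0 as "no expiry", means the opposite on the X server side). Either reject 0 where `oForwardX11Timeout` does `goto parse_time` in readconf.c (the `@@ -399` hunk), or give 0 a defined meaning, e.g. `if (timeout != 0 && x11_refuse_time == 0) {`, and state in ssh_config.5 what a zero value does. The enclosing `client_x11_get_proto` body starts and ends outside the hunk.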
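Review bot: The expiry check added in `client_request_x11` reads `time(NULL)`, a wall clock, so a clock step (NTP correction, manual change) moves the refusal point, and a step backwards reopens a window that had already closed; the cookie lifetime handed to `xauth` is timed independently, so the two limits can drift apart. If the tree has a monotonic time source, prefer it both here and where `x11_refuse_time` is set in the `@@ -291` hunk; otherwise a comment such as `/* wall-clock based: a clock step shifts the expiry */` on the check would document the dependence. `client_request_x11` continues outside the hunk on both sides.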
>@@ -1095,7 +1095,7 @@ mux_session_confirm(int id, int success,
> char *proto, *data;
> /* Get reasonable local authentication information. */
> client_x11_get_proto(display, options.xauth_location,
>- options.forward_x11_trusted, &proto, &data);
>+ options.forward_x11_trusted, options.forward_x11_timeout, &proto, &data);
> /* Request forwarding with authentication spoofing. */
> debug("Requesting X11 forwarding with authentication spoofing.");
> x11_request_forwarding_with_spoofing(id, display, proto, data);
>Index: readconf.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/readconf.c,v
>retrieving revision 1.184
>diff -u -p -r1.184 readconf.c
>--- readconf.c 16 May 2010 12:55:51 -0000 1.184
>+++ readconf.c 25 Jun 2010 03:30:33 -0000
>@@ -107,8 +107,8 @@
>
> typedef enum {
> oBadOption,
>- oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
>- oExitOnForwardFailure,
>+ oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout,
>+ oGatewayPorts, oExitOnForwardFailure,
> oPasswordAuthentication, oRSAAuthentication,
> oChallengeResponseAuthentication, oXAuthLocation,
> oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
>@@ -140,6 +140,7 @@ static struct {
> { "forwardagent", oForwardAgent },
> { "forwardx11", oForwardX11 },
> { "forwardx11trusted", oForwardX11Trusted },
>+ { "forwardx11timeout", oForwardX11Timeout },
> { "exitonforwardfailure", oExitOnForwardFailure },
> { "xauthlocation", oXAuthLocation },
> { "gatewayports", oGatewayPorts },
>@@ -399,6 +400,10 @@ parse_flag:
> case oForwardX11Trusted:
> intptr = &options->forward_x11_trusted;
> goto parse_flag;
>+
>+ case oForwardX11Timeout:
>+ intptr = &options->forward_x11_timeout;
>+ goto parse_time;
>
> case oGatewayPorts:
> intptr = &options->gateway_ports;
>@@ -1003,6 +1008,7 @@ initialize_options(Options * options)
> options->forward_agent = -1;
> options->forward_x11 = -1;
> options->forward_x11_trusted = -1;
>+ options->forward_x11_timeout = -1;
> options->exit_on_forward_failure = -1;
> options->xauth_location = NULL;
> options->gateway_ports = -1;
>@@ -1087,6 +1093,8 @@ fill_default_options(Options * options)
> options->forward_x11 = 0;
> if (options->forward_x11_trusted == -1)
> options->forward_x11_trusted = 0;
>+ if (options->forward_x11_timeout == -1)
>+ options->forward_x11_timeout = 1200;
> if (options->exit_on_forward_failure == -1)
> options->exit_on_forward_failure = 0;
> if (options->xauth_location == NULL)
>Index: readconf.h
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/readconf.h,v
>retrieving revision 1.83
>diff -u -p -r1.83 readconf.h
>--- readconf.h 16 May 2010 12:55:51 -0000 1.83
>+++ readconf.h 25 Jun 2010 03:30:33 -0000
>@@ -32,6 +32,7 @@ typedef struct {
> typedef struct {
> int forward_agent; /* Forward authentication agent. */
> int forward_x11; /* Forward X11 display. */
>+ int forward_x11_timeout; /* Expiration for Cookies */
> int forward_x11_trusted; /* Trust Forward X11 display. */
> int exit_on_forward_failure; /* Exit if bind(2) fails for -L/-R */
> char *xauth_location; /* Location for xauth program */
>Index: ssh.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/ssh.c,v
>retrieving revision 1.338
>diff -u -p -r1.338 ssh.c
>--- ssh.c 16 May 2010 12:55:51 -0000 1.338
>+++ ssh.c 25 Jun 2010 03:30:34 -0000
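Review bot: The new field's comment in readconf.h, `/* Expiration for Cookies */`, gives neither the unit nor the forwarding mode, while the neighbouring comments in the struct are specific; the value is formatted into the `untrusted timeout %u` xauth command and `fill_default_options` sets it to 1200 to match the man page's "twenty minutes", so it is seconds and applies to untrusted forwarding only. Suggest `int forward_x11_timeout; /* Untrusted X11 cookie expiry, seconds (-1 = unset) */`. The 1200 in the `@@ -1087` hunk could also be a named constant so the code default and the ssh_config.5 text are kept together.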
>@@ -1077,7 +1077,9 @@ ssh_session(void)
> char *proto, *data;
> /* Get reasonable local authentication information. */
> client_x11_get_proto(display, options.xauth_location,
>- options.forward_x11_trusted, &proto, &data);
>+ options.forward_x11_trusted,
>+ options.forward_x11_timeout,
>+ &proto, &data);
> /* Request forwarding with authentication spoofing. */
> debug("Requesting X11 forwarding with authentication "
> "spoofing.");
>@@ -1173,7 +1175,8 @@ ssh_session2_setup(int id, int success,
> char *proto, *data;
> /* Get reasonable local authentication information. */
> client_x11_get_proto(display, options.xauth_location,
>- options.forward_x11_trusted, &proto, &data);
>+ options.forward_x11_trusted,
>+ options.forward_x11_timeout, &proto, &data);
> /* Request forwarding with authentication spoofing. */
> debug("Requesting X11 forwarding with authentication "
> "spoofing.");
>Index: ssh_config.5
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/ssh_config.5,v
>retrieving revision 1.133
>diff -u -p -r1.133 ssh_config.5
>--- ssh_config.5 16 Apr 2010 06:45:01 -0000 1.133
>+++ ssh_config.5 25 Jun 2010 03:30:34 -0000
>@@ -432,6 +432,16 @@ An attacker may then be able to perform
> if the
> .Cm ForwardX11Trusted
> option is also enabled.
>+.It Cm ForwardX11Timeout
>+Specify a timeout for untrusted X11 forwarding using the format described in
>+.Sx TIME FORMATS
>+section of
>+.Xr sshd_config 5 .
>+X11 connections received by
>+.Xr ssh 1
>+after this time will be refused.
>+The default is to disable untrusted X11 forwarding after twenty minutes has
>+elapsed.
> .It Cm ForwardX11Trusted
> If this option is set to
> .Dq yes ,