Bug 1785

Summary: configurable timeout for x11 cookies
Product: Portable OpenSSH
Reporter: Tavis Ormandy <taviso>
Component: ssh
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED
Severity: enhancement
CC: djm
Priority: P2
Version: 5.5p1
Hardware: All
OS: Linux
Bug Depends on:
Bug Blocks: 1708
Attachments:
  Possible implementation of ForwardX11Timeout (flags: none)
  /home/djm/ssh-x11forwardtimeout2.diff (flags: none)

Description Tavis Ormandy 2010-06-20 21:24:46 AEST
Created attachment 1877 [details]
Possible implementation of ForwardX11Timeout

On several popular Linux distributions (like Red Hat), X11 access control is performed using SO_PEERCRED credentials; this breaks ssh -X, as once the untrusted cookie expires, the untrusted connection becomes trusted.

I posted about this to the Xorg devel list.

http://lists.x.org/archives/xorg-devel/2010-May/008636.html

I don't think openssh is to blame, but it would be great if a workaround was available. Because X will prefer the authentication data ssh sends before the fallback, perhaps providing an option to make sure it doesn't expire while the connection exists is a reasonable workaround?

Patch against CVS attached that might be acceptable, and it is generally useful even for people not affected by this issue (the default hardcoded timeout of 2 hours is a little short imho).

This only applies to untrusted cookies, which are of low value to attackers (at least, they're a supported security boundary).

The X developers did not have any useful suggestions to work around this problem, but perhaps you guys can think of one? An alternative might be just to refuse to work when requested to forward untrusted X11 connections to a machine using si:localuser access.

Any help appreciated, I'm happy to write some code, test, etc.

Patch tested like so:

$ xhost
access control enabled, only authorized clients can connect
SI:localuser:taviso
$ ./ssh -oForwardX11Timeout=10 -X untrusted@localhost
Last login: Sun Jun 20 13:17:34 2010 from insomniac.lan
$ xwd -root > /dev/null; echo $?
X Error of failed request:  BadWindow (invalid Window parameter)
  Major opcode of failed request:  3 (X_GetWindowAttributes)
  Resource id in failed request:  0x300001
  Serial number of failed request:  17
  Current serial number in output stream:  18
1
$ sleep 10
$ xwd -root > /dev/null; echo $?
0
Comment 1 Damien Miller 2010-06-25 12:30:57 AEST
Additionally, we can make the client refuse X11 connection requests for untrusted channels when it knows the cookie is scheduled to expire (minus a few seconds to be safe).
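The failure mode in the report and the guard proposed in comment 1 can be shown side by side with a small model. The following is an added illustration written for this page, not code from OpenSSH or Xorg: it models an X server that honours a presented cookie while it is unexpired and otherwise falls back to its server-interpreted access list (the SI:localuser entry matched via SO_PEERCRED), and an ssh client that stops opening forwarded X11 connections once the untrusted cookie is about to expire. All class and function names, the cookie value, the user name and the timestamps are constructed for the example.

```python
"""Constructed model of the access decision chain described in bug 1785.

Not OpenSSH's or Xorg's implementation; names and values are assumed.
"""
from dataclasses import dataclass, field

UNTRUSTED = "untrusted"  # SECURITY-extension restricted access
TRUSTED = "trusted"      # full access to the display
DENIED = "denied"        # connection refused


@dataclass
class Cookie:
    value: bytes
    trusted: bool
    expires_at: float  # absolute time; untrusted cookies carry a timeout


@dataclass
class XServerPolicy:
    """Simplified server side: try the presented cookie first, then fall
    back to the SI:localuser access list keyed on the peer's uid/name."""
    cookies: dict = field(default_factory=dict)
    localuser_entries: set = field(default_factory=set)

    def authorize(self, cookie, peer_user, now):
        entry = self.cookies.get(cookie)
        if entry is not None and now < entry.expires_at:
            return TRUSTED if entry.trusted else UNTRUSTED
        # Cookie unknown or expired: the SI:localuser fallback decides, and it
        # grants *trusted* access because the ssh client is a local process.
        if peer_user in self.localuser_entries:
            return TRUSTED
        return DENIED


@dataclass
class SshClientX11:
    """Client-side guard from comment 1: refuse new X11 channel opens once the
    untrusted cookie is within a safety margin of expiring."""
    cookie: bytes
    issued_at: float
    timeout: float
    safety_margin: float = 5.0

    def accept_channel_open(self, now):
        return now < self.issued_at + self.timeout - self.safety_margin


def run_scenario(guarded):
    """Return the access outcome for a forwarded connection opened 1 s after
    cookie generation and again 2 s after the 10 s untrusted timeout."""
    now = 1000.0          # constructed clock value
    timeout = 10.0        # mirrors -oForwardX11Timeout=10 from the report
    local_user = "taviso"  # the user running ssh, as seen via SO_PEERCRED
    cookie = b"constructed-untrusted-cookie"

    server = XServerPolicy(localuser_entries={local_user})
    server.cookies[cookie] = Cookie(cookie, trusted=False, expires_at=now + timeout)
    client = SshClientX11(cookie, issued_at=now, timeout=timeout)

    outcomes = []
    for t in (now + 1, now + timeout + 2):
        if guarded and not client.accept_channel_open(t):
            outcomes.append(DENIED)  # ssh never connects to the display
        else:
            outcomes.append(server.authorize(cookie, local_user, t))
    return outcomes


if __name__ == "__main__":
    print("without guard:", run_scenario(guarded=False))  # ['untrusted', 'trusted']
    print("with guard:   ", run_scenario(guarded=True))   # ['untrusted', 'denied']
```

Without the guard, the second connection silently escalates from the untrusted to the trusted outcome, which is exactly what the `xwd -root` exit status of 0 after `sleep 10` shows in the report; with the guard, the client refuses the channel instead, so the server's fallback never gets a chance to run.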
Comment 2 Damien Miller 2010-06-25 13:33:57 AEST
Created attachment 1886 [details]
/home/djm/ssh-x11forwardtimeout2.diff

Make client refuse X11 connections after timeout has expired
Comment 3 Tavis Ormandy 2010-06-25 22:07:54 AEST
Oops, 20 minutes, not two hours, my mistake.

Your patch looks good to me, a much better solution.
Comment 4 Damien Miller 2010-06-26 09:17:51 AEST
Patch applied - this will be in OpenSSH-5.6. Thanks!
Comment 5 Damien Miller 2011-01-24 12:33:59 AEDT
Move resolved bugs to CLOSED after 5.7 release