Bug 1785 - configurable timeout for x11 cookies
Summary: configurable timeout for x11 cookies
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh (show other bugs)
Version: 5.5p1
Hardware: All Linux
Importance: P2 enhancement
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks: V_5_6
Reported: 2010-06-20 21:24 AEST by Tavis Ormandy
Modified: 2011-01-24 12:33 AEDT (History)

See Also:


Attachments
Possible implementation of ForwardX11Timeout (6.50 KB, patch)
2010-06-20 21:24 AEST, Tavis Ormandy
no flags
/home/djm/ssh-x11forwardtimeout2.diff (8.65 KB, patch)
2010-06-25 13:33 AEST, Damien Miller
no flags

Description Tavis Ormandy 2010-06-20 21:24:46 AEST
Created attachment 1877
Possible implementation of ForwardX11Timeout

On several popular Linux distributions (like Red Hat), X11 access control is performed using SO_PEERCRED credentials; this breaks ssh -X, as once the untrusted cookie expires, the untrusted connection becomes trusted.

I posted about this to the Xorg devel list.

http://lists.x.org/archives/xorg-devel/2010-May/008636.html

I don't think OpenSSH is to blame, but it would be great if a workaround was available. Because X will prefer the authentication data ssh sends before the fallback, perhaps providing an option to make sure it doesn't expire while the connection exists is a reasonable workaround?

Patch against CVS attached that might be acceptable; it is generally useful even for people not affected by this issue (the default hardcoded timeout of 2 hours is a little short IMHO).

This only applies to untrusted cookies, which are of low value to attackers (at least, they're a supported security boundary).

The X developers did not have any useful suggestions to work around this problem, but perhaps you guys can think of one? An alternative might be just to refuse to work when requested to forward untrusted X11 connections to a machine using si:localuser access.

Any help appreciated, I'm happy to write some code, test, etc.

Patch tested like so:

$ xhost
access control enabled, only authorized clients can connect
SI:localuser:taviso
$ ./ssh -oForwardX11Timeout=10 -X untrusted@localhost
Last login: Sun Jun 20 13:17:34 2010 from insomniac.lan
$ xwd -root > /dev/null; echo $?
X Error of failed request:  BadWindow (invalid Window parameter)
  Major opcode of failed request:  3 (X_GetWindowAttributes)
  Resource id in failed request:  0x300001
  Serial number of failed request:  17
  Current serial number in output stream:  18
1
$ sleep 10
$ xwd -root > /dev/null; echo $?
0
Comment 1 Damien Miller 2010-06-25 12:30:57 AEST
Additionally, we can make the client refuse X11 connection requests for untrusted channels when it knows the cookie is scheduled to expire (minus a few seconds to be safe).
Comment 2 Damien Miller 2010-06-25 13:33:57 AEST
Created attachment 1886
/home/djm/ssh-x11forwardtimeout2.diff

Make client refuse X11 connections after timeout has expired
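The following is an added illustration of the mechanism discussed in the description and in Comments 1 and 2; it is not code from OpenSSH, from the X server, or from either poster. It models the X server's access decision on a display that also allows SI:localuser (SO_PEERCRED) access, where a forwarded connection whose untrusted cookie has lapsed is admitted as the local user rather than rejected, and the client-side fix: parse a ForwardX11Timeout value in the ssh_config TIME FORMATS syntax, pass the lifetime to xauth in the `generate ... untrusted timeout N` form that xauth(1) documents, and refuse new X11 channel requests a few seconds before that lifetime ends so the fallback is never reached through the forwarded socket. The helper names, the 5-second safety margin, the simplified server logic and the sample timestamps are assumptions of this example.

```python
"""Model of the expiring-cookie problem and the ForwardX11Timeout fix.
Illustrative code only; not OpenSSH's, the X server's, or the posters' code."""
import re
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional

# ssh_config(5) TIME FORMATS: plain seconds or s/m/h/d/w qualifiers, combinable ("1h30m").
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TOKEN = re.compile(r"(\d+)([smhdw]?)", re.IGNORECASE)
DEFAULT_TIMEOUT_SECONDS = 20 * 60   # OpenSSH default: untrusted forwarding ends after 20 minutes
SAFETY_MARGIN_SECONDS = 5           # assumption standing in for "a few seconds to be safe"


def parse_time(spec: str) -> int:
    """Seconds denoted by an ssh_config time value such as "600", "20m", "1h30m" or "1w"."""
    spec = spec.strip()
    if not spec:
        raise ValueError("empty time specification")
    total, pos = 0, 0
    while pos < len(spec):
        m = _TOKEN.match(spec, pos)
        if m is None:
            raise ValueError(f"bad time specification: {spec!r}")
        total += int(m.group(1)) * _UNITS[m.group(2).lower() or "s"]
        pos = m.end()
    return total


@dataclass(frozen=True)
class CookieSchedule:
    xauth_timeout: int              # seconds handed to xauth; 0 = cookie never expires
    refuse_after: Optional[float]   # clock value after which ssh refuses X11 requests; None = never


def plan_untrusted_cookie(timeout_seconds: int, now: float,
                          margin: int = SAFETY_MARGIN_SECONDS) -> CookieSchedule:
    """ForwardX11Timeout 0 disables the limit: the cookie lives as long as the connection."""
    if timeout_seconds < 0:
        raise ValueError("timeout must not be negative")
    if timeout_seconds == 0:
        return CookieSchedule(xauth_timeout=0, refuse_after=None)
    # Refuse strictly before the server lapses the cookie, so no request in flight
    # can end up authenticated by the SI:localuser fallback instead of the cookie.
    return CookieSchedule(timeout_seconds, now + max(timeout_seconds - margin, 0))


def xauth_generate_argv(authfile: str, display: str, schedule: CookieSchedule) -> List[str]:
    """argv for xauth(1)'s documented generate command producing an untrusted cookie."""
    argv = ["xauth", "-f", authfile, "generate", display, "MIT-MAGIC-COOKIE-1", "untrusted"]
    if schedule.xauth_timeout:
        argv += ["timeout", str(schedule.xauth_timeout)]
    return argv


def client_accepts_x11_request(schedule: CookieSchedule, trusted: bool, now: float) -> bool:
    """The gate from Comment 1: untrusted channels are refused once refuse_after has passed."""
    if trusted or schedule.refuse_after is None:
        return True
    return now < schedule.refuse_after


class ServerVerdict(Enum):
    REJECT = "reject"
    UNTRUSTED = "untrusted"   # cookie accepted; SECURITY-extension restrictions apply
    TRUSTED = "trusted"       # full access to the display


def xserver_verdict(cookie_present: bool, cookie_expired: bool,
                    localuser_access: bool, peer_is_local_user: bool) -> ServerVerdict:
    """Simplified access decision as the report describes it: cookie first, SI:localuser second."""
    if cookie_present and not cookie_expired:
        return ServerVerdict.UNTRUSTED
    if localuser_access and peer_is_local_user:
        return ServerVerdict.TRUSTED   # the problem: an expired untrusted cookie escalates
    return ServerVerdict.REJECT


def forwarded_request_outcome(timeout_spec: str, start: float, now: float,
                              client_gate: bool = True,
                              localuser_access: bool = True) -> ServerVerdict:
    """Outcome of an untrusted forwarded X11 request at time `now`. The forwarded
    socket belongs to the local user, so SO_PEERCRED always matches on the server."""
    schedule = plan_untrusted_cookie(parse_time(timeout_spec), start)
    if client_gate and not client_accepts_x11_request(schedule, trusted=False, now=now):
        return ServerVerdict.REJECT
    expired = schedule.xauth_timeout != 0 and now >= start + schedule.xauth_timeout
    return xserver_verdict(True, expired, localuser_access, True)


if __name__ == "__main__":
    # Constructed clock values: the session starts at t=0 with ForwardX11Timeout=10.
    for gate in (False, True):
        for t in (4.0, 12.0):
            print(f"gate={gate!s:5} t={t:4}: {forwarded_request_outcome('10', 0.0, t, gate).value}")
    print(" ".join(xauth_generate_argv("/tmp/xauth-example", "localhost:10.0",
                                       plan_untrusted_cookie(DEFAULT_TIMEOUT_SECONDS, 0.0))))
```

Without the client gate, the t=12 request lands after the cookie has expired and is admitted as trusted, which is exactly the `sleep 10; xwd -root` returning 0 in the test session above; with the gate, ssh refuses it before the server ever consults SO_PEERCRED.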
Comment 3 Tavis Ormandy 2010-06-25 22:07:54 AEST
Oops, 20 minutes, not two hours, my mistake.

Your patch looks good to me, a much better solution.
Comment 4 Damien Miller 2010-06-26 09:17:51 AEST
Patch applied; this will be in OpenSSH-5.6. Thanks!
Comment 5 Damien Miller 2011-01-24 12:33:59 AEDT
Move resolved bugs to CLOSED after 5.7 release