authorKevin Steves <stevesk@cvs.openbsd.org>2001-11-29 21:10:52 +0000
committerKevin Steves <stevesk@cvs.openbsd.org>2001-11-29 21:10:52 +0000
commit100e8d04434204f9d6dcbea2c610e7752994d246 (patch)
tree7ee27e0fdac190be058562c754f288d013b27606
parent523e34e5d6a452d9f21398d28e11148ae2701d28 (diff)
sshd X11 fake server will now listen on localhost by default:
$ echo $DISPLAY localhost:12.0 $ netstat -an|grep 6012 tcp 0 0 127.0.0.1.6012 *.* LISTEN tcp6 0 0 ::1.6012 *.* LISTEN sshd_config gatewayports=yes can be used to revert back to the old behavior. will control this with another option later. ok markus@
-rw-r--r--usr.bin/ssh/channels.c32
-rw-r--r--usr.bin/ssh/channels.h4
-rw-r--r--usr.bin/ssh/session.c53
3 files changed, 49 insertions, 40 deletions
diff --git a/usr.bin/ssh/channels.c b/usr.bin/ssh/channels.c
index 3e7ba4c7e28..f93e4850e13 100644
--- a/usr.bin/ssh/channels.c
+++ b/usr.bin/ssh/channels.c
@@ -39,7 +39,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: channels.c,v 1.140 2001/10/10 22:18:47 markus Exp $");
+RCSID("$OpenBSD: channels.c,v 1.141 2001/11/29 21:10:51 stevesk Exp $");
#include "ssh.h"
#include "ssh1.h"
@@ -2390,19 +2390,17 @@ channel_connect_to(const char *host, u_short port)
/*
* Creates an internet domain socket for listening for X11 connections.
- * Returns a suitable value for the DISPLAY variable, or NULL if an error
- * occurs.
+ * Returns a suitable display number for the DISPLAY variable, or -1 if
+ * an error occurs.
*/
-char *
-x11_create_display_inet(int screen_number, int x11_display_offset)
+int
+x11_create_display_inet(int x11_display_offset, int gateway_ports)
{
int display_number, sock;
u_short port;
struct addrinfo hints, *ai, *aitop;
char strport[NI_MAXSERV];
int gaierr, n, num_socks = 0, socks[NUM_SOCKS];
- char display[512];
- char hostname[MAXHOSTNAMELEN];
for (display_number = x11_display_offset;
display_number < MAX_DISPLAYS;
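Review bot: The rewritten header comment does not say what `gateway_ports` does, and the new `-1` error value shares its range with the display numbers the function returns, which start at `x11_display_offset`. I would extend the comment with a sentence such as `If gateway_ports is zero the listener is bound to the loopback address only, otherwise to the wildcard address.` and state that the offset is expected to be non-negative. Whether the offset is validated when the configuration is parsed is not visible here. The function body continues past this hunk.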
@@ -2410,12 +2408,12 @@ x11_create_display_inet(int screen_number, int x11_display_offset)
port = 6000 + display_number;
memset(&hints, 0, sizeof(hints));
hints.ai_family = IPv4or6;
- hints.ai_flags = AI_PASSIVE; /* XXX loopback only ? */
+ hints.ai_flags = gateway_ports ? AI_PASSIVE : 0;
hints.ai_socktype = SOCK_STREAM;
snprintf(strport, sizeof strport, "%d", port);
if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) {
error("getaddrinfo: %.100s", gai_strerror(gaierr));
- return NULL;
+ return -1;
}
for (ai = aitop; ai; ai = ai->ai_next) {
if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
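Review bot: The loopback restriction on the `hints.ai_flags` line depends on a getaddrinfo() detail that is not written down: with a NULL node and AI_PASSIVE clear, the returned addresses are the loopback ones. Since this one line is what keeps the forwarded display off external interfaces, the dropped `XXX` remark should be replaced by a comment such as `/* NULL node without AI_PASSIVE resolves to loopback (127.0.0.1, ::1) */`. The enclosing loop begins and ends outside this hunk.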
@@ -2423,7 +2421,7 @@ x11_create_display_inet(int screen_number, int x11_display_offset)
sock = socket(ai->ai_family, SOCK_STREAM, 0);
if (sock < 0) {
error("socket: %.100s", strerror(errno));
- return NULL;
+ return -1;
}
if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
debug("bind port %d: %.100s", port, strerror(errno));
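Review bot: The `return -1` after a failed socket() leaves `aitop` unreleased, and any sockets already stored in `socks[]` for this display number appear to stay open (the code that stores them is outside the hunk). Calling `freeaddrinfo(aitop);` and closing `socks[0]` through `socks[num_socks - 1]` before returning would avoid leaking the address list and descriptors on this path. The listen() failure path in the later hunk (`@@ -2455,16 +2453,10 @@`) has the same shape: it closes only the socket that failed, not the others in `socks[]`.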
@@ -2446,7 +2444,7 @@ x11_create_display_inet(int screen_number, int x11_display_offset)
}
if (display_number >= MAX_DISPLAYS) {
error("Failed to allocate internet-domain X11 display socket.");
- return NULL;
+ return -1;
}
/* Start listening for connections on the socket. */
for (n = 0; n < num_socks; n++) {
@@ -2455,16 +2453,10 @@ x11_create_display_inet(int screen_number, int x11_display_offset)
error("listen: %.100s", strerror(errno));
shutdown(sock, SHUT_RDWR);
close(sock);
- return NULL;
+ return -1;
}
}
- /* Set up a suitable value for the DISPLAY variable. */
- if (gethostname(hostname, sizeof(hostname)) < 0)
- fatal("gethostname: %.100s", strerror(errno));
- snprintf(display, sizeof display, "%.400s:%d.%d", hostname,
- display_number, screen_number);
-
/* Allocate a channel for each socket. */
for (n = 0; n < num_socks; n++) {
sock = socks[n];
@@ -2474,8 +2466,8 @@ x11_create_display_inet(int screen_number, int x11_display_offset)
0, xstrdup("X11 inet listener"), 1);
}
- /* Return a suitable value for the DISPLAY environment variable. */
- return xstrdup(display);
+ /* Return the display number for the DISPLAY environment variable. */
+ return display_number;
}
#ifndef X_UNIX_PATH
diff --git a/usr.bin/ssh/channels.h b/usr.bin/ssh/channels.h
index f58c7283cfb..840268fcf85 100644
--- a/usr.bin/ssh/channels.h
+++ b/usr.bin/ssh/channels.h
@@ -32,7 +32,7 @@
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
-/* RCSID("$OpenBSD: channels.h,v 1.52 2001/11/29 19:06:39 stevesk Exp $"); */
+/* RCSID("$OpenBSD: channels.h,v 1.53 2001/11/29 21:10:51 stevesk Exp $"); */
#ifndef CHANNEL_H
#define CHANNEL_H
@@ -197,7 +197,7 @@ channel_request_forwarding(const char *, u_short, const char *, u_short, int,
/* x11 forwarding */
int x11_connect_display(void);
-char *x11_create_display_inet(int, int);
+int x11_create_display_inet(int, int);
void x11_input_open(int, int, void *);
void x11_request_forwarding(void);
void x11_request_forwarding_with_spoofing(int, const char *, const char *);
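Review bot: The prototype `int x11_create_display_inet(int, int);` keeps two unnamed `int` parameters although their meaning changed from (screen number, display offset) to (display offset, gateway-ports flag). Naming them, `int x11_create_display_inet(int x11_display_offset, int gateway_ports);`, makes the header self-documenting and makes it harder to pass the arguments in the old order, which would still type-check.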
diff --git a/usr.bin/ssh/session.c b/usr.bin/ssh/session.c
index b9753dba16b..993251cf706 100644
--- a/usr.bin/ssh/session.c
+++ b/usr.bin/ssh/session.c
@@ -33,7 +33,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.108 2001/10/11 13:45:21 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.109 2001/11/29 21:10:51 stevesk Exp $");
#include "ssh.h"
#include "ssh1.h"
@@ -73,8 +73,10 @@ struct Session {
int row, col, xpixel, ypixel;
char tty[TTYSZ];
/* X11 */
+ int display_number;
char *display;
int screen;
+ char *auth_display;
char *auth_proto;
char *auth_data;
int single_connection;
@@ -1030,33 +1032,20 @@ do_child(Session *s, const char *command)
_PATH_SSH_SYSTEM_RC);
} else if (do_xauth && options.xauth_location != NULL) {
/* Add authority data to .Xauthority if appropriate. */
- char *screen = strchr(s->display, ':');
if (debug_flag) {
fprintf(stderr,
"Running %.100s add "
"%.100s %.100s %.100s\n",
- options.xauth_location, s->display,
+ options.xauth_location, s->auth_display,
s->auth_proto, s->auth_data);
- if (screen != NULL)
- fprintf(stderr,
- "Adding %.*s/unix%s %s %s\n",
- (int)(screen - s->display),
- s->display, screen,
- s->auth_proto, s->auth_data);
}
snprintf(cmd, sizeof cmd, "%s -q -",
options.xauth_location);
f = popen(cmd, "w");
if (f) {
- fprintf(f, "add %s %s %s\n", s->display,
+ fprintf(f, "add %s %s %s\n", s->auth_display,
s->auth_proto, s->auth_data);
- if (screen != NULL)
- fprintf(f, "add %.*s/unix%s %s %s\n",
- (int)(screen - s->display),
- s->display, screen,
- s->auth_proto,
- s->auth_data);
pclose(f);
} else {
fprintf(stderr, "Could not run %s\n",
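Review bot: The `add %s %s %s\n` line written to xauth's stdin interpolates `s->auth_proto` and `s->auth_data` without any visible check on their contents. If these fields originate from the client's X11 forwarding request (their assignment is outside this hunk, so this is an assumption), they should be validated before use, for example rejected unless they consist only of printable, non-whitespace characters, so that xauth always reads a single `add` command. The result of `pclose(f)` is also ignored, so a failed xauth run goes unreported. do_child starts and ends outside the hunk.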
@@ -1549,6 +1538,8 @@ session_close(Session *s)
xfree(s->term);
if (s->display)
xfree(s->display);
+ if (s->auth_display)
+ xfree(s->auth_display);
if (s->auth_data)
xfree(s->auth_data);
if (s->auth_proto)
@@ -1644,6 +1635,8 @@ int
session_setup_x11fwd(Session *s)
{
struct stat st;
+ char display[512], auth_display[512];
+ char hostname[MAXHOSTNAMELEN];
if (no_x11_forwarding_flag) {
packet_send_debug("X11 forwarding disabled in user configuration file.");
@@ -1667,11 +1660,35 @@ session_setup_x11fwd(Session *s)
debug("X11 display already set.");
return 0;
}
- s->display = x11_create_display_inet(s->screen, options.x11_display_offset);
- if (s->display == NULL) {
+ s->display_number = x11_create_display_inet(options.x11_display_offset,
+ options.gateway_ports);
+ if (s->display_number == -1) {
debug("x11_create_display_inet failed.");
return 0;
}
+
+ /* Set up a suitable value for the DISPLAY variable. */
+ if (gethostname(hostname, sizeof(hostname)) < 0)
+ fatal("gethostname: %.100s", strerror(errno));
+ /*
+ * auth_display must be used as the displayname when the
+ * authorization entry is added with xauth(1). This will be
+ * different than the DISPLAY string for localhost displays.
+ */
+ if (!options.gateway_ports) {
+ snprintf(display, sizeof display, "localhost:%d.%d",
+ s->display_number, s->screen);
+ snprintf(auth_display, sizeof auth_display, "%.400s/unix:%d.%d",
+ hostname, s->display_number, s->screen);
+ s->display = xstrdup(display);
+ s->auth_display = xstrdup(auth_display);
+ } else {
+ snprintf(display, sizeof display, "%.400s:%d.%d", hostname,
+ s->display_number, s->screen);
+ s->display = xstrdup(display);
+ s->auth_display = xstrdup(display);
+ }
+
return 1;
}
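Review bot: `hostname` is formatted with `%.400s` right after `gethostname(hostname, sizeof(hostname))` without being explicitly terminated. POSIX leaves it unspecified whether a truncated name is NUL-terminated, and the 400-character precision does not bound the read to the buffer if MAXHOSTNAMELEN is smaller than that. Adding `hostname[sizeof(hostname) - 1] = '\0';` after the call closes that gap. Note also that `fatal()` here runs after x11_create_display_inet() has already created the listeners, so it may be worth fetching the hostname before allocating them. The function begins outside this hunk.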