authorDamien Miller <djm@cvs.openbsd.org>2010-06-25 23:15:37 +0000
committerDamien Miller <djm@cvs.openbsd.org>2010-06-25 23:15:37 +0000
commit37b7c4178ce4de69ad41a48888a3aa5d8165bf8e (patch)
tree7336646978c813d26219442c6bc55604b8320c42
parent526de9c160c5b187a1106695c0bedfa263e00eb4 (diff)
Add X11ForwardTimeout option to specify timeout for untrusted X11
authentication cookies to avoid the X11 code falling back to fully-trusted implicit authentication using SO_PEERCRED, as described at: http://lists.x.org/archives/xorg-devel/2010-May/008636.html After the X11ForwardTimeout has expired, the client will now refuse incoming X11 channel opens. based on patch from Tavis Ormandy; "nice" markus@
-rw-r--r--usr.bin/ssh/clientloop.c26
-rw-r--r--usr.bin/ssh/clientloop.h4
-rw-r--r--usr.bin/ssh/mux.c9
-rw-r--r--usr.bin/ssh/readconf.c14
-rw-r--r--usr.bin/ssh/readconf.h3
-rw-r--r--usr.bin/ssh/ssh.c9
-rw-r--r--usr.bin/ssh/ssh_config.514
7 files changed, 59 insertions, 20 deletions
diff --git a/usr.bin/ssh/clientloop.c b/usr.bin/ssh/clientloop.c
index ff00211b909..be01467e9d4 100644
--- a/usr.bin/ssh/clientloop.c
+++ b/usr.bin/ssh/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.220 2010/04/10 02:08:44 djm Exp $ */
+/* $OpenBSD: clientloop.c,v 1.221 2010/06/25 23:15:36 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -147,11 +147,12 @@ static int stdin_eof; /* EOF has been encountered on stderr. */
static Buffer stdin_buffer; /* Buffer for stdin data. */
static Buffer stdout_buffer; /* Buffer for stdout data. */
static Buffer stderr_buffer; /* Buffer for stderr data. */
-static u_int buffer_high;/* Soft max buffer size. */
+static u_int buffer_high; /* Soft max buffer size. */
static int connection_in; /* Connection to server (input). */
static int connection_out; /* Connection to server (output). */
static int need_rekeying; /* Set to non-zero if rekeying is requested. */
-static int session_closed = 0; /* In SSH2: login session closed. */
+static int session_closed; /* In SSH2: login session closed. */
+static int x11_refuse_time; /* If >0, refuse x11 opens after this time. */
static void client_init_dispatch(void);
int session_ident = -1;
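Review bot: The new `x11_refuse_time` is declared `int`, yet the later hunk in client_x11_get_proto stores `UINT_MAX` into it on the overflow path and a `u_int` sum otherwise, and the hunk in client_request_x11 compares it with `time(NULL)`; on a 32-bit `int` the usual conversion of `UINT_MAX` yields -1, so once the saturation branch is taken the `!= 0 && time(NULL) >= x11_refuse_time` check rejects every X11 open, and any `now + timeout` above `INT_MAX` lands in the same negative range. Keeping the variable in the clock's own type, `static time_t x11_refuse_time; /* If >0, refuse x11 opens after this time. */`, and saturating to the largest value that type can hold instead of `UINT_MAX`, keeps the arithmetic and the comparison in one type. The same change would allow `now` in client_x11_get_proto to be a `time_t` rather than a `u_int`, avoiding the truncation of `time(NULL) + 1` on platforms where `time_t` is wider than `u_int`.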
@@ -246,7 +247,7 @@ get_current_time(void)
#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
void
client_x11_get_proto(const char *display, const char *xauth_path,
- u_int trusted, char **_proto, char **_data)
+ u_int trusted, u_int timeout, char **_proto, char **_data)
{
char cmd[1024];
char line[512];
@@ -256,6 +257,7 @@ client_x11_get_proto(const char *display, const char *xauth_path,
int got_data = 0, generated = 0, do_unlink = 0, i;
char *xauthdir, *xauthfile;
struct stat st;
+ u_int now;
xauthdir = xauthfile = NULL;
*_proto = proto;
@@ -291,11 +293,18 @@ client_x11_get_proto(const char *display, const char *xauth_path,
xauthdir);
snprintf(cmd, sizeof(cmd),
"%s -f %s generate %s " SSH_X11_PROTO
- " untrusted timeout 1200 2>" _PATH_DEVNULL,
- xauth_path, xauthfile, display);
+ " untrusted timeout %u 2>" _PATH_DEVNULL,
+ xauth_path, xauthfile, display, timeout);
debug2("x11_get_proto: %s", cmd);
if (system(cmd) == 0)
generated = 1;
+ if (x11_refuse_time == 0) {
+ now = time(NULL) + 1;
+ if (UINT_MAX - timeout < now)
+ x11_refuse_time = UINT_MAX;
+ else
+ x11_refuse_time = now + timeout;
+ }
}
}
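Review bot: A configured `ForwardX11Timeout` of zero is not special-cased in the new block: `now = time(NULL) + 1` followed by `x11_refuse_time = now + timeout` arms the refusal about one second after the cookie is generated, while the same zero is handed to xauth as `untrusted timeout 0`, whatever xauth makes of that. If zero is meant to disable the client-side timeout, the block should be guarded with `if (timeout != 0 && x11_refuse_time == 0) {` and the meaning of zero spelled out in ssh_config.5; if zero is meant to be invalid, it is better rejected at parse time than silently turned into a near-immediate refusal. The enclosing function client_x11_get_proto begins before this hunk.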
@@ -1674,6 +1683,11 @@ client_request_x11(const char *request_type, int rchan)
"malicious server.");
return NULL;
}
+ if (x11_refuse_time != 0 && time(NULL) >= x11_refuse_time) {
+ verbose("Rejected X11 connection after ForwardX11Timeout "
+ "expired");
+ return NULL;
+ }
originator = packet_get_string(NULL);
if (datafellows & SSH_BUG_X11FWD) {
debug2("buggy server: x11 request w/o originator_port");
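Review bot: The refusal added at `if (x11_refuse_time != 0 && time(NULL) >= x11_refuse_time)` reports only through `verbose()`, so under default logging a user whose X11 application fails to start after the timeout sees no explanation at all. An expired cookie is an expected, user-visible condition rather than an attack indicator, so a message at normal log level (`logit()`), or at least one that names the option and the configured value, would make the behaviour diagnosable without `-v`. The enclosing function client_request_x11 begins before this hunk and continues after it.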
diff --git a/usr.bin/ssh/clientloop.h b/usr.bin/ssh/clientloop.h
index a5bc246a343..52115db6ec8 100644
--- a/usr.bin/ssh/clientloop.h
+++ b/usr.bin/ssh/clientloop.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.h,v 1.24 2010/05/16 12:55:51 markus Exp $ */
+/* $OpenBSD: clientloop.h,v 1.25 2010/06/25 23:15:36 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -39,7 +39,7 @@
/* Client side main loop for the interactive session. */
int client_loop(int, int, int);
-void client_x11_get_proto(const char *, const char *, u_int,
+void client_x11_get_proto(const char *, const char *, u_int, u_int,
char **, char **);
void client_global_request_reply_fwd(int, u_int32_t, void *);
void client_session2_setup(int, int, int, const char *, struct termios *,
diff --git a/usr.bin/ssh/mux.c b/usr.bin/ssh/mux.c
index 71557a8b37b..92de5636dab 100644
--- a/usr.bin/ssh/mux.c
+++ b/usr.bin/ssh/mux.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mux.c,v 1.20 2010/06/25 07:14:46 djm Exp $ */
+/* $OpenBSD: mux.c,v 1.21 2010/06/25 23:15:36 djm Exp $ */
/*
* Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org>
*
@@ -1089,11 +1089,14 @@ mux_session_confirm(int id, int success, void *arg)
display = getenv("DISPLAY");
if (cctx->want_x_fwd && options.forward_x11 && display != NULL) {
char *proto, *data;
+
/* Get reasonable local authentication information. */
client_x11_get_proto(display, options.xauth_location,
- options.forward_x11_trusted, &proto, &data);
+ options.forward_x11_trusted, options.forward_x11_timeout,
+ &proto, &data);
/* Request forwarding with authentication spoofing. */
- debug("Requesting X11 forwarding with authentication spoofing.");
+ debug("Requesting X11 forwarding with authentication "
+ "spoofing.");
x11_request_forwarding_with_spoofing(id, display, proto, data);
/* XXX wait for reply */
}
diff --git a/usr.bin/ssh/readconf.c b/usr.bin/ssh/readconf.c
index c5474132f8e..da717e6462c 100644
--- a/usr.bin/ssh/readconf.c
+++ b/usr.bin/ssh/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.185 2010/06/25 07:14:46 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.186 2010/06/25 23:15:36 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -107,8 +107,8 @@
typedef enum {
oBadOption,
- oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
- oExitOnForwardFailure,
+ oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout,
+ oGatewayPorts, oExitOnForwardFailure,
oPasswordAuthentication, oRSAAuthentication,
oChallengeResponseAuthentication, oXAuthLocation,
oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
@@ -140,6 +140,7 @@ static struct {
{ "forwardagent", oForwardAgent },
{ "forwardx11", oForwardX11 },
{ "forwardx11trusted", oForwardX11Trusted },
+ { "forwardx11timeout", oForwardX11Timeout },
{ "exitonforwardfailure", oExitOnForwardFailure },
{ "xauthlocation", oXAuthLocation },
{ "gatewayports", oGatewayPorts },
@@ -410,6 +411,10 @@ parse_flag:
case oForwardX11Trusted:
intptr = &options->forward_x11_trusted;
goto parse_flag;
+
+ case oForwardX11Timeout:
+ intptr = &options->forward_x11_timeout;
+ goto parse_time;
case oGatewayPorts:
intptr = &options->gateway_ports;
@@ -1014,6 +1019,7 @@ initialize_options(Options * options)
options->forward_agent = -1;
options->forward_x11 = -1;
options->forward_x11_trusted = -1;
+ options->forward_x11_timeout = -1;
options->exit_on_forward_failure = -1;
options->xauth_location = NULL;
options->gateway_ports = -1;
@@ -1100,6 +1106,8 @@ fill_default_options(Options * options)
options->forward_x11 = 0;
if (options->forward_x11_trusted == -1)
options->forward_x11_trusted = 0;
+ if (options->forward_x11_timeout == -1)
+ options->forward_x11_timeout = 1200;
if (options->exit_on_forward_failure == -1)
options->exit_on_forward_failure = 0;
if (options->xauth_location == NULL)
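Review bot: The default `1200` on the new line duplicates the value that was hard-coded in client_x11_get_proto's xauth command until this commit and the "twenty minutes" stated in the ssh_config.5 hunk, with nothing tying them together; a named constant beside the other defaults, e.g. `#define DEFAULT_FORWARD_X11_TIMEOUT 1200 /* seconds; keep ssh_config.5 in sync */`, would make a later change to one of them less likely to drift from the others. The enclosing function fill_default_options begins before this hunk and continues after it.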
diff --git a/usr.bin/ssh/readconf.h b/usr.bin/ssh/readconf.h
index 3c8eae9d2d4..66acafdefa1 100644
--- a/usr.bin/ssh/readconf.h
+++ b/usr.bin/ssh/readconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.84 2010/06/25 07:14:46 djm Exp $ */
+/* $OpenBSD: readconf.h,v 1.85 2010/06/25 23:15:36 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -32,6 +32,7 @@ typedef struct {
typedef struct {
int forward_agent; /* Forward authentication agent. */
int forward_x11; /* Forward X11 display. */
+ int forward_x11_timeout; /* Expiration for Cookies */
int forward_x11_trusted; /* Trust Forward X11 display. */
int exit_on_forward_failure; /* Exit if bind(2) fails for -L/-R */
char *xauth_location; /* Location for xauth program */
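Review bot: The comment on the new field, `/* Expiration for Cookies */`, omits both the unit and the sentinel the code relies on: readconf.c initializes it to -1, defaults it to 1200, and every caller passes it straight into `client_x11_get_proto`'s `u_int timeout`. Suggest `int forward_x11_timeout; /* Untrusted X11 cookie lifetime in seconds; -1 = unset */`. Because the consumers treat the value as unsigned, any negative value that survived to the call sites would become a very large `u_int`; assuming the `parse_time` path never stores a negative number, that is fine, but the conversion deserves a word here or a check at the call sites.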
diff --git a/usr.bin/ssh/ssh.c b/usr.bin/ssh/ssh.c
index c9f87053a57..b6aa87c40f9 100644
--- a/usr.bin/ssh/ssh.c
+++ b/usr.bin/ssh/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.339 2010/06/25 23:10:30 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.340 2010/06/25 23:15:36 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1084,7 +1084,9 @@ ssh_session(void)
char *proto, *data;
/* Get reasonable local authentication information. */
client_x11_get_proto(display, options.xauth_location,
- options.forward_x11_trusted, &proto, &data);
+ options.forward_x11_trusted,
+ options.forward_x11_timeout,
+ &proto, &data);
/* Request forwarding with authentication spoofing. */
debug("Requesting X11 forwarding with authentication "
"spoofing.");
@@ -1180,7 +1182,8 @@ ssh_session2_setup(int id, int success, void *arg)
char *proto, *data;
/* Get reasonable local authentication information. */
client_x11_get_proto(display, options.xauth_location,
- options.forward_x11_trusted, &proto, &data);
+ options.forward_x11_trusted,
+ options.forward_x11_timeout, &proto, &data);
/* Request forwarding with authentication spoofing. */
debug("Requesting X11 forwarding with authentication "
"spoofing.");
diff --git a/usr.bin/ssh/ssh_config.5 b/usr.bin/ssh/ssh_config.5
index 2df948e62ae..6968a4488c6 100644
--- a/usr.bin/ssh/ssh_config.5
+++ b/usr.bin/ssh/ssh_config.5
@@ -34,8 +34,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.133 2010/04/16 06:45:01 jmc Exp $
-.Dd $Mdocdate: April 16 2010 $
+.\" $OpenBSD: ssh_config.5,v 1.134 2010/06/25 23:15:36 djm Exp $
+.Dd $Mdocdate: June 25 2010 $
.Dt SSH_CONFIG 5
.Os
.Sh NAME
@@ -432,6 +432,16 @@ An attacker may then be able to perform activities such as keystroke monitoring
if the
.Cm ForwardX11Trusted
option is also enabled.
+.It Cm ForwardX11Timeout
+Specify a timeout for untrusted X11 forwarding using the format described in
+.Sx TIME FORMATS
+section of
+.Xr sshd_config 5 .
+X11 connections received by
+.Xr ssh 1
+after this time will be refused.
+The default is to disable untrusted X11 forwarding after twenty minutes has
+elapsed.
.It Cm ForwardX11Trusted
If this option is set to
.Dq yes ,