summaryrefslogtreecommitdiff
path: root/usr.bin
diff options
context:
space:
mode:
authorMarkus Friedl <markus@cvs.openbsd.org>2003-10-11 08:24:09 +0000
committerMarkus Friedl <markus@cvs.openbsd.org>2003-10-11 08:24:09 +0000
commit71c688d733c6338fddc0b48a555c52b7b407c840 (patch)
tree1071d6061654964111eb6928f75e8b440d1acee3 /usr.bin
parent86a80e300f68c1014752fdb73aa9675f5aa58b7e (diff)
remote x11 clients are now untrusted by default, uses xauth(8) to generate
untrusted cookies; ForwardX11Trusted=yes restores old behaviour. ok deraadt; feedback and ok djm/fries
Diffstat (limited to 'usr.bin')
-rw-r--r--usr.bin/ssh/readconf.c12
-rw-r--r--usr.bin/ssh/readconf.h3
-rw-r--r--usr.bin/ssh/ssh.17
-rw-r--r--usr.bin/ssh/ssh.c92
-rw-r--r--usr.bin/ssh/ssh_config.524
5 files changed, 106 insertions, 32 deletions
diff --git a/usr.bin/ssh/readconf.c b/usr.bin/ssh/readconf.c
index cacfef567de..2492ac6c3ed 100644
--- a/usr.bin/ssh/readconf.c
+++ b/usr.bin/ssh/readconf.c
@@ -12,7 +12,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.122 2003/10/08 15:21:24 markus Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.123 2003/10/11 08:24:07 markus Exp $");
#include "ssh.h"
#include "xmalloc.h"
@@ -89,7 +89,7 @@ RCSID("$OpenBSD: readconf.c,v 1.122 2003/10/08 15:21:24 markus Exp $");
typedef enum {
oBadOption,
- oForwardAgent, oForwardX11, oGatewayPorts,
+ oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
oPasswordAuthentication, oRSAAuthentication,
oChallengeResponseAuthentication, oXAuthLocation,
oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
@@ -116,6 +116,7 @@ static struct {
} keywords[] = {
{ "forwardagent", oForwardAgent },
{ "forwardx11", oForwardX11 },
+ { "forwardx11trusted", oForwardX11Trusted },
{ "xauthlocation", oXAuthLocation },
{ "gatewayports", oGatewayPorts },
{ "useprivilegedport", oUsePrivilegedPort },
@@ -340,6 +341,10 @@ parse_flag:
intptr = &options->forward_x11;
goto parse_flag;
+ case oForwardX11Trusted:
+ intptr = &options->forward_x11_trusted;
+ goto parse_flag;
+
case oGatewayPorts:
intptr = &options->gateway_ports;
goto parse_flag;
@@ -804,6 +809,7 @@ initialize_options(Options * options)
memset(options, 'X', sizeof(*options));
options->forward_agent = -1;
options->forward_x11 = -1;
+ options->forward_x11_trusted = -1;
options->xauth_location = NULL;
options->gateway_ports = -1;
options->use_privileged_port = -1;
@@ -870,6 +876,8 @@ fill_default_options(Options * options)
options->forward_agent = 0;
if (options->forward_x11 == -1)
options->forward_x11 = 0;
+ if (options->forward_x11_trusted == -1)
+ options->forward_x11_trusted = 0;
if (options->xauth_location == NULL)
options->xauth_location = _PATH_XAUTH;
if (options->gateway_ports == -1)
diff --git a/usr.bin/ssh/readconf.h b/usr.bin/ssh/readconf.h
index 60287f710c4..8aab2e6066f 100644
--- a/usr.bin/ssh/readconf.h
+++ b/usr.bin/ssh/readconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.55 2003/09/01 18:15:50 markus Exp $ */
+/* $OpenBSD: readconf.h,v 1.56 2003/10/11 08:24:08 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -30,6 +30,7 @@ typedef struct {
typedef struct {
int forward_agent; /* Forward authentication agent. */
int forward_x11; /* Forward X11 display. */
+ int forward_x11_trusted; /* Trust Forward X11 display. */
char *xauth_location; /* Location for xauth program */
int gateway_ports; /* Allow remote connects to forwarded ports. */
int use_privileged_port; /* Don't use privileged port if false. */
diff --git a/usr.bin/ssh/ssh.1 b/usr.bin/ssh/ssh.1
index 2ba7fa6fdbb..10784153383 100644
--- a/usr.bin/ssh/ssh.1
+++ b/usr.bin/ssh/ssh.1
@@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.177 2003/10/08 08:27:36 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.178 2003/10/11 08:24:08 markus Exp $
.Dd September 25, 1999
.Dt SSH 1
.Os
@@ -43,7 +43,7 @@
.Nd OpenSSH SSH client (remote login program)
.Sh SYNOPSIS
.Nm ssh
-.Op Fl 1246AaCfgkNnqsTtVvXx
+.Op Fl 1246AaCfgkNnqsTtVvXxY
.Op Fl b Ar bind_address
.Op Fl c Ar cipher_spec
.Op Fl D Ar port
@@ -624,6 +624,7 @@ For full details of the options listed below, and their possible values, see
.It EscapeChar
.It ForwardAgent
.It ForwardX11
+.It ForwardX11Trusted
.It GatewayPorts
.It GlobalKnownHostsFile
.It GSSAPIAuthentication
@@ -732,6 +733,8 @@ can access the local X11 display through the forwarded connection.
An attacker may then be able to perform activities such as keystroke monitoring.
.It Fl x
Disables X11 forwarding.
+.It Fl Y
+Enables trusted X11 forwarding.
.El
.Sh CONFIGURATION FILES
.Nm
diff --git a/usr.bin/ssh/ssh.c b/usr.bin/ssh/ssh.c
index 941c0ae18ec..29729c60b69 100644
--- a/usr.bin/ssh/ssh.c
+++ b/usr.bin/ssh/ssh.c
@@ -13,7 +13,7 @@
* called by a name other than "ssh" or "Secure Shell".
*
* Copyright (c) 1999 Niels Provos. All rights reserved.
- * Copyright (c) 2000, 2001, 2002 Markus Friedl. All rights reserved.
+ * Copyright (c) 2000, 2001, 2002, 2003 Markus Friedl. All rights reserved.
*
* Modified to work with SSL by Niels Provos <provos@citi.umich.edu>
* in Canada (German citizen).
@@ -40,7 +40,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.201 2003/09/01 18:15:50 markus Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.202 2003/10/11 08:24:08 markus Exp $");
#include <openssl/evp.h>
#include <openssl/err.h>
@@ -151,6 +151,7 @@ usage(void)
fprintf(stderr, " -A Enable authentication agent forwarding.\n");
fprintf(stderr, " -a Disable authentication agent forwarding (default).\n");
fprintf(stderr, " -X Enable X11 connection forwarding.\n");
+ fprintf(stderr, " -Y Enable trusted X11 connection forwarding.\n");
fprintf(stderr, " -x Disable X11 connection forwarding (default).\n");
fprintf(stderr, " -i file Identity for public key authentication "
"(default: ~/.ssh/identity)\n");
@@ -255,7 +256,7 @@ main(int ac, char **av)
again:
while ((opt = getopt(ac, av,
- "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:NPR:TVX")) != -1) {
+ "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:NPR:TVXY")) != -1) {
switch (opt) {
case '1':
options.protocol = SSH_PROTO_1;
@@ -282,6 +283,10 @@ again:
case 'X':
options.forward_x11 = 1;
break;
+ case 'Y':
+ options.forward_x11 = 1;
+ options.forward_x11_trusted = 1;
+ break;
case 'g':
options.gateway_ports = 1;
break;
@@ -706,19 +711,25 @@ again:
return exit_status;
}
+#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
+
static void
x11_get_proto(char **_proto, char **_data)
{
+ char cmd[1024];
char line[512];
+ char xdisplay[512];
static char proto[512], data[512];
FILE *f;
- int got_data = 0, i;
- char *display;
+ int got_data = 0, generated = 0, do_unlink = 0, i;
+ char *display, *xauthdir, *xauthfile;
struct stat st;
+ xauthdir = xauthfile = NULL;
*_proto = proto;
*_data = data;
proto[0] = data[0] = '\0';
+
if (!options.xauth_location ||
(stat(options.xauth_location, &st) == -1)) {
debug("No xauth program.");
@@ -727,28 +738,59 @@ x11_get_proto(char **_proto, char **_data)
debug("x11_get_proto: DISPLAY not set");
return;
}
- /* Try to get Xauthority information for the display. */
- if (strncmp(display, "localhost:", 10) == 0)
- /*
- * Handle FamilyLocal case where $DISPLAY does
- * not match an authorization entry. For this we
- * just try "xauth list unix:displaynum.screennum".
- * XXX: "localhost" match to determine FamilyLocal
- * is not perfect.
- */
- snprintf(line, sizeof line, "%s list unix:%s 2>"
- _PATH_DEVNULL, options.xauth_location, display+10);
- else
- snprintf(line, sizeof line, "%s list %.200s 2>"
- _PATH_DEVNULL, options.xauth_location, display);
- debug2("x11_get_proto: %s", line);
- f = popen(line, "r");
+ /*
+ * Handle FamilyLocal case where $DISPLAY does
+ * not match an authorization entry. For this we
+ * just try "xauth list unix:displaynum.screennum".
+ * XXX: "localhost" match to determine FamilyLocal
+ * is not perfect.
+ */
+ if (strncmp(display, "localhost:", 10) == 0) {
+ snprintf(xdisplay, sizeof(xdisplay), "unix:%s",
+ display + 10);
+ display = xdisplay;
+ }
+ if (options.forward_x11_trusted == 0) {
+ xauthdir = xmalloc(MAXPATHLEN);
+ xauthfile = xmalloc(MAXPATHLEN);
+ strlcpy(xauthdir, "/tmp/ssh-XXXXXXXXXX", MAXPATHLEN);
+ if (mkdtemp(xauthdir) != NULL) {
+ do_unlink = 1;
+ snprintf(xauthfile, MAXPATHLEN, "%s/xauthfile",
+ xauthdir);
+ snprintf(cmd, sizeof(cmd),
+ "%s -f %s generate %s " SSH_X11_PROTO
+ " untrusted timeout 120 2>" _PATH_DEVNULL,
+ options.xauth_location, xauthfile, display);
+ debug2("x11_get_proto: %s", cmd);
+ if (system(cmd) == 0)
+ generated = 1;
+ }
+ }
+ snprintf(cmd, sizeof(cmd),
+ "%s %s%s list %s . 2>" _PATH_DEVNULL,
+ options.xauth_location,
+ generated ? "-f " : "" ,
+ generated ? xauthfile : "",
+ display);
+ debug2("x11_get_proto: %s", cmd);
+ f = popen(cmd, "r");
if (f && fgets(line, sizeof(line), f) &&
sscanf(line, "%*s %511s %511s", proto, data) == 2)
got_data = 1;
if (f)
pclose(f);
}
+
+ if (do_unlink) {
+ unlink(xauthfile);
+ rmdir(xauthdir);
+ }
+ if (xauthdir)
+ xfree(xauthdir);
+ if (xauthfile)
+ xfree(xauthfile);
+
/*
* If we didn't get authentication data, just make up some
* data. The forwarding code will check the validity of the
@@ -760,12 +802,14 @@ x11_get_proto(char **_proto, char **_data)
if (!got_data) {
u_int32_t rand = 0;
- logit("Warning: No xauth data; using fake authentication data for X11 forwarding.");
- strlcpy(proto, "MIT-MAGIC-COOKIE-1", sizeof proto);
+ logit("Warning: No xauth data; "
+ "using fake authentication data for X11 forwarding.");
+ strlcpy(proto, SSH_X11_PROTO, sizeof proto);
for (i = 0; i < 16; i++) {
if (i % 4 == 0)
rand = arc4random();
- snprintf(data + 2 * i, sizeof data - 2 * i, "%02x", rand & 0xff);
+ snprintf(data + 2 * i, sizeof data - 2 * i, "%02x",
+ rand & 0xff);
rand >>= 8;
}
}
diff --git a/usr.bin/ssh/ssh_config.5 b/usr.bin/ssh/ssh_config.5
index da162499b85..7f3c7064a15 100644
--- a/usr.bin/ssh/ssh_config.5
+++ b/usr.bin/ssh/ssh_config.5
@@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.21 2003/10/08 15:21:24 markus Exp $
+.\" $OpenBSD: ssh_config.5,v 1.22 2003/10/11 08:24:08 markus Exp $
.Dd September 25, 1999
.Dt SSH_CONFIG 5
.Os
@@ -306,9 +306,27 @@ The default is
.Pp
X11 forwarding should be enabled with caution.
Users with the ability to bypass file permissions on the remote host
-(for the user's X authorization database)
+(for the user's X11 authorization database)
can access the local X11 display through the forwarded connection.
-An attacker may then be able to perform activities such as keystroke monitoring.
+An attacker may then be able to perform activities such as keystroke monitoring
+if the
+.Cm ForwardX11Trusted
+option is also enabled.
+.It Cm ForwardX11Trusted
+If the this option is set to
+.Dq yes
+then remote X11 clients will have full access to the original X11 display.
+If this option is set to
+.Dq no
+then remote X11 clients will be considered untrusted and prevented
+from stealing or tampering with data belonging to trusted X11
+clients.
+.Pp
+The default is
+.Dq no .
+.Pp
+See the X11 SECURITY extension specification for full details on
+the restrictions imposed on untrusted clients.
.It Cm GatewayPorts
Specifies whether remote hosts are allowed to connect to local
forwarded ports.