authorDarren Tucker <dtucker@zip.com.au>2003-10-15 15:54:32 +1000
committerDarren Tucker <dtucker@zip.com.au>2003-10-15 15:54:32 +1000
commit0a118da00eff14f018a055b3c187f27aa7d78ecd (patch)
tree6904bb2738a1a8a00c545fac7d4fec7b74bee870
parenta044f47679c27ca77b3ec19a6e0e148deb50a427 (diff)
- markus@cvs.openbsd.org 2003/10/11 08:24:08
[readconf.c readconf.h ssh.1 ssh.c ssh_config.5] remote x11 clients are now untrusted by default, uses xauth(8) to generate untrusted cookies; ForwardX11Trusted=yes restores old behaviour. ok deraadt; feedback and ok djm/fries
-rw-r--r--ChangeLog7
-rw-r--r--readconf.c12
-rw-r--r--readconf.h3
-rw-r--r--ssh.17
-rw-r--r--ssh.c92
-rw-r--r--ssh_config.524
6 files changed, 112 insertions, 33 deletions
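diff --git a/ChangeLog b/ChangeLog
index 6dbe21d3e..dc5885854 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -11,6 +11,11 @@
  - markus@cvs.openbsd.org 2003/10/08 15:21:24
  [readconf.c ssh_config.5]
  default GSS API to no in client, too; ok jakob, deraadt@
+ - markus@cvs.openbsd.org 2003/10/11 08:24:08
+ [readconf.c readconf.h ssh.1 ssh.c ssh_config.5]
+ remote x11 clients are now untrusted by default, uses xauth(8) to generate
+ untrusted cookies; ForwardX11Trusted=yes restores old behaviour.
+ ok deraadt; feedback and ok djm/fries
 
 20031009
  - (dtucker) [sshd_config.5] UsePAM defaults to "no". ok djm@
@@ -1328,4 +1333,4 @@
  - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
  Report from murple@murple.net, diagnosis from dtucker@zip.com.au
 
-$Id: ChangeLog,v 1.3071 2003/10/15 05:52:03 dtucker Exp $
+$Id: ChangeLog,v 1.3072 2003/10/15 05:54:32 dtucker Exp $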
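diff --git a/readconf.c b/readconf.c
index 5a7084fe8..e5f2620a7 100644
--- a/readconf.c
+++ b/readconf.c
@@ -12,7 +12,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.122 2003/10/08 15:21:24 markus Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.123 2003/10/11 08:24:07 markus Exp $");
 
 #include "ssh.h"
 #include "xmalloc.h"
@@ -89,7 +89,7 @@ RCSID("$OpenBSD: readconf.c,v 1.122 2003/10/08 15:21:24 markus Exp $");
 
 typedef enum {
  oBadOption,
- oForwardAgent, oForwardX11, oGatewayPorts,
+ oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
  oPasswordAuthentication, oRSAAuthentication,
  oChallengeResponseAuthentication, oXAuthLocation,
  oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
@@ -116,6 +116,7 @@ static struct {
 } keywords[] = {
  { "forwardagent", oForwardAgent },
  { "forwardx11", oForwardX11 },
+ { "forwardx11trusted", oForwardX11Trusted },
  { "xauthlocation", oXAuthLocation },
  { "gatewayports", oGatewayPorts },
  { "useprivilegedport", oUsePrivilegedPort },
@@ -342,6 +343,10 @@ parse_flag:
  intptr = &options->forward_x11;
  goto parse_flag;
 
+ case oForwardX11Trusted:
+ intptr = &options->forward_x11_trusted;
+ goto parse_flag;
+
  case oGatewayPorts:
  intptr = &options->gateway_ports;
  goto parse_flag;
@@ -806,6 +811,7 @@ initialize_options(Options * options)
  memset(options, 'X', sizeof(*options));
  options->forward_agent = -1;
  options->forward_x11 = -1;
+ options->forward_x11_trusted = -1;
  options->xauth_location = NULL;
  options->gateway_ports = -1;
  options->use_privileged_port = -1;
@@ -872,6 +878,8 @@ fill_default_options(Options * options)
  options->forward_agent = 0;
  if (options->forward_x11 == -1)
  options->forward_x11 = 0;
+ if (options->forward_x11_trusted == -1)
+ options->forward_x11_trusted = 0;
  if (options->xauth_location == NULL)
  options->xauth_location = _PATH_XAUTH;
  if (options->gateway_ports == -1)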
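diff --git a/readconf.h b/readconf.h
index 60287f710..8aab2e606 100644
--- a/readconf.h
+++ b/readconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.55 2003/09/01 18:15:50 markus Exp $ */
+/* $OpenBSD: readconf.h,v 1.56 2003/10/11 08:24:08 markus Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -30,6 +30,7 @@ typedef struct {
 typedef struct {
  int forward_agent; /* Forward authentication agent. */
  int forward_x11; /* Forward X11 display. */
+ int forward_x11_trusted; /* Trust Forward X11 display. */
  char *xauth_location; /* Location for xauth program */
  int gateway_ports; /* Allow remote connects to forwarded ports. */
  int use_privileged_port; /* Don't use privileged port if false. */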
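Review bot: The comment on the new `forward_x11_trusted` field, `/* Trust Forward X11 display. */`, does not say what the flag actually controls, unlike its siblings which name the behaviour they enable. The commit message states that a 0 value makes the client generate untrusted xauth cookies, so a comment carrying that would serve readers of this header better, e.g. `int forward_x11_trusted; /* Trusted X11 forwarding; when 0, use untrusted xauth cookies. */`.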
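diff --git a/ssh.1 b/ssh.1
index 2ba7fa6fd..107841533 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.177 2003/10/08 08:27:36 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.178 2003/10/11 08:24:08 markus Exp $
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@@ -43,7 +43,7 @@
 .Nd OpenSSH SSH client (remote login program)
 .Sh SYNOPSIS
 .Nm ssh
-.Op Fl 1246AaCfgkNnqsTtVvXx
+.Op Fl 1246AaCfgkNnqsTtVvXxY
 .Op Fl b Ar bind_address
 .Op Fl c Ar cipher_spec
 .Op Fl D Ar port
@@ -624,6 +624,7 @@ For full details of the options listed below, and their possible values, see
 .It EscapeChar
 .It ForwardAgent
 .It ForwardX11
+.It ForwardX11Trusted
 .It GatewayPorts
 .It GlobalKnownHostsFile
 .It GSSAPIAuthentication
@@ -732,6 +733,8 @@ can access the local X11 display through the forwarded connection.
 An attacker may then be able to perform activities such as keystroke monitoring.
 .It Fl x
 Disables X11 forwarding.
+.It Fl Y
+Enables trusted X11 forwarding.
 .El
 .Sh CONFIGURATION FILES
 .Nm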
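diff --git a/ssh.c b/ssh.c
index 35418f693..39d1b2f6a 100644
--- a/ssh.c
+++ b/ssh.c
@@ -13,7 +13,7 @@
  * called by a name other than "ssh" or "Secure Shell".
  *
  * Copyright (c) 1999 Niels Provos. All rights reserved.
- * Copyright (c) 2000, 2001, 2002 Markus Friedl. All rights reserved.
+ * Copyright (c) 2000, 2001, 2002, 2003 Markus Friedl. All rights reserved.
  *
  * Modified to work with SSL by Niels Provos <provos@citi.umich.edu>
  * in Canada (German citizen).
@@ -40,7 +40,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.201 2003/09/01 18:15:50 markus Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.202 2003/10/11 08:24:08 markus Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/err.h>
@@ -155,6 +155,7 @@ usage(void)
  fprintf(stderr, " -A Enable authentication agent forwarding.\n");
  fprintf(stderr, " -a Disable authentication agent forwarding (default).\n");
  fprintf(stderr, " -X Enable X11 connection forwarding.\n");
+ fprintf(stderr, " -Y Enable trusted X11 connection forwarding.\n");
  fprintf(stderr, " -x Disable X11 connection forwarding (default).\n");
  fprintf(stderr, " -i file Identity for public key authentication "
  "(default: ~/.ssh/identity)\n");
@@ -264,7 +265,7 @@ main(int ac, char **av)
 
 again:
  while ((opt = getopt(ac, av,
- "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:NPR:TVX")) != -1) {
+ "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:NPR:TVXY")) != -1) {
  switch (opt) {
  case '1':
  options.protocol = SSH_PROTO_1;
@@ -291,6 +292,10 @@ again:
  case 'X':
  options.forward_x11 = 1;
  break;
+ case 'Y':
+ options.forward_x11 = 1;
+ options.forward_x11_trusted = 1;
+ break;
  case 'g':
  options.gateway_ports = 1;
  break;
@@ -721,19 +726,25 @@ again:
  return exit_status;
 }
 
+#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
+
 static void
 x11_get_proto(char **_proto, char **_data)
 {
+ char cmd[1024];
  char line[512];
+ char xdisplay[512];
  static char proto[512], data[512];
  FILE *f;
- int got_data = 0, i;
- char *display;
+ int got_data = 0, generated = 0, do_unlink = 0, i;
+ char *display, *xauthdir, *xauthfile;
  struct stat st;
 
+ xauthdir = xauthfile = NULL;
  *_proto = proto;
  *_data = data;
  proto[0] = data[0] = '\0';
+
  if (!options.xauth_location ||
  (stat(options.xauth_location, &st) == -1)) {
  debug("No xauth program.");
@@ -742,28 +753,59 @@ x11_get_proto(char **_proto, char **_data)
  debug("x11_get_proto: DISPLAY not set");
  return;
  }
- /* Try to get Xauthority information for the display. */
- if (strncmp(display, "localhost:", 10) == 0)
- /*
- * Handle FamilyLocal case where $DISPLAY does
- * not match an authorization entry. For this we
- * just try "xauth list unix:displaynum.screennum".
- * XXX: "localhost" match to determine FamilyLocal
- * is not perfect.
- */
- snprintf(line, sizeof line, "%s list unix:%s 2>"
- _PATH_DEVNULL, options.xauth_location, display+10);
- else
- snprintf(line, sizeof line, "%s list %.200s 2>"
- _PATH_DEVNULL, options.xauth_location, display);
- debug2("x11_get_proto: %s", line);
- f = popen(line, "r");
+ /*
+ * Handle FamilyLocal case where $DISPLAY does
+ * not match an authorization entry. For this we
+ * just try "xauth list unix:displaynum.screennum".
+ * XXX: "localhost" match to determine FamilyLocal
+ * is not perfect.
+ */
+ if (strncmp(display, "localhost:", 10) == 0) {
+ snprintf(xdisplay, sizeof(xdisplay), "unix:%s",
+ display + 10);
+ display = xdisplay;
+ }
+ if (options.forward_x11_trusted == 0) {
+ xauthdir = xmalloc(MAXPATHLEN);
+ xauthfile = xmalloc(MAXPATHLEN);
+ strlcpy(xauthdir, "/tmp/ssh-XXXXXXXXXX", MAXPATHLEN);
+ if (mkdtemp(xauthdir) != NULL) {
+ do_unlink = 1;
+ snprintf(xauthfile, MAXPATHLEN, "%s/xauthfile",
+ xauthdir);
+ snprintf(cmd, sizeof(cmd),
+ "%s -f %s generate %s " SSH_X11_PROTO
+ " untrusted timeout 120 2>" _PATH_DEVNULL,
+ options.xauth_location, xauthfile, display);
+ debug2("x11_get_proto: %s", cmd);
+ if (system(cmd) == 0)
+ generated = 1;
+ }
+ }
+ snprintf(cmd, sizeof(cmd),
+ "%s %s%s list %s . 2>" _PATH_DEVNULL,
+ options.xauth_location,
+ generated ? "-f " : "" ,
+ generated ? xauthfile : "",
+ display);
+ debug2("x11_get_proto: %s", cmd);
+ f = popen(cmd, "r");
  if (f && fgets(line, sizeof(line), f) &&
  sscanf(line, "%*s %511s %511s", proto, data) == 2)
  got_data = 1;
  if (f)
  pclose(f);
  }
+
+ if (do_unlink) {
+ unlink(xauthfile);
+ rmdir(xauthdir);
+ }
+ if (xauthdir)
+ xfree(xauthdir);
+ if (xauthfile)
+ xfree(xauthfile);
+
  /*
  * If we didn't get authentication data, just make up some
  * data. The forwarding code will check the validity of the
@@ -775,12 +817,14 @@ x11_get_proto(char **_proto, char **_data)
  if (!got_data) {
  u_int32_t rand = 0;
 
- logit("Warning: No xauth data; using fake authentication data for X11 forwarding.");
- strlcpy(proto, "MIT-MAGIC-COOKIE-1", sizeof proto);
+ logit("Warning: No xauth data; "
+ "using fake authentication data for X11 forwarding.");
+ strlcpy(proto, SSH_X11_PROTO, sizeof proto);
  for (i = 0; i < 16; i++) {
  if (i % 4 == 0)
  rand = arc4random();
- snprintf(data + 2 * i, sizeof data - 2 * i, "%02x", rand & 0xff);
+ snprintf(data + 2 * i, sizeof data - 2 * i, "%02x",
+ rand & 0xff);
  rand >>= 8;
  }
  }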
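Review bot: In the untrusted branch of x11_get_proto (new lines 768-792), when the untrusted cookie is not produced — `mkdtemp()` fails or `system(cmd)` returns non-zero, so `generated` stays 0 — the `list` command at 785-792 still runs, but with `-f` omitted it reads the user's default authority file and the real, trusted cookie is forwarded; ForwardX11Trusted=no is thereby silently downgraded to the old trusted behaviour on any xauth failure. The `list`/`popen` step should run only when the session is trusted or an untrusted cookie was actually generated, leaving `got_data` at 0 otherwise so the fake-data path below is taken, and the failure should be logged rather than hidden. Separately, the new `list %s` format drops the `%.200s` bound the removed line 757 applied to DISPLAY, and neither `snprintf()` into `cmd` (776 and 785) checks its return value, so an over-long DISPLAY yields a truncated command string that is then handed to `system()`/`popen()`; compare the result with `sizeof(cmd)` and skip the command on truncation. x11_get_proto continues past the end of this hunk.
```c
	/* Read a cookie only when trusted, or when an untrusted one was generated. */
	if (options.forward_x11_trusted != 0 || generated) {
		/* … unchanged: snprintf(cmd, …) "list" command, debug2, popen, fgets/sscanf, pclose … */
	} else {
		logit("Warning: untrusted X11 forwarding setup failed: "
		    "xauth key data not generated");
	}
```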
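diff --git a/ssh_config.5 b/ssh_config.5
index da162499b..7f3c7064a 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.21 2003/10/08 15:21:24 markus Exp $
+.\" $OpenBSD: ssh_config.5,v 1.22 2003/10/11 08:24:08 markus Exp $
 .Dd September 25, 1999
 .Dt SSH_CONFIG 5
 .Os
@@ -306,9 +306,27 @@ The default is
 .Pp
 X11 forwarding should be enabled with caution.
 Users with the ability to bypass file permissions on the remote host
-(for the user's X authorization database)
+(for the user's X11 authorization database)
 can access the local X11 display through the forwarded connection.
-An attacker may then be able to perform activities such as keystroke monitoring.
+An attacker may then be able to perform activities such as keystroke monitoring
+if the
+.Cm ForwardX11Trusted
+option is also enabled.
+.It Cm ForwardX11Trusted
+If the this option is set to
+.Dq yes
+then remote X11 clients will have full access to the original X11 display.
+If this option is set to
+.Dq no
+then remote X11 clients will be considered untrusted and prevented
+from stealing or tampering with data belonging to trusted X11
+clients.
+.Pp
+The default is
+.Dq no .
+.Pp
+See the X11 SECURITY extension specification for full details on
+the restrictions imposed on untrusted clients.
 .It Cm GatewayPorts
 Specifies whether remote hosts are allowed to connect to local
 forwarded ports.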