upstream: Allow ssh_config ForwardX11Timeout=0 to disable the

timeout and allow X11 connections in untrusted mode indefinitely. ok dtucker@ OpenBSD-Commit-ID: ea1ceed3f540b48e5803f933e59a03b20db10c69
author: djm@openbsd.org <djm@openbsd.org> 2018-09-21 12:46:22 +0000
committer: Damien Miller <djm@mindrot.org> 2018-09-21 22:49:27 +1000
commit: b5e412a8993ad17b9e1141c78408df15d3d987e1 (patch)
tree: 3dc7a5be35019f5afac2d4fa1587a9befd3e7d9b
parent: cb24d9fcc901429d77211f274031653476864ec6 (diff)
2 files changed, 33 insertions, 16 deletions
diff --git a/clientloop.c b/clientloop.c
index ad35cb7ba..8d312cdaa 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.317 2018/07/11 18:53:29 markus Exp $ */
+/* $OpenBSD: clientloop.c,v 1.318 2018/09/21 12:46:22 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -279,7 +279,7 @@ client_x11_get_proto(struct ssh *ssh, const char *display,
    const char *xauth_path, u_int trusted, u_int timeout,
    char **_proto, char **_data)
 {
-        char cmd[1024], line[512], xdisplay[512];
+        char *cmd, line[512], xdisplay[512];
        char xauthfile[PATH_MAX], xauthdir[PATH_MAX];
        static char proto[512], data[512];
        FILE *f;
@@ -343,19 +343,30 @@ client_x11_get_proto(struct ssh *ssh, const char *display,
                                return -1;
                        }
-                        if (timeout >= UINT_MAX - X11_TIMEOUT_SLACK)
+                        if (timeout == 0) {
-                                x11_timeout_real = UINT_MAX;
+                                /* auth doesn't time out */
-                        else
+                                xasprintf(&cmd, "%s -f %s generate %s %s "
-                                x11_timeout_real = timeout + X11_TIMEOUT_SLACK;
+                                    "untrusted 2>%s",
-                        if ((r = snprintf(cmd, sizeof(cmd),
+                                    xauth_path, xauthfile, display,
-                            "%s -f %s generate %s " SSH_X11_PROTO
+                                    SSH_X11_PROTO, _PATH_DEVNULL);
-                            " untrusted timeout %u 2>" _PATH_DEVNULL,
+                        } else {
-                            xauth_path, xauthfile, display,
+                                /* Add some slack to requested expiry */
-                            x11_timeout_real)) < 0 ||
+                                if (timeout < UINT_MAX - X11_TIMEOUT_SLACK)
-                            (size_t)r >= sizeof(cmd))
+                                        x11_timeout_real = timeout +
-                                fatal("%s: cmd too long", __func__);
+                                            X11_TIMEOUT_SLACK;
+                                else {
+                                        /* Don't overflow on long timeouts */
+                                        x11_timeout_real = UINT_MAX;
+                                }
+                                xasprintf(&cmd, "%s -f %s generate %s %s "
+                                    "untrusted timeout %u 2>%s",
+                                    xauth_path, xauthfile, display,
+                                    SSH_X11_PROTO, x11_timeout_real,
+                                    _PATH_DEVNULL);
+                        }
                        debug2("%s: %s", __func__, cmd);
-                        if (x11_refuse_time == 0) {
+                        if (timeout != 0 && x11_refuse_time == 0) {
                                now = monotime() + 1;
                                if (UINT_MAX - timeout < now)
                                        x11_refuse_time = UINT_MAX;
@@ -366,6 +377,7 @@ client_x11_get_proto(struct ssh *ssh, const char *display,
                        }
                        if (system(cmd) == 0)
                                generated = 1;
+                        free(cmd);
                }
                /*
@@ -374,7 +386,7 @@ client_x11_get_proto(struct ssh *ssh, const char *display,
                 * above.
                 */
                if (trusted || generated) {
-                        snprintf(cmd, sizeof(cmd),
+                        xasprintf(&cmd,
                            "%s %s%s list %s 2>" _PATH_DEVNULL,
                            xauth_path,
                            generated ? "-f " : "" ,
@@ -387,6 +399,7 @@ client_x11_get_proto(struct ssh *ssh, const char *display,
                                got_data = 1;
                        if (f)
                                pclose(f);
+                        free(cmd);
                }
        }
diff --git a/ssh_config.5 b/ssh_config.5
index 2df1165f1..27136dbd6 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,7 +33,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.284 2018/09/21 03:11:36 djm Exp $
+.\" $OpenBSD: ssh_config.5,v 1.285 2018/09/21 12:46:22 djm Exp $
 .Dd $Mdocdate: September 21 2018 $
 .Dt SSH_CONFIG 5
 .Os
@@ -686,6 +686,10 @@ section of
 X11 connections received by
 .Xr ssh 1
 after this time will be refused.
+Setting
+.Cm ForwardX11Timeout
+to zero will disable the timeout and permit X11 forwarding for the life
+of the connection.
 The default is to disable untrusted X11 forwarding after twenty minutes has
 elapsed.
 .It Cm ForwardX11Trusted
author	djm@openbsd.org <djm@openbsd.org>	2018-09-21 12:46:22 +0000
committer	Damien Miller <djm@mindrot.org>	2018-09-21 22:49:27 +1000
commit	b5e412a8993ad17b9e1141c78408df15d3d987e1 (patch)
tree	3dc7a5be35019f5afac2d4fa1587a9befd3e7d9b
parent	cb24d9fcc901429d77211f274031653476864ec6 (diff)

diff --git a/clientloop.c b/clientloop.c index ad35cb7ba..8d312cdaa 100644 --- a/clientloop.c +++ b/clientloop.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: clientloop.c,v 1.317 2018/07/11 18:53:29 markus Exp $ */	1	/* $OpenBSD: clientloop.c,v 1.318 2018/09/21 12:46:22 djm Exp $ */
2	/*	2	/*
3	* Author: Tatu Ylonen <ylo@cs.hut.fi>	3	* Author: Tatu Ylonen <ylo@cs.hut.fi>
4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	4	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -279,7 +279,7 @@ client_x11_get_proto(struct ssh ssh, const char display,
279	const char *xauth_path, u_int trusted, u_int timeout,	279	const char *xauth_path, u_int trusted, u_int timeout,
280	char _proto, char _data)	280	char _proto, char _data)
281	{	281	{
282	char cmd[1024], line[512], xdisplay[512];	282	char *cmd, line[512], xdisplay[512];
283	char xauthfile[PATH_MAX], xauthdir[PATH_MAX];	283	char xauthfile[PATH_MAX], xauthdir[PATH_MAX];
284	static char proto[512], data[512];	284	static char proto[512], data[512];
285	FILE *f;	285	FILE *f;
@@ -343,19 +343,30 @@ client_x11_get_proto(struct ssh ssh, const char display,
343	return -1;	343	return -1;
344	}	344	}
345		345
346	if (timeout >= UINT_MAX - X11_TIMEOUT_SLACK)	346	if (timeout == 0) {
347	x11_timeout_real = UINT_MAX;	347	/* auth doesn't time out */
348	else	348	xasprintf(&cmd, "%s -f %s generate %s %s "
349	x11_timeout_real = timeout + X11_TIMEOUT_SLACK;	349	"untrusted 2>%s",
350	if ((r = snprintf(cmd, sizeof(cmd),	350	xauth_path, xauthfile, display,
351	"%s -f %s generate %s " SSH_X11_PROTO	351	SSH_X11_PROTO, _PATH_DEVNULL);
352	" untrusted timeout %u 2>" _PATH_DEVNULL,	352	} else {
353	xauth_path, xauthfile, display,	353	/* Add some slack to requested expiry */
354	x11_timeout_real)) < 0 \|\|	354	if (timeout < UINT_MAX - X11_TIMEOUT_SLACK)
355	(size_t)r >= sizeof(cmd))	355	x11_timeout_real = timeout +
356	fatal("%s: cmd too long", __func__);	356	X11_TIMEOUT_SLACK;
		357	else {
		358	/* Don't overflow on long timeouts */
		359	x11_timeout_real = UINT_MAX;
		360	}
		361	xasprintf(&cmd, "%s -f %s generate %s %s "
		362	"untrusted timeout %u 2>%s",
		363	xauth_path, xauthfile, display,
		364	SSH_X11_PROTO, x11_timeout_real,
		365	_PATH_DEVNULL);
		366	}
357	debug2("%s: %s", __func__, cmd);	367	debug2("%s: %s", __func__, cmd);
358	if (x11_refuse_time == 0) {	368
		369	if (timeout != 0 && x11_refuse_time == 0) {
359	now = monotime() + 1;	370	now = monotime() + 1;
360	if (UINT_MAX - timeout < now)	371	if (UINT_MAX - timeout < now)
361	x11_refuse_time = UINT_MAX;	372	x11_refuse_time = UINT_MAX;
@@ -366,6 +377,7 @@ client_x11_get_proto(struct ssh ssh, const char display,
366	}	377	}
367	if (system(cmd) == 0)	378	if (system(cmd) == 0)
368	generated = 1;	379	generated = 1;
		380	free(cmd);
369	}	381	}
370		382
371	/*	383	/*
@@ -374,7 +386,7 @@ client_x11_get_proto(struct ssh ssh, const char display,
374	* above.	386	* above.
375	*/	387	*/
376	if (trusted \|\| generated) {	388	if (trusted \|\| generated) {
377	snprintf(cmd, sizeof(cmd),	389	xasprintf(&cmd,
378	"%s %s%s list %s 2>" _PATH_DEVNULL,	390	"%s %s%s list %s 2>" _PATH_DEVNULL,
379	xauth_path,	391	xauth_path,
380	generated ? "-f " : "" ,	392	generated ? "-f " : "" ,
@@ -387,6 +399,7 @@ client_x11_get_proto(struct ssh ssh, const char display,
387	got_data = 1;	399	got_data = 1;
388	if (f)	400	if (f)
389	pclose(f);	401	pclose(f);
		402	free(cmd);
390	}	403	}
391	}	404	}
392		405


diff --git a/ssh_config.5 b/ssh_config.5 index 2df1165f1..27136dbd6 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -33,7 +33,7 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: ssh_config.5,v 1.284 2018/09/21 03:11:36 djm Exp $	36	.\" $OpenBSD: ssh_config.5,v 1.285 2018/09/21 12:46:22 djm Exp $
37	.Dd $Mdocdate: September 21 2018 $	37	.Dd $Mdocdate: September 21 2018 $
38	.Dt SSH_CONFIG 5	38	.Dt SSH_CONFIG 5
39	.Os	39	.Os
@@ -686,6 +686,10 @@ section of
686	X11 connections received by	686	X11 connections received by
687	.Xr ssh 1	687	.Xr ssh 1
688	after this time will be refused.	688	after this time will be refused.
		689	Setting
		690	.Cm ForwardX11Timeout
		691	to zero will disable the timeout and permit X11 forwarding for the life
		692	of the connection.
689	The default is to disable untrusted X11 forwarding after twenty minutes has	693	The default is to disable untrusted X11 forwarding after twenty minutes has
690	elapsed.	694	elapsed.
691	.It Cm ForwardX11Trusted	695	.It Cm ForwardX11Trusted