- markus@cvs.openbsd.org 2001/06/19 14:09:45

     [session.c sshd.8]
     disable x11-fwd if use_login is enabled; from lukem@wasabisystems.com

3 files changed, 23 insertions, 5 deletions

diff --git a/ChangeLog b/ChangeLog
index a3766b28a..bf242a6f0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -15,6 +15,9 @@
    - markus@cvs.openbsd.org 2001/06/19 12:34:09
      [session.c]
      cleanup forced command handling, from dwd@bell-labs.com
+   - markus@cvs.openbsd.org 2001/06/19 14:09:45
+     [session.c sshd.8]
+     disable x11-fwd if use_login is enabled; from lukem@wasabisystems.com
 
 20010615
  - (stevesk) don't set SA_RESTART and set SIGCHLD to SIG_DFL
@@ -5667,4 +5670,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
 
-$Id: ChangeLog,v 1.1293 2001/06/21 03:13:10 mouring Exp $
+$Id: ChangeLog,v 1.1294 2001/06/21 03:14:49 mouring Exp $
diff --git a/session.c b/session.c
index 005f7ab17..187f38edd 100644
--- a/session.c
+++ b/session.c
@@ -33,7 +33,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.90 2001/06/19 12:34:09 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.91 2001/06/19 14:09:45 markus Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -1980,6 +1980,11 @@ session_setup_x11fwd(Session *s)
                 packet_send_debug("No xauth program; cannot forward with spoofing.");
                 return 0;
         }
+        if (options.use_login) {
+                packet_send_debug("X11 forwarding disabled; "
+                    "not compatible with UseLogin=yes.");
+                return 0;
+        }
         if (s->display != NULL) {
                 debug("X11 display already set.");
                 return 0;
diff --git a/sshd.8 b/sshd.8
index 7ff4a4201..796e81866 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.126 2001/06/11 16:04:38 markus Exp $
+.\" $OpenBSD: sshd.8,v 1.127 2001/06/19 14:09:45 markus Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -796,11 +796,18 @@ The default is AUTH.
 Specifies whether
 .Xr login 1
 is used for interactive login sessions.
+The default is
+.Dq no .
 Note that
 .Xr login 1
 is never used for remote command execution.
-The default is
-.Dq no .
+Note also, that if this is enabled,                                                           
+.Cm X11Forwarding                                                             
+will be disabled because
+.Xr login 1
+does not know how to handle
+.Xr xauth 1                                                                   
+cookies.
 .It Cm X11DisplayOffset
 Specifies the first display number available for
 .Nm sshd Ns 's
@@ -815,6 +822,9 @@ The default is
 .Dq no .
 Note that disabling X11 forwarding does not improve security in any
 way, as users can always install their own forwarders.
+X11 forwarding is automatically disabled if                                                     
+.Cm UseLogin                                                                  
+is enabled.          
 .It Cm XAuthLocation
 Specifies the location of the
 .Xr xauth 1