authorDamien Miller <djm@mindrot.org>2002-02-05 12:11:34 +1100
committerDamien Miller <djm@mindrot.org>2002-02-05 12:11:34 +1100
commit95c249ff475a9e0c15a4a8fcc9668f8dddb0a6c3 (patch)
treed66a300fac9b34f4262009250fb504cfa1b2efaf
parent512bccbb5a7d4c2a8fc53dad17f4a6f7a07b0474 (diff)
- stevesk@cvs.openbsd.org 2002/01/27 14:57:46
[channels.c servconf.c servconf.h session.c sshd.8 sshd_config] add X11UseLocalhost; ok markus@
-rw-r--r--ChangeLog5
-rw-r--r--channels.c6
-rw-r--r--servconf.c12
-rw-r--r--servconf.h3
-rw-r--r--session.c6
-rw-r--r--sshd.827
-rw-r--r--sshd_config3
7 files changed, 50 insertions, 12 deletions
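--- a/ChangeLog
+++ b/ChangeLog
@@ -22,6 +22,9 @@
  revert code to add x11 localhost display authorization entry for
  hostname/unix:d and uts.nodename/unix:d if nodename was different than
  hostname. just add entry for unix:d instead. ok markus@
+ - stevesk@cvs.openbsd.org 2002/01/27 14:57:46
+ [channels.c servconf.c servconf.h session.c sshd.8 sshd_config]
+ add X11UseLocalhost; ok markus@
 
 20020130
  - (djm) Delay PRNG seeding until we need it in ssh-keygen, from markus@
@@ -7424,4 +7427,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
 
-$Id: ChangeLog,v 1.1804 2002/02/05 01:11:02 djm Exp $
+$Id: ChangeLog,v 1.1805 2002/02/05 01:11:34 djm Exp $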
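--- a/channels.c
+++ b/channels.c
@@ -39,7 +39,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: channels.c,v 1.162 2002/01/24 21:09:25 stevesk Exp $");
+RCSID("$OpenBSD: channels.c,v 1.163 2002/01/27 14:57:46 stevesk Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -2379,7 +2379,7 @@ channel_connect_to(const char *host, u_short port)
  * an error occurs.
  */
 int
-x11_create_display_inet(int x11_display_offset, int gateway_ports,
+x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
  int single_connection)
 {
  Channel *nc = NULL;
@@ -2395,7 +2395,7 @@ x11_create_display_inet(int x11_display_offset, int gateway_ports,
  port = 6000 + display_number;
  memset(&hints, 0, sizeof(hints));
  hints.ai_family = IPv4or6;
- hints.ai_flags = gateway_ports ? AI_PASSIVE : 0;
+ hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;
  hints.ai_socktype = SOCK_STREAM;
  snprintf(strport, sizeof strport, "%d", port);
  if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) {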
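Review bot: The rewritten `hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;` line in x11_create_display_inet carries the whole loopback-versus-wildcard decision without a comment, and the parameter's polarity is the inverse of the `gateway_ports` argument it replaces. With a NULL node, getaddrinfo() yields loopback addresses unless AI_PASSIVE is set, so a short comment such as `/* NULL node: without AI_PASSIVE we bind loopback only; with it, the wildcard address, reachable by remote hosts */` would keep a later edit from flipping the two by accident. The function's header comment ends just above the second hunk and the body continues past the third, so whether the new parameter is described there cannot be checked from here. As a style point, the ternary lacks the space before the colon: `x11_use_localhost ? 0 : AI_PASSIVE`.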
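--- a/servconf.c
+++ b/servconf.c
@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.98 2002/01/22 02:52:41 stevesk Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.99 2002/01/27 14:57:46 stevesk Exp $");
 
 #if defined(KRB4) || defined(KRB5)
 #include <krb.h>
@@ -63,6 +63,7 @@ initialize_server_options(ServerOptions *options)
  options->print_lastlog = -1;
  options->x11_forwarding = -1;
  options->x11_display_offset = -1;
+ options->x11_use_localhost = -1;
  options->xauth_location = NULL;
  options->strict_modes = -1;
  options->keepalives = -1;
@@ -159,6 +160,8 @@ fill_default_server_options(ServerOptions *options)
  options->x11_forwarding = 0;
  if (options->x11_display_offset == -1)
  options->x11_display_offset = 10;
+ if (options->x11_use_localhost == -1)
+ options->x11_use_localhost = 1;
  if (options->xauth_location == NULL)
  options->xauth_location = _PATH_XAUTH;
  if (options->strict_modes == -1)
@@ -255,7 +258,7 @@ typedef enum {
  sChallengeResponseAuthentication,
  sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
  sPrintMotd, sPrintLastLog, sIgnoreRhosts,
- sX11Forwarding, sX11DisplayOffset,
+ sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
  sStrictModes, sEmptyPasswd, sKeepAlives,
  sUseLogin, sAllowTcpForwarding,
  sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
@@ -315,6 +318,7 @@ static struct {
  { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
  { "x11forwarding", sX11Forwarding },
  { "x11displayoffset", sX11DisplayOffset },
+ { "x11uselocalhost", sX11UseLocalhost },
  { "xauthlocation", sXAuthLocation },
  { "strictmodes", sStrictModes },
  { "permitemptypasswords", sEmptyPasswd },
@@ -655,6 +659,10 @@ parse_flag:
  intptr = &options->x11_display_offset;
  goto parse_int;
 
+ case sX11UseLocalhost:
+ intptr = &options->x11_use_localhost;
+ goto parse_flag;
+
  case sXAuthLocation:
  charptr = &options->xauth_location;
  goto parse_filename;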
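--- a/servconf.h
+++ b/servconf.h
@@ -11,7 +11,7 @@
  * called by a name other than "ssh" or "Secure Shell".
  */
 
-/* RCSID("$OpenBSD: servconf.h,v 1.51 2001/12/19 07:18:56 deraadt Exp $"); */
+/* RCSID("$OpenBSD: servconf.h,v 1.52 2002/01/27 14:57:46 stevesk Exp $"); */
 
 #ifndef SERVCONF_H
 #define SERVCONF_H
@@ -55,6 +55,7 @@ typedef struct {
  int x11_forwarding; /* If true, permit inet (spoofing) X11 fwd. */
  int x11_display_offset; /* What DISPLAY number to start
  * searching at */
+ int x11_use_localhost; /* If true, use localhost for fake X11 server. */
  char *xauth_location; /* Location of xauth program */
  int strict_modes; /* If true, require string home dir modes. */
  int keepalives; /* If true, set SO_KEEPALIVE. */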
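--- a/session.c
+++ b/session.c
@@ -33,7 +33,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.118 2002/01/26 16:44:22 stevesk Exp $");
+RCSID("$OpenBSD: session.c,v 1.119 2002/01/27 14:57:46 stevesk Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -2021,7 +2021,7 @@ session_setup_x11fwd(Session *s)
  return 0;
  }
  s->display_number = x11_create_display_inet(options.x11_display_offset,
- options.gateway_ports, s->single_connection);
+ options.x11_use_localhost, s->single_connection);
  if (s->display_number == -1) {
  debug("x11_create_display_inet failed.");
  return 0;
@@ -2035,7 +2035,7 @@ session_setup_x11fwd(Session *s)
  * authorization entry is added with xauth(1). This will be
  * different than the DISPLAY string for localhost displays.
  */
- if (!options.gateway_ports) {
+ if (options.x11_use_localhost) {
  snprintf(display, sizeof display, "localhost:%d.%d",
  s->display_number, s->screen);
  snprintf(auth_display, sizeof auth_display, "unix:%d.%d",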
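Review bot: Nothing in the visible part of session_setup_x11fwd records which address the X11 listener ends up on, so an operator reading the logs cannot tell whether a session's fake display was bound to loopback or to the wildcard address. That matters more after this change, because the choice no longer follows GatewayPorts: a server previously run with GatewayPorts enabled silently moves to loopback unless X11UseLocalhost is set to no. A single line after the successful x11_create_display_inet call would make the mode auditable, for example `debug("X11 forwarding listener bound to %s", options.x11_use_localhost ? "loopback" : "wildcard");`. The function body starts before and continues after both hunks, so an existing message elsewhere in it may already cover this.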
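--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.163 2002/01/18 20:46:34 stevesk Exp $
+.\" $OpenBSD: sshd.8,v 1.164 2002/01/27 14:57:46 stevesk Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -858,6 +858,31 @@ way, as users can always install their own forwarders.
 X11 forwarding is automatically disabled if
 .Cm UseLogin
 is enabled.
+.It Cm X11UseLocalhost
+Specifies whether
+.Nm
+should bind the X11 forwarding server to the loopback address or to
+the wildcard address. By default,
+.Nm
+binds the forwarding server to the loopback address and sets the
+hostname part of the
+.Ev DISPLAY
+environment variable to
+.Dq localhost .
+This prevents remote hosts from connecting to the fake display.
+However, some older X11 clients may not function with this
+configuration.
+.Cm X11UseLocalhost
+may be set to
+.Dq no
+to specify that the forwarding server should be bound to the wildcard
+address.
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq yes .
 .It Cm XAuthLocation
 Specifies the location of the
 .Xr xauth 1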
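--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.44 2002/01/16 17:40:23 stevesk Exp $
+# $OpenBSD: sshd_config,v 1.45 2002/01/27 14:57:46 stevesk Exp $
 
 # This is the sshd server system-wide configuration file. See sshd(8)
 # for more information.
@@ -77,6 +77,7 @@
 
 #X11Forwarding no
 #X11DisplayOffset 10
+#X11UseLocalhost yes
 #PrintMotd yes
 #PrintLastLog yes
 #KeepAlive yes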