8 files changed, 66 insertions, 20 deletions

diff --git a/ChangeLog b/ChangeLog
index b0f82de2f..d86960e31 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -74,6 +74,13 @@
      servers with trusted keys that accept authentication silently and
      automatically before presenting fake password/passphrase prompts;
      "nice!" markus@
+   - djm@cvs.openbsd.org 2010/06/25 23:10:30
+     [ssh.c]
+     log the hostname and address that we connected to at LogLevel=verbose
+     after authentication is successful to mitigate "phishing" attacks by
+     servers with trusted keys that accept authentication silently and
+     automatically before presenting fake password/passphrase prompts;
+     "nice!" markus@
 
 20100622
  - (djm) [loginrec.c] crank LINFO_NAMESIZE (username length) to 512
diff --git a/clientloop.c b/clientloop.c
index 76de37213..5608bcc2e 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.220 2010/04/10 02:08:44 djm Exp $ */
+/* $OpenBSD: clientloop.c,v 1.221 2010/06/25 23:15:36 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -155,11 +155,12 @@ static int stdin_eof;		/* EOF has been encountered on stderr. */
 static Buffer stdin_buffer;     /* Buffer for stdin data. */
 static Buffer stdout_buffer;    /* Buffer for stdout data. */
 static Buffer stderr_buffer;    /* Buffer for stderr data. */
-static u_int buffer_high;/* Soft max buffer size. */
+static u_int buffer_high;       /* Soft max buffer size. */
 static int connection_in;       /* Connection to server (input). */
 static int connection_out;      /* Connection to server (output). */
 static int need_rekeying;       /* Set to non-zero if rekeying is requested. */
-static int session_closed = 0;  /* In SSH2: login session closed. */
+static int session_closed;      /* In SSH2: login session closed. */
+static int x11_refuse_time;     /* If >0, refuse x11 opens after this time. */
 
 static void client_init_dispatch(void);
 int     session_ident = -1;
@@ -254,7 +255,7 @@ get_current_time(void)
 #define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
 void
 client_x11_get_proto(const char *display, const char *xauth_path,
-    u_int trusted, char **_proto, char **_data)
+    u_int trusted, u_int timeout, char **_proto, char **_data)
 {
         char cmd[1024];
         char line[512];
@@ -264,6 +265,7 @@ client_x11_get_proto(const char *display, const char *xauth_path,
         int got_data = 0, generated = 0, do_unlink = 0, i;
         char *xauthdir, *xauthfile;
         struct stat st;
+        u_int now;
 
         xauthdir = xauthfile = NULL;
         *_proto = proto;
@@ -299,11 +301,18 @@ client_x11_get_proto(const char *display, const char *xauth_path,
                                     xauthdir);
                                 snprintf(cmd, sizeof(cmd),
                                     "%s -f %s generate %s " SSH_X11_PROTO
-                                    " untrusted timeout 1200 2>" _PATH_DEVNULL,
-                                    xauth_path, xauthfile, display);
+                                    " untrusted timeout %u 2>" _PATH_DEVNULL,
+                                    xauth_path, xauthfile, display, timeout);
                                 debug2("x11_get_proto: %s", cmd);
                                 if (system(cmd) == 0)
                                         generated = 1;
+                                if (x11_refuse_time == 0) {
+                                        now = time(NULL) + 1;
+                                        if (UINT_MAX - timeout < now)
+                                                x11_refuse_time = UINT_MAX;
+                                        else
+                                                x11_refuse_time = now + timeout;
+                                }
                         }
                 }
 
@@ -1686,6 +1695,11 @@ client_request_x11(const char *request_type, int rchan)
                     "malicious server.");
                 return NULL;
         }
+        if (x11_refuse_time != 0 && time(NULL) >= x11_refuse_time) {
+                verbose("Rejected X11 connection after ForwardX11Timeout "
+                    "expired");
+                return NULL;
+        }
         originator = packet_get_string(NULL);
         if (datafellows & SSH_BUG_X11FWD) {
                 debug2("buggy server: x11 request w/o originator_port");
diff --git a/clientloop.h b/clientloop.h
index a5bc246a3..52115db6e 100644
--- a/clientloop.h
+++ b/clientloop.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.h,v 1.24 2010/05/16 12:55:51 markus Exp $ */
+/* $OpenBSD: clientloop.h,v 1.25 2010/06/25 23:15:36 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -39,7 +39,7 @@
 
 /* Client side main loop for the interactive session. */
 int      client_loop(int, int, int);
-void     client_x11_get_proto(const char *, const char *, u_int,
+void     client_x11_get_proto(const char *, const char *, u_int, u_int,
             char **, char **);
 void     client_global_request_reply_fwd(int, u_int32_t, void *);
 void     client_session2_setup(int, int, int, const char *, struct termios *,
diff --git a/mux.c b/mux.c
index fdf0385e0..5c3857ee8 100644
--- a/mux.c
+++ b/mux.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mux.c,v 1.20 2010/06/25 07:14:46 djm Exp $ */
+/* $OpenBSD: mux.c,v 1.21 2010/06/25 23:15:36 djm Exp $ */
 /*
  * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org>
  *
@@ -1107,11 +1107,14 @@ mux_session_confirm(int id, int success, void *arg)
         display = getenv("DISPLAY");
         if (cctx->want_x_fwd && options.forward_x11 && display != NULL) {
                 char *proto, *data;
+
                 /* Get reasonable local authentication information. */
                 client_x11_get_proto(display, options.xauth_location,
-                    options.forward_x11_trusted, &proto, &data);
+                    options.forward_x11_trusted, options.forward_x11_timeout,
+                    &proto, &data);
                 /* Request forwarding with authentication spoofing. */
-                debug("Requesting X11 forwarding with authentication spoofing.");
+                debug("Requesting X11 forwarding with authentication "
+                    "spoofing.");
                 x11_request_forwarding_with_spoofing(id, display, proto, data);
                 /* XXX wait for reply */
         }
diff --git a/readconf.c b/readconf.c
index aae9cef4b..da48ae7da 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.185 2010/06/25 07:14:46 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.186 2010/06/25 23:15:36 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -110,8 +110,8 @@
 
 typedef enum {
         oBadOption,
-        oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
-        oExitOnForwardFailure,
+        oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout,
+        oGatewayPorts, oExitOnForwardFailure,
         oPasswordAuthentication, oRSAAuthentication,
         oChallengeResponseAuthentication, oXAuthLocation,
         oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
@@ -143,6 +143,7 @@ static struct {
         { "forwardagent", oForwardAgent },
         { "forwardx11", oForwardX11 },
         { "forwardx11trusted", oForwardX11Trusted },
+        { "forwardx11timeout", oForwardX11Timeout },
         { "exitonforwardfailure", oExitOnForwardFailure },
         { "xauthlocation", oXAuthLocation },
         { "gatewayports", oGatewayPorts },
@@ -414,6 +415,10 @@ parse_flag:
         case oForwardX11Trusted:
                 intptr = &options->forward_x11_trusted;
                 goto parse_flag;
+        
+        case oForwardX11Timeout:
+                intptr = &options->forward_x11_timeout;
+                goto parse_time;
 
         case oGatewayPorts:
                 intptr = &options->gateway_ports;
@@ -1018,6 +1023,7 @@ initialize_options(Options * options)
         options->forward_agent = -1;
         options->forward_x11 = -1;
         options->forward_x11_trusted = -1;
+        options->forward_x11_timeout = -1;
         options->exit_on_forward_failure = -1;
         options->xauth_location = NULL;
         options->gateway_ports = -1;
@@ -1104,6 +1110,8 @@ fill_default_options(Options * options)
                 options->forward_x11 = 0;
         if (options->forward_x11_trusted == -1)
                 options->forward_x11_trusted = 0;
+        if (options->forward_x11_timeout == -1)
+                options->forward_x11_timeout = 1200;
         if (options->exit_on_forward_failure == -1)
                 options->exit_on_forward_failure = 0;
         if (options->xauth_location == NULL)
diff --git a/readconf.h b/readconf.h
index 3c8eae9d2..66acafdef 100644
--- a/readconf.h
+++ b/readconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.84 2010/06/25 07:14:46 djm Exp $ */
+/* $OpenBSD: readconf.h,v 1.85 2010/06/25 23:15:36 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -32,6 +32,7 @@ typedef struct {
 typedef struct {
         int     forward_agent;  /* Forward authentication agent. */
         int     forward_x11;    /* Forward X11 display. */
+        int     forward_x11_timeout;    /* Expiration for Cookies */
         int     forward_x11_trusted;    /* Trust Forward X11 display. */
         int     exit_on_forward_failure;        /* Exit if bind(2) fails for -L/-R */
         char   *xauth_location; /* Location for xauth program */
diff --git a/ssh.c b/ssh.c
index 6537ad9a2..d8f0b214f 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.339 2010/06/25 23:10:30 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.340 2010/06/25 23:15:36 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1103,7 +1103,9 @@ ssh_session(void)
                 char *proto, *data;
                 /* Get reasonable local authentication information. */
                 client_x11_get_proto(display, options.xauth_location,
-                    options.forward_x11_trusted, &proto, &data);
+                    options.forward_x11_trusted, 
+                    options.forward_x11_timeout,
+                    &proto, &data);
                 /* Request forwarding with authentication spoofing. */
                 debug("Requesting X11 forwarding with authentication "
                     "spoofing.");
@@ -1199,7 +1201,8 @@ ssh_session2_setup(int id, int success, void *arg)
                 char *proto, *data;
                 /* Get reasonable local authentication information. */
                 client_x11_get_proto(display, options.xauth_location,
-                    options.forward_x11_trusted, &proto, &data);
+                    options.forward_x11_trusted,
+                    options.forward_x11_timeout, &proto, &data);
                 /* Request forwarding with authentication spoofing. */
                 debug("Requesting X11 forwarding with authentication "
                     "spoofing.");
diff --git a/ssh_config.5 b/ssh_config.5
index 2df948e62..6968a4488 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.133 2010/04/16 06:45:01 jmc Exp $
-.Dd $Mdocdate: April 16 2010 $
+.\" $OpenBSD: ssh_config.5,v 1.134 2010/06/25 23:15:36 djm Exp $
+.Dd $Mdocdate: June 25 2010 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -432,6 +432,16 @@ An attacker may then be able to perform activities such as keystroke monitoring
 if the
 .Cm ForwardX11Trusted
 option is also enabled.
+.It Cm ForwardX11Timeout
+Specify a timeout for untrusted X11 forwarding using the format described in
+.Sx TIME FORMATS
+section of
+.Xr sshd_config 5 .
+X11 connections received by
+.Xr ssh 1
+after this time will be refused.
+The default is to disable untrusted X11 forwarding after twenty minutes has
+elapsed.
 .It Cm ForwardX11Trusted
 If this option is set to
 .Dq yes ,