- djm@cvs.openbsd.org 2010/06/25 23:10:30

[ssh.c]
     log the hostname and address that we connected to at LogLevel=verbose
     after authentication is successful to mitigate "phishing" attacks by
     servers with trusted keys that accept authentication silently and
     automatically before presenting fake password/passphrase prompts;
     "nice!" markus@
This commit is contained in:
Damien Miller 2010-06-26 10:02:24 +10:00
parent 383ffe6c5f
commit 1ab6a51f9b
8 changed files with 66 additions and 20 deletions

View File

@ -74,6 +74,13 @@
servers with trusted keys that accept authentication silently and servers with trusted keys that accept authentication silently and
automatically before presenting fake password/passphrase prompts; automatically before presenting fake password/passphrase prompts;
"nice!" markus@ "nice!" markus@
- djm@cvs.openbsd.org 2010/06/25 23:10:30
[ssh.c]
log the hostname and address that we connected to at LogLevel=verbose
after authentication is successful to mitigate "phishing" attacks by
servers with trusted keys that accept authentication silently and
automatically before presenting fake password/passphrase prompts;
"nice!" markus@
20100622 20100622
- (djm) [loginrec.c] crank LINFO_NAMESIZE (username length) to 512 - (djm) [loginrec.c] crank LINFO_NAMESIZE (username length) to 512

View File

@ -1,4 +1,4 @@
/* $OpenBSD: clientloop.c,v 1.220 2010/04/10 02:08:44 djm Exp $ */ /* $OpenBSD: clientloop.c,v 1.221 2010/06/25 23:15:36 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -155,11 +155,12 @@ static int stdin_eof; /* EOF has been encountered on stderr. */
static Buffer stdin_buffer; /* Buffer for stdin data. */ static Buffer stdin_buffer; /* Buffer for stdin data. */
static Buffer stdout_buffer; /* Buffer for stdout data. */ static Buffer stdout_buffer; /* Buffer for stdout data. */
static Buffer stderr_buffer; /* Buffer for stderr data. */ static Buffer stderr_buffer; /* Buffer for stderr data. */
static u_int buffer_high;/* Soft max buffer size. */ static u_int buffer_high; /* Soft max buffer size. */
static int connection_in; /* Connection to server (input). */ static int connection_in; /* Connection to server (input). */
static int connection_out; /* Connection to server (output). */ static int connection_out; /* Connection to server (output). */
static int need_rekeying; /* Set to non-zero if rekeying is requested. */ static int need_rekeying; /* Set to non-zero if rekeying is requested. */
static int session_closed = 0; /* In SSH2: login session closed. */ static int session_closed; /* In SSH2: login session closed. */
static int x11_refuse_time; /* If >0, refuse x11 opens after this time. */
static void client_init_dispatch(void); static void client_init_dispatch(void);
int session_ident = -1; int session_ident = -1;
@ -254,7 +255,7 @@ get_current_time(void)
#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1" #define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
void void
client_x11_get_proto(const char *display, const char *xauth_path, client_x11_get_proto(const char *display, const char *xauth_path,
u_int trusted, char **_proto, char **_data) u_int trusted, u_int timeout, char **_proto, char **_data)
{ {
char cmd[1024]; char cmd[1024];
char line[512]; char line[512];
@ -264,6 +265,7 @@ client_x11_get_proto(const char *display, const char *xauth_path,
int got_data = 0, generated = 0, do_unlink = 0, i; int got_data = 0, generated = 0, do_unlink = 0, i;
char *xauthdir, *xauthfile; char *xauthdir, *xauthfile;
struct stat st; struct stat st;
u_int now;
xauthdir = xauthfile = NULL; xauthdir = xauthfile = NULL;
*_proto = proto; *_proto = proto;
@ -299,11 +301,18 @@ client_x11_get_proto(const char *display, const char *xauth_path,
xauthdir); xauthdir);
snprintf(cmd, sizeof(cmd), snprintf(cmd, sizeof(cmd),
"%s -f %s generate %s " SSH_X11_PROTO "%s -f %s generate %s " SSH_X11_PROTO
" untrusted timeout 1200 2>" _PATH_DEVNULL, " untrusted timeout %u 2>" _PATH_DEVNULL,
xauth_path, xauthfile, display); xauth_path, xauthfile, display, timeout);
debug2("x11_get_proto: %s", cmd); debug2("x11_get_proto: %s", cmd);
if (system(cmd) == 0) if (system(cmd) == 0)
generated = 1; generated = 1;
if (x11_refuse_time == 0) {
now = time(NULL) + 1;
if (UINT_MAX - timeout < now)
x11_refuse_time = UINT_MAX;
else
x11_refuse_time = now + timeout;
}
} }
} }
@ -1686,6 +1695,11 @@ client_request_x11(const char *request_type, int rchan)
"malicious server."); "malicious server.");
return NULL; return NULL;
} }
if (x11_refuse_time != 0 && time(NULL) >= x11_refuse_time) {
verbose("Rejected X11 connection after ForwardX11Timeout "
"expired");
return NULL;
}
originator = packet_get_string(NULL); originator = packet_get_string(NULL);
if (datafellows & SSH_BUG_X11FWD) { if (datafellows & SSH_BUG_X11FWD) {
debug2("buggy server: x11 request w/o originator_port"); debug2("buggy server: x11 request w/o originator_port");

View File

@ -1,4 +1,4 @@
/* $OpenBSD: clientloop.h,v 1.24 2010/05/16 12:55:51 markus Exp $ */ /* $OpenBSD: clientloop.h,v 1.25 2010/06/25 23:15:36 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -39,7 +39,7 @@
/* Client side main loop for the interactive session. */ /* Client side main loop for the interactive session. */
int client_loop(int, int, int); int client_loop(int, int, int);
void client_x11_get_proto(const char *, const char *, u_int, void client_x11_get_proto(const char *, const char *, u_int, u_int,
char **, char **); char **, char **);
void client_global_request_reply_fwd(int, u_int32_t, void *); void client_global_request_reply_fwd(int, u_int32_t, void *);
void client_session2_setup(int, int, int, const char *, struct termios *, void client_session2_setup(int, int, int, const char *, struct termios *,

9
mux.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: mux.c,v 1.20 2010/06/25 07:14:46 djm Exp $ */ /* $OpenBSD: mux.c,v 1.21 2010/06/25 23:15:36 djm Exp $ */
/* /*
* Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org> * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org>
* *
@ -1107,11 +1107,14 @@ mux_session_confirm(int id, int success, void *arg)
display = getenv("DISPLAY"); display = getenv("DISPLAY");
if (cctx->want_x_fwd && options.forward_x11 && display != NULL) { if (cctx->want_x_fwd && options.forward_x11 && display != NULL) {
char *proto, *data; char *proto, *data;
/* Get reasonable local authentication information. */ /* Get reasonable local authentication information. */
client_x11_get_proto(display, options.xauth_location, client_x11_get_proto(display, options.xauth_location,
options.forward_x11_trusted, &proto, &data); options.forward_x11_trusted, options.forward_x11_timeout,
&proto, &data);
/* Request forwarding with authentication spoofing. */ /* Request forwarding with authentication spoofing. */
debug("Requesting X11 forwarding with authentication spoofing."); debug("Requesting X11 forwarding with authentication "
"spoofing.");
x11_request_forwarding_with_spoofing(id, display, proto, data); x11_request_forwarding_with_spoofing(id, display, proto, data);
/* XXX wait for reply */ /* XXX wait for reply */
} }

View File

@ -1,4 +1,4 @@
/* $OpenBSD: readconf.c,v 1.185 2010/06/25 07:14:46 djm Exp $ */ /* $OpenBSD: readconf.c,v 1.186 2010/06/25 23:15:36 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -110,8 +110,8 @@
typedef enum { typedef enum {
oBadOption, oBadOption,
oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts, oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout,
oExitOnForwardFailure, oGatewayPorts, oExitOnForwardFailure,
oPasswordAuthentication, oRSAAuthentication, oPasswordAuthentication, oRSAAuthentication,
oChallengeResponseAuthentication, oXAuthLocation, oChallengeResponseAuthentication, oXAuthLocation,
oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward, oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
@ -143,6 +143,7 @@ static struct {
{ "forwardagent", oForwardAgent }, { "forwardagent", oForwardAgent },
{ "forwardx11", oForwardX11 }, { "forwardx11", oForwardX11 },
{ "forwardx11trusted", oForwardX11Trusted }, { "forwardx11trusted", oForwardX11Trusted },
{ "forwardx11timeout", oForwardX11Timeout },
{ "exitonforwardfailure", oExitOnForwardFailure }, { "exitonforwardfailure", oExitOnForwardFailure },
{ "xauthlocation", oXAuthLocation }, { "xauthlocation", oXAuthLocation },
{ "gatewayports", oGatewayPorts }, { "gatewayports", oGatewayPorts },
@ -415,6 +416,10 @@ parse_flag:
intptr = &options->forward_x11_trusted; intptr = &options->forward_x11_trusted;
goto parse_flag; goto parse_flag;
case oForwardX11Timeout:
intptr = &options->forward_x11_timeout;
goto parse_time;
case oGatewayPorts: case oGatewayPorts:
intptr = &options->gateway_ports; intptr = &options->gateway_ports;
goto parse_flag; goto parse_flag;
@ -1018,6 +1023,7 @@ initialize_options(Options * options)
options->forward_agent = -1; options->forward_agent = -1;
options->forward_x11 = -1; options->forward_x11 = -1;
options->forward_x11_trusted = -1; options->forward_x11_trusted = -1;
options->forward_x11_timeout = -1;
options->exit_on_forward_failure = -1; options->exit_on_forward_failure = -1;
options->xauth_location = NULL; options->xauth_location = NULL;
options->gateway_ports = -1; options->gateway_ports = -1;
@ -1104,6 +1110,8 @@ fill_default_options(Options * options)
options->forward_x11 = 0; options->forward_x11 = 0;
if (options->forward_x11_trusted == -1) if (options->forward_x11_trusted == -1)
options->forward_x11_trusted = 0; options->forward_x11_trusted = 0;
if (options->forward_x11_timeout == -1)
options->forward_x11_timeout = 1200;
if (options->exit_on_forward_failure == -1) if (options->exit_on_forward_failure == -1)
options->exit_on_forward_failure = 0; options->exit_on_forward_failure = 0;
if (options->xauth_location == NULL) if (options->xauth_location == NULL)

View File

@ -1,4 +1,4 @@
/* $OpenBSD: readconf.h,v 1.84 2010/06/25 07:14:46 djm Exp $ */ /* $OpenBSD: readconf.h,v 1.85 2010/06/25 23:15:36 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -32,6 +32,7 @@ typedef struct {
typedef struct { typedef struct {
int forward_agent; /* Forward authentication agent. */ int forward_agent; /* Forward authentication agent. */
int forward_x11; /* Forward X11 display. */ int forward_x11; /* Forward X11 display. */
int forward_x11_timeout; /* Expiration for Cookies */
int forward_x11_trusted; /* Trust Forward X11 display. */ int forward_x11_trusted; /* Trust Forward X11 display. */
int exit_on_forward_failure; /* Exit if bind(2) fails for -L/-R */ int exit_on_forward_failure; /* Exit if bind(2) fails for -L/-R */
char *xauth_location; /* Location for xauth program */ char *xauth_location; /* Location for xauth program */

9
ssh.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh.c,v 1.339 2010/06/25 23:10:30 djm Exp $ */ /* $OpenBSD: ssh.c,v 1.340 2010/06/25 23:15:36 djm Exp $ */
/* /*
* Author: Tatu Ylonen <ylo@cs.hut.fi> * Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -1103,7 +1103,9 @@ ssh_session(void)
char *proto, *data; char *proto, *data;
/* Get reasonable local authentication information. */ /* Get reasonable local authentication information. */
client_x11_get_proto(display, options.xauth_location, client_x11_get_proto(display, options.xauth_location,
options.forward_x11_trusted, &proto, &data); options.forward_x11_trusted,
options.forward_x11_timeout,
&proto, &data);
/* Request forwarding with authentication spoofing. */ /* Request forwarding with authentication spoofing. */
debug("Requesting X11 forwarding with authentication " debug("Requesting X11 forwarding with authentication "
"spoofing."); "spoofing.");
@ -1199,7 +1201,8 @@ ssh_session2_setup(int id, int success, void *arg)
char *proto, *data; char *proto, *data;
/* Get reasonable local authentication information. */ /* Get reasonable local authentication information. */
client_x11_get_proto(display, options.xauth_location, client_x11_get_proto(display, options.xauth_location,
options.forward_x11_trusted, &proto, &data); options.forward_x11_trusted,
options.forward_x11_timeout, &proto, &data);
/* Request forwarding with authentication spoofing. */ /* Request forwarding with authentication spoofing. */
debug("Requesting X11 forwarding with authentication " debug("Requesting X11 forwarding with authentication "
"spoofing."); "spoofing.");

View File

@ -34,8 +34,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" $OpenBSD: ssh_config.5,v 1.133 2010/04/16 06:45:01 jmc Exp $ .\" $OpenBSD: ssh_config.5,v 1.134 2010/06/25 23:15:36 djm Exp $
.Dd $Mdocdate: April 16 2010 $ .Dd $Mdocdate: June 25 2010 $
.Dt SSH_CONFIG 5 .Dt SSH_CONFIG 5
.Os .Os
.Sh NAME .Sh NAME
@ -432,6 +432,16 @@ An attacker may then be able to perform activities such as keystroke monitoring
if the if the
.Cm ForwardX11Trusted .Cm ForwardX11Trusted
option is also enabled. option is also enabled.
.It Cm ForwardX11Timeout
Specify a timeout for untrusted X11 forwarding using the format described in
.Sx TIME FORMATS
section of
.Xr sshd_config 5 .
X11 connections received by
.Xr ssh 1
after this time will be refused.
The default is to disable untrusted X11 forwarding after twenty minutes has
elapsed.
.It Cm ForwardX11Trusted .It Cm ForwardX11Trusted
If this option is set to If this option is set to
.Dq yes , .Dq yes ,