- stevesk@cvs.openbsd.org 2002/01/27 14:57:46

[channels.c servconf.c servconf.h session.c sshd.8 sshd_config] add X11UseLocalhost; ok markus@
2002-02-05 12:11:34 +11:00 · 2002-02-05 12:11:34 +11:00 · 95c249ff47
parent 512bccbb5a
commit 95c249ff47
7 changed files with 50 additions and 12 deletions
--- a/5
+++ b/5
@ -22,6 +22,9 @@
     revert code to add x11 localhost display authorization entry for
     hostname/unix:d and uts.nodename/unix:d if nodename was different than
     hostname.  just add entry for unix:d instead.  ok markus@
+   - stevesk@cvs.openbsd.org 2002/01/27 14:57:46
+     [channels.c servconf.c servconf.h session.c sshd.8 sshd_config]
+     add X11UseLocalhost; ok markus@

 20020130
 - (djm) Delay PRNG seeding until we need it in ssh-keygen, from markus@
@ -7424,4 +7427,4 @@
 - Wrote replacements for strlcpy and mkdtemp
 - Released 1.0pre1

-$Id: ChangeLog,v 1.1804 2002/02/05 01:11:02 djm Exp $
+$Id: ChangeLog,v 1.1805 2002/02/05 01:11:34 djm Exp $
--- a/channels.c
+++ b/channels.c
@ -39,7 +39,7 @@
 */

 #include "includes.h"
-RCSID("$OpenBSD: channels.c,v 1.162 2002/01/24 21:09:25 stevesk Exp $");
+RCSID("$OpenBSD: channels.c,v 1.163 2002/01/27 14:57:46 stevesk Exp $");

 #include "ssh.h"
 #include "ssh1.h"
@ -2379,7 +2379,7 @@ channel_connect_to(const char *host, u_short port)
 * an error occurs.
 */
 int
-x11_create_display_inet(int x11_display_offset, int gateway_ports,
+x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
    int single_connection)
 {
 	Channel *nc = NULL;
@ -2395,7 +2395,7 @@ x11_create_display_inet(int x11_display_offset, int gateway_ports,
 		port = 6000 + display_number;
 		memset(&hints, 0, sizeof(hints));
 		hints.ai_family = IPv4or6;
-		hints.ai_flags = gateway_ports ? AI_PASSIVE : 0;
+		hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;
 		hints.ai_socktype = SOCK_STREAM;
 		snprintf(strport, sizeof strport, "%d", port);
 		if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) {
--- a/servconf.c
+++ b/servconf.c
@ -10,7 +10,7 @@
 */

 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.98 2002/01/22 02:52:41 stevesk Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.99 2002/01/27 14:57:46 stevesk Exp $");

 #if defined(KRB4) || defined(KRB5)
 #include <krb.h>
@ -63,6 +63,7 @@ initialize_server_options(ServerOptions *options)
 	options->print_lastlog = -1;
 	options->x11_forwarding = -1;
 	options->x11_display_offset = -1;
+	options->x11_use_localhost = -1;
 	options->xauth_location = NULL;
 	options->strict_modes = -1;
 	options->keepalives = -1;
@ -159,6 +160,8 @@ fill_default_server_options(ServerOptions *options)
 		options->x11_forwarding = 0;
 	if (options->x11_display_offset == -1)
 		options->x11_display_offset = 10;
+	if (options->x11_use_localhost == -1)
+		options->x11_use_localhost = 1;
 	if (options->xauth_location == NULL)
 		options->xauth_location = _PATH_XAUTH;
 	if (options->strict_modes == -1)
@ -255,7 +258,7 @@ typedef enum {
 	sChallengeResponseAuthentication,
 	sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
-	sX11Forwarding, sX11DisplayOffset,
+	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
 	sStrictModes, sEmptyPasswd, sKeepAlives,
 	sUseLogin, sAllowTcpForwarding,
 	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
@ -315,6 +318,7 @@ static struct {
 	{ "ignoreuserknownhosts", sIgnoreUserKnownHosts },
 	{ "x11forwarding", sX11Forwarding },
 	{ "x11displayoffset", sX11DisplayOffset },
+	{ "x11uselocalhost", sX11UseLocalhost },
 	{ "xauthlocation", sXAuthLocation },
 	{ "strictmodes", sStrictModes },
 	{ "permitemptypasswords", sEmptyPasswd },
@ -655,6 +659,10 @@ parse_flag:
 		intptr = &options->x11_display_offset;
 		goto parse_int;

+	case sX11UseLocalhost:
+		intptr = &options->x11_use_localhost;
+		goto parse_flag;
+
 	case sXAuthLocation:
 		charptr = &options->xauth_location;
 		goto parse_filename;
--- a/servconf.h
+++ b/servconf.h
@ -11,7 +11,7 @@
 * called by a name other than "ssh" or "Secure Shell".
 */

-/* RCSID("$OpenBSD: servconf.h,v 1.51 2001/12/19 07:18:56 deraadt Exp $"); */
+/* RCSID("$OpenBSD: servconf.h,v 1.52 2002/01/27 14:57:46 stevesk Exp $"); */

 #ifndef SERVCONF_H
 #define SERVCONF_H
@ -55,6 +55,7 @@ typedef struct {
 	int     x11_forwarding;	/* If true, permit inet (spoofing) X11 fwd. */
 	int     x11_display_offset;	/* What DISPLAY number to start
 					 * searching at */
+	int     x11_use_localhost;	/* If true, use localhost for fake X11 server. */
 	char   *xauth_location;	/* Location of xauth program */
 	int     strict_modes;	/* If true, require string home dir modes. */
 	int     keepalives;	/* If true, set SO_KEEPALIVE. */
--- a/session.c
+++ b/session.c
@ -33,7 +33,7 @@
 */

 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.118 2002/01/26 16:44:22 stevesk Exp $");
+RCSID("$OpenBSD: session.c,v 1.119 2002/01/27 14:57:46 stevesk Exp $");

 #include "ssh.h"
 #include "ssh1.h"
@ -2021,7 +2021,7 @@ session_setup_x11fwd(Session *s)
 		return 0;
 	}
 	s->display_number = x11_create_display_inet(options.x11_display_offset,
-	    options.gateway_ports, s->single_connection);
+	    options.x11_use_localhost, s->single_connection);
 	if (s->display_number == -1) {
 		debug("x11_create_display_inet failed.");
 		return 0;
@ -2035,7 +2035,7 @@ session_setup_x11fwd(Session *s)
 	 * authorization entry is added with xauth(1).  This will be
 	 * different than the DISPLAY string for localhost displays.
 	 */
-	if (!options.gateway_ports) {
+	if (options.x11_use_localhost) {
 		snprintf(display, sizeof display, "localhost:%d.%d",
 		    s->display_number, s->screen);
 		snprintf(auth_display, sizeof auth_display, "unix:%d.%d",
--- a/sshd.8
+++ b/sshd.8
@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.163 2002/01/18 20:46:34 stevesk Exp $
+.\" $OpenBSD: sshd.8,v 1.164 2002/01/27 14:57:46 stevesk Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@ -858,6 +858,31 @@ way, as users can always install their own forwarders.
 X11 forwarding is automatically disabled if
 .Cm UseLogin
 is enabled.
+.It Cm X11UseLocalhost
+Specifies whether
+.Nm
+should bind the X11 forwarding server to the loopback address or to
+the wildcard address.  By default,
+.Nm
+binds the forwarding server to the loopback address and sets the
+hostname part of the
+.Ev DISPLAY
+environment variable to
+.Dq localhost .
+This prevents remote hosts from connecting to the fake display.
+However, some older X11 clients may not function with this
+configuration.
+.Cm X11UseLocalhost
+may be set to
+.Dq no
+to specify that the forwarding server should be bound to the wildcard
+address.
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq yes .
 .It Cm XAuthLocation
 Specifies the location of the
 .Xr xauth 1
--- a/3
+++ b/3
@ -1,4 +1,4 @@
-#	$OpenBSD: sshd_config,v 1.44 2002/01/16 17:40:23 stevesk Exp $
+#	$OpenBSD: sshd_config,v 1.45 2002/01/27 14:57:46 stevesk Exp $

 # This is the sshd server system-wide configuration file.  See sshd(8)
 # for more information.
@ -77,6 +77,7 @@

 #X11Forwarding no
 #X11DisplayOffset 10
+#X11UseLocalhost yes
 #PrintMotd yes
 #PrintLastLog yes
 #KeepAlive yes