upstream: Allow ssh_config ForwardX11Timeout=0 to disable the
timeout and allow X11 connections in untrusted mode indefinitely. ok dtucker@ OpenBSD-Commit-ID: ea1ceed3f540b48e5803f933e59a03b20db10c69
parent
cb24d9fcc9
commit
b5e412a899
43
clientloop.c
43
clientloop.c
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: clientloop.c,v 1.317 2018/07/11 18:53:29 markus Exp $ */
|
/* $OpenBSD: clientloop.c,v 1.318 2018/09/21 12:46:22 djm Exp $ */
|
||||||
/*
|
/*
|
||||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||||
|
@ -279,7 +279,7 @@ client_x11_get_proto(struct ssh *ssh, const char *display,
|
||||||
const char *xauth_path, u_int trusted, u_int timeout,
|
const char *xauth_path, u_int trusted, u_int timeout,
|
||||||
char **_proto, char **_data)
|
char **_proto, char **_data)
|
||||||
{
|
{
|
||||||
char cmd[1024], line[512], xdisplay[512];
|
char *cmd, line[512], xdisplay[512];
|
||||||
char xauthfile[PATH_MAX], xauthdir[PATH_MAX];
|
char xauthfile[PATH_MAX], xauthdir[PATH_MAX];
|
||||||
static char proto[512], data[512];
|
static char proto[512], data[512];
|
||||||
FILE *f;
|
FILE *f;
|
||||||
|
@ -343,19 +343,30 @@ client_x11_get_proto(struct ssh *ssh, const char *display,
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (timeout >= UINT_MAX - X11_TIMEOUT_SLACK)
|
if (timeout == 0) {
|
||||||
x11_timeout_real = UINT_MAX;
|
/* auth doesn't time out */
|
||||||
else
|
xasprintf(&cmd, "%s -f %s generate %s %s "
|
||||||
x11_timeout_real = timeout + X11_TIMEOUT_SLACK;
|
"untrusted 2>%s",
|
||||||
if ((r = snprintf(cmd, sizeof(cmd),
|
xauth_path, xauthfile, display,
|
||||||
"%s -f %s generate %s " SSH_X11_PROTO
|
SSH_X11_PROTO, _PATH_DEVNULL);
|
||||||
" untrusted timeout %u 2>" _PATH_DEVNULL,
|
} else {
|
||||||
xauth_path, xauthfile, display,
|
/* Add some slack to requested expiry */
|
||||||
x11_timeout_real)) < 0 ||
|
if (timeout < UINT_MAX - X11_TIMEOUT_SLACK)
|
||||||
(size_t)r >= sizeof(cmd))
|
x11_timeout_real = timeout +
|
||||||
fatal("%s: cmd too long", __func__);
|
X11_TIMEOUT_SLACK;
|
||||||
|
else {
|
||||||
|
/* Don't overflow on long timeouts */
|
||||||
|
x11_timeout_real = UINT_MAX;
|
||||||
|
}
|
||||||
|
xasprintf(&cmd, "%s -f %s generate %s %s "
|
||||||
|
"untrusted timeout %u 2>%s",
|
||||||
|
xauth_path, xauthfile, display,
|
||||||
|
SSH_X11_PROTO, x11_timeout_real,
|
||||||
|
_PATH_DEVNULL);
|
||||||
|
}
|
||||||
debug2("%s: %s", __func__, cmd);
|
debug2("%s: %s", __func__, cmd);
|
||||||
if (x11_refuse_time == 0) {
|
|
||||||
|
if (timeout != 0 && x11_refuse_time == 0) {
|
||||||
now = monotime() + 1;
|
now = monotime() + 1;
|
||||||
if (UINT_MAX - timeout < now)
|
if (UINT_MAX - timeout < now)
|
||||||
x11_refuse_time = UINT_MAX;
|
x11_refuse_time = UINT_MAX;
|
||||||
|
@ -366,6 +377,7 @@ client_x11_get_proto(struct ssh *ssh, const char *display,
|
||||||
}
|
}
|
||||||
if (system(cmd) == 0)
|
if (system(cmd) == 0)
|
||||||
generated = 1;
|
generated = 1;
|
||||||
|
free(cmd);
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -374,7 +386,7 @@ client_x11_get_proto(struct ssh *ssh, const char *display,
|
||||||
* above.
|
* above.
|
||||||
*/
|
*/
|
||||||
if (trusted || generated) {
|
if (trusted || generated) {
|
||||||
snprintf(cmd, sizeof(cmd),
|
xasprintf(&cmd,
|
||||||
"%s %s%s list %s 2>" _PATH_DEVNULL,
|
"%s %s%s list %s 2>" _PATH_DEVNULL,
|
||||||
xauth_path,
|
xauth_path,
|
||||||
generated ? "-f " : "" ,
|
generated ? "-f " : "" ,
|
||||||
|
@ -387,6 +399,7 @@ client_x11_get_proto(struct ssh *ssh, const char *display,
|
||||||
got_data = 1;
|
got_data = 1;
|
||||||
if (f)
|
if (f)
|
||||||
pclose(f);
|
pclose(f);
|
||||||
|
free(cmd);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
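Review bot: The new `timeout == 0` branch in client_x11_get_proto generates the untrusted cookie with no `timeout` clause and also skips setting `x11_refuse_time` (the `timeout != 0 &&` guard), so neither gate on the untrusted authorization ever fires; this is the intended semantics of ForwardX11Timeout=0 but the code does not say so, and a maintainer reading the first branch alone could assume the refusal check still applies. I would add, above the `/* auth doesn't time out */` line, a short comment stating that with timeout zero the X server-side authorization carries no expiry and ssh's own refusal timer is left disabled, so the only bound on use of this cookie is the connection's lifetime (and, if the X server's SECURITY extension keeps a timeout-less authorization until explicitly revoked, possibly longer than that — worth confirming). The `free(cmd)` after `system(cmd)` and after `pclose(f)` look correct for both xasprintf paths, with `cmd` only allocated on the paths that free it. The enclosing function starts before the first hunk and its display/xauth validation is outside the visible hunks.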
|
|
||||||
|
|
|
@ -33,7 +33,7 @@
|
||||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
.\"
|
.\"
|
||||||
.\" $OpenBSD: ssh_config.5,v 1.284 2018/09/21 03:11:36 djm Exp $
|
.\" $OpenBSD: ssh_config.5,v 1.285 2018/09/21 12:46:22 djm Exp $
|
||||||
.Dd $Mdocdate: September 21 2018 $
|
.Dd $Mdocdate: September 21 2018 $
|
||||||
.Dt SSH_CONFIG 5
|
.Dt SSH_CONFIG 5
|
||||||
.Os
|
.Os
|
||||||
|
@ -686,6 +686,10 @@ section of
|
||||||
X11 connections received by
|
X11 connections received by
|
||||||
.Xr ssh 1
|
.Xr ssh 1
|
||||||
after this time will be refused.
|
after this time will be refused.
|
||||||
|
Setting
|
||||||
|
.Cm ForwardX11Timeout
|
||||||
|
to zero will disable the timeout and permit X11 forwarding for the life
|
||||||
|
of the connection.
|
||||||
The default is to disable untrusted X11 forwarding after twenty minutes has
|
The default is to disable untrusted X11 forwarding after twenty minutes has
|
||||||
elapsed.
|
elapsed.
|
||||||
.It Cm ForwardX11Trusted
|
.It Cm ForwardX11Trusted
|
||||||
|
|