X11 display issues
Andy Polyakov
appro at fy.chalmers.se
Thu Feb 22 22:59:25 EST 2001
> > > oh yes, this is a problem. i will probably change the sshd-X11-proxy
> > > from internet to unix domain sockets.
> >
> > Say you run ssh against firewall in order to run X11 application on
> > computer behind the firewall. UNIX socket would kill the idea...
>
> well you can ssh from the firewall to the next machine.
well, what if it doesn't have ssh (or you want to log in with xdmcp)? yes,
i realize that it might be too odd a case to really care about, but that's the
only way to keep the design versatile.
> i don't like the idea of having the X11 socket listen to inaddr_any.
in the firewall case you don't really have a choice, as you don't know in
advance where the x11 traffic will come from. SSHSCI addresses the issue by
establishing a separate access policy with libwrap.
> > > > To make it fool-proof I suggest to set DISPLAY to the interface's
> > > > address the user has reached the system in question through.
> > >
> > > I tried this before, but it does not work since it uses AF_INET6 if
> > > i connect by
> > > $ ssh -X ::1
> >
> > Does libX11 talk IPv6 at all?
>
> no, this is the problem. your patch breaks x11-fwd if i connect
> to an ipv6 address.
actually my original idea (for ssh-1.2.2x) was to *list* interfaces, and
that's what one can do instead of relying totally on getsockname. i.e.
whenever getsockname returns IPv6, list the interfaces (with the SIOCGIFCONF
ioctl, which works even under CYGWIN:-) and pick the first non-loopback IPv4
interface for DISPLAY. and whenever libX11 starts speaking IPv6, switch
totally to getsockname. something like the following. cheers. a.
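/* and now something completely different:-) <appro at fy.chalmers.se> */
/*
 * Derive the host part of DISPLAY from the local address the client reached
 * this sshd through.  libX11 only speaks IPv4, so if that address is not
 * AF_INET, fall back to the first up, non-loopback IPv4 interface reported
 * by SIOCGIFCONF.  This is a fragment of the enclosing X11-forwarding setup
 * function: it uses its `sock`, `display`, `display_number` and
 * `screen_number`, and every failure path tears down `sock` and returns
 * NULL exactly like the surrounding code does.
 */
{
    struct sockaddr_storage me;
    socklen_t melen = sizeof(me);
    char h_name[NI_MAXHOST];

    if (getsockname(packet_get_connection_in(),
        (struct sockaddr *)&me, &melen) != 0) {
        error("[X11-broken-fwd] Unable to getsockname");
        packet_send_debug("[X11-broken-fwd] Unable to getsockname");
        shutdown(sock, SHUT_RDWR);
        close(sock);
        return NULL;
    }
#ifdef SIOCGIFCONF
    if (me.ss_family != AF_INET) {
        int s;
        struct ifconf ifc;
        char *ifreqs;
        int ifrn;

        if ((s = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
            fatal("Unable to create socket: %s\n", strerror(errno));
#ifdef SIOCGIFNUM
        /* If the kernel cannot report the interface count, use the
         * same fixed guess the non-SIOCGIFNUM build uses. */
        if (ioctl(s, SIOCGIFNUM, &ifrn) < 0 || ifrn <= 0)
            ifrn = 64;
#else
        ifrn = 64;
#endif
        ifc.ifc_len = (int)(sizeof(struct ifreq) * (size_t)ifrn);
        ifc.ifc_buf = ifreqs = xmalloc((size_t)ifc.ifc_len);
        if (ioctl(s, SIOCGIFCONF, &ifc) < 0) {
            /* Not fatal: `me` keeps its non-IPv4 family and the
             * "Unsupported protocol family" branch below reports it,
             * so a failed enumeration costs X11 forwarding, not the
             * whole session. */
            error("Unable to SIOCGIFCONF: %s", strerror(errno));
        } else {
            /*
             * NOTE(review): walks ifc_req with a fixed sizeof(struct ifreq)
             * stride.  On platforms with sa_len the entries can be
             * variable-length; this loop would need a sa_len-based stride
             * there -- confirm for the BSD targets.
             */
            struct ifreq *ifr = ifc.ifc_req;
            ifrn = (int)(ifc.ifc_len / sizeof(struct ifreq));
            for (; ifrn-- > 0; ifr++) {
                struct sockaddr_in sin;
                in_addr_t addr;

                /* SIOCGIFFLAGS overwrites the ifr_ifru union, so the
                 * address is fetched again with SIOCGIFADDR afterwards. */
                if (ioctl(s, SIOCGIFFLAGS, ifr) < 0)
                    continue;
                if (!(ifr->ifr_flags & IFF_UP))
                    continue;
#ifdef IFF_UNNUMBERED
                if (ifr->ifr_flags & IFF_UNNUMBERED)
                    continue;
#endif
                if (ioctl(s, SIOCGIFADDR, ifr) < 0)
                    continue;
                /* Copy instead of casting &ifr_addr to avoid aliasing UB. */
                memcpy(&sin, &ifr->ifr_addr, sizeof(sin));
                if (sin.sin_family != AF_INET)
                    continue;
                /* s_addr is in network byte order; INADDR_LOOPBACK is a
                 * host-order constant, so compare in host order.  Skip the
                 * whole 127/8 block, not only 127.0.0.1. */
                addr = ntohl(sin.sin_addr.s_addr);
                if (addr == INADDR_ANY || (addr >> 24) == 127)
                    continue;
                /* Replace the IPv6 address with the chosen IPv4 one and
                 * shrink melen to match, since getnameinfo() gets both. */
                memcpy(&me, &sin, sizeof(sin));
                melen = sizeof(sin);
                break;
            }
        }
        xfree(ifreqs);
        close(s);
    }
#endif
#ifndef IPADDR_IN_DISPLAY
    /*
     * The host name is the reverse-DNS name of this sshd's own local
     * address, so DISPLAY is only as trustworthy as that PTR record.
     * Building with IPADDR_IN_DISPLAY avoids the lookup entirely.
     */
    if (getnameinfo((struct sockaddr *)&me, melen,
        h_name, sizeof(h_name), NULL, 0, NI_NAMEREQD) == 0) {
        /* %.*s takes an int precision; sizeof() yields size_t. */
        snprintf(display, sizeof(display), "%.*s:%d.%d",
            (int)sizeof(h_name), h_name,
            display_number, screen_number);
    } else
#endif
    {
        struct sockaddr_in v4;

        if (me.ss_family != AF_INET) {
            error("[X11-broken-fwd] Unsupported protocol family");
            packet_send_debug("[X11-broken-fwd] Unsupported protocol family");
            shutdown(sock, SHUT_RDWR);
            close(sock);
            return NULL;
        }
        memcpy(&v4, &me, sizeof(v4));
        snprintf(display, sizeof(display), "%.50s:%d.%d",
            inet_ntoa(v4.sin_addr),
            display_number, screen_number);
    }
}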