Xauthority location: only per-user setting possible

Tue Jul 10 07:08:50 EST 2001

On Fri, 6 Jul 2001, Pekka Savola wrote:

> Hello all,
>
> $XAUTHORITY location has moved from under /tmp to ~/.Xauthority in
> 2.9p2.
>
> The commit message was:
> ---
> remove xauth-cookie-in-tmp handling. use default $XAUTHORITY, since
> we do already trust $HOME/.ssh
> you can use .ssh/sshrc and .ssh/environment if you want to customize
> the location of the xauth cookies
> ---
>
> [...]
>
> To provide xauthority in /tmp for _everyone_, everyone has to pick
> one $XAUTHORITY location and put it in .ssh/environment.
>
> This does not seem too scalable.

Yes, this is a problem.

In a nutshell, removing the xauth-cookie-in-tmp handling makes it so
that there is no way to securely change the location of the Xauthority
file to a subdirectory of /tmp (or any other globally-shared temporary
directory).

You can define XAUTHORITY in $HOME/.ssh/environment (e.g., to
/tmp/username-Xauthority), but there is no way to create the file
securely.  So, this option is unacceptable.

You can use mktemp(1) in $HOME/.ssh/rc to securely create a Xauthority
file, but there is no way to propagate the XAUTHORITY environment
variable back up to sshd.  So, this option won't work.

The quickest solution is to simply add back in the xauth-cookie-in-tmp
handling stuff, and make sure that xauthfile_cleanup_proc uses
temporarily_use_uid().  I've come up with a patch against 2.9p2 to do
exactly that, although I haven't tested it.

I think a better solution (and one more in tune with the desires of
the OpenSSH maintainers) would be to have OpenSSH capture the stdout
of $HOME/.ssh/rc and process it in exactly the same way as
$HOME/.ssh/environment.  That would permit one to construct a
$HOME/.ssh/rc like the following:

    #! /bin/sh
    read proto cookie
    [ "x${proto}x" = xx ] && exit 1
    [ "x${cookie}x" = xx ] && exit 1
    XAUTHORITY="`mktemp /tmp/username-ssh-cookie-XXXXXX`" || exit 1
    # If "echo" isn't a builtin, this exposes your cookie to ps(1)!
    echo add ${DISPLAY} ${proto} ${cookie} | xauth -q - || exit 1
    echo XAUTHORITY=${XAUTHORITY}
    exit 0

In short, let the user solve the Xauthority file problem (and any
other initialization problems he might happen to have), and
communicate the necessary environment variables back to sshd.  This
gets OpenSSH out of the business of doing things that should be
handled by the user in the first place.

Thoughts?

-- 
James Ralston, Information Technology
Software Engineering Institute
Carnegie Mellon University, Pittsburgh, PA, USA