X11 cookies and forwarding (fwd)

Ed Phillips ed at UDel.Edu
Fri Nov 16 08:27:12 EST 2001


On Thu, 15 Nov 2001, Dan Astoorian wrote:

> Date: Thu, 15 Nov 2001 16:09:20 -0500
> From: Dan Astoorian <djast at cs.toronto.edu>
> To: Ed Phillips <ed at UDel.Edu>
> Subject: Re: X11 cookies and forwarding
>
> On Thu, 15 Nov 2001 15:46:22 EST, Ed Phillips writes:
> > I guess I wasn't following the whole cookies discussion completely
> > (putting cookies in /tmp to avoid putting them on NFS, etc.), but I
> > noticed today that with 2.9.9p2, if I use "ssh -X" to start a shell on the
> > server, in that shell XAUTHORITY is set to /tmp/ssh-XXXXXXXX/cookies and
> > there are cookies placed there.
>
> Are you sure the _server_ was running 2.9.9p2?  The behaviour you're
> describing was how OpenSSH 2.5.2 worked; that behaviour was removed by
> 2.9 or 2.9.9.
>
> The cookie used to be created under /tmp (and XAUTHORITY set so that X
> applications would know where to find it), until someone decided that
> NFS-sniffing ultimately wasn't worth defending against (since if you
> can't trust the directory where you're keeping your cryptographic keys,
> then .Xauthority is among the least of your problems).

Well, I bet people would care if their private keys (auth forwarding)
were getting stored in $HOME (NFS mounted)... ;-)

> Using /tmp created other problems; e.g., there was a security problem
> when OpenSSH's daemon tried to clean up the cookie file (it did so as
> root, which made it possible for a malicious user to fool OpenSSH's sshd
> into deleting any file on the system named "cookies", via symlink
> mischief with the directory).

Actually, I'd guess that if you replaced the "cookies" file with a
symbolic link to any file on the system, you could remove that file
(depending how many checks are being done). This can be avoided, right?
Why is the solution moving the file somewhere else?  Doesn't sshd still
need to be careful about what it's removing as uid 0 (i.e., don't remove
the cookies file if it's a symbolic link, has the wrong inode number, has
the wrong contents, etc., etc.)?

> > So what's the real issue here... having ssh create a "fake" cookie and
> > that gets copied to the server side... in the user's home directory?
>
> The issue *I* was raising is "should the fake keys be moved?"  My
> suggestion was to consider using a different file from the default
> ($HOME/.Xauthority), to avoid the stale NFS handle problems I was
> talking about--but not to revert to the previous behaviour of using
> /tmp/.

Okay... now I'm following you.  I think /tmp is a good place for the
cookies... much better than $HOME... but that depends on avoiding the
problems in sshd.

	Ed

Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key
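
Added example (not part of the original message and not OpenSSH code): one way a root daemon can make the checks asked about above before removing the cookie file, refusing a directory that has become a symlink and an entry whose inode has changed. The names cookie_id, stat_pair, cookie_record and cookie_cleanup are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Identity of the directory and file, recorded when the daemon created them. */
struct cookie_id { dev_t dir_dev, file_dev; ino_t dir_ino, file_ino; };

/* Open dir without following a symlink in its last component, then stat the
 * directory and dir/name through that descriptor. Returns the fd or -1. */
static int stat_pair(const char *dir, const char *name,
                     struct stat *d, struct stat *f)
{
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0) return -1;             /* missing, or replaced by a symlink */
    if (fstat(dfd, d) != 0 ||
        fstatat(dfd, name, f, AT_SYMLINK_NOFOLLOW) != 0 || !S_ISREG(f->st_mode)) {
        close(dfd);
        return -1;                      /* entry missing or not a regular file */
    }
    return dfd;
}

/* Call right after creating dir/name. Returns 0 on success, -1 on error. */
int cookie_record(const char *dir, const char *name, struct cookie_id *id)
{
    struct stat d, f;
    int dfd = stat_pair(dir, name, &d, &f);
    if (dfd < 0) return -1;
    close(dfd);
    id->dir_dev = d.st_dev;  id->dir_ino = d.st_ino;
    id->file_dev = f.st_dev; id->file_ino = f.st_ino;
    return 0;
}

/* Remove dir/name only if both are still the recorded objects.
 * Returns 0 if the file was removed, -1 if anything failed to match. */
int cookie_cleanup(const char *dir, const char *name, const struct cookie_id *id)
{
    struct stat d, f;
    int rc = -1, dfd = stat_pair(dir, name, &d, &f);
    if (dfd < 0) return -1;
    if (d.st_dev == id->dir_dev && d.st_ino == id->dir_ino &&
        f.st_dev == id->file_dev && f.st_ino == id->file_ino)
        rc = unlinkat(dfd, name, 0);    /* resolved inside the verified dir */
    close(dfd);
    return rc;
}
```

O_NOFOLLOW only covers the last path component, so the parent (/tmp here) is assumed to be root-owned and sticky. The entry can still be swapped between the check and unlinkat(), but unlinkat() then only removes a name inside the already verified directory.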





More information about the openssh-unix-dev mailing list