[PATCH] tcp-wrappers support extended to x11 forwards

Kevin Steves stevesk at pobox.com
Wed Nov 28 08:59:40 EST 2001


On Tue, 27 Nov 2001, Osmo Paananen wrote:
:I've understood that this will not be included in the official version
:because it adds complexity (?!) to openssh.
:
:Binding the forwarded port to localhost doesn't solve all problems. I've
:understood that you should also implement forwarding for x11 unix domain
:sockets.

why should unix domain sockets be supported?  not all systems support
them.

also, i would be interested in hearing from portable users who find that
this patch *breaks* x11 forwarding for the server.  i do not think adding
familylocal authorization entries is required at all right now.

Index: session.c
===================================================================
RCS file: /var/cvs/openssh/session.c,v
retrieving revision 1.156
diff -u -r1.156 session.c
--- session.c	2001/11/13 12:46:19	1.156
+++ session.c	2001/11/27 21:11:05
@@ -1415,7 +1415,8 @@
 				    _PATH_SSH_SYSTEM_RC);
 		} else if (do_xauth && options.xauth_location != NULL) {
 			/* Add authority data to .Xauthority if appropriate. */
-			char *screen = strchr(s->display, ':');
+			/*char *screen = strchr(s->display, ':');*/
+			char *screen = NULL;

 			if (debug_flag) {
 				fprintf(stderr,
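Review bot: The replacement keeps the old `strchr` line as commented-out text and then pins `screen` to NULL, which turns every later `if (screen != NULL)` branch in this block into dead code without recording why. Drop the commented-out line and state the intent on the declaration instead, e.g. `char *screen = NULL;	/* never add a hostname/unix (FamilyLocal) entry */`; if the portable tree keeps this behaviour, the now-unreachable `screen` branches further down (outside this hunk) should go as well. The enclosing function starts before and continues after this hunk.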

:Therefore I would ask you to reconsider of putting something like my patch
:here into official version of openssh.
:
:After all, it uses tcp wrappers only if they are enabled as a configure option.
:
:There is a reason why port 22 has support for tcp-wrappers. I think that
:same reason applies to x11 forwarded ports.
:
:If the forwarded port can be bound to localhost and it doesn't cause any
:additional problems then this patch is obsolete.

yes.

:Since there is no working solution to the localhost display, would you please
:consider this patch?

this is certainly not final, but it functions on openbsd and hp-ux 11 with
X11R6 libs (though this specific patch does *not* apply to portable).

Index: channels.h
===================================================================
RCS file: /cvs/src/usr.bin/ssh/channels.h,v
retrieving revision 1.51
diff -u -r1.51 channels.h
--- channels.h	7 Nov 2001 22:53:21 -0000	1.51
+++ channels.h	26 Nov 2001 18:49:30 -0000
@@ -198,7 +198,7 @@

 int	 x11_connect_display(void);
 char	*x11_create_display(int);
-char	*x11_create_display_inet(int, int);
+char	*x11_create_display_inet(int, int, int, char **);
 void     x11_input_open(int, int, void *);
 void     x11_request_forwarding(void);
 void	 x11_request_forwarding_with_spoofing(int, const char *, const char *);
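Review bot: The new `char **auth_display` out-parameter on `x11_create_display_inet` carries no ownership or lifetime information here, and the comment above the definition in channels.c (the `@@ -2394` hunk, whose visible tail ends with `* occurs.`) is not updated for either new parameter. From the channels.c hunks the value is produced with `xstrdup` and session.c releases it with `xfree`, so the caller owns it, and the third parameter selects wildcard versus loopback binding. A one-line comment on the prototype, `/* gateway_ports: bind wildcard, else loopback; auth_display: out, xstrdup'd, caller frees */`, plus a matching sentence in the definition's header comment, would make that contract visible where it is used.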
Index: channels.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/channels.c,v
retrieving revision 1.140
diff -u -r1.140 channels.c
--- channels.c	10 Oct 2001 22:18:47 -0000	1.140
+++ channels.c	26 Nov 2001 18:49:31 -0000
@@ -2394,7 +2394,8 @@
  * occurs.
  */
 char *
-x11_create_display_inet(int screen_number, int x11_display_offset)
+x11_create_display_inet(int screen_number, int x11_display_offset,
+    int gateway_ports, char **auth_display)
 {
 	int display_number, sock;
 	u_short port;
@@ -2410,7 +2411,7 @@
 		port = 6000 + display_number;
 		memset(&hints, 0, sizeof(hints));
 		hints.ai_family = IPv4or6;
-		hints.ai_flags = AI_PASSIVE;		/* XXX loopback only ? */
+		hints.ai_flags = gateway_ports ? AI_PASSIVE : 0;
 		hints.ai_socktype = SOCK_STREAM;
 		snprintf(strport, sizeof strport, "%d", port);
 		if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) {
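Review bot: Binding the X11 listener to loopback unless `gateway_ports` is set is the right default, but it couples X11 exposure to the option that already governs remote port forwards: an administrator who enables GatewayPorts for that purpose silently puts every forwarded X11 display back on all interfaces. Because `getaddrinfo` is called with a NULL node here, `AI_PASSIVE` selects the wildcard address and `0` selects the loopback address, so the exposure hinges entirely on this one flag. I would gate it on a dedicated X11-only setting instead (an `X11UseLocalhost`-style option) so the two policies can be configured independently; the removed `XXX loopback only ?` comment is otherwise answered by this change.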
@@ -2463,7 +2464,16 @@
 	if (gethostname(hostname, sizeof(hostname)) < 0)
 		fatal("gethostname: %.100s", strerror(errno));
 	snprintf(display, sizeof display, "%.400s:%d.%d", hostname,
-		 display_number, screen_number);
+	    display_number, screen_number);
+	/*
+	 * auth_display must be used as the displayname when the
+	 * authorization entry is added with xauth(1).  This will be
+	 * different than the DISPLAY string for localhost displays.
+	 */
+	*auth_display = xstrdup(display);
+	if (!gateway_ports)
+		snprintf(display, sizeof display, "localhost:%d.%d",
+		    display_number, screen_number);

 	/* Allocate a channel for each socket. */
 	for (n = 0; n < num_socks; n++) {
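Review bot: `*auth_display` is written only on this success path, so on any of the earlier failure returns of `x11_create_display_inet` (outside this hunk) the caller's pointer is left untouched; the call site in session.c (`&s->auth_display` in the `@@ -1667` hunk) then depends on the field having been NULL beforehand for the later `xfree` guard to be safe. Setting `*auth_display = NULL;` at function entry, or stating that precondition in the header comment, would close that gap. The new comment says the xauth name differs from DISPLAY for localhost displays but not why; one sentence on why the authorization entry needs the hostname form would help the next reader. `hostname` is formatted with `%.400s`, so the `localhost:%d.%d` rewrite always fits in the same buffer.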
Index: session.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/session.c,v
retrieving revision 1.108
diff -u -r1.108 session.c
--- session.c	11 Oct 2001 13:45:21 -0000	1.108
+++ session.c	26 Nov 2001 18:49:32 -0000
@@ -75,6 +75,7 @@
 	/* X11 */
 	char	*display;
 	int	screen;
+	char	*auth_display;
 	char	*auth_proto;
 	char	*auth_data;
 	int	single_connection;
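Review bot: The new `auth_display` field is added without a comment, and its relation to `display` is not obvious from the struct alone: from the other hunks it holds the name passed to `xauth add` and differs from `display` when the listener is bound to localhost. A comment such as `char	*auth_display;	/* display name for the xauth entry; hostname form even when display is localhost */` next to the declaration would record that.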
@@ -1030,31 +1031,31 @@
 				    _PATH_SSH_SYSTEM_RC);
 		} else if (do_xauth && options.xauth_location != NULL) {
 			/* Add authority data to .Xauthority if appropriate. */
-			char *screen = strchr(s->display, ':');
+			char *screen = strchr(s->auth_display, ':');

 			if (debug_flag) {
 				fprintf(stderr,
 				    "Running %.100s add "
 				    "%.100s %.100s %.100s\n",
-				    options.xauth_location, s->display,
+				    options.xauth_location, s->auth_display,
 				    s->auth_proto, s->auth_data);
 				if (screen != NULL)
 					fprintf(stderr,
 					    "Adding %.*s/unix%s %s %s\n",
-					    (int)(screen - s->display),
-					    s->display, screen,
+					    (int)(screen - s->auth_display),
+					    s->auth_display, screen,
 					    s->auth_proto, s->auth_data);
 			}
 			snprintf(cmd, sizeof cmd, "%s -q -",
 			    options.xauth_location);
 			f = popen(cmd, "w");
 			if (f) {
-				fprintf(f, "add %s %s %s\n", s->display,
+				fprintf(f, "add %s %s %s\n", s->auth_display,
 				    s->auth_proto, s->auth_data);
 				if (screen != NULL)
 					fprintf(f, "add %.*s/unix%s %s %s\n",
-					    (int)(screen - s->display),
-					    s->display, screen,
+					    (int)(screen - s->auth_display),
+					    s->auth_display, screen,
 					    s->auth_proto,
 					    s->auth_data);
 				pclose(f);
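Review bot: `strchr(s->auth_display, ':')` on the first changed line dereferences `s->auth_display` with no NULL check; it is non-NULL only when `x11_create_display_inet` succeeded, which is also the condition under which `s->display` is set (see the `@@ -1667` hunk), so this holds today but is not enforced here. A guard on the branch condition, `} else if (do_xauth && options.xauth_location != NULL && s->auth_display != NULL) {`, or a `fatal()` in the file's existing style, would make the dependency explicit rather than relying on the caller. This variant also still adds the `hostname/unix` (FamilyLocal) entry in the `screen != NULL` branches, whereas the portable `session.c` hunk at the top of this message removes it; the two should agree or the difference should be commented. The enclosing function starts and ends outside this hunk.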
@@ -1549,6 +1550,8 @@
 		xfree(s->term);
 	if (s->display)
 		xfree(s->display);
+	if (s->auth_display)
+		xfree(s->auth_display);
 	if (s->auth_data)
 		xfree(s->auth_data);
 	if (s->auth_proto)
@@ -1667,7 +1670,8 @@
 		debug("X11 display already set.");
 		return 0;
 	}
-	s->display = x11_create_display_inet(s->screen, options.x11_display_offset);
+	s->display = x11_create_display_inet(s->screen, options.x11_display_offset,
+	    options.gateway_ports, &s->auth_display);
 	if (s->display == NULL) {
 		debug("x11_create_display_inet failed.");
 		return 0;



