[PATCH] tcp-wrappers support extended to x11 forwards
Kevin Steves
stevesk at pobox.com
Wed Nov 28 08:59:40 EST 2001
On Tue, 27 Nov 2001, Osmo Paananen wrote:
:I've understood that this will not be included in the official version
:because it adds complexity (?!) to openssh.
:
:Binding the forwarded port to localhost doesn't solve all problems. I've
:understood that you should also implement forwarding for x11 unix domain
:sockets.
why should unix domain sockets be supported? not all systems support
them.
also, i would be interested in hearing from portable users who find that
this patch *breaks* x11 forwarding for the server. i do not think adding
familylocal authorization entries is required at all right now.
Index: session.c
===================================================================
RCS file: /var/cvs/openssh/session.c,v
retrieving revision 1.156
diff -u -r1.156 session.c
--- session.c 2001/11/13 12:46:19 1.156
+++ session.c 2001/11/27 21:11:05
@@ -1415,7 +1415,8 @@
_PATH_SSH_SYSTEM_RC);
} else if (do_xauth && options.xauth_location != NULL) {
/* Add authority data to .Xauthority if appropriate. */
- char *screen = strchr(s->display, ':');
+ /*char *screen = strchr(s->display, ':');*/
+ char *screen = NULL;
if (debug_flag) {
fprintf(stderr,
:Therefore I would ask you to reconsider of putting something like my patch
:here into official version of openssh.
:
:After all, it uses tcp wrappers only if they are enabled as configure option.
:
:There is a reason why port 22 has support for tcp-wrappers. I think that
:same reason applies to x11 forwarded ports.
:
:If the forwarded port can be bound to localhost and it doesn't cause any
:additional problems then this patch is obsolete.
yes.
:Since there is no working solution to the localhost display would you please
:consider this patch?
this is certainly not final, but it functions on openbsd and hp-ux 11 with
X11R6 libs (though this specific patch does *not* apply to portable).
Index: channels.h
===================================================================
RCS file: /cvs/src/usr.bin/ssh/channels.h,v
retrieving revision 1.51
diff -u -r1.51 channels.h
--- channels.h 7 Nov 2001 22:53:21 -0000 1.51
+++ channels.h 26 Nov 2001 18:49:30 -0000
@@ -198,7 +198,7 @@
int x11_connect_display(void);
char *x11_create_display(int);
-char *x11_create_display_inet(int, int);
+char *x11_create_display_inet(int, int, int, char **);
void x11_input_open(int, int, void *);
void x11_request_forwarding(void);
void x11_request_forwarding_with_spoofing(int, const char *, const char *);
Index: channels.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/channels.c,v
retrieving revision 1.140
diff -u -r1.140 channels.c
--- channels.c 10 Oct 2001 22:18:47 -0000 1.140
+++ channels.c 26 Nov 2001 18:49:31 -0000
@@ -2394,7 +2394,8 @@
* occurs.
*/
char *
-x11_create_display_inet(int screen_number, int x11_display_offset)
+x11_create_display_inet(int screen_number, int x11_display_offset,
+ int gateway_ports, char **auth_display)
{
int display_number, sock;
u_short port;
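Review bot: The two new parameters `gateway_ports` and `auth_display` are not described in the function's header comment, whose tail (`* occurs.` / `*/`) forms the top of this hunk, and the `channels.h` prototype carries no names either. The later hunk at `@@ -2463` shows `*auth_display` receiving an `xstrdup` copy of the hostname-based display before `display` is rewritten to the `localhost:` form, so the out-parameter transfers ownership to the caller and appears to be assigned only once control reaches that point (earlier error returns seem to leave it untouched). I would extend the comment with `gateway_ports selects a wildcard bind; otherwise the listener is bound to loopback only. On success *auth_display is set to an xstrdup'd hostname-based display name to use for the xauth entry (caller must xfree it); on failure it is left unmodified.` The header comment starts above this hunk and the function body continues past it.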
@@ -2410,7 +2411,7 @@
port = 6000 + display_number;
memset(&hints, 0, sizeof(hints));
hints.ai_family = IPv4or6;
- hints.ai_flags = AI_PASSIVE; /* XXX loopback only ? */
+ hints.ai_flags = gateway_ports ? AI_PASSIVE : 0;
hints.ai_socktype = SOCK_STREAM;
snprintf(strport, sizeof strport, "%d", port);
if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) {
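Review bot: The removed `XXX loopback only ?` marker is not replaced by anything saying what the new expression achieves, so the line reads as an unexplained option toggle. Because the `getaddrinfo` call below passes a NULL node, clearing `AI_PASSIVE` makes it resolve to the loopback address, which is the hardening the message argues for; it also means X11 listener exposure is now coupled to `GatewayPorts`, an option that already governs remote port forwards, and an operator reading this code should see that. I would write `hints.ai_flags = gateway_ports ? AI_PASSIVE : 0; /* GatewayPorts: wildcard bind; otherwise NULL node without AI_PASSIVE resolves to loopback only */`.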
@@ -2463,7 +2464,16 @@
if (gethostname(hostname, sizeof(hostname)) < 0)
fatal("gethostname: %.100s", strerror(errno));
snprintf(display, sizeof display, "%.400s:%d.%d", hostname,
- display_number, screen_number);
+ display_number, screen_number);
+ /*
+ * auth_display must be used as the displayname when the
+ * authorization entry is added with xauth(1). This will be
+ * different than the DISPLAY string for localhost displays.
+ */
+ *auth_display = xstrdup(display);
+ if (!gateway_ports)
+ snprintf(display, sizeof display, "localhost:%d.%d",
+ display_number, screen_number);
/* Allocate a channel for each socket. */
for (n = 0; n < num_socks; n++) {
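Review bot: `*auth_display = xstrdup(display);` overwrites whatever the caller passed in without releasing it, so a caller arriving with an already-populated pointer leaks the old string; the `session_x11_req` hunk in session.c avoids this through its `X11 display already set` check, but nothing here records that requirement. The added comment also states that the name differs from DISPLAY for localhost displays without saying why the cookie is registered under the hostname form rather than `localhost:N`, which is precisely the portability question raised in the message above. I would extend the comment with `The cookie is registered under the hostname form; clients using the localhost DISPLAY are expected to match that entry. *auth_display is owned by the caller, which must xfree it.` The `display_number, screen_number);` change at the top of the hunk is a whitespace-only re-indent mixed into a functional change.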
Index: session.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/session.c,v
retrieving revision 1.108
diff -u -r1.108 session.c
--- session.c 11 Oct 2001 13:45:21 -0000 1.108
+++ session.c 26 Nov 2001 18:49:32 -0000
@@ -75,6 +75,7 @@
/* X11 */
char *display;
int screen;
+ char *auth_display;
char *auth_proto;
char *auth_data;
int single_connection;
@@ -1030,31 +1031,31 @@
_PATH_SSH_SYSTEM_RC);
} else if (do_xauth && options.xauth_location != NULL) {
/* Add authority data to .Xauthority if appropriate. */
- char *screen = strchr(s->display, ':');
+ char *screen = strchr(s->auth_display, ':');
if (debug_flag) {
fprintf(stderr,
"Running %.100s add "
"%.100s %.100s %.100s\n",
- options.xauth_location, s->display,
+ options.xauth_location, s->auth_display,
s->auth_proto, s->auth_data);
if (screen != NULL)
fprintf(stderr,
"Adding %.*s/unix%s %s %s\n",
- (int)(screen - s->display),
- s->display, screen,
+ (int)(screen - s->auth_display),
+ s->auth_display, screen,
s->auth_proto, s->auth_data);
}
snprintf(cmd, sizeof cmd, "%s -q -",
options.xauth_location);
f = popen(cmd, "w");
if (f) {
- fprintf(f, "add %s %s %s\n", s->display,
+ fprintf(f, "add %s %s %s\n", s->auth_display,
s->auth_proto, s->auth_data);
if (screen != NULL)
fprintf(f, "add %.*s/unix%s %s %s\n",
- (int)(screen - s->display),
- s->display, screen,
+ (int)(screen - s->auth_display),
+ s->auth_display, screen,
s->auth_proto,
s->auth_data);
pclose(f);
@@ -1549,6 +1550,8 @@
xfree(s->term);
if (s->display)
xfree(s->display);
+ if (s->auth_display)
+ xfree(s->auth_display);
if (s->auth_data)
xfree(s->auth_data);
if (s->auth_proto)
@@ -1667,7 +1670,8 @@
debug("X11 display already set.");
return 0;
}
- s->display = x11_create_display_inet(s->screen, options.x11_display_offset);
+ s->display = x11_create_display_inet(s->screen, options.x11_display_offset,
+ options.gateway_ports, &s->auth_display);
if (s->display == NULL) {
debug("x11_create_display_inet failed.");
return 0;
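Review bot: On the failure path `if (s->display == NULL)` nothing resets `s->auth_display`, so correctness depends on `x11_create_display_inet` never touching the out-parameter before its own early returns and on the session starting with the field NULL; the `do_child` hunk at `@@ -1030` then calls `strchr(s->auth_display, ':')` with no NULL check, which makes this call the only permitted writer. From the channels.c hunks the `xstrdup` happens after the `getaddrinfo` and `gethostname` checks, which appears to satisfy that, but it is an invariant spanning two files and is worth stating. I would add `/* set by x11_create_display_inet on success only; freed with s->display in the cleanup path (@@ -1549) */` above the call, and consider a `s->auth_display != NULL` guard next to the `do_xauth` condition in do_child. `session_x11_req` continues outside this hunk.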