Patch to add "warn" value to ForwardX11 and ForwardAgent

Dave Dykstra dwd at bell-labs.com
Wed Oct 31 06:33:25 EST 2001


On Tue, Oct 30, 2001 at 11:53:54AM -0500, Dan Astoorian wrote:
> On Tue, 30 Oct 2001 11:20:53 EST, Dave Dykstra writes:
> > > Circa 2001-Oct-30 12:03:29 +1100 dixit Damien Miller:
> > > 
> > > : What would be nicer is some way for the client to get the user to accept
> > > : / reject each forwarding request.
> > 
> > I considered that, and maybe it should still be an option, but it has some
> > problems:
> >     1. A forward request can come at any time and it could be very awkward
> >        to prompt in the middle of something that the user is typing into
> >        such as an editor.  A pop-up window is a possibility but I think
> >        that's over-engineering.
> 
> Just thinking out loud:
> 
> If the feature were to be introduced, perhaps one reasonable way to
> design the UI might be for the connection attempt to produce a warning
> advising the user to type a newline and a tilde-escape to accept or
> reject the connection.  E.g.: introduce the escapes ~+ to accept the
> connection, and ~- to reject it; and while we're at it, there should be
> a way to redisplay the pending connection(s); perhaps ~# could list
> these in addition to established ones.

That makes sense.  Pretty complicated though.


> This, of course, presupposes that a pty has been assigned--but if no pty
> has been assigned (or quiet mode is in effect), any sort of prompting is
> going to be a problem anyway.
> 
> Would such functionality be useful for general port forwardings as well
> as X11 and authentication agent forwardings?

I don't think so.  Whether or not it's a security hole is highly dependent
on the ports being forwarded, and in thinking back on all the times I've
used port forwarding I can't think of any example where it would have been
a security problem if somebody else used the forward.  I'm sure there are
cases, I just don't think it's common enough to put in an option to warn.

- Dave Dykstra
