Patch to add "warn" value to ForwardX11 and ForwardAgent
Dave Dykstra
dwd at bell-labs.com
Wed Oct 31 09:26:47 EST 2001
On Tue, Oct 30, 2001 at 02:31:35PM -0600, Dave Dykstra wrote:
> On Tue, Oct 30, 2001 at 05:58:21PM +0100, Markus Friedl wrote:
> > i think adding some verbose() calls should be enough for all cases.
>
> Aha, I didn't realize there was a client log level between the default
> (INFO) and what -v sets (DEBUG), which one can set with "LogLevel=VERBOSE".
> Yes, that will probably do. I'll try it.
Yes, I think that works ok, although I am a little concerned about what
other messages might be printed out at the verbose level. There don't
seem to be a lot of calls to verbose(), but I'm not sure if some of those
that are there might be in code that runs in the client. I think I like
warn better, but if you put this in I'll use it instead. It still needs
the extra functions in clientloop.c, because channels.c is shared between
the client and the server.
- Dave Dykstra
--- clientloop.c.O Fri Oct 26 11:47:19 2001
+++ clientloop.c Tue Oct 30 17:14:44 2001
@@ -1234,6 +1234,36 @@
}
xfree(rtype);
}
+static void
+client_input_agent_open(int type, int plen, void *ctxt)
+{
+ if (!options.forward_agent) {
+ deny_input_open(type, plen, ctxt);
+ return;
+ }
+ verbose("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+ verbose("@ ssh NOTICE: received agent open request from the server. @");
+ verbose("@ If you did not initiate it, you are probably under attack. @");
+ verbose("@ To eliminate these notices, set the LogLevel option to INFO, @");
+ verbose("@ but note that that is risky if the server is not well-secured. @");
+ verbose("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+ auth_input_open_request(type, plen, ctxt);
+}
+static void
+client_input_x11_open(int type, int plen, void *ctxt)
+{
+ if (!options.forward_x11) {
+ deny_input_open(type, plen, ctxt);
+ return;
+ }
+ verbose("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+ verbose("@ ssh NOTICE: received X11 open request from the server. @");
+ verbose("@ If you did not initiate it, you are probably under attack. @");
+ verbose("@ To eliminate these notices, set the LogLevel option to INFO, @");
+ verbose("@ but note that that is risky if the server is not well-secured. @");
+ verbose("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+ x11_input_open(type, plen, ctxt);
+}
static void
client_init_dispatch_20(void)
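Review bot: the six verbose() banner lines are duplicated verbatim in client_input_agent_open() and client_input_x11_open(), differing only in the word "agent"/"X11" on the second line; factor them into one static helper that takes the request name (for example `client_warn_open_request("agent")`) so the two wordings cannot drift apart and the banner width stays consistent. Also, the refused path (`deny_input_open(type, plen, ctxt); return;`) logs nothing at this level, so a server that sends agent or X11 open requests to a client with forwarding disabled leaves no trace in verbose output; a single verbose() on that branch would give the user the same signal the notice is meant to provide.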
@@ -1265,11 +1295,8 @@
dispatch_set(SSH_SMSG_EXITSTATUS, &client_input_exit_status);
dispatch_set(SSH_SMSG_STDERR_DATA, &client_input_stderr_data);
dispatch_set(SSH_SMSG_STDOUT_DATA, &client_input_stdout_data);
-
- dispatch_set(SSH_SMSG_AGENT_OPEN, options.forward_agent ?
- &auth_input_open_request : &deny_input_open);
- dispatch_set(SSH_SMSG_X11_OPEN, options.forward_x11 ?
- &x11_input_open : &deny_input_open);
+ dispatch_set(SSH_SMSG_AGENT_OPEN, &client_input_agent_open);
+ dispatch_set(SSH_SMSG_X11_OPEN, &client_input_x11_open);
}
static void
client_init_dispatch_15(void)
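Review bot: protocol 2 sessions are not covered: only the SSH_SMSG_AGENT_OPEN and SSH_SMSG_X11_OPEN entries, i.e. the protocol 1 dispatch table, are redirected to the new wrappers, while client_init_dispatch_20() in the surrounding context is untouched, so the notice never fires on a protocol 2 connection. Either the ssh.1 text should say the warning applies to protocol 1 only, or the channel-open path in channels.c needs the equivalent hook (which the covering mail notes is awkward because channels.c is shared with the server). Minor: the `-` line that drops the blank separator before the dispatch_set() calls is an unrelated whitespace change and could be left out to keep the diff minimal.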
--- ssh.1.O Fri Oct 26 12:56:10 2001
+++ ssh.1 Tue Oct 30 17:22:06 2001
@@ -849,6 +849,14 @@
.Dq yes
or
.Dq no .
+If the
+.Cm LogLevel
+option is set to VERBOSE or higher, a warning is printed every time an
+X11 connection is forwarded; this is highly recommended if the server is
+not well-secured because an agent authentication allows an attacker to
+log in to any other server that has one of the agent's keys in an
+.Pa authorized_keys
+file.
The default is
.Dq no .
.It Cm ForwardX11
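Review bot: copy-paste error in the ForwardAgent entry: the added sentence reads "a warning is printed every time an X11 connection is forwarded", but this paragraph documents ForwardAgent and the rest of the sentence explains the risk of agent authentication; change it to "every time an agent connection is forwarded". The wording "this is highly recommended" also attaches to the warning being printed rather than to the LogLevel setting; "setting this is highly recommended" or "enabling this level is highly recommended" reads unambiguously.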
@@ -860,6 +868,12 @@
.Dq yes
or
.Dq no .
+If the
+.Cm LogLevel
+option is set to VERBOSE or higher, a warning is printed every time an
+X11 connection is forwarded; this is highly recommended if the server is
+not well-secured because an X11 connection can read and write anything
+on the user's X11 display.
The default is
.Dq no .
.It Cm GatewayPorts
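Review bot: "set to VERBOSE or higher" is ambiguous, because VERBOSE sits between INFO and DEBUG in verbosity and a reader may take "higher" to mean less output; say "VERBOSE or a more verbose level (such as DEBUG)". As in the ForwardAgent hunk, "this is highly recommended" should refer explicitly to the LogLevel setting rather than to the warning itself.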