[PATCH] allow indefinite ForwardX11Timeout by setting it to 0

table at inventati.org table at inventati.org
Sat Apr 28 02:21:19 AEST 2018


This change allows use of untrusted X11 forwarding (which is more 
secure) without
requiring users to choose a finite timeout after which to refuse new 
connections.

This matches the semantics of the X11 security extension itself, which 
also treat a
validity timeout of 0 on an authentication cookie as indefinite.

Signed-off-by: Trixie Able <table at inventati.org>
---
  clientloop.c | 12 +++++++++---
  ssh_config.5 |  1 +
  2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/clientloop.c b/clientloop.c
index 7bcf22e3..99dcec89 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -342,11 +342,17 @@ client_x11_get_proto(struct ssh *ssh, const char 
*display,
                  rmdir(xauthdir);
                  return -1;
              }
-
-            if (timeout >= UINT_MAX - X11_TIMEOUT_SLACK)
+            /* add (at most) X11_TIMEOUT_SLACK to timeout to get
+             * x11_timeout_real, but do not adjust a timeout of 0 or
+             * overflow integers.
+             */
+            if (timeout == 0)
+                x11_timeout_real = 0;
+            else if (timeout >= UINT_MAX - X11_TIMEOUT_SLACK)
                  x11_timeout_real = UINT_MAX;
              else
                  x11_timeout_real = timeout + X11_TIMEOUT_SLACK;
+
              if ((r = snprintf(cmd, sizeof(cmd),
                  "%s -f %s generate %s " SSH_X11_PROTO
                  " untrusted timeout %u 2>" _PATH_DEVNULL,
@@ -355,7 +361,7 @@ client_x11_get_proto(struct ssh *ssh, const char 
*display,
                  (size_t)r >= sizeof(cmd))
                  fatal("%s: cmd too long", __func__);
              debug2("%s: %s", __func__, cmd);
-            if (x11_refuse_time == 0) {
+            if (timeout != 0) {
                  now = monotime() + 1;
                  if (UINT_MAX - timeout < now)
                      x11_refuse_time = UINT_MAX;
diff --git a/ssh_config.5 b/ssh_config.5
index 71705cab..cdc407ed 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -683,6 +683,7 @@ X11 connections received by
  after this time will be refused.
  The default is to disable untrusted X11 forwarding after twenty minutes 
has
  elapsed.
+A timeout of zero allows untrusted X11 forwarding indefinitely.
  .It Cm ForwardX11Trusted
  If this option is set to
  .Cm yes ,
-- 
2.17.0


More information about the openssh-unix-dev mailing list