[PATCH] allow indefinite ForwardX11Timeout by setting it to 0

Fri Jun 29 11:50:07 AEST 2018

> On 2018-05-28 22:12, table at inventati.org wrote:
>>
>> On 2018-04-27 16:21, table at inventati.org wrote:
>>>
>>> This change allows use of untrusted X11 forwarding (which is more
>>> secure) without
>>> requiring users to choose a finite timeout after which to refuse new
>>> connections.
>>>
>>> This matches the semantics of the X11 security extension itself, which
>>> also treat a
>>> validity timeout of 0 on an authentication cookie as indefinite.
>>>
>>> Signed-off-by: Trixie Able <table at inventati.org>
>>> ---
>>>  clientloop.c | 12 +++++++++---
>>>  ssh_config.5 |  1 +
>>>  2 files changed, 10 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/clientloop.c b/clientloop.c
>>> index 7bcf22e3..99dcec89 100644
>>> --- a/clientloop.c
>>> +++ b/clientloop.c
>>> @@ -342,11 +342,17 @@ client_x11_get_proto(struct ssh *ssh, const char
>>> *display,
>>>                  rmdir(xauthdir);
>>>                  return -1;
>>>              }
>>> -
>>> -            if (timeout >= UINT_MAX - X11_TIMEOUT_SLACK)
>>> +            /* add (at most) X11_TIMEOUT_SLACK to timeout to get
>>> +             * x11_timeout_real, but do not adjust a timeout of 0 or
>>> +             * overflow integers.
>>> +             */
>>> +            if (timeout == 0)
>>> +                x11_timeout_real = 0;
>>> +            else if (timeout >= UINT_MAX - X11_TIMEOUT_SLACK)
>>>                  x11_timeout_real = UINT_MAX;
>>>              else
>>>                  x11_timeout_real = timeout + X11_TIMEOUT_SLACK;
>>> +
>>>              if ((r = snprintf(cmd, sizeof(cmd),
>>>                  "%s -f %s generate %s " SSH_X11_PROTO
>>>                  " untrusted timeout %u 2>" _PATH_DEVNULL,
>>> @@ -355,7 +361,7 @@ client_x11_get_proto(struct ssh *ssh, const char
>>> *display,
>>>                  (size_t)r >= sizeof(cmd))
>>>                  fatal("%s: cmd too long", __func__);
>>>              debug2("%s: %s", __func__, cmd);
>>> -            if (x11_refuse_time == 0) {
>>> +            if (timeout != 0) {
>>>                  now = monotime() + 1;
>>>                  if (UINT_MAX - timeout < now)
>>>                      x11_refuse_time = UINT_MAX;
>>> diff --git a/ssh_config.5 b/ssh_config.5
>>> index 71705cab..cdc407ed 100644
>>> --- a/ssh_config.5
>>> +++ b/ssh_config.5
>>> @@ -683,6 +683,7 @@ X11 connections received by
>>>  after this time will be refused.
>>>  The default is to disable untrusted X11 forwarding after twenty minutes
>>> has
>>>  elapsed.
>>> +A timeout of zero allows untrusted X11 forwarding indefinitely.
>>>  .It Cm ForwardX11Trusted
>>>  If this option is set to
>>>  .Cm yes ,
>>
>>
>> r?
>
>
> Bump, ccing djm at openbsd.org as annotate indicates they committed most of the
> code near these changes.
>
> If bumping patches is discouraged please let me know--I don't mean to be
> rude but would like to have an r+ or r- for this small changeset.

This is reasonable and I'd like to see it in the tree, if someone gets
a chance to review soon. Thanks