[PATCH] allow indefinite ForwardX11Timeout by setting it to 0
table at inventati.org
Tue May 29 08:12:18 AEST 2018
On 2018-04-27 16:21, table at inventati.org wrote:
> This change allows use of untrusted X11 forwarding (which is more
> secure) without requiring users to choose a finite timeout after which
> to refuse new connections.
>
> This matches the semantics of the X11 security extension itself, which
> also treats a validity timeout of 0 on an authentication cookie as
> indefinite.
>
> Signed-off-by: Trixie Able <table at inventati.org>
> ---
> clientloop.c | 12 +++++++++---
> ssh_config.5 | 1 +
> 2 files changed, 10 insertions(+), 3 deletions(-)
>
> diff --git a/clientloop.c b/clientloop.c
> index 7bcf22e3..99dcec89 100644
> --- a/clientloop.c
> +++ b/clientloop.c
> @@ -342,11 +342,17 @@ client_x11_get_proto(struct ssh *ssh, const char
> *display,
> rmdir(xauthdir);
> return -1;
> }
> -
> - if (timeout >= UINT_MAX - X11_TIMEOUT_SLACK)
> + /* add (at most) X11_TIMEOUT_SLACK to timeout to get
> + * x11_timeout_real, but do not adjust a timeout of 0 or
> + * overflow integers.
> + */
> + if (timeout == 0)
> + x11_timeout_real = 0;
> + else if (timeout >= UINT_MAX - X11_TIMEOUT_SLACK)
> x11_timeout_real = UINT_MAX;
> else
> x11_timeout_real = timeout + X11_TIMEOUT_SLACK;
> +
> if ((r = snprintf(cmd, sizeof(cmd),
> "%s -f %s generate %s " SSH_X11_PROTO
> " untrusted timeout %u 2>" _PATH_DEVNULL,
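Review bot: the new `timeout == 0` branch changes the meaning of an existing setting: before this hunk a zero timeout fell through to `x11_timeout_real = timeout + X11_TIMEOUT_SLACK` and was handed to xauth as a short finite validity, whereas now `untrusted timeout 0` is passed straight through, so the code comment should state that xauth and the X security extension are relied on to treat 0 as "no expiry" (the commit message says so, the code does not). The trailing `+` blank line after the `else` branch is a style-only change that is best dropped from the patch.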
> @@ -355,7 +361,7 @@ client_x11_get_proto(struct ssh *ssh, const char
> *display,
> (size_t)r >= sizeof(cmd))
> fatal("%s: cmd too long", __func__);
> debug2("%s: %s", __func__, cmd);
> - if (x11_refuse_time == 0) {
> + if (timeout != 0) {
> now = monotime() + 1;
> if (UINT_MAX - timeout < now)
> x11_refuse_time = UINT_MAX;
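Review bot: replacing the guard `if (x11_refuse_time == 0)` with `if (timeout != 0)` silently removes the check that the refuse time has not already been set, so a repeated call will now recompute it; if that guard was intentional, the condition should be `if (timeout != 0 && x11_refuse_time == 0)`. Also, with `timeout == 0` this hunk leaves `x11_refuse_time` untouched (presumably 0), which is only safe if every consumer of `x11_refuse_time` treats 0 as "no deadline" rather than "already expired"; that consumer is not in the diff and should be checked and mentioned in the commit message.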
> diff --git a/ssh_config.5 b/ssh_config.5
> index 71705cab..cdc407ed 100644
> --- a/ssh_config.5
> +++ b/ssh_config.5
> @@ -683,6 +683,7 @@ X11 connections received by
> after this time will be refused.
> The default is to disable untrusted X11 forwarding after twenty
> minutes has
> elapsed.
> +A timeout of zero allows untrusted X11 forwarding indefinitely.
> .It Cm ForwardX11Trusted
> If this option is set to
> .Cm yes ,
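Review bot: the added sentence in ssh_config.5 should say what "indefinitely" means for the preceding text about refusing connections, e.g. "A timeout of zero causes new untrusted X11 connections to be accepted for the lifetime of the session", so the reader sees that the refusal described above never happens and can weigh that against the twenty-minute default.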
r?