[Bug 1785] New: configurable timeout for x11 cookies

bugzilla-daemon at bugzilla.mindrot.org
Sun Jun 20 21:24:47 EST 2010


https://bugzilla.mindrot.org/show_bug.cgi?id=1785

           Summary: configurable timeout for x11 cookies
           Product: Portable OpenSSH
           Version: 5.5p1
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: ssh
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: taviso at cmpxchg8b.com


Created attachment 1877
  --> https://bugzilla.mindrot.org/attachment.cgi?id=1877
Possible implementation of ForwardX11Timeout

On several popular Linux distributions (like Red Hat), X11 access
control is performed using SO_PEERCRED credentials; this breaks ssh -X,
since once the untrusted cookie expires, the untrusted connection becomes
trusted.

I posted about this to the Xorg devel list.

http://lists.x.org/archives/xorg-devel/2010-May/008636.html

I don't think openssh is to blame, but it would be great if a
workaround were available. Because X will prefer the authentication data
ssh sends over the fallback, perhaps providing an option to make sure
it doesn't expire while the connection exists is a reasonable
workaround?

Patch against cvs attached that might be acceptable, and is generally
useful even for people not affected by this issue (the default
hardcoded timeout of 2 hours is a little short imho).

This only applies to untrusted cookies, which are of low value to
attackers (at least, they're a supported security boundary).

The X developers did not have any useful suggestions to work around
this problem, but perhaps you guys can think of one? An alternative
might be just to refuse to work when requested to forward untrusted X11
connections to a machine using si:localuser access.

Any help appreciated, I'm happy to write some code, test, etc.

Patch tested like so:

$ xhost
access control enabled, only authorized clients can connect
SI:localuser:taviso
$ ./ssh -oForwardX11Timeout=10 -X untrusted@localhost
Last login: Sun Jun 20 13:17:34 2010 from insomniac.lan
$ xwd -root > /dev/null; echo $?
X Error of failed request:  BadWindow (invalid Window parameter)
  Major opcode of failed request:  3 (X_GetWindowAttributes)
  Resource id in failed request:  0x300001
  Serial number of failed request:  17
  Current serial number in output stream:  18
1
$ sleep 10
$ xwd -root > /dev/null; echo $?
0

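The report above floats, as an alternative to a longer cookie lifetime, refusing untrusted forwarding when the target display uses si:localuser access. The following is an added example, not code from the bug report, the attached patch or OpenSSH: a client-side pre-flight check that reads the access-control list printed by xhost(1) on the local display and reports whether an untrusted forwarded client would be accepted on uid or local-socket grounds once the MIT-MAGIC-COOKIE ssh generated has expired. The function name and the exit-code convention are this example's own; the xhost output lines it matches are the strings xhost prints for SI:localuser entries, LOCAL: entries and the enabled/disabled banner.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of OpenSSH or the patch).
#
# xhost_untrusted_risk USER < xhost-output
#   exit 0 : risky; a uid-based or local-socket fallback exists for USER,
#            so an untrusted forwarded client becomes trusted when its
#            cookie expires (a one-line reason is printed)
#   exit 1 : no such fallback; an expired cookie is simply refused
#
# Variables are prefixed xur_ because POSIX sh has no local scope.
xhost_untrusted_risk() {
    xur_user=$1
    xur_acl=enabled
    xur_reason=
    while IFS= read -r xur_line; do
        case $xur_line in
            "access control disabled"*)
                # "xhost +": every client is accepted, cookie or not
                xur_acl=disabled ;;
            "SI:localuser:$xur_user")
                # server-interpreted entry: any client whose SO_PEERCRED uid
                # matches USER is accepted without presenting a cookie
                xur_reason="SI:localuser:$xur_user grants uid-based access" ;;
            "LOCAL:")
                # "xhost +local:": every non-network (unix socket) client
                # is accepted, which covers ssh's forwarded connections
                xur_reason="LOCAL: grants access to every local client" ;;
        esac
    done
    if [ "$xur_acl" = disabled ]; then
        echo "risky: access control disabled, every client is trusted"
        return 0
    fi
    if [ -n "$xur_reason" ]; then
        echo "risky: $xur_reason"
        return 0
    fi
    echo "ok: no uid/local fallback for $xur_user, expired cookies are refused"
    return 1
}

# Live usage (the display's real ACL, the user ssh runs as):
#   xhost | xhost_untrusted_risk "$(id -un)" \
#       && echo "ssh -X offers no lasting boundary on this display"
```

The check only looks at the local display's ACL; it says nothing about the cookie lifetime itself, so on a display reported as risky the options are to pass a longer (or disabled) timeout, or to treat the session as if it had been started with ssh -Y.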