X11 forwarding after su'ing

Haan, de, Jan Jan.de.Haan at Essent.nl
Fri Jun 6 21:33:44 EST 2003


> > 3. why not use ssh -X -l <thotheruserIwantedsuto?> <thehost>?
> Maybe, because -l root ain't that nice?

> Philipp

Sorry for referring so late to a (securityfocus) post, but the Subject 
has been nagging me for the last month ;-) Problem was how to keep your
DISPLAY, xauth and security (no 'ssh root at host' over the net) when 
changing users remotely (especially to root with su/sudo)

Comments please on the security side of this 'solution' and the 
proposed feature request.

Solved it by running two sshd's, one started with "sshd -f sshd1_config"
with
"ListenAddress <hostname on ethx>"
"PermitRootLogin no"
"PidFile /var/run/ssh1.pid"        <== That one bit me in the ass a few times ;-)
...
...
And another started with "sshd -f sshd2_config"
"ListenAddress dummy0"
"PermitRootLogin yes"
"PidFile /var/run/ssh2.pid"

dummy0 is the hostname of the ip address on a loopback adapter 
(Debian/GNU/Linux /etc/modules, dummy; HPUX/Sun ifconfig lo0:1;
winx msloopback adapter) which is not visible on the outside 
(disabled in routing) Only one extra address/subnet (/30 ?) is 
needed for an unlimited number of hosts since it can be 
identical on all because it is not routed.

Access can be gained in two ways: generating two keys that you both
load in your ssh-agent or by adding your identity.pub to the 
authorized_keys2 of the second remote user.

Proof of concept:

user1 at host1:/home/user1 >ssh -X host2
Linux host2 2.4.18-686 #1 Sun Apr 14 11:32:47 EST 2002 i686 unknown
Last login: Fri Jun  6 08:44:00 2003 from host1
user1 at host2:~$ ssh -X root at dummy0
Linux host2 2.4.18-686 #1 Sun Apr 14 11:32:47 EST 2002 i686 unknown
Last login: Fri Jun  6 11:25:25 2003 from dummy0
root at host2:/root >echo $DISPLAY
localhost:11.0
root at host2:/root >

and

user1 at host1:/home/user1 >ssh -X -f host2 'ssh -X -f root at dummy0
/usr/bin/X11/xterm'

works too.
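As an added illustration (not part of the mail, and not OpenSSH code), here is a small Python script that writes out the two sshd_config fragments the setup above relies on and then lints the pair for the mistakes that actually bite in practice: a shared PidFile (the one the post warns about), a missing or overlapping ListenAddress (which would expose the root-capable daemon to the network), and PermitRootLogin not set to no on the public daemon. The host names, addresses and pid file paths are placeholders.

```python
# Added example (not from the mail): generate the two sshd_config files the
# post describes and lint the pair for the mistakes that bite (shared PidFile,
# missing or shared ListenAddress, root permitted on the public daemon).
# Host names, addresses and pid paths below are placeholders, not real values.
from __future__ import annotations


def make_configs(public_host: str, loopback_host: str) -> tuple[str, str]:
    """Return (public_cfg, loopback_cfg) as sshd_config text."""
    public_cfg = "\n".join([
        "# daemon 1: reachable from the network, no root login",
        f"ListenAddress {public_host}",
        "PermitRootLogin no",
        "PidFile /var/run/ssh1.pid",
        "X11Forwarding yes",
    ])
    loopback_cfg = "\n".join([
        "# daemon 2: bound to the non-routed dummy address only",
        f"ListenAddress {loopback_host}",
        "PermitRootLogin yes",
        "PidFile /var/run/ssh2.pid",
        "X11Forwarding yes",
    ])
    return public_cfg, loopback_cfg


def parse_sshd_config(text: str) -> dict[str, list[str]]:
    """Minimal keyword -> values parser; sshd_config keywords are case-insensitive."""
    directives: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        directives.setdefault(key.lower(), []).append(value.strip())
    return directives


def check_pair(public_cfg: str, loopback_cfg: str) -> list[str]:
    """Return the problems found; an empty list means the pair matches the post's setup."""
    pub, loop = parse_sshd_config(public_cfg), parse_sshd_config(loopback_cfg)
    problems = []
    if pub.get("pidfile") == loop.get("pidfile"):
        problems.append("PidFile: both daemons write the same pid file, so the second start clobbers the first")
    if not pub.get("listenaddress") or not loop.get("listenaddress"):
        problems.append("ListenAddress: each daemon must bind explicitly or it listens on every interface")
    if set(pub.get("listenaddress", [])) & set(loop.get("listenaddress", [])):
        problems.append("ListenAddress: the daemons overlap, so the root-capable one is reachable from the network")
    if pub.get("permitrootlogin", [""])[0].lower() != "no":
        problems.append("PermitRootLogin: the network-facing daemon must say no")
    return problems


if __name__ == "__main__":
    pub, loop = make_configs("host2", "dummy0")
    print(pub, loop, sep="\n\n")
    print("\nproblems:", check_pair(pub, loop) or "none")
```

Run it as-is and it reports no problems; change the second PidFile to /var/run/ssh1.pid and it flags exactly the collision described above. The parser is deliberately minimal (no Match blocks, no include files), which is enough for the two short configs in question.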

Feature request

This kludge (2 daemons) would not have to be used if the possibility existed
of using a combined "AllowUsers" and "ListenAddress" parameter (ACL's ?)
for instance:
ACL
[allow|deny],[dns|host|ipaddress|range[:port]],[user|group],[dns|host|ipaddress|range[:port]]
ACL allow,    hostname, root,  dummy0
ACL deny,     *,        !root, dummy0
ACL allow,    *,        !root, *
ACL deny,     *,        *,     *  (sorry, Cisco heritage showing ;-) )
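To make the semantics of the proposed syntax concrete, here is an added Python evaluator (not from the mail, and not an OpenSSH feature; OpenSSH later grew Match blocks keyed on Address and User that cover this use case, but the code follows the mail's own four-column rule form). It assumes first-match evaluation with an implicit final deny, as in the Cisco style the rules are written in, a constructed hosts table standing in for DNS in which host2 also owns the non-routed dummy0 address, and IPv4 only.

```python
# Added example (not from the mail, and not an OpenSSH feature): a first-match
# evaluator for the ACL syntax proposed above, to make its semantics concrete.
# The hosts table below is constructed and stands in for DNS; IPv4 only.
import ipaddress

# Constructed: names -> the addresses they resolve to. host2 also owns the
# non-routed dummy0 address, which is what su-ing users connect from.
HOSTS = {
    "host1":  ["192.0.2.20"],
    "host2":  ["192.0.2.10", "10.255.255.1"],
    "dummy0": ["10.255.255.1"],
}

# The rules from the mail, with "hostname" filled in as host2.
RULES_TEXT = """
ACL allow,    host2,    root,  dummy0
ACL deny,     *,        !root, dummy0
ACL allow,    *,        !root, *
ACL deny,     *,        *,     *
"""


def parse_rules(text):
    """Parse 'ACL action, source, user, destination[:port]' lines into tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("ACL"):
            continue
        fields = [f.strip() for f in line[3:].split(",")]
        if len(fields) != 4 or fields[0] not in ("allow", "deny"):
            raise ValueError(f"malformed rule: {raw!r}")
        action, src, user, dst = fields
        dst_host, _, dst_port = dst.partition(":")
        rules.append((action, src, user, dst_host, int(dst_port) if dst_port else None))
    return rules


def addr_matches(pattern, addr):
    """'*' matches all; otherwise a name (via HOSTS), a single address, or a CIDR range."""
    if pattern == "*":
        return True
    ip = ipaddress.ip_address(addr)
    for candidate in HOSTS.get(pattern, [pattern]):
        try:
            if ip in ipaddress.ip_network(candidate, strict=False):
                return True
        except ValueError:
            pass  # unresolvable name: never matches, so a typo fails closed
    return False


def user_matches(pattern, user):
    """'*' matches all; a leading '!' negates an exact user name."""
    if pattern == "*":
        return True
    negate = pattern.startswith("!")
    hit = pattern.lstrip("!") == user
    return not hit if negate else hit


def decide(rules, src_addr, user, dst_addr, dst_port=22):
    """Return 'allow' or 'deny' from the first matching rule; no match means deny."""
    for action, src, usr, dst, port in rules:
        if (addr_matches(src, src_addr) and user_matches(usr, user)
                and addr_matches(dst, dst_addr) and port in (None, dst_port)):
            return action
    return "deny"


RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    # root via the dummy address from the box itself, root from the network,
    # an ordinary user to the public address, an ordinary user to dummy0
    for src, usr, dst in [("10.255.255.1", "root", "10.255.255.1"),
                          ("192.0.2.20", "root", "10.255.255.1"),
                          ("192.0.2.20", "user1", "192.0.2.10"),
                          ("192.0.2.20", "user1", "10.255.255.1")]:
        print(f"{usr}@{src} -> {dst}: {decide(RULES, src, usr, dst)}")
```

With these four rules, root is allowed only when the connection originates on the host itself and targets dummy0; root from anywhere on the network, and ordinary users targeting dummy0, fall through to a deny, while ordinary users reaching the public address are allowed. A name that does not resolve never matches, so a typo in a rule cannot silently widen access.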

Sincerely,

Jan.
