X11forwarding yes: how to debug/setup after xauth fix
Michael Felt
michael at felt.demon.nl
Wed Oct 4 20:33:52 AEDT 2017
On 04/10/2017 11:28, Michael Felt wrote:
> On 04/10/2017 11:07, Michael Felt wrote:
>> I know that there is a security-fix starting with openssh-7.2
>> (https://www.openssh.com/security.html, March 9, 2016) - and when I
>> load any version of openssh prior to Openssh-7.2 I get the expected
>> X11 behavior over an ssh(d) X11forwarding tunnel.
>>
>> So, what should I be looking at on my server or client-side. Is there
>> a different setting I should be using? I am still using the "putty"
>> setting of: MIT-Magic-Cookie-1. (I'll test, in a moment using
>> XDM-Authorization-1).
> Did not help.
>> However, the hint I am hoping for is the flag to set for sshd (e.g.,
>> -ddddd) and what debug string - to see if X11forwarding is attempted,
>> and if so, why it is rejected by the sshd.
>
> Looking further: How can I see what is failing? Can I add a character
> to the whitelist (once I know what is rejected)?
>
> imho: the cure may be worse than the illness if this means my X11
> sessions are either "clear" or impossible - as they are not in the SSH
> (encrypted) tunnel.
>
> From http://www.openssh.com/txt/x11fwd.adv
>
> 4. Details
>
> As part of establishing an X11 forwarding session, sshd(8)
> accepts an X11 authentication credential from the client.
> This credential is supplied to the xauth(1) utility to
> establish it for X11 applications that the user subsequently
> runs.
>
> The contents of the credential's components (authentication
> scheme and credential data) were not sanitised to exclude
> meta-characters such as newlines.
So - is it the new-line in this output (I assume this is the response
being sent (one line deleted))
# xauth list
x072.home.local/unix:10 MIT-MAGIC-COOKIE-1 e757afdfac29af76342ec2360787ae91
# xauth list | od -c
0000000 x 0 7 2 . h o m e . l o c a l /
0000020 u n i x : 1 0 M I T - M A G
0000040 I C - C O O K I E - 1 e 7 5
...
0000100 e c 2 3 6 0 7 8 7 a e 9 1 \n
> An attacker could
> therefore supply a credential that injected commands to
> xauth(1). The attacker could then use a number of xauth
> commands to read or overwrite arbitrary files subject to
> file permissions, connect to local ports or perform attacks
> on xauth(1) itself.
>
> OpenSSH 7.2p2 implements a whitelist of characters that
> are permitted to appear in X11 authentication credentials.
>
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
More information about the openssh-unix-dev
mailing list