openssh unix dev - Nov 2001 - [PATCH] tcp-wrappers support extended to x11 forwards

Hi!

Here is the patch to support tcp wrappers with x11-forwarded connections.

The patch is for openssh-3.0.1p1 but it works fine with 2.9.9p2 too.


I've understood that this will not be included in the official version
because it adds complexity (?!) to openssh.

Binding the forwarded port to localhost doesn't solve all problems. I've
understood that you should also implement forwarding for x11 unix domain
sockets.

Therefore I would ask you to reconsider of putting something like my patch 
here into official version of openssh.

After all, it uses tcp wrappers only if they are enabled as configure option.

There is a reason why port 22 has support for tcp-wrappers. I think that
same reason applies to x11 forwarded ports.

If the forwarded port can be bound to localhost and it doesn't cause any
additional problems then this patch is obsolete.

Since there is no working solution to the localhost display would you please
consider this patch?


All comments are wellcome.

-- 
  Osmo Paananen 

-------------- next part --------------
diff -u openssh-3.0.1p1/channels.c openssh-modified/channels.c
--- openssh-3.0.1p1/channels.c	Fri Oct 12 04:35:05 2001
+++ openssh-modified/channels.c	Mon Nov 26 15:53:04 2001
@@ -55,6 +55,12 @@
 #include "key.h"
 #include "authfd.h"
 
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+extern int allow_severity;
+extern int deny_severity;
+#endif /* LIBWRAP */
 
 /* -- channel core */
 
@@ -1006,6 +1012,25 @@
 			error("accept: %.100s", strerror(errno));
 			return;
 		}
+#ifdef LIBWRAP
+		/* XXX LIBWRAP noes not know about IPv6 */
+		{
+		  struct request_info req;
+		  
+		  request_init(&req, RQ_DAEMON, "sshdfwd-X11", RQ_FILE,
newsock, 0);
+		  fromhost(&req);
+		  
+		  if (!hosts_access(&req)) {
+		    syslog(deny_severity, "refused fwd-X11 connect from %s",
eval_client(&req));
+		    close(newsock);
+		    
+		    return;
+		  }
+		  syslog(allow_severity, "fwd-X11 connect from %s",
eval_client(&req));
+
+        }
+#endif /* LIBWRAP */ 
+
 		remote_ipaddr = get_peer_ipaddr(newsock);
 		remote_port = get_peer_port(newsock);
 		snprintf(buf, sizeof buf, "X11 connection from %.200s port %d",
diff -u openssh-3.0.1p1/ssh-keyscan.c openssh-modified/ssh-keyscan.c
--- openssh-3.0.1p1/ssh-keyscan.c	Wed Nov 14 23:40:45 2001
+++ openssh-modified/ssh-keyscan.c	Mon Nov 26 14:04:42 2001
@@ -34,6 +34,13 @@
 #include "atomicio.h"
 #include "misc.h"
 
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity = LOG_INFO;
+int deny_severity = LOG_WARNING;
+#endif /* LIBWRAP */
+
 /* Flag indicating whether IPv4 or IPv6.  This can be set on the command line.
    Default value is AF_UNSPEC means both IPv4 and IPv6. */
 #ifdef IPV4_DEFAULT
diff -u openssh-3.0.1p1/ssh.c openssh-modified/ssh.c
--- openssh-3.0.1p1/ssh.c	Mon Nov 12 01:52:04 2001
+++ openssh-modified/ssh.c	Mon Nov 26 14:04:42 2001
@@ -80,6 +80,15 @@
 char *__progname;
 #endif
 
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity = LOG_INFO;
+int deny_severity = LOG_WARNING;
+#endif /* LIBWRAP */
+
+
+
 /* Flag indicating whether IPv4 or IPv6.  This can be set on the command line.
    Default value is AF_UNSPEC means both IPv4 and IPv6. */
 #ifdef IPV4_DEFAULT

On Tue, 27 Nov 2001, Osmo Paananen wrote:
:I've understood that this will not be included in the official version
:because it adds complexity (?!) to openssh.
:
:Binding the forwarded port to localhost doesn't solve all problems.
I've
:understood that you should also implement forwarding for x11 unix domain
:sockets.

why should unix domain sockets be supported?  not all systems support
them.

also, i would be interested in hearing from portable users who find that
this patch *breaks* x11 forwarding for the server.  i do not think adding
familylocal authorization entries is required at all right now.

Index: session.c
==================================================================RCS file:
/var/cvs/openssh/session.c,v
retrieving revision 1.156
diff -u -r1.156 session.c
--- session.c	2001/11/13 12:46:19	1.156
+++ session.c	2001/11/27 21:11:05
@@ -1415,7 +1415,8 @@
 				    _PATH_SSH_SYSTEM_RC);
 		} else if (do_xauth && options.xauth_location != NULL) {
 			/* Add authority data to .Xauthority if appropriate. */
-			char *screen = strchr(s->display, ':');
+			/*char *screen = strchr(s->display, ':');*/
+			char *screen = NULL;

 			if (debug_flag) {
 				fprintf(stderr,

:Therefore I would ask you to reconsider of putting something like my patch
:here into official version of openssh.
:
:After all, it uses tcp wrappers only if they are enabled as configure option.
:
:There is a reason why port 22 has support for tcp-wrappers. I think that
:same reason applies to x11 forwarded ports.
:
:If the forwarded port can be bound to localhost and it doesn't cause any
:additional problems then this patch is obsolete.

yes.

:Since there is no working solution to the localhost display would you please
:consider this patch?

this is certainly not final, but it functions on openbsd and hp-ux 11 with
X11R6 libs (though this specific patch does *not* apply to portable).

Index: channels.h
==================================================================RCS file:
/cvs/src/usr.bin/ssh/channels.h,v
retrieving revision 1.51
diff -u -r1.51 channels.h
--- channels.h	7 Nov 2001 22:53:21 -0000	1.51
+++ channels.h	26 Nov 2001 18:49:30 -0000
@@ -198,7 +198,7 @@

 int	 x11_connect_display(void);
 char	*x11_create_display(int);
-char	*x11_create_display_inet(int, int);
+char	*x11_create_display_inet(int, int, int, char **);
 void     x11_input_open(int, int, void *);
 void     x11_request_forwarding(void);
 void	 x11_request_forwarding_with_spoofing(int, const char *, const char *);
Index: channels.c
==================================================================RCS file:
/cvs/src/usr.bin/ssh/channels.c,v
retrieving revision 1.140
diff -u -r1.140 channels.c
--- channels.c	10 Oct 2001 22:18:47 -0000	1.140
+++ channels.c	26 Nov 2001 18:49:31 -0000
@@ -2394,7 +2394,8 @@
  * occurs.
  */
 char *
-x11_create_display_inet(int screen_number, int x11_display_offset)
+x11_create_display_inet(int screen_number, int x11_display_offset,
+    int gateway_ports, char **auth_display)
 {
 	int display_number, sock;
 	u_short port;
@@ -2410,7 +2411,7 @@
 		port = 6000 + display_number;
 		memset(&hints, 0, sizeof(hints));
 		hints.ai_family = IPv4or6;
-		hints.ai_flags = AI_PASSIVE;		/* XXX loopback only ? */
+		hints.ai_flags = gateway_ports ? AI_PASSIVE : 0;
 		hints.ai_socktype = SOCK_STREAM;
 		snprintf(strport, sizeof strport, "%d", port);
 		if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) {
@@ -2463,7 +2464,16 @@
 	if (gethostname(hostname, sizeof(hostname)) < 0)
 		fatal("gethostname: %.100s", strerror(errno));
 	snprintf(display, sizeof display, "%.400s:%d.%d", hostname,
-		 display_number, screen_number);
+	    display_number, screen_number);
+	/*
+	 * auth_display must be used as the displayname when the
+	 * authorization entry is added with xauth(1).  This will be
+	 * different than the DISPLAY string for localhost displays.
+	 */
+	*auth_display = xstrdup(display);
+	if (!gateway_ports)
+		snprintf(display, sizeof display, "localhost:%d.%d",
+		    display_number, screen_number);

 	/* Allocate a channel for each socket. */
 	for (n = 0; n < num_socks; n++) {
Index: session.c
==================================================================RCS file:
/cvs/src/usr.bin/ssh/session.c,v
retrieving revision 1.108
diff -u -r1.108 session.c
--- session.c	11 Oct 2001 13:45:21 -0000	1.108
+++ session.c	26 Nov 2001 18:49:32 -0000
@@ -75,6 +75,7 @@
 	/* X11 */
 	char	*display;
 	int	screen;
+	char	*auth_display;
 	char	*auth_proto;
 	char	*auth_data;
 	int	single_connection;
@@ -1030,31 +1031,31 @@
 				    _PATH_SSH_SYSTEM_RC);
 		} else if (do_xauth && options.xauth_location != NULL) {
 			/* Add authority data to .Xauthority if appropriate. */
-			char *screen = strchr(s->display, ':');
+			char *screen = strchr(s->auth_display, ':');

 			if (debug_flag) {
 				fprintf(stderr,
 				    "Running %.100s add "
 				    "%.100s %.100s %.100s\n",
-				    options.xauth_location, s->display,
+				    options.xauth_location, s->auth_display,
 				    s->auth_proto, s->auth_data);
 				if (screen != NULL)
 					fprintf(stderr,
 					    "Adding %.*s/unix%s %s %s\n",
-					    (int)(screen - s->display),
-					    s->display, screen,
+					    (int)(screen - s->auth_display),
+					    s->auth_display, screen,
 					    s->auth_proto, s->auth_data);
 			}
 			snprintf(cmd, sizeof cmd, "%s -q -",
 			    options.xauth_location);
 			f = popen(cmd, "w");
 			if (f) {
-				fprintf(f, "add %s %s %s\n", s->display,
+				fprintf(f, "add %s %s %s\n", s->auth_display,
 				    s->auth_proto, s->auth_data);
 				if (screen != NULL)
 					fprintf(f, "add %.*s/unix%s %s %s\n",
-					    (int)(screen - s->display),
-					    s->display, screen,
+					    (int)(screen - s->auth_display),
+					    s->auth_display, screen,
 					    s->auth_proto,
 					    s->auth_data);
 				pclose(f);
@@ -1549,6 +1550,8 @@
 		xfree(s->term);
 	if (s->display)
 		xfree(s->display);
+	if (s->auth_display)
+		xfree(s->auth_display);
 	if (s->auth_data)
 		xfree(s->auth_data);
 	if (s->auth_proto)
@@ -1667,7 +1670,8 @@
 		debug("X11 display already set.");
 		return 0;
 	}
-	s->display = x11_create_display_inet(s->screen,
options.x11_display_offset);
+	s->display = x11_create_display_inet(s->screen,
options.x11_display_offset,
+	    options.gateway_ports, &s->auth_display);
 	if (s->display == NULL) {
 		debug("x11_create_display_inet failed.");
 		return 0;