bugzilla-daemon at bugzilla.mindrot.org
2010-Jun-20 11:24 UTC
[Bug 1785] New: configurable timeout for x11 cookies
https://bugzilla.mindrot.org/show_bug.cgi?id=1785

Summary: configurable timeout for x11 cookies
Product: Portable OpenSSH
Version: 5.5p1
Platform: All
OS/Version: Linux
Status: NEW
Severity: enhancement
Priority: P2
Component: ssh
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: taviso at cmpxchg8b.com

Created attachment 1877 --> https://bugzilla.mindrot.org/attachment.cgi?id=1877
Possible implementation of ForwardX11Timeout

On several popular Linux distributions (like redhat), x11 access control is performed using SO_PEERCRED credentials. This breaks ssh -X, as once the untrusted cookie expires, the untrusted connection becomes trusted. I posted about this to the Xorg devel list.

http://lists.x.org/archives/xorg-devel/2010-May/008636.html

I don't think openssh is to blame, but it would be great if a workaround was available. Because X will prefer the authentication data ssh sends before the fallback, perhaps providing an option to make sure it doesn't expire while the connection exists is a reasonable workaround?

Patch against cvs attached that might be acceptable, and is generally useful even for people not affected by this issue (the default hardcoded timeout of 2 hours is a little short imho). This only applies to untrusted cookies, which are of low value to attackers (at least, they're a supported security boundary).

The X developers did not have any useful suggestions to work around this problem, but perhaps you guys can think of one? An alternative might be just to refuse to work when requested to forward untrusted X11 connections to a machine using si:localuser access.

Any help appreciated, I'm happy to write some code, test, etc.

Patch tested like so:

$ xhost
access control enabled, only authorized clients can connect
SI:localuser:taviso
$ ./ssh -oForwardX11Timeout=10 -X untrusted at localhost
Last login: Sun Jun 20 13:17:34 2010 from insomniac.lan
$ xwd -root > /dev/null; echo $?
X Error of failed request:  BadWindow (invalid Window parameter)
  Major opcode of failed request:  3 (X_GetWindowAttributes)
  Resource id in failed request:  0x300001
  Serial number of failed request:  17
  Current serial number in output stream:  18
1
$ sleep 10
$ xwd -root > /dev/null; echo $?
0

--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Jun-22 04:37 UTC
[Bug 1785] configurable timeout for x11 cookies
https://bugzilla.mindrot.org/show_bug.cgi?id=1785

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Blocks|                            |1708
bugzilla-daemon at bugzilla.mindrot.org
2010-Jun-25 02:30 UTC
[Bug 1785] configurable timeout for x11 cookies
https://bugzilla.mindrot.org/show_bug.cgi?id=1785

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Additionally, we can make the client refuse X11 connection requests for untrusted channels when it knows the cookie is scheduled to expire (- a few seconds to be safe)
bugzilla-daemon at bugzilla.mindrot.org
2010-Jun-25 03:33 UTC
[Bug 1785] configurable timeout for x11 cookies
https://bugzilla.mindrot.org/show_bug.cgi?id=1785

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Created attachment 1886 --> https://bugzilla.mindrot.org/attachment.cgi?id=1886
/home/djm/ssh-x11forwardtimeout2.diff

Make client refuse X11 connections after timeout has expired
bugzilla-daemon at bugzilla.mindrot.org
2010-Jun-25 12:07 UTC
[Bug 1785] configurable timeout for x11 cookies
https://bugzilla.mindrot.org/show_bug.cgi?id=1785

--- Comment #3 from Tavis Ormandy <taviso at cmpxchg8b.com> ---
Oops, 20 minutes, not two hours, my mistake. Your patch looks good to me, a much better solution.
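Added example, not code from the bug thread or from OpenSSH: a POSIX shell model of the two defensive pieces discussed above, detecting an SI:localuser entry in the `xhost` access list from the report, and the client-side "refuse new untrusted X11 channels once the cookie is about to expire" rule from comments #1 and #2. It parses timeouts in the ssh_config time format (s/m/h/d/w suffixes, components may be concatenated) with the 20-minute default from comment #3 in mind; the sample `xhost` output is constructed and the function names are mine.

```shell
#!/bin/sh
# Added example (not from bug 1785 or OpenSSH). Two checks drawn from the thread:
#  1. does the local X server use SI:localuser (SO_PEERCRED) access control,
#     the fallback that turns an expired untrusted cookie into trusted access?
#  2. the client-side rule from comments #1/#2: refuse new untrusted X11
#     channels once the cookie is within a safety margin of its expiry.

# Constructed sample of `xhost` output, same shape as in the report.
SAMPLE_XHOST='access control enabled, only authorized clients can connect
SI:localuser:taviso'

# Return 0 if the access list contains any SI:localuser entry.
uses_localuser_auth() {
    printf '%s\n' "$1" | grep -q '^SI:localuser:'
}

# Convert an ssh_config time spec (10, 20m, 1h30m, ...) to seconds.
# Prints the result; returns 1 on a malformed spec.
timeout_seconds() {
    t=$1 total=0
    [ -n "$t" ] || return 1
    case "$t" in *[!0-9smhdw]*) return 1 ;; esac
    while [ -n "$t" ]; do
        num=${t%%[smhdw]*}          # digits before the first unit letter
        rest=${t#"$num"}            # from the unit letter onwards
        case "$num" in ''|*[!0-9]*) return 1 ;; esac
        case "$rest" in
            s*) mult=1 ;;     m*) mult=60 ;;     h*) mult=3600 ;;
            d*) mult=86400 ;; w*) mult=604800 ;; *) mult=1 ;;
        esac
        total=$((total + num * mult))
        t=${rest#?}                 # drop the unit letter (no-op if none)
    done
    echo "$total"
}

# Decide whether a new untrusted X11 channel may be opened.
# Args: cookie_created_epoch now_epoch timeout_spec [margin_seconds=5]
# Prints allow/refuse; returns 0 for allow, 1 for refuse.
x11_channel_decision() {
    created=$1 now=$2 spec=$3 margin=${4:-5}
    secs=$(timeout_seconds "$spec") || { echo refuse; return 1; }
    if [ $((now - created)) -ge $((secs - margin)) ]; then
        echo refuse; return 1
    fi
    echo allow
}

if uses_localuser_auth "$SAMPLE_XHOST"; then
    echo "SI:localuser in use: untrusted X11 forwarding becomes trusted once the cookie expires"
fi
for now in 1004 1005; do   # ForwardX11Timeout=10 as in the report's test
    printf '%ss elapsed: %s\n' "$((now - 1000))" "$(x11_channel_decision 1000 "$now" 10)"
done
```

Run against a real session, replace SAMPLE_XHOST with the output of `xhost` on the X server host.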
bugzilla-daemon at bugzilla.mindrot.org
2010-Jun-25 23:17 UTC
[Bug 1785] configurable timeout for x11 cookies
https://bugzilla.mindrot.org/show_bug.cgi?id=1785

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
patch applied - this will be in OpenSSH-5.6. Thanks!
bugzilla-daemon at bugzilla.mindrot.org
2011-Jan-24 01:33 UTC
[Bug 1785] configurable timeout for x11 cookies
https://bugzilla.mindrot.org/show_bug.cgi?id=1785

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #5 from Damien Miller <djm at mindrot.org> 2011-01-24 12:33:59 EST ---
Move resolved bugs to CLOSED after 5.7 release