bugzilla-daemon at bugzilla.mindrot.org
2016-Mar-14 02:19 UTC
[Bug 2552] New: ssh -X and "ForwardX11Trusted no" break most applications, distros turn on "ForwardX11Trusted yes"
https://bugzilla.mindrot.org/show_bug.cgi?id=2552
Bug ID: 2552
Summary: ssh -X and "ForwardX11Trusted no" break most applications, distros turn on "ForwardX11Trusted yes"
Product: Portable OpenSSH
Version: 7.2p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: pabs3 at bonedaddy.net
CC: cjwatson at debian.org, jjelen at redhat.com
I'm not sure what severity this should be reported at, please adjust it
if you disagree with what I chose.
"ForwardX11Trusted no" breaks most applications (including causing
crashes in xterm when you select text). As a result, distributions (at
least Fedora & Debian) are patching ssh -X to work like ssh -Y by
turning on "ForwardX11Trusted yes". Some discussion of this issue is in
this Debian thread from last year:
https://lists.debian.org/debian-devel/2015/08/msg00316.html
It seems to me that this situation is not acceptable and that something
should change. The distros aren't going to budge because `ssh -X` is
extremely user-unfriendly right now, so I'm hoping the OpenSSH project
can help clear this logjam.
There are several possible solutions I can think of:

1. Fix every X11 application and toolkit to not crash when denied access.
   I don't think this is feasible.

2. Switch every X11 application and toolkit to Wayland instead. This is
   only slightly more feasible, since there will still be things like
   xterm that need a complete rewrite.

3. Give an error when ssh -X is used or when "ForwardX11Trusted no" is
   set in the configuration. This will force users to learn about
   the choice between unstable X11 forwarding or insecure X11 forwarding,
   which they probably wouldn't be happy about. I don't know how the
   distributions would react, but it probably wouldn't be good.

4. For ssh -X and "ForwardX11Trusted no", implement an X11 proxy that
   lies to applications/toolkits about what they are allowed to do in
   order to prevent them from crashing. This would probably convince the
   distros to return to "ForwardX11Trusted no" by default. This could
   perhaps use xpra if it is secure enough. Otherwise this is probably
   going to be a lot of work to implement and test.
   https://xpra.org/
--
You are receiving this mail because:
You are watching the assignee of the bug.
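To make the situation the report describes concrete, here is an added example (not OpenSSH code and not from the bug thread): a small audit of ssh_config text that reports, per host, whether X11 forwarding ends up off, untrusted (what -X is meant to be) or trusted (-Y), including the case where a distro-style "Host *" ForwardX11Trusted yes turns every -X session into a trusted one. The ssh_config model is deliberately simplified (Host blocks only, no Match; upstream defaults assumed; '*' and '?' wildcards and '!' negation), and every host name and config line is constructed.

```python
import fnmatch
# Upstream defaults; Debian/Fedora ship ForwardX11Trusted yes instead, so there "ssh -X" acts like "ssh -Y".
UPSTREAM_DEFAULTS = {"forwardx11": "no", "forwardx11trusted": "no"}

def parse_ssh_config(text):
    """Return [(host_patterns, {keyword: value}), ...] in file order (Host blocks only; no Match)."""
    blocks, patterns, opts = [], ["*"], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # whole-line comments only, as in ssh_config
            continue
        key, val = (line.replace("=", " ", 1).split(None, 1) + [""])[:2]
        if key.lower() == "host":             # a Host line starts a new block
            blocks.append((patterns, opts))
            patterns, opts = val.split(), {}
        else:                                 # within a block the first value wins
            opts.setdefault(key.lower(), val.strip().lower())
    blocks.append((patterns, opts))
    return blocks

def host_matches(patterns, host):
    """ssh_config pattern list: '*' and '?' wildcards; any matching '!' pattern excludes."""
    if any(p.startswith("!") and fnmatch.fnmatchcase(host, p[1:]) for p in patterns):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in patterns if not p.startswith("!"))

def effective(blocks, host, key, defaults):
    """First obtained value across blocks wins, as ssh_config(5) documents."""
    return next((o[key] for p, o in blocks if key in o and host_matches(p, host)), defaults[key])

def audit(text, hosts, flag=None, defaults=UPSTREAM_DEFAULTS):
    """Classify X11 forwarding per host as 'off', 'untrusted' or 'trusted'."""
    blocks = parse_ssh_config(text)
    if flag in ("-X", "-Y"):  # command-line options are read before any config file
        cli = {"forwardx11": "yes", **({"forwardx11trusted": "yes"} if flag == "-Y" else {})}
        blocks.insert(0, (["*"], cli))
    result = {}
    for host in hosts:
        fwd = effective(blocks, host, "forwardx11", defaults) == "yes"
        trusted = effective(blocks, host, "forwardx11trusted", defaults) == "yes"
        result[host] = "trusted" if fwd and trusted else "untrusted" if fwd else "off"
    return result
# Constructed sample: per-host user settings, then a distro-style "Host *" default.
SAMPLE_CONFIG = """Host build.example.org
    ForwardX11 yes
    ForwardX11Trusted no
Host *.example.org !lab.example.org
    ForwardX11 yes
Host *
    ForwardX11Trusted yes
"""
```

Run `audit(SAMPLE_CONFIG, ["lab.example.org"], flag="-X")` to see the report's complaint in miniature: the global ForwardX11Trusted line turns a plain `-X` into a trusted session, while the same call against a config without that line yields "untrusted".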
bugzilla-daemon at bugzilla.mindrot.org
2016-Mar-14 08:33 UTC
[Bug 2552] ssh -X and "ForwardX11Trusted no" break most applications, distros turn on "ForwardX11Trusted yes"
https://bugzilla.mindrot.org/show_bug.cgi?id=2552

--- Comment #1 from Jakub Jelen <jjelen at redhat.com> ---

Thank you for bringing this upstream. The fact that the SECURITY extension
"breaks" applications is a known problem for years, but when distros
basically disabled untrusted forwarding, there was no reason for
application developers to fix these problems. And now we are on the same
page, >10 years later.

But you miss one thing that changed. The XSECURITY extension is no longer
enabled by default on current systems (at least Fedora/RHEL) and disabled
upstream since 2007 in favour of the X Access Control Extension (XACE).
This caused CVE-2016-1908 (fallback from untrusted to trusted) when the
extension is missing. Current behaviour is that untrusted X11 forwarding
requests fail in this case.

My initial idea was to have a look into XACE, if it is mature enough and if
it would be able to work with our X11 forwarding, but Wayland/xpra also
look like an interesting way to go. I would be interested in others'
insights on this issue.
bugzilla-daemon at bugzilla.mindrot.org
2016-Mar-15 02:09 UTC
[Bug 2552] ssh -X and "ForwardX11Trusted no" break most applications, distros turn on "ForwardX11Trusted yes"
https://bugzilla.mindrot.org/show_bug.cgi?id=2552

--- Comment #2 from Paul Wise <pabs3 at bonedaddy.net> ---

Thanks for that information. Using XACE sounds better than xpra since the
latter would be an extra external dependency. Wayland support would be an
entirely separate feature and probably off-topic here. There has been some
work on transporting Wayland over the network here:
https://lists.freedesktop.org/archives/wayland-devel/2016-February/026933.html
https://blogs.s-osg.org/wow-wayland-over-wire/