openssh unix dev - Jul 2001 - Xauthority location: only per-user setting possible

Hello all,

$XAUTHORITY location has moved from under /tmp to ~/.Xauthority in 2.9p2.

The commit message was:
---
remove xauth-cookie-in-tmp handling. use default $XAUTHORITY, since
we do already trust $HOME/.ssh
you can use .ssh/sshrc and .ssh/environment if you want to customize
the location of the xauth cookies
---

The latter is true, but can only be enabled in per-user basis as far as I
see.  To make it work for one user, you need to do like:

.ssh/environment:
XAUTHORITY=/tmp/some/where

.ssh/rc or /etc/ssh/rc:
if read proto cookie; then
	echo add $DISPLAY $proto $cookie | /usr/X11R6/bin/xauth -q -
fi

However, .ssh/environment handling does not parse environment variables
(good thing; they might not even be known at this point) or provide much
flexibility.

To provide xauthority in /tmp for _everyone_, everyone has to pick one
$XAUTHORITY location and put it in .ssh/environment.

This does not seem too scalable.

One other application of this is an SSH gateway where users _don't_ even
have a writable home directory.  There are probably more.

I can't figure out how this could be done in a flexible manner today.
Any thoughts would be greatly appreciated.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

On Fri, 6 Jul 2001, Pekka Savola wrote:
> Hello all,
>
> $XAUTHORITY location has moved from under /tmp to ~/.Xauthority in
> 2.9p2.
>
> The commit message was:
> ---
> remove xauth-cookie-in-tmp handling. use default $XAUTHORITY, since
> we do already trust $HOME/.ssh
> you can use .ssh/sshrc and .ssh/environment if you want to customize
> the location of the xauth cookies
> ---
>
> [...]
>
> To provide xauthority in /tmp for _everyone_, everyone has to pick
> one $XAUTHORITY location and put it in .ssh/environment.
>
> This does not seem too scalable.
Yes, this is a problem.

In a nutshell, removing the xauth-cookie-in-tmp handling makes it so
that there is no way to securely change the location of the Xauthority
file to a subdirectory of /tmp (or any other globally-shared temporary
directory).

You can define XAUTHORITY in $HOME/.ssh/environment (e.g., to
/tmp/username-Xauthority), but there is no way to create the file
securely.  So, this option is unacceptable.

You can use mktemp(1) in $HOME/.ssh/rc to securely create a Xauthority
file, but there is no way to propagate the XAUTHORITY environment
variable back up to sshd.  So, this option won't work.

The quickest solution is to simply add back in the xauth-cookie-in-tmp
handling stuff, and make sure that xauthfile_cleanup_proc uses
temporarily_use_uid().  I've come up with a patch against 2.9p2 to do
exactly that, although I haven't tested it.

I think a better solution (and one more in tune with the desires of
the OpenSSH maintainers) would be to have OpenSSH capture the stdout
of $HOME/.ssh/rc and process it in exactly the same way as
$HOME/.ssh/environment.  That would permit one to construct a
$HOME/.ssh/rc like the following:

    #! /bin/sh
    read proto cookie
    [ "x${proto}x" = xx ] && exit 1
    [ "x${cookie}x" = xx ] && exit 1
    XAUTHORITY="`mktemp /tmp/username-ssh-cookie-XXXXXX`" || exit 1
    # If "echo" isn't a builtin, this exposes your cookie to
ps(1)!
    echo add ${DISPLAY} ${proto} ${cookie} | xauth -q - || exit 1
    echo XAUTHORITY=${XAUTHORITY}
    exit 0

In short, let the user solve the Xauthority file problem (and any
other initialization problems he might happen to have), and
communicate the necessary environment variables back to sshd.  This
gets OpenSSH out of the business of doing things that should be
handled by the user in the first place.

Thoughts?

-- 
James Ralston, Information Technology
Software Engineering Institute
Carnegie Mellon University, Pittsburgh, PA, USA