search for: forwardx11timeout

https://bugzilla.mindrot.org/show_bug.cgi?id=2295 Bug ID: 2295 Summary: clarify the effect of ForwardX11Timeout=0 in ssh config Product: Portable OpenSSH Version: 6.7p1 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: Documentation Assignee: unassigned-bugs at...

Hi, it seems that setting ForwardX11Trusted = yes ForwardX11Timeout = 0 causes untrusted connections to be refused immediately. While this certainly makes sense this way, I believe in this case ForwardX11Timeout = 0 might be better used for disabling the timeout entirely (the current behaviour is the same as ForwardX11Trusted = no). Is there some reason while...

This change allows use of untrusted X11 forwarding (which is more secure) without requiring users to choose a finite timeout after which to refuse new connections. This matches the semantics of the X11 security extension itself, which also treat a validity timeout of 0 on an authentication cookie as indefinite. Signed-off-by: Trixie Able <table at inventati.org> --- clientloop.c | 12

https://bugzilla.mindrot.org/show_bug.cgi?id=1718 Summary: Spurious messages "X11 connection rejected because of wrong authentication." Product: Portable OpenSSH Version: 5.3p1 Platform: Other OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: ssh

...ions seem to require -Y and I have not dug into all of the reasons. > Maybe it is some other issue that is closing your ssh connection > (maybe you should use the KeepAlive options on the ssh > server/client); just guessing. On Debian and FreeBSD 'man ssh_config' now shows: ForwardX11Timeout Specify a timeout for untrusted X11 forwarding using the format described in the TIME FORMATS section of sshd_config(5). X11 connections received by ssh(1) after this time will be refused. The default is to disable untrusted X11 forwarding after twenty minutes...

...1 23:20:25 -0000 1.319 +++ ssh.1 25 Aug 2011 19:24:29 -0000 @@ -419,11 +419,13 @@ For full details of the options listed b .It ConnectTimeout .It ControlMaster .It ControlPath +.It ControlPersist .It DynamicForward .It EscapeChar .It ExitOnForwardFailure .It ForwardAgent .It ForwardX11 +.It ForwardX11Timeout .It ForwardX11Trusted .It GatewayPorts .It GlobalKnownHostsFile @@ -438,6 +440,7 @@ For full details of the options listed b .It IdentityFile .It IdentitiesOnly .It IPQoS +.It KbdInteractiveAuthentication .It KbdInteractiveDevices .It KexAlgorithms .It LocalCommand

...ll | | qplot(1:10, 1:10) + xlab("gr??e") | ## ERROR `---- My setup: - locally: Linux (Debian GNU/Linux 9) - remotely Linux (RHEL Server release 7.3 (Maipo) (Maybe) relevant bits of my .ssh/config: ,---- | Host theserver | HostName XXX.XXX.XXX.XXX | ForwardX11 yes | ForwardX11Timeout 596h | IdentityFile ~/.ssh/id_rsa | IdentitiesOnly yes | ForwardAgent yes | ServerAliveInterval 300 `---- Thanks in advance for your help! Best, Andreas

...hrase. bz#2901 * sshd(8): when a channel closed message is received from a client, close the stderr file descriptor at the same time stdout is closed. This avoids stuck processes if they were waiting for stderr to close and were insensitive to stdin/out closing. bz#2863 * ssh(1): allow ForwardX11Timeout=0 to disable the untrusted X11 forwarding timeout and support X11 forwarding indefinitely. Previously the behaviour of ForwardX11Timeout=0 was undefined. * sshd(8): when compiled with GSSAPI support, cache supported method OIDs regardless of whether GSSAPI authentication is enabled in th...

...cords indicate that you have accepted this patch, so this is just a reminder. Invalid Sx reference - not a section on this page. --- ssh_config.5-unpatched 2013-05-25 14:56:05.228356137 -0400 +++ ssh_config.5 2013-05-25 14:56:04.832356145 -0400 @@ -490,9 +490,7 @@ option is also enabled. .It Cm ForwardX11Timeout Specify a timeout for untrusted X11 forwarding -using the format described in the -.Sx TIME FORMATS -section of +using the format described in the TIME FORMATS section of .Xr sshd_config 5 . X11 connections received by .Xr ssh 1 @@ -1296,9 +1294,7 @@ .Dq no . Note that this option applies to...

...Status: NEW Severity: enhancement Priority: P2 Component: ssh AssignedTo: unassigned-bugs at mindrot.org ReportedBy: taviso at cmpxchg8b.com Created attachment 1877 --> https://bugzilla.mindrot.org/attachment.cgi?id=1877 Possible implementation of ForwardX11Timeout On several popular Linux distributions (like redhat), x11 access control is performed using SO_PEERCRED credentials, this breaks ssh -X, as once the untrusted cookie expires, the untrusted connection becomes trusted. I posted about this to the Xorg devel list. http://lists.x.org/archives/xorg-de...

...mindrot.org Reporter: mikko.rantalainen at peda.net Steps to reproduce: $ cat ~/.ssh/config ControlMaster auto ControlPath ~/.ssh/connections/%r@%h:%p ControlPersist 1 Host workstation HostName remote.example.com HostKeyAlias workstation ForwardX11 yes ForwardX11Timeout 10h AddKeysToAgent yes ForwardAgent yes With two local terminal sessions A and B. A: ssh workstation B: ssh workstation A: logout The ssh connection to workstation is immediately completed but stderr gets an extra message Shared connection to remote.example.com closed. This i...

...ent intentions, but please check the final release notes for OpenSSH 7.0 when it is released. Changes since OpenSSH 6.8 ========================= This is primarily a bugfix release. Security -------- * ssh(1): when forwarding X11 connections with ForwardX11Trusted=no, connections made after ForwardX11Timeout expired could be permitted and no longer subject to XSECURITY restrictions because of an ineffective timeout check in ssh(1) coupled with "fail open" behaviour in the X11 server when clients attempted connections with expired credentials. This problem was reported by Jann Horn...

...hrase. bz#2901 * sshd(8): when a channel closed message is received from a client, close the stderr file descriptor at the same time stdout is closed. This avoids stuck processes if they were waiting for stderr to close and were insensitive to stdin/out closing. bz#2863 * ssh(1): allow ForwardX11Timeout=0 to disable the untrusted X11 forwarding timeout and support X11 forwarding indefinitely. Previously the behaviour of ForwardX11Timeout=0 was undefined. * sshd(8): when compiled with GSSAPI support, cache supported method OIDs regardless of whether GSSAPI authentication is enabled in th...

...ent intentions, but please check the final release notes for OpenSSH 7.0 when it is released. Changes since OpenSSH 6.8 ========================= This is primarily a bugfix release. Security -------- * ssh(1): when forwarding X11 connections with ForwardX11Trusted=no, connections made after ForwardX11Timeout expired could be permitted and no longer subject to XSECURITY restrictions because of an ineffective timeout check in ssh(1) coupled with "fail open" behaviour in the X11 server when clients attempted connections with expired credentials. This problem was reported by Jann Horn...