summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authordjm <djm>2010-06-26 00:02:03 +0000
committerdjm <djm>2010-06-26 00:02:03 +0000
commitace3a1d44bbf0f2b48c31d186789dff08711884c (patch)
tree1b0d4c7c808390e24c4e3b5cd4655e80de5077d1
parentd2fa903264c8d6e44371534ad7cb6773b4006d16 (diff)
downloadopenssh-ace3a1d44bbf0f2b48c31d186789dff08711884c.tar.gz
- djm@cvs.openbsd.org 2010/06/25 23:10:30
[ssh.c] log the hostname and address that we connected to at LogLevel=verbose after authentication is successful to mitigate "phishing" attacks by servers with trusted keys that accept authentication silently and automatically before presenting fake password/passphrase prompts; "nice!" markus@
-rw-r--r--ChangeLog7
-rw-r--r--clientloop.c26
-rw-r--r--clientloop.h4
-rw-r--r--mux.c9
-rw-r--r--readconf.c14
-rw-r--r--readconf.h3
-rw-r--r--ssh.c16
-rw-r--r--ssh_config.514
8 files changed, 73 insertions, 20 deletions
diff --git a/ChangeLog b/ChangeLog
index 2467840e..b0f82de2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -67,6 +67,13 @@
[auth1.c auth2-none.c]
skip the initial check for access with an empty password when
PermitEmptyPasswords=no; bz#1638; ok markus@
+ - djm@cvs.openbsd.org 2010/06/25 23:10:30
+ [ssh.c]
+ log the hostname and address that we connected to at LogLevel=verbose
+ after authentication is successful to mitigate "phishing" attacks by
+ servers with trusted keys that accept authentication silently and
+ automatically before presenting fake password/passphrase prompts;
+ "nice!" markus@
20100622
- (djm) [loginrec.c] crank LINFO_NAMESIZE (username length) to 512
diff --git a/clientloop.c b/clientloop.c
index 76de3721..5608bcc2 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.220 2010/04/10 02:08:44 djm Exp $ */
+/* $OpenBSD: clientloop.c,v 1.221 2010/06/25 23:15:36 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -155,11 +155,12 @@ static int stdin_eof; /* EOF has been encountered on stderr. */
static Buffer stdin_buffer; /* Buffer for stdin data. */
static Buffer stdout_buffer; /* Buffer for stdout data. */
static Buffer stderr_buffer; /* Buffer for stderr data. */
-static u_int buffer_high;/* Soft max buffer size. */
+static u_int buffer_high; /* Soft max buffer size. */
static int connection_in; /* Connection to server (input). */
static int connection_out; /* Connection to server (output). */
static int need_rekeying; /* Set to non-zero if rekeying is requested. */
-static int session_closed = 0; /* In SSH2: login session closed. */
+static int session_closed; /* In SSH2: login session closed. */
+static int x11_refuse_time; /* If >0, refuse x11 opens after this time. */
static void client_init_dispatch(void);
int session_ident = -1;
@@ -254,7 +255,7 @@ get_current_time(void)
#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
void
client_x11_get_proto(const char *display, const char *xauth_path,
- u_int trusted, char **_proto, char **_data)
+ u_int trusted, u_int timeout, char **_proto, char **_data)
{
char cmd[1024];
char line[512];
@@ -264,6 +265,7 @@ client_x11_get_proto(const char *display, const char *xauth_path,
int got_data = 0, generated = 0, do_unlink = 0, i;
char *xauthdir, *xauthfile;
struct stat st;
+ u_int now;
xauthdir = xauthfile = NULL;
*_proto = proto;
@@ -299,11 +301,18 @@ client_x11_get_proto(const char *display, const char *xauth_path,
xauthdir);
snprintf(cmd, sizeof(cmd),
"%s -f %s generate %s " SSH_X11_PROTO
- " untrusted timeout 1200 2>" _PATH_DEVNULL,
- xauth_path, xauthfile, display);
+ " untrusted timeout %u 2>" _PATH_DEVNULL,
+ xauth_path, xauthfile, display, timeout);
debug2("x11_get_proto: %s", cmd);
if (system(cmd) == 0)
generated = 1;
+ if (x11_refuse_time == 0) {
+ now = time(NULL) + 1;
+ if (UINT_MAX - timeout < now)
+ x11_refuse_time = UINT_MAX;
+ else
+ x11_refuse_time = now + timeout;
+ }
}
}
@@ -1686,6 +1695,11 @@ client_request_x11(const char *request_type, int rchan)
"malicious server.");
return NULL;
}
+ if (x11_refuse_time != 0 && time(NULL) >= x11_refuse_time) {
+ verbose("Rejected X11 connection after ForwardX11Timeout "
+ "expired");
+ return NULL;
+ }
originator = packet_get_string(NULL);
if (datafellows & SSH_BUG_X11FWD) {
debug2("buggy server: x11 request w/o originator_port");
diff --git a/clientloop.h b/clientloop.h
index a5bc246a..52115db6 100644
--- a/clientloop.h
+++ b/clientloop.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.h,v 1.24 2010/05/16 12:55:51 markus Exp $ */
+/* $OpenBSD: clientloop.h,v 1.25 2010/06/25 23:15:36 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -39,7 +39,7 @@
/* Client side main loop for the interactive session. */
int client_loop(int, int, int);
-void client_x11_get_proto(const char *, const char *, u_int,
+void client_x11_get_proto(const char *, const char *, u_int, u_int,
char **, char **);
void client_global_request_reply_fwd(int, u_int32_t, void *);
void client_session2_setup(int, int, int, const char *, struct termios *,
diff --git a/mux.c b/mux.c
index fdf0385e..5c3857ee 100644
--- a/mux.c
+++ b/mux.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mux.c,v 1.20 2010/06/25 07:14:46 djm Exp $ */
+/* $OpenBSD: mux.c,v 1.21 2010/06/25 23:15:36 djm Exp $ */
/*
* Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org>
*
@@ -1107,11 +1107,14 @@ mux_session_confirm(int id, int success, void *arg)
display = getenv("DISPLAY");
if (cctx->want_x_fwd && options.forward_x11 && display != NULL) {
char *proto, *data;
+
/* Get reasonable local authentication information. */
client_x11_get_proto(display, options.xauth_location,
- options.forward_x11_trusted, &proto, &data);
+ options.forward_x11_trusted, options.forward_x11_timeout,
+ &proto, &data);
/* Request forwarding with authentication spoofing. */
- debug("Requesting X11 forwarding with authentication spoofing.");
+ debug("Requesting X11 forwarding with authentication "
+ "spoofing.");
x11_request_forwarding_with_spoofing(id, display, proto, data);
/* XXX wait for reply */
}
diff --git a/readconf.c b/readconf.c
index aae9cef4..da48ae7d 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.185 2010/06/25 07:14:46 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.186 2010/06/25 23:15:36 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -110,8 +110,8 @@
typedef enum {
oBadOption,
- oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
- oExitOnForwardFailure,
+ oForwardAgent, oForwardX11, oForwardX11Trusted, oForwardX11Timeout,
+ oGatewayPorts, oExitOnForwardFailure,
oPasswordAuthentication, oRSAAuthentication,
oChallengeResponseAuthentication, oXAuthLocation,
oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
@@ -143,6 +143,7 @@ static struct {
{ "forwardagent", oForwardAgent },
{ "forwardx11", oForwardX11 },
{ "forwardx11trusted", oForwardX11Trusted },
+ { "forwardx11timeout", oForwardX11Timeout },
{ "exitonforwardfailure", oExitOnForwardFailure },
{ "xauthlocation", oXAuthLocation },
{ "gatewayports", oGatewayPorts },
@@ -414,6 +415,10 @@ parse_flag:
case oForwardX11Trusted:
intptr = &options->forward_x11_trusted;
goto parse_flag;
+
+ case oForwardX11Timeout:
+ intptr = &options->forward_x11_timeout;
+ goto parse_time;
case oGatewayPorts:
intptr = &options->gateway_ports;
@@ -1018,6 +1023,7 @@ initialize_options(Options * options)
options->forward_agent = -1;
options->forward_x11 = -1;
options->forward_x11_trusted = -1;
+ options->forward_x11_timeout = -1;
options->exit_on_forward_failure = -1;
options->xauth_location = NULL;
options->gateway_ports = -1;
@@ -1104,6 +1110,8 @@ fill_default_options(Options * options)
options->forward_x11 = 0;
if (options->forward_x11_trusted == -1)
options->forward_x11_trusted = 0;
+ if (options->forward_x11_timeout == -1)
+ options->forward_x11_timeout = 1200;
if (options->exit_on_forward_failure == -1)
options->exit_on_forward_failure = 0;
if (options->xauth_location == NULL)
diff --git a/readconf.h b/readconf.h
index 3c8eae9d..66acafde 100644
--- a/readconf.h
+++ b/readconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.84 2010/06/25 07:14:46 djm Exp $ */
+/* $OpenBSD: readconf.h,v 1.85 2010/06/25 23:15:36 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -32,6 +32,7 @@ typedef struct {
typedef struct {
int forward_agent; /* Forward authentication agent. */
int forward_x11; /* Forward X11 display. */
+ int forward_x11_timeout; /* Expiration for Cookies */
int forward_x11_trusted; /* Trust Forward X11 display. */
int exit_on_forward_failure; /* Exit if bind(2) fails for -L/-R */
char *xauth_location; /* Location for xauth program */
diff --git a/ssh.c b/ssh.c
index 228afecf..d8f0b214 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.338 2010/05/16 12:55:51 markus Exp $ */
+/* $OpenBSD: ssh.c,v 1.340 2010/06/25 23:15:36 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -829,6 +829,13 @@ main(int ac, char **av)
ssh_login(&sensitive_data, host, (struct sockaddr *)&hostaddr,
pw, timeout_ms);
+ if (packet_connection_is_on_socket()) {
+ verbose("Authenticated to %s ([%s]:%d).", host,
+ get_remote_ipaddr(), get_remote_port());
+ } else {
+ verbose("Authenticated to %s (via proxy).", host);
+ }
+
/* We no longer need the private host keys. Clear them now. */
if (sensitive_data.nkeys != 0) {
for (i = 0; i < sensitive_data.nkeys; i++) {
@@ -1096,7 +1103,9 @@ ssh_session(void)
char *proto, *data;
/* Get reasonable local authentication information. */
client_x11_get_proto(display, options.xauth_location,
- options.forward_x11_trusted, &proto, &data);
+ options.forward_x11_trusted,
+ options.forward_x11_timeout,
+ &proto, &data);
/* Request forwarding with authentication spoofing. */
debug("Requesting X11 forwarding with authentication "
"spoofing.");
@@ -1192,7 +1201,8 @@ ssh_session2_setup(int id, int success, void *arg)
char *proto, *data;
/* Get reasonable local authentication information. */
client_x11_get_proto(display, options.xauth_location,
- options.forward_x11_trusted, &proto, &data);
+ options.forward_x11_trusted,
+ options.forward_x11_timeout, &proto, &data);
/* Request forwarding with authentication spoofing. */
debug("Requesting X11 forwarding with authentication "
"spoofing.");
diff --git a/ssh_config.5 b/ssh_config.5
index 2df948e6..6968a448 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -34,8 +34,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.133 2010/04/16 06:45:01 jmc Exp $
-.Dd $Mdocdate: April 16 2010 $
+.\" $OpenBSD: ssh_config.5,v 1.134 2010/06/25 23:15:36 djm Exp $
+.Dd $Mdocdate: June 25 2010 $
.Dt SSH_CONFIG 5
.Os
.Sh NAME
@@ -432,6 +432,16 @@ An attacker may then be able to perform activities such as keystroke monitoring
if the
.Cm ForwardX11Trusted
option is also enabled.
+.It Cm ForwardX11Timeout
+Specify a timeout for untrusted X11 forwarding using the format described in
+.Sx TIME FORMATS
+section of
+.Xr sshd_config 5 .
+X11 connections received by
+.Xr ssh 1
+after this time will be refused.
+The default is to disable untrusted X11 forwarding after twenty minutes has
+elapsed.
.It Cm ForwardX11Trusted
If this option is set to
.Dq yes ,