Re: X11forwarding yes: how to debug/setup after xauth fix

On 04/10/2017 11:28, Michael Felt wrote:
On 04/10/2017 11:07, Michael Felt wrote:
I know that there is a security fix starting with openssh-7.2 (https://www.openssh.com/security.html, March 9, 2016) - and when I load any version of openssh prior to OpenSSH 7.2 I get the expected X11 behavior over an ssh(d) X11forwarding tunnel.

So, what should I be looking at on my server or client side? Is there a different setting I should be using? I am still using the "putty" setting of: MIT-Magic-Cookie-1. (I'll test, in a moment, using XDM-Authorization-1.)
Did not help.
However, the hint I am hoping for is the flag to set for sshd (e.g., -ddddd) and what debug string to look for - to see if X11forwarding is attempted, and if so, why it is rejected by the sshd.

Looking further: How can I see what is failing? Can I add a character to the whitelist (once I know what is rejected)?

imho: the cure may be worse than the illness if this means my X11 sessions are either "clear" or impossible - as they are not in the SSH (encrypted) tunnel.

From http://www.openssh.com/txt/x11fwd.adv

4. Details

    As part of establishing an X11 forwarding session, sshd(8)
    accepts an X11 authentication credential from the client.
    This credential is supplied to the xauth(1) utility to
    establish it for X11 applications that the user subsequently
    runs.

    The contents of the credential's components (authentication
    scheme and credential data) were not sanitised to exclude
    meta-characters such as newlines.

So - is it the newline in this output? (I assume this is the response being sent (one line deleted).)

# xauth list
x072.home.local/unix:10  MIT-MAGIC-COOKIE-1  e757afdfac29af76342ec2360787ae91
# xauth list | od -c
0000000    x   0   7   2   .   h   o   m   e   .   l   o   c   a   l   /
0000020    u   n   i   x   :   1   0           M   I   T   -   M   A   G
0000040    I   C   -   C   O   O   K   I   E   -   1           e   7   5
...
0000100    e   c   2   3   6   0   7   8   7   a   e   9   1  \n

    An attacker could therefore supply a credential that injected
    commands to xauth(1). The attacker could then use a number of
    xauth commands to read or overwrite arbitrary files subject to
    file permissions, connect to local ports or perform attacks
    on xauth(1) itself.

    OpenSSH 7.2p2 implements a whitelist of characters that
    are permitted to appear in X11 authentication credentials.


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
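As an added illustration (not code from OpenSSH or from the poster) of the whitelist the advisory describes: the check below is applied to the two components the client sends in its `x11-req` channel request, the protocol name and the cookie, and rejects anything outside alphanumerics plus `. : / - _`. That character set and the extra hex-format check on MIT cookies are assumptions of this example, not quoted from the advisory; the `\n` in the `od -c` dump above is the line terminator of `xauth list`'s output, not part of the credential the client transmits, so the listed cookie itself passes.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Whitelist check modelled on the sanitisation OpenSSH 7.2p2 added for
 * x11-req credentials. Assumed set: alphanumerics plus . : / - _ */
static bool xauth_valid_string(const char *s)
{
    for (size_t i = 0; s[i] != '\0'; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != ':' && c != '/' &&
            c != '-' && c != '_')
            return false;   /* newline, space, quotes etc. end up here */
    }
    return true;
}

/* Validate both components of an x11-req. Returns 0 on accept, -1 on
 * reject; *why (may be NULL) receives a short reason for the sshd log. */
int x11_credential_check(const char *proto, const char *data, const char **why)
{
    const char *reason = "ok";
    int rc = 0;

    if (!xauth_valid_string(proto)) {
        reason = "disallowed character in auth protocol name"; rc = -1;
    } else if (!xauth_valid_string(data)) {
        reason = "disallowed character in auth cookie"; rc = -1;
    } else if (strcmp(proto, "MIT-MAGIC-COOKIE-1") == 0) {
        /* Extra sanity check (this example's own): MIT cookies are hex. */
        size_t n = strlen(data);
        if (n == 0 || n % 2 != 0) { reason = "odd-length cookie"; rc = -1; }
        for (size_t i = 0; rc == 0 && i < n; i++)
            if (!isxdigit((unsigned char)data[i])) { reason = "non-hex cookie"; rc = -1; }
    }
    if (why) *why = reason;
    return rc;
}

int main(void)
{
    const char *why;
    /* Constructed samples: the cookie from the listing, then one with a newline. */
    const char *good = "e757afdfac29af76342ec2360787ae91";
    const char *bad  = "e757afdfac29af76342ec2360787ae91\nabcd";
    printf("listed cookie: %d (%s)\n", x11_credential_check("MIT-MAGIC-COOKIE-1", good, &why), why);
    printf("newline cookie: %d (%s)\n", x11_credential_check("MIT-MAGIC-COOKIE-1", bad, &why), why);
    return 0;
}
```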