On 04/10/2017 11:28, Michael Felt wrote:
On 04/10/2017 11:07, Michael Felt wrote:
I know that there is a security fix starting with OpenSSH 7.2
(https://www.openssh.com/security.html, March 9, 2016) - and when I
load any version of OpenSSH prior to OpenSSH 7.2 I get the expected
X11 behavior over an ssh(d) X11Forwarding tunnel.
So, what should I be looking at on my server or client side? Is there
a different setting I should be using? I am still using the "putty"
setting of: MIT-Magic-Cookie-1. (I'll test, in a moment, using
XDM-Authorization-1).
Did not help.
However, the hint I am hoping for is the flag to set for sshd (e.g.,
-ddddd) and what debug string to look for - to see if X11Forwarding is
attempted, and if so, why it is rejected by the sshd.
Looking further: How can I see what is failing? Can I add a character
to the whitelist (once I know what is rejected)?
imho: the cure may be worse than the illness if this means my X11
sessions are either "clear" or impossible - as they are not in the SSH
(encrypted) tunnel.
From http://www.openssh.com/txt/x11fwd.adv
4. Details
As part of establishing an X11 forwarding session, sshd(8)
accepts an X11 authentication credential from the client.
This credential is supplied to the xauth(1) utility to
establish it for X11 applications that the user subsequently
runs.
The contents of the credential's components (authentication
scheme and credential data) were not sanitised to exclude
meta-characters such as newlines.
So - is it the new-line in this output? (I assume this is the response
being sent; one line deleted.)
# xauth list
x072.home.local/unix:10 MIT-MAGIC-COOKIE-1 e757afdfac29af76342ec2360787ae91
# xauth list | od -c
0000000 x 0 7 2 . h o m e . l o c a l /
0000020 u n i x : 1 0 M I T - M A G
0000040 I C - C O O K I E - 1 e 7 5
...
0000100 e c 2 3 6 0 7 8 7 a e 9 1 \n
An attacker could
therefore supply a credential that injected commands to
xauth(1). The attacker could then use a number of xauth
commands to read or overwrite arbitrary files subject to
file permissions, connect to local ports or perform attacks
on xauth(1) itself.
OpenSSH 7.2p2 implements a whitelist of characters that
are permitted to appear in X11 authentication credentials.
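The whitelist check the advisory describes, shown as an added example (this is not OpenSSH's own code): it runs the scheme and cookie from the `xauth list` output above through a validator and shows that the trailing newline `od -c` displayed is enough to fail it. The accepted character set is an assumption modelled on the advisory text, not copied from the 7.2p2 source.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Whitelist check modelled on the advisory: only alphanumerics and a few
 * punctuation characters are accepted in the X11 scheme name and cookie.
 * The exact set (. : / - _) is an assumption, not taken from sshd. */
int xauth_valid_string(const char *s)
{
    for (size_t i = 0; s[i] != '\0'; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != ':' && c != '/' &&
            c != '-' && c != '_')
            return 0;
    }
    return 1;
}

/* Server-side decision: both the scheme and the credential data must pass
 * before the forwarding request is honoured. */
int x11_request_accepted(const char *proto, const char *data)
{
    return xauth_valid_string(proto) && xauth_valid_string(data);
}

/* Debugging aid: index of the first rejected byte, or -1 if all bytes pass.
 * This is what you would want sshd's debug output to tell you. */
int first_bad_char(const char *s)
{
    for (int i = 0; s[i] != '\0'; i++)
        if (!xauth_valid_string((char[]){s[i], '\0'}))
            return i;
    return -1;
}

int main(void)
{
    /* Constructed from the `xauth list` line quoted in the thread. */
    const char *proto  = "MIT-MAGIC-COOKIE-1";
    const char *cookie = "e757afdfac29af76342ec2360787ae91";
    /* Same cookie with the trailing \n that `od -c` revealed. */
    const char *cookie_nl = "e757afdfac29af76342ec2360787ae91\n";

    printf("clean cookie accepted: %d\n", x11_request_accepted(proto, cookie));
    printf("cookie with newline accepted: %d (first bad byte at %d)\n",
           x11_request_accepted(proto, cookie_nl), first_bad_char(cookie_nl));
    return 0;
}
```

Stripping the newline from whatever the client supplies (e.g. `tr -d '\n'` when scripting around `xauth`) is the fix on the sending side; the server-side whitelist itself should stay as it is.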
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev