Re: X11forwarding yes: how to debug/setup after xauth fix

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On 13/10/2017 13:40, Michael Felt wrote:

debug3: send packet: type 4
sshd sends a SSH2_MSG_DEBUG back to client, probably indicating
why the request failed

debug3: send packet: type 100
sshd sends SSH2_MSG_CHANNEL_FAILURE.

The debug message would probably give you the reason it fails. You could
try to wheedle it out of PuTTY,
I'll try an iptrace trace - to see what putty is masking with XXXXX.
apply the patch below to have it shown
at LogLevel=debug3 or try to guess which of one of likely ones it is
from session.c:session_setup_x11fwd()

packet_send_debug("X11 forwarding disabled in user configuration file."); packet_send_debug("X11 forwarding disabled in server configuration file.");
packet_send_debug("No xauth program; cannot forward with spoofing.");
packet_send_debug("Can't get IP address for X11 DISPLAY.");

My 'quess' is that it somehow related to 'auth' - as there was a security-fix for auth that was introduced in version 7.2 (as I mentioned before: https://www.openssh.com/security.html, March 9, 2016) and https://www.openssh.com/txt/release-7.2p2

 * sshd(8): sanitise X11 authentication credentials to avoid xauth
   command injection when X11Forwarding is enabled.

My guess is that AIX is still sending either one of '\n', '\r', or even both.

-d

diff --git a/packet.c b/packet.c
index f114ea52..5dda4243 100644
--- a/packet.c
+++ b/packet.c
@@ -1774,6 +1774,8 @@ ssh_packet_send_debug(struct ssh *ssh, const char *fmt,...)
      vsnprintf(buf, sizeof(buf), fmt, args);
      va_end(args);
  +    debug3("sending debug message: %s", buf);
+
Will also try this!

This verifies it is xauth related:

debug3: sending debug message: No xauth program; cannot forward with spoofing.

so, added an extra debug - and this is what I see:

debug1: session_input_channel_req: session 0 req x11-req
debug3: setup_x11fwd: xauth_location == /usr/X11R6/bin/xauth
debug3: sending debug message: No xauth program; cannot forward with spoofing.

but the xauth_location should be:
# which xauth
/usr/bin/X11/xauth

and fyi:

# ls -l /usr/bin/X11
lrwxrwxrwx    1 bin      bin              16 Aug 31 17:40 /usr/bin/X11 -> /usr/lpp/X11/bin

# ls -ld /usr/X11R6
drwxr-xr-x    2 bin      bin             256 Aug 29 12:16 /usr/X11R6
# ls -l /usr/X11R6
total 0
lrwxrwxrwx    1 bin      bin              19 Aug 31 17:40 lib -> /usr/lpp/X11/lib/R6

so, obviously - the stat() calls for /usr/X11R6/bin/xauth return -1.
# ls -l /usr/X11R6/bin/xauth
ls: 0653-341 The file /usr/X11R6/bin/xauth does not exist.

And, I expect noone from IBM has ever said anything - as they still use OpenSSH-6.0 as a base, although they are also using OpenSSH-7.1, both of which are not affected by the fix for OpenSSH-7.2.

Studying further - but maybe you already know what needs to be done.


      if ((r = sshpkt_start(ssh, SSH2_MSG_DEBUG)) != 0 ||
          (r = sshpkt_put_u8(ssh, 0)) != 0 || /* always display */
          (r = sshpkt_put_cstring(ssh, buf)) != 0 ||


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev




[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux