-#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
-
-static void
-x11_get_proto(char **_proto, char **_data)
-{
- char cmd[1024];
- char line[512];
- char xdisplay[512];
- static char proto[512], data[512];
- FILE *f;
- int got_data = 0, generated = 0, do_unlink = 0, i;
- char *display, *xauthdir, *xauthfile;
- struct stat st;
-
- xauthdir = xauthfile = NULL;
- *_proto = proto;
- *_data = data;
- proto[0] = data[0] = '\0';
-
- if (!options.xauth_location ||
- (stat(options.xauth_location, &st) == -1)) {
- debug("No xauth program.");
- } else {
- if ((display = getenv("DISPLAY")) == NULL) {
- debug("x11_get_proto: DISPLAY not set");
- return;
- }
- /*
- * Handle FamilyLocal case where $DISPLAY does
- * not match an authorization entry. For this we
- * just try "xauth list unix:displaynum.screennum".
- * XXX: "localhost" match to determine FamilyLocal
- * is not perfect.
- */
- if (strncmp(display, "localhost:", 10) == 0) {
- snprintf(xdisplay, sizeof(xdisplay), "unix:%s",
- display + 10);
- display = xdisplay;
- }
- if (options.forward_x11_trusted == 0) {
- xauthdir = xmalloc(MAXPATHLEN);
- xauthfile = xmalloc(MAXPATHLEN);
- strlcpy(xauthdir, "/tmp/ssh-XXXXXXXXXX", MAXPATHLEN);
- if (mkdtemp(xauthdir) != NULL) {
- do_unlink = 1;
- snprintf(xauthfile, MAXPATHLEN, "%s/xauthfile",
- xauthdir);
- snprintf(cmd, sizeof(cmd),
- "%s -f %s generate %s " SSH_X11_PROTO
- " untrusted timeout 1200 2>" _PATH_DEVNULL,
- options.xauth_location, xauthfile, display);
- debug2("x11_get_proto: %s", cmd);
- if (system(cmd) == 0)
- generated = 1;
- }
- }
- snprintf(cmd, sizeof(cmd),
- "%s %s%s list %s . 2>" _PATH_DEVNULL,
- options.xauth_location,
- generated ? "-f " : "" ,
- generated ? xauthfile : "",
- display);
- debug2("x11_get_proto: %s", cmd);
- f = popen(cmd, "r");
- if (f && fgets(line, sizeof(line), f) &&
- sscanf(line, "%*s %511s %511s", proto, data) == 2)
- got_data = 1;
- if (f)
- pclose(f);
- }
-
- if (do_unlink) {
- unlink(xauthfile);
- rmdir(xauthdir);
- }
- if (xauthdir)
- xfree(xauthdir);
- if (xauthfile)
- xfree(xauthfile);
-
- /*
- * If we didn't get authentication data, just make up some
- * data. The forwarding code will check the validity of the
- * response anyway, and substitute this data. The X11
- * server, however, will ignore this fake data and use
- * whatever authentication mechanisms it was using otherwise
- * for the local connection.
- */
- if (!got_data) {
- u_int32_t rand = 0;
-
- logit("Warning: No xauth data; "
- "using fake authentication data for X11 forwarding.");
- strlcpy(proto, SSH_X11_PROTO, sizeof proto);
- for (i = 0; i < 16; i++) {
- if (i % 4 == 0)
- rand = arc4random();
- snprintf(data + 2 * i, sizeof data - 2 * i, "%02x",
- rand & 0xff);
- rand >>= 8;
- }
- }
-}
-