From e6e573bda2af14eaf40c0b38f9558252e599180f Mon Sep 17 00:00:00 2001 From: djm Date: Tue, 5 Feb 2002 01:11:34 +0000 Subject: [PATCH] - stevesk@cvs.openbsd.org 2002/01/27 14:57:46 [channels.c servconf.c servconf.h session.c sshd.8 sshd_config] add X11UseLocalhost; ok markus@ --- ChangeLog | 3 +++ channels.c | 6 +++--- servconf.c | 12 ++++++++++-- servconf.h | 3 ++- session.c | 6 +++--- sshd.8 | 27 ++++++++++++++++++++++++++- sshd_config | 3 ++- 7 files changed, 49 insertions(+), 11 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8d8db0a6..a8bc7813 100644 --- a/ChangeLog +++ b/ChangeLog @@ -22,6 +22,9 @@ revert code to add x11 localhost display authorization entry for hostname/unix:d and uts.nodename/unix:d if nodename was different than hostname. just add entry for unix:d instead. ok markus@ + - stevesk@cvs.openbsd.org 2002/01/27 14:57:46 + [channels.c servconf.c servconf.h session.c sshd.8 sshd_config] + add X11UseLocalhost; ok markus@ 20020130 - (djm) Delay PRNG seeding until we need it in ssh-keygen, from markus@ diff --git a/channels.c b/channels.c index 2436e087..f015a049 100644 --- a/channels.c +++ b/channels.c @@ -39,7 +39,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: channels.c,v 1.162 2002/01/24 21:09:25 stevesk Exp $"); +RCSID("$OpenBSD: channels.c,v 1.163 2002/01/27 14:57:46 stevesk Exp $"); #include "ssh.h" #include "ssh1.h" @@ -2379,7 +2379,7 @@ channel_connect_to(const char *host, u_short port) * an error occurs. */ int -x11_create_display_inet(int x11_display_offset, int gateway_ports, +x11_create_display_inet(int x11_display_offset, int x11_use_localhost, int single_connection) { Channel *nc = NULL; 
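Review bot: In the channels.c hunk that changes the signature of `x11_create_display_inet`, the second parameter keeps its `int` type and position while its meaning is inverted: nonzero `gateway_ports` used to select the wildcard bind, and nonzero `x11_use_localhost` now selects loopback. A caller that was not updated would still compile and would silently bind the X11 listener the opposite way. The session.c call in this patch is updated; whether other callers exist is not visible here. The header comment above the function, which starts outside the hunk, should state the contract, for example `x11_use_localhost: nonzero binds the X11 listener to loopback only; zero binds it to the wildcard address`.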
@@ -2395,7 +2395,7 @@ x11_create_display_inet(int x11_display_offset, int gateway_ports, port = 6000 + display_number; memset(&hints, 0, sizeof(hints)); hints.ai_family = IPv4or6; - hints.ai_flags = gateway_ports ? AI_PASSIVE : 0; + hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE; hints.ai_socktype = SOCK_STREAM; snprintf(strport, sizeof strport, "%d", port); if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) { diff --git a/servconf.c b/servconf.c index 0cb744a1..e33d65a5 100644 --- a/servconf.c +++ b/servconf.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: servconf.c,v 1.98 2002/01/22 02:52:41 stevesk Exp $"); +RCSID("$OpenBSD: servconf.c,v 1.99 2002/01/27 14:57:46 stevesk Exp $"); #if defined(KRB4) || defined(KRB5) #include @@ -63,6 +63,7 @@ initialize_server_options(ServerOptions *options) options->print_lastlog = -1; options->x11_forwarding = -1; options->x11_display_offset = -1; + options->x11_use_localhost = -1; options->xauth_location = NULL; options->strict_modes = -1; options->keepalives = -1; @@ -159,6 +160,8 @@ fill_default_server_options(ServerOptions *options) options->x11_forwarding = 0; if (options->x11_display_offset == -1) options->x11_display_offset = 10; + if (options->x11_use_localhost == -1) + options->x11_use_localhost = 1; if (options->xauth_location == NULL) options->xauth_location = _PATH_XAUTH; if (options->strict_modes == -1) @@ -255,7 +258,7 @@ typedef enum { sChallengeResponseAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sPrintMotd, sPrintLastLog, sIgnoreRhosts, - sX11Forwarding, sX11DisplayOffset, + sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, sStrictModes, sEmptyPasswd, sKeepAlives, sUseLogin, sAllowTcpForwarding, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 
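Review bot: The `hints.ai_flags` line in the channels.c hunk at -2395 decides whether the forwarded display is reachable from other hosts, but nothing explains why clearing `AI_PASSIVE` means loopback. With a NULL node, `getaddrinfo` returns loopback addresses unless `AI_PASSIVE` is set, in which case it returns the wildcard address. A comment such as `/* NULL node: no AI_PASSIVE => loopback only; AI_PASSIVE => wildcard, reachable from other hosts */` would keep a later edit from flipping it by accident. The spacing is also off; `x11_use_localhost ? 0 : AI_PASSIVE` matches the style of the removed line. The function body starts and ends outside the hunk.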
@@ -315,6 +318,7 @@ static struct { { "ignoreuserknownhosts", sIgnoreUserKnownHosts }, { "x11forwarding", sX11Forwarding }, { "x11displayoffset", sX11DisplayOffset }, + { "x11uselocalhost", sX11UseLocalhost }, { "xauthlocation", sXAuthLocation }, { "strictmodes", sStrictModes }, { "permitemptypasswords", sEmptyPasswd }, @@ -655,6 +659,10 @@ parse_flag: intptr = &options->x11_display_offset; goto parse_int; + case sX11UseLocalhost: + intptr = &options->x11_use_localhost; + goto parse_flag; + case sXAuthLocation: charptr = &options->xauth_location; goto parse_filename; diff --git a/servconf.h b/servconf.h index 943c7ef5..463a16da 100644 --- a/servconf.h +++ b/servconf.h @@ -11,7 +11,7 @@ * called by a name other than "ssh" or "Secure Shell". */ -/* RCSID("$OpenBSD: servconf.h,v 1.51 2001/12/19 07:18:56 deraadt Exp $"); */ +/* RCSID("$OpenBSD: servconf.h,v 1.52 2002/01/27 14:57:46 stevesk Exp $"); */ #ifndef SERVCONF_H #define SERVCONF_H @@ -55,6 +55,7 @@ typedef struct { int x11_forwarding; /* If true, permit inet (spoofing) X11 fwd. */ int x11_display_offset; /* What DISPLAY number to start * searching at */ + int x11_use_localhost; /* If true, use localhost for fake X11 server. */ char *xauth_location; /* Location of xauth program */ int strict_modes; /* If true, require string home dir modes. */ int keepalives; /* If true, set SO_KEEPALIVE. */ diff --git a/session.c b/session.c index 268d1384..7e1d0a82 100644 --- a/session.c +++ b/session.c @@ -33,7 +33,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: session.c,v 1.118 2002/01/26 16:44:22 stevesk Exp $"); +RCSID("$OpenBSD: session.c,v 1.119 2002/01/27 14:57:46 stevesk Exp $"); #include "ssh.h" #include "ssh1.h" 
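Review bot: The new field comment in the servconf.h hunk, `If true, use localhost for fake X11 server.`, does not say what a false value does, which is the security-relevant half of the option. Suggested wording: `/* If true, bind the X11 proxy listener to loopback only; if false, to the wildcard address. */`. The struct definition starts and ends outside the hunk.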
@@ -2021,7 +2021,7 @@ session_setup_x11fwd(Session *s) return 0; } s->display_number = x11_create_display_inet(options.x11_display_offset, - options.gateway_ports, s->single_connection); + options.x11_use_localhost, s->single_connection); if (s->display_number == -1) { debug("x11_create_display_inet failed."); return 0; @@ -2035,7 +2035,7 @@ session_setup_x11fwd(Session *s) * authorization entry is added with xauth(1). This will be * different than the DISPLAY string for localhost displays. */ - if (!options.gateway_ports) { + if (options.x11_use_localhost) { snprintf(display, sizeof display, "localhost:%d.%d", s->display_number, s->screen); snprintf(auth_display, sizeof auth_display, "unix:%d.%d", diff --git a/sshd.8 b/sshd.8 index 256b2aa5..d1ddeb12 100644 --- a/sshd.8 +++ b/sshd.8 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.163 2002/01/18 20:46:34 stevesk Exp $ +.\" $OpenBSD: sshd.8,v 1.164 2002/01/27 14:57:46 stevesk Exp $ .Dd September 25, 1999 .Dt SSHD 8 .Os @@ -858,6 +858,31 @@ way, as users can always install their own forwarders. X11 forwarding is automatically disabled if .Cm UseLogin is enabled. +.It Cm X11UseLocalhost +Specifies whether +.Nm +should bind the X11 forwarding server to the loopback address or to +the wildcard address. By default, +.Nm +binds the forwarding server to the loopback address and sets the +hostname part of the +.Ev DISPLAY +environment variable to +.Dq localhost . +This prevents remote hosts from connecting to the fake display. +However, some older X11 clients may not function with this +configuration. +.Cm X11UseLocalhost +may be set to +.Dq no +to specify that the forwarding server should be bound to the wildcard +address. +The argument must be +.Dq yes +or +.Dq no . +The default is +.Dq yes . .It Cm XAuthLocation Specifies the location of the .Xr xauth 1 
diff --git a/sshd_config b/sshd_config index 3502ab6a..d1e8c6b4 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.44 2002/01/16 17:40:23 stevesk Exp $ +# $OpenBSD: sshd_config,v 1.45 2002/01/27 14:57:46 stevesk Exp $ # This is the sshd server system-wide configuration file. See sshd(8) # for more information. @@ -77,6 +77,7 @@ #X11Forwarding no #X11DisplayOffset 10 +#X11UseLocalhost yes #PrintMotd yes #PrintLastLog yes #KeepAlive yes -- 2.45.2