NetBSD Problem Report #13172
Received: (qmail 1359 invoked from network); 12 Jun 2001 02:39:24 -0000
Message-Id: <20010612024133.6FB7E9C56@argo.akimbo.com.au>
Date: Tue, 12 Jun 2001 12:41:33 +1000 (EST)
From: lukem@wasabisystems.com
Reply-To: lukem@wasabisystems.com
To: gnats-bugs@gnats.netbsd.org
Subject: enabling UseLogin in sshd.conf breaks X11 forwarding
X-Send-Pr-Version: 3.95
>Number: 13172
>Category: security
>Synopsis: enabling UseLogin in sshd.conf breaks X11 forwarding
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: lukem
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Jun 12 02:40:01 +0000 2001
>Closed-Date: Mon Jun 18 10:24:18 +0000 2001
>Last-Modified: Mon Jun 18 10:24:18 +0000 2001
>Originator: Luke Mewburn
>Release: Tue Jun 12 12:35:26 EST 2001
>Organization:
Wasabi Systems
>Environment:
System: NetBSD argo.akimbo.com.au 1.5T NetBSD 1.5T (ARGO) #5: Tue Apr 3 22:22:51 EST 2001 lukem@argo.akimbo.com.au:/z/src/current/src/sys/arch/i386/compile/ARGO i386
Architecture: i386
Machine: i386
>Description:
When enabling "UseLogin yes" in sshd.conf, sshd(8) doesn't
correctly set up X11 forwarding; $DISPLAY has been set,
$XAUTHORITY has been set to a temporary file, but that file
contains no cookies. When watching the logs and debug output,
there doesn't seem to be any indication that this
configuration should be a problem.
Examination of the source indicates that whilst all the
precursor setup to X11 forwarding occurs, the actual xauth
operations to populate $XAUTHORITY doesn't occur if UseLogin
is yes and /usr/bin/login is being used.
>How-To-Repeat:
Enable "UseLogin yes" in /etc/sshd.conf. Restart sshd.
Login with X11 forwarding enabled ("ssh -X somehost").
Run "xauth list" and notice that no cookies are forwarded
even though $XAUTHORITY is set to a temporary cookie file
and $DISPLAY has been munged.
>Fix:
One (or more of):
- Update the documentation to reflect that UseLogin doesn't
work with X11 forwarding enabled.
- Change the source to refuse X11 forwarding if UseLogin is
enabled. This might not be appropriate if /usr/bin/login can
handle the setup of $XAUTHORITY, which is highly unlikely.
Note: checking the pkgsrc/security/ssh package (which is ssh
1.2.27nb1), and adding "--with-login" to its configure args
reveals that that program has the same problem.
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed
State-Changed-By: lukem
State-Changed-When: Mon Jun 18 03:23:46 PDT 2001
State-Changed-Why:
uselogin yes now disables x11forwarding. document this
Responsible-Changed-From-To: security-officer->lukem
Responsible-Changed-By: lukem
Responsible-Changed-When: Mon Jun 18 03:23:46 PDT 2001
Responsible-Changed-Why:
i fixed it
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.