version 1.242, 2005/06/08 11:25:09 |
version 1.243, 2005/06/16 03:38:36 |
|
|
return exit_status; |
return exit_status; |
} |
} |
|
|
#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1" |
|
|
|
static void |
static void |
x11_get_proto(char **_proto, char **_data) |
|
{ |
|
char cmd[1024]; |
|
char line[512]; |
|
char xdisplay[512]; |
|
static char proto[512], data[512]; |
|
FILE *f; |
|
int got_data = 0, generated = 0, do_unlink = 0, i; |
|
char *display, *xauthdir, *xauthfile; |
|
struct stat st; |
|
|
|
xauthdir = xauthfile = NULL; |
|
*_proto = proto; |
|
*_data = data; |
|
proto[0] = data[0] = '\0'; |
|
|
|
if (!options.xauth_location || |
|
(stat(options.xauth_location, &st) == -1)) { |
|
debug("No xauth program."); |
|
} else { |
|
if ((display = getenv("DISPLAY")) == NULL) { |
|
debug("x11_get_proto: DISPLAY not set"); |
|
return; |
|
} |
|
/* |
|
* Handle FamilyLocal case where $DISPLAY does |
|
* not match an authorization entry. For this we |
|
* just try "xauth list unix:displaynum.screennum". |
|
* XXX: "localhost" match to determine FamilyLocal |
|
* is not perfect. |
|
*/ |
|
if (strncmp(display, "localhost:", 10) == 0) { |
|
snprintf(xdisplay, sizeof(xdisplay), "unix:%s", |
|
display + 10); |
|
display = xdisplay; |
|
} |
|
if (options.forward_x11_trusted == 0) { |
|
xauthdir = xmalloc(MAXPATHLEN); |
|
xauthfile = xmalloc(MAXPATHLEN); |
|
strlcpy(xauthdir, "/tmp/ssh-XXXXXXXXXX", MAXPATHLEN); |
|
if (mkdtemp(xauthdir) != NULL) { |
|
do_unlink = 1; |
|
snprintf(xauthfile, MAXPATHLEN, "%s/xauthfile", |
|
xauthdir); |
|
snprintf(cmd, sizeof(cmd), |
|
"%s -f %s generate %s " SSH_X11_PROTO |
|
" untrusted timeout 1200 2>" _PATH_DEVNULL, |
|
options.xauth_location, xauthfile, display); |
|
debug2("x11_get_proto: %s", cmd); |
|
if (system(cmd) == 0) |
|
generated = 1; |
|
} |
|
} |
|
snprintf(cmd, sizeof(cmd), |
|
"%s %s%s list %s . 2>" _PATH_DEVNULL, |
|
options.xauth_location, |
|
generated ? "-f " : "" , |
|
generated ? xauthfile : "", |
|
display); |
|
debug2("x11_get_proto: %s", cmd); |
|
f = popen(cmd, "r"); |
|
if (f && fgets(line, sizeof(line), f) && |
|
sscanf(line, "%*s %511s %511s", proto, data) == 2) |
|
got_data = 1; |
|
if (f) |
|
pclose(f); |
|
} |
|
|
|
if (do_unlink) { |
|
unlink(xauthfile); |
|
rmdir(xauthdir); |
|
} |
|
if (xauthdir) |
|
xfree(xauthdir); |
|
if (xauthfile) |
|
xfree(xauthfile); |
|
|
|
/* |
|
* If we didn't get authentication data, just make up some |
|
* data. The forwarding code will check the validity of the |
|
* response anyway, and substitute this data. The X11 |
|
* server, however, will ignore this fake data and use |
|
* whatever authentication mechanisms it was using otherwise |
|
* for the local connection. |
|
*/ |
|
if (!got_data) { |
|
u_int32_t rnd = 0; |
|
|
|
logit("Warning: No xauth data; " |
|
"using fake authentication data for X11 forwarding."); |
|
strlcpy(proto, SSH_X11_PROTO, sizeof proto); |
|
for (i = 0; i < 16; i++) { |
|
if (i % 4 == 0) |
|
rnd = arc4random(); |
|
snprintf(data + 2 * i, sizeof data - 2 * i, "%02x", |
|
rnd & 0xff); |
|
rnd >>= 8; |
|
} |
|
} |
|
} |
|
|
|
static void |
|
ssh_init_forwarding(void) |
ssh_init_forwarding(void) |
{ |
{ |
int success = 0; |
int success = 0; |
|
|
int have_tty = 0; |
int have_tty = 0; |
struct winsize ws; |
struct winsize ws; |
char *cp; |
char *cp; |
|
const char *display; |
|
|
/* Enable compression if requested. */ |
/* Enable compression if requested. */ |
if (options.compression) { |
if (options.compression) { |
|
|
packet_disconnect("Protocol error waiting for pty request response."); |
packet_disconnect("Protocol error waiting for pty request response."); |
} |
} |
/* Request X11 forwarding if enabled and DISPLAY is set. */ |
/* Request X11 forwarding if enabled and DISPLAY is set. */ |
if (options.forward_x11 && getenv("DISPLAY") != NULL) { |
display = getenv("DISPLAY"); |
|
if (options.forward_x11 && display != NULL) { |
char *proto, *data; |
char *proto, *data; |
/* Get reasonable local authentication information. */ |
/* Get reasonable local authentication information. */ |
x11_get_proto(&proto, &data); |
client_x11_get_proto(display, options.xauth_location, |
|
options.forward_x11_trusted, &proto, &data); |
/* Request forwarding with authentication spoofing. */ |
/* Request forwarding with authentication spoofing. */ |
debug("Requesting X11 forwarding with authentication spoofing."); |
debug("Requesting X11 forwarding with authentication spoofing."); |
x11_request_forwarding_with_spoofing(0, proto, data); |
x11_request_forwarding_with_spoofing(0, display, proto, data); |
|
|
/* Read response from the server. */ |
/* Read response from the server. */ |
type = packet_read(); |
type = packet_read(); |
|
|
ssh_session2_setup(int id, void *arg) |
ssh_session2_setup(int id, void *arg) |
{ |
{ |
extern char **environ; |
extern char **environ; |
|
const char *display; |
int interactive = tty_flag; |
int interactive = tty_flag; |
if (options.forward_x11 && getenv("DISPLAY") != NULL) { |
|
|
display = getenv("DISPLAY"); |
|
if (options.forward_x11 && display != NULL) { |
char *proto, *data; |
char *proto, *data; |
/* Get reasonable local authentication information. */ |
/* Get reasonable local authentication information. */ |
x11_get_proto(&proto, &data); |
client_x11_get_proto(display, options.xauth_location, |
|
options.forward_x11_trusted, &proto, &data); |
/* Request forwarding with authentication spoofing. */ |
/* Request forwarding with authentication spoofing. */ |
debug("Requesting X11 forwarding with authentication spoofing."); |
debug("Requesting X11 forwarding with authentication spoofing."); |
x11_request_forwarding_with_spoofing(id, proto, data); |
x11_request_forwarding_with_spoofing(id, display, proto, data); |
interactive = 1; |
interactive = 1; |
/* XXX wait for reply */ |
/* XXX wait for reply */ |
} |
} |