Server Interpreted "localuser" Authentication using SO_PEERCRED interferes with SSH

Tavis Ormandy taviso at cmpxchg8b.com
Mon May 17 10:12:47 PDT 2010


On Mon, May 17, 2010 at 07:56:33AM -0700, Alan Coopersmith wrote:
> Tavis Ormandy wrote:
> > The problem is, if I'm using xhost +si:localuser:taviso, once the
> > timeout has expired, X will fall back to SO_PEERCRED verification. As
> > openssh opened the connection, the credentials check out and I'm
> > authenticated. This is bad, because now the remote (possibly compromised)
> > machine has a trusted X connection to my workstation.
> 
> You should not use +si:localuser:taviso unless you want every single process
> running with that userid to be granted full access to your display.
> 

Sure, unfortunately this is the default on RHEL and others.

> > But it turns out this doesn't work with si:localuser authentication, as even
> > though the cookie should be rejected, X falls back to peer credentials. I'm not
> > sure this was intended, after I've tried to authenticate with an expired
> > untrusted cookie, shouldn't the connection be rejected? Was this intended
> > behaviour?
> 
> I don't think that's unique to the +si:local*, but any of the forms of
> authentication that work will be used.   I'd expect the same results if
> you did xhost +local: or xhost +localhost (whichever covers the connection
> type ssh is using to connect).
> 

Thanks for the reply Alan, that's unfortunate. Is it possible to disable
this in the protocol? (ssh could enforce that a flag is set when
authenticating, for example).

Thanks, Tavis.

-- 
-------------------------------------
taviso at cmpxchg8b.com | pgp encrypted mail preferred
-------------------------------------------------------
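To make the fallback discussed above concrete, here is an added Python model (not X server or openssh code) of the two-step decision the thread describes: a cookie check followed by an SO_PEERCRED fallback that accepts any process of an allowed uid. It assumes Linux (`socket.SO_PEERCRED`, `struct ucred` as three 32-bit fields); the cookie record, `authorize()` and `fallback_to_peer` are hypothetical names chosen for the illustration.

```python
import os
import socket
import struct
import time

# Assumption: Linux struct ucred layout (pid_t pid; uid_t uid; gid_t gid).
_UCRED = struct.Struct("iII")


def peer_credentials(sock):
    """Return (pid, uid, gid) of the process on the other end of a Unix socket."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, _UCRED.size)
    return _UCRED.unpack(raw)


def cookie_valid(cookie, now):
    """A cookie is acceptable only if it exists and its timeout has not passed."""
    return cookie is not None and cookie.get("expires", 0) > now


def authorize(sock, cookie, now, local_uids, fallback_to_peer=True):
    """Model of the server's decision: cookie first, then (optionally) peer uid.

    Returns (accepted, reason) so the caller can log why a client got in.
    """
    if cookie_valid(cookie, now):
        return True, "cookie"
    if not fallback_to_peer:
        return False, "cookie rejected, no fallback"
    _pid, uid, _gid = peer_credentials(sock)
    if uid in local_uids:
        return True, "peercred uid=%d" % uid
    return False, "cookie rejected, uid %d not in localuser list" % uid


def demo():
    """Replay the thread's scenario with a constructed, already expired cookie."""
    server_side, client_side = socket.socketpair(socket.AF_UNIX)
    try:
        expired = {"expires": time.time() - 3600}  # untrusted cookie past its timeout
        me = {os.getuid()}                         # what xhost +si:localuser:<me> grants
        now = time.time()
        via_fallback = authorize(server_side, expired, now, me)            # accepted
        no_fallback = authorize(server_side, expired, now, me, False)      # rejected
        no_localuser = authorize(server_side, expired, now, set())         # rejected
        return via_fallback, no_fallback, no_localuser
    finally:
        server_side.close()
        client_side.close()
```

The first result shows why an sshd-opened socket passes once the cookie has expired; the third shows the effect of removing the si:localuser entry with xhost, which is Alan's recommendation.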

