Bug#366096: ssh: Incompatible with lbxproxy
Package: ssh
Version: 1:3.8.1p1-8.sarge.4
Severity: normal
ssh is incompatible with lbxproxy: perl script below shows the problem.
Ssh wants to be secure, and spoofs the X authentication cookie; then on
incoming (forwarded) X requests, it tries to replace the fake info with
the saved (real) data. This works some (most?) of the time, but does not
work when using lbxproxy. Seems that lbxproxy sends the cookie in a way
that is not seen/detected by ssh.
Ssh should be made compatible with lbxproxy, either by making it capable
of doing the X authentication cookie replacement in that case also, or
at least by providing an option to leave the authentication data alone,
un-spoofed.
(Not really related to Bug#57116.)

Thanks,

Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia

#!/usr/bin/perl -w --
$d = $ENV{DISPLAY};
$u = 77; # Anything unused
mysystem( "lbxproxy :$u -terminate &" );
sleep 1;
mysystem( "xauth list" );
$c = `xauth list $d`;
$c =~ s/.*MIT-MAGIC-COOKIE-1 +//;
chomp $c;
$k = $c;
#$k = 'f72f52dad34218a911bc34fb774b9acc';
print "
Should not use cookie
$c
found above, but should instead use that shown
by xauth back on originating machine.
\n" if $k eq $c;
mysystem( "xauth add :$u . $k" );
mysystem( "xauth list" );
mysystem( "xterm -display :$u" );
mysystem( "xauth remove :$u" );
# The differing cookies are due to ssh.c using
# x11_request_forwarding_with_spoofing()
# which could be "fixed up" by
# x11_open_helper()
# (both functions defined in channels.c).
# Seems that lbxproxy sends the auth info in a way that is not
# detected by ssh, so it does not get a chance to fix up: maybe
# because ssh tries the replacement at channel open time only?
sub mysystem {
( $x ) = @_;
print "Doing $x ...\n";
system $x;
}
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-spm0.9
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages ssh depends on:
ii adduser 3.63 Add and remove users and groups
ii debconf 1.4.30.13 Debian configuration management sy
ii dpkg 1.10.28 Package maintenance system for Deb
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
ii libpam-modules 0.76-22 Pluggable Authentication Modules f
ii libpam-runtime 0.76-22 Runtime support for the PAM librar
ii libpam0g 0.76-22 Pluggable Authentication Modules l
ii libssl0.9.7 0.9.7e-3sarge1 SSL shared libraries
ii libwrap0 7.6.dbs-8 Wietse Venema's TCP wrappers libra
ii zlib1g 1:1.2.2-4.sarge.2 compression library - runtime
-- debconf information excluded
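
The cookie substitution the report describes, as an added example (not part of the original report and not OpenSSH's own code): a simplified C sketch that inspects the first packet of a forwarded X11 connection and swaps the spoofed cookie for the real one. The function names and the sample packet are hypothetical; the layout is the standard X11 connection setup request (12-byte header, then protocol name and data, each padded to 4 bytes).

```c
/* Added sketch, not OpenSSH source: swap the spoofed cookie for the real
 * one in the first packet of a forwarded X11 connection. */
#include <stddef.h>
#include <string.h>

#define PAD4(n) (((size_t)(n) + 3) & ~(size_t)3)

/* Returns 1 = cookie replaced, 0 = need more bytes, -1 = reject. */
int x11_swap_cookie(unsigned char *buf, size_t len, const char *proto,
                    const unsigned char *fake, const unsigned char *real,
                    size_t cookie_len)
{
    size_t name_len, data_len, need;

    if (len < 12)
        return 0;                     /* fixed setup header is 12 bytes */
    if (buf[0] == 0x42) {             /* 'B': client is MSB first */
        name_len = ((size_t)buf[6] << 8) | buf[7];
        data_len = ((size_t)buf[8] << 8) | buf[9];
    } else if (buf[0] == 0x6c) {      /* 'l': client is LSB first */
        name_len = buf[6] | ((size_t)buf[7] << 8);
        data_len = buf[8] | ((size_t)buf[9] << 8);
    } else {
        return -1;                    /* does not start with a setup request */
    }
    need = 12 + PAD4(name_len) + PAD4(data_len);
    if (len < need)
        return 0;
    /* Name and cookie must match the spoofed values given to xauth. */
    if (name_len != strlen(proto) || memcmp(buf + 12, proto, name_len) != 0)
        return -1;
    if (data_len != cookie_len ||
        memcmp(buf + 12 + PAD4(name_len), fake, cookie_len) != 0)
        return -1;
    memcpy(buf + 12 + PAD4(name_len), real, cookie_len);
    return 1;
}

/* Constructed sample: little-endian setup packet carrying `cookie`. */
size_t build_setup(unsigned char *out, const unsigned char *cookie, size_t n)
{
    static const char name[] = "MIT-MAGIC-COOKIE-1";   /* 18 bytes */
    memset(out, 0, 12 + PAD4(18) + PAD4(n));
    out[0] = 0x6c; out[2] = 11;                        /* protocol major 11 */
    out[6] = 18; out[8] = (unsigned char)n;
    memcpy(out + 12, name, 18);
    memcpy(out + 12 + PAD4(18), cookie, n);
    return 12 + PAD4(18) + PAD4(n);
}
```

The check only ever looks at the bytes that open the connection, so authentication data presented in any other form or position is never rewritten.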