Bug#366096: ssh: Incompatible with lbxproxy

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#366096: ssh: Incompatible with lbxproxy
From: Paul Szabo <psz@maths.usyd.edu.au>
Date: Fri, 05 May 2006 14:37:10 +1000
Message-id: <[🔎] 200605050437.k454bAi5016536@ortona.maths.usyd.edu.au>
Reply-to: Paul Szabo <psz@maths.usyd.edu.au>, 366096@bugs.debian.org

Package: ssh
Version: 1:3.8.1p1-8.sarge.4
Severity: normal


ssh is incompatible with lbxproxy: perl script below shows the problem.

Ssh wants to be secure, and spoofs the X authentication cookie; then on
incoming (forwarded) X requests, it tries to replace the fake info with
the saved (real) data. This works some (most?) of the time, but does not
work when using lbxproxy. Seems that lbxproxy sends the cookie in a way
that is not seen/detected by ssh.

Ssh should be made compatible with lbxproxy, either by making it capable
of doing the X authentication cookie replacement in that case also, or
at least by providing an option to leave the authentication data alone,
un-spoofed.

(Not really related to Bug#57116.)

Thanks,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia


#!/usr/bin/perl -w --

$d = $ENV{DISPLAY};
$u = 77;	# Anything unused

mysystem( "lbxproxy :$u -terminate &" );
sleep 1;

mysystem( "xauth list" );

$c = `xauth list $d`;
$c =~ s/.*MIT-MAGIC-COOKIE-1 +//;
chomp $c;

$k = $c;
#$k = 'f72f52dad34218a911bc34fb774b9acc';
print "
Should not use cookie
  $c
found above, but should instead use that shown
by xauth back on originating machine.
\n" if $k eq $c;

mysystem( "xauth add :$u . $k" );
mysystem( "xauth list" );
mysystem( "xterm -display :$u" );
mysystem( "xauth remove :$u" );

# The differing cookies are due to ssh.c using
# x11_request_forwarding_with_spoofing()
# which could be "fixed up" by
# x11_open_helper()
# (both functions defined in channels.c).
# Seems that lbxproxy sends the auth info in a way that is not
# detected by ssh, so it does not get a chance to fix up: maybe
# because ssh tries the replacement at channel open time only?

sub mysystem {
  ( $x ) = @_;
  print "Doing $x ...\n";
  system $x;
}


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-spm0.9
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages ssh depends on:
ii  adduser                3.63              Add and remove users and groups
ii  debconf                1.4.30.13         Debian configuration management sy
ii  dpkg                   1.10.28           Package maintenance system for Deb
ii  libc6                  2.3.2.ds1-22      GNU C Library: Shared libraries an
ii  libpam-modules         0.76-22           Pluggable Authentication Modules f
ii  libpam-runtime         0.76-22           Runtime support for the PAM librar
ii  libpam0g               0.76-22           Pluggable Authentication Modules l
ii  libssl0.9.7            0.9.7e-3sarge1    SSL shared libraries
ii  libwrap0               7.6.dbs-8         Wietse Venema's TCP wrappers libra
ii  zlib1g                 1:1.2.2-4.sarge.2 compression library - runtime

-- debconf information excluded

Reply to:

Prev by Date: Processed: [bts-link] source package openssh
Next by Date: Bug#115767: I see this too on x86-xen running etch
Previous by thread: Processed: [bts-link] source package openssh
Next by thread: Bug#115767: I see this too on x86-xen running etch
Index(es):
- Date
- Thread