Server Interpreted "localuser" Authentication using SO_PEERCRED interferes with SSH
Alan Coopersmith
alan.coopersmith at oracle.com
Mon May 17 10:32:15 PDT 2010
Tavis Ormandy wrote:
> On Mon, May 17, 2010 at 07:56:33AM -0700, Alan Coopersmith wrote:
>> Tavis Ormandy wrote:
>>> But it turns out this doesnt work with si:localuser authentication, as even
>>> though the cookie should be rejected, X falls back to peer credentials. I'm not
>>> sure this was intended, after I've tried to authenticate with an expired
>>> untrusted cookie, shouldn't the connection be rejected? Was this intended
>>> behaviour?
>> I don't think that's unique to the +si:local*, but any of the forms of
>> authentication that work will be used. I'd expect the same results if
>> you did xhost +local: or xhost +localhost (whichever covers the connection
>> type ssh is using to connect).
>>
>
> Thanks for the reply Alan, that's unfortunate. Is it possible to disable
> this in the protocol? (ssh could enforce a flag is set when
> authenticating, for example).
You could send the equivalent of:
xhost -si:localuser:tormandy
but ssh would have no idea when the user wants that or not.
I'm not aware of any protocol or configuration mechanism to change the
way authentication works to reject-after-first-failure instead of
accept-if-any-allow. The X11 protocol itself doesn't seem to specify
beyond that unrecognized schemes may be ignored, but changing the basic
behavior of authentication would likely be quite a disruptive change, so
we'd want the same defaults as today, even if we did allow other configurations.
--
-Alan Coopersmith- alan.coopersmith at oracle.com
Oracle Solaris Platform Engineering: X Window System
More information about the xorg-devel
mailing list