Re: [JSch-users] protocol question
From: Lars P. F. <pe...@bl...> - 2005-09-21 11:58:58
Thank you very much! I really appreciate your fast turn around on fixes.

It is not so much that my sshd is 'evil' (even if I wish I had one to test with). The reason the bug showed up in my case is for two reasons.

1. I use the code in an applet. The javavm process will be the same as long as the browser is not closed. This means that static variables will remain between different sessions. In this particular case the values for host and port in ChannelX11.

2. In my applet if the user did not select to enable X11 forwarding I called ChannelShell.setXForwarding(false). Unfortunately there is a bug in the implementation which sets xforwading variable to true, regardless of the input parameter. :-)

To make the bug manifest in my environment I did the following:

1. Open a session to a server and request x11 forwarding, then close it. The host and port static gets set in ChannelX11.

2. Open another session and not request x11 forwarding, but I call ChannelShell.setXForwarding so the channel requests X11 forwarding anyway.

Then I start an xterm, and it shows up on my x-server.

I modified your fix somewhat to make the client actually return SSH_MSG_CHANNEL_OPEN_FAILURE.

I added the following constants:

    // http://ietf.org/internet-drafts/draft-ietf-secsh-assignednumbers-12.txt
    static final int SSH_OPEN_ADMINISTRATIVELY_PROHIBITED = 1;
    static final int SSH_OPEN_CONNECT_FAILED = 2;
    static final int SSH_OPEN_UNKNOWN_CHANNEL_TYPE = 3;
    static final int SSH_OPEN_RESOURCE_SHORTAGE = 4;

And in the case clause for SSH_MSG_CHANNEL_OPEN in Session.java I modified it like this:

    if(!"forwarded-tcpip".equals(ctyp) &&
       !("x11".equals(ctyp) && x11_forwarding)){

      if("x11".equals(ctyp) && !x11_forwarding) {
        //x11 forwarding was not requested, we MUST deny according to
        //draft-ietf-secsh-connect-25.txt
        int recipient = buf.getInt();
        packet.reset();
        buf.putByte((byte)SSH_MSG_CHANNEL_OPEN_FAILURE);
        buf.putInt(recipient);
        buf.putInt(SSH_OPEN_ADMINISTRATIVELY_PROHIBITED);
        buf.putString("open failed".getBytes());
        buf.putString("en".getBytes());
        write(packet);
        break;
      } else {
        System.out.println("Session.run: CHANNEL OPEN "+ctyp);
        throw new IOException("Session.run: CHANNEL OPEN "+ctyp);
      }
    }

On Wed, Sep 21, 2005 at 01:33:28AM +0900, Atsuhiko Yamanaka wrote:
> Hi,
>
> +-From: Lars Persson Fink <pe...@bl...> --
> |_Date: Tue, 20 Sep 2005 07:26:27 +0200 ___________
> |
> |Great! Is that fix available in source code somewhere. If
> |possible I'd like to back port it to the release I am using.
>
> Ok, so here it is,
> http://www.jcraft.com/jsch/jsch-0.1.22-rc11.zip
> Searching for 'x11_forwarding' in com/jcraft/jsch/RequestX11.java and
> com/jcraft/jsch/Session.java .
>
> Frankly to say, I don't have such a malicious sshd, so I have not
> confirmed it will really reject unexpected connections related to
> x11 forwarding, but I hope that fix will work well.
>
> Sincerely,

-- 
Lars Persson Fink        home: +46 8 722 42 15
Häradsdomarvägen 11      cell: +46 70 334 35 97
SE-128 38 Skarpnäck
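The check discussed in this message, as a stand-alone added example (not JSch code and not from either poster): it parses an incoming SSH_MSG_CHANNEL_OPEN, keeps the "X11 was requested" flag per session instead of in a static, and builds the SSH_MSG_CHANNEL_OPEN_FAILURE reply. The class and method names are hypothetical; message numbers 90 and 92 come from the SSH connection protocol (RFC 4254, the published form of draft-ietf-secsh-connect), and the sample packet is constructed.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

// Added example, not JSch code; class and method names are hypothetical.
public class X11OpenGate {
    static final int SSH_MSG_CHANNEL_OPEN = 90, SSH_MSG_CHANNEL_OPEN_FAILURE = 92;
    static final int SSH_OPEN_ADMINISTRATIVELY_PROHIBITED = 1;
    // Instance state, not static: an X11 request made by one session must not
    // carry over to the next session created in the same JVM (the applet case).
    private final boolean x11Requested;
    X11OpenGate(boolean x11Requested) { this.x11Requested = x11Requested; }

    /** Returns a CHANNEL_OPEN_FAILURE payload, or null if this gate does not object. */
    byte[] check(byte[] payload) throws IOException {
        ByteBuffer in = ByteBuffer.wrap(payload);          // big-endian by default
        if (in.remaining() < 5 || (in.get() & 0xff) != SSH_MSG_CHANNEL_OPEN)
            throw new IOException("not a CHANNEL_OPEN message");
        int len = in.getInt();                             // length of channel type string
        if (len < 0 || len > in.remaining() - 4)           // type plus uint32 sender channel
            throw new IOException("bad channel type length");
        byte[] type = new byte[len];
        in.get(type);
        int sender = in.getInt();                          // peer's id = our "recipient channel"
        if ("x11".equals(new String(type, StandardCharsets.US_ASCII)) && !x11Requested)
            return failure(sender, SSH_OPEN_ADMINISTRATIVELY_PROHIBITED, "open failed");
        return null;
    }

    // byte type, uint32 recipient channel, uint32 reason, string description, string language tag
    static byte[] failure(int recipient, int reason, String text) {
        byte[] msg = text.getBytes(StandardCharsets.UTF_8);
        byte[] lang = "en".getBytes(StandardCharsets.US_ASCII);
        ByteBuffer out = ByteBuffer.allocate(1 + 4 + 4 + 4 + msg.length + 4 + lang.length);
        out.put((byte) SSH_MSG_CHANNEL_OPEN_FAILURE).putInt(recipient).putInt(reason);
        out.putInt(msg.length).put(msg).putInt(lang.length).put(lang);
        return out.array();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: CHANNEL_OPEN for "x11", sender channel 7, window and packet sizes.
        byte[] t = "x11".getBytes(StandardCharsets.US_ASCII);
        byte[] open = ByteBuffer.allocate(1 + 4 + t.length + 12).put((byte) SSH_MSG_CHANNEL_OPEN)
            .putInt(t.length).put(t).putInt(7).putInt(0x100000).putInt(0x4000).array();
        byte[] reply = new X11OpenGate(false).check(open); // this session never asked for X11
        System.out.println("not requested: reply type " + (reply[0] & 0xff) + ", " + reply.length + " bytes");
        System.out.println("requested: " + (new X11OpenGate(true).check(open) == null ? "open allowed" : "denied"));
    }
}
```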