Re: [JSch-users] protocol question

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Thank you very much!

I really appreciate your fast turn around on fixes.

It is not so much that my sshd is 'evil' (even if I wish I had one to
test with). The reason the bug showed up in my case is for two
reasons.

1. I use the code in an applet. The javavm process will be the same as
long as the browser is not closed. This means that static variables
will remain between different sessions. In this particular case the
values for host and port in ChannelX11.

2. In my applet if the user did not select to enable X11 forwarding I
called ChannelShell.setXForwarding(false). Unfortunately there is a bug
in the implementation which sets xforwading variable to true,
regardless of the input parameter. :-)

To make the bug manifest in my environment I did the following:

1. Open a session to a server and request x11 forwarding, then close
it. The host and port static gets set in ChannelX11.
2. open another session and not request x11 forwarding, but I call
ChannelShell.setXForwarding so the channel requests X11 forwarding
anyway. Then I start a xterm, and it shows up on my x-server.

I modified your fix somewhat to make the client actually return
SSH_MSG_CHANNEL_OPEN_FAILURE.

I added the following constants:

  // http://ietf.org/internet-drafts/draft-ietf-secsh-assignednumbers-12.=
txt
    static final int SSH_OPEN_ADMINISTRATIVELY_PROHIBITED =3D 1;
    static final int SSH_OPEN_CONNECT_FAILED              =3D 2;
    static final int SSH_OPEN_UNKNOWN_CHANNEL_TYPE        =3D 3;
    static final int SSH_OPEN_RESOURCE_SHORTAGE           =3D 4;

And in the case clause for SSH_MSG_CHANNEL_OPEN in Session.java I modifie=
d it like this:

          if(!"forwarded-tcpip".equals(ctyp) &&
	     !("x11".equals(ctyp) && x11_forwarding)){
             =20
              if("x11".equals(ctyp) && !x11_forwarding) {
                  //x11 forwarding was not requested, we MUST deny accord=
ing to
                  //draft-ietf-secsh-connect-25.txt
                  int recipient =3D buf.getInt();
                  packet.reset();
                  buf.putByte((byte)SSH_MSG_CHANNEL_OPEN_FAILURE);
                  buf.putInt(recipient);
                  buf.putInt(SSH_OPEN_ADMINISTRATIVELY_PROHIBITED);
                  buf.putString("open failed".getBytes());
                  buf.putString("en".getBytes());
                  write(packet);
                  break;
              } else {
                  System.out.println("Session.run: CHANNEL OPEN "+ctyp);=20
                  throw new IOException("Session.run: CHANNEL OPEN "+ctyp=
);
              }

On Wed, Sep 21, 2005 at 01:33:28AM +0900, Atsuhiko Yamanaka wrote:
> Hi,
>=20
>    +-From: Lars Persson Fink <pe...@bl...> --
>    |_Date: Tue, 20 Sep 2005 07:26:27 +0200 ___________
>    |
>    |Great!  Is that fix available in source code somewhere. If
>    |possible I'd like to back port it to the release I am using.
>=20
> Ok, so here it is,
>   http://www.jcraft.com/jsch/jsch-0.1.22-rc11.zip
> Searching for 'x11_forwarding' in com/jcraft/jsch/RequestX11.java and
> com/jcraft/jsch/Session.java .
>=20
> Frankly to say, I don't have such a malicious sshd, so I have not
> confirmed it will really reject unexpected connections related to
> x11 forwarding, but I hope that fix will work well.
>=20
> Sincerely,

--=20
Lars Persson Fink	  home:  +46  8 722 42 15
H=E4radsdomarv=E4gen 11	  cell:  +46 70 334 35 97
SE-128 38 Skarpn=E4ck