- markus@cvs.openbsd.org 2001/06/19 14:09:45

[session.c sshd.8] disable x11-fwd if use_login is enabled; from lukem@wasabisystems.com
2025-02-17 06:16:55 +00:00 · 2001-06-21 03:14:49 +00:00 · 2001-06-21 03:14:49 +00:00 · 699776e9ec
commit 699776e9ec
parent c85ab8afab
3 changed files with 23 additions and 5 deletions
--- a/5
+++ b/5
@ -15,6 +15,9 @@
   - markus@cvs.openbsd.org 2001/06/19 12:34:09
     [session.c]
     cleanup forced command handling, from dwd@bell-labs.com
+   - markus@cvs.openbsd.org 2001/06/19 14:09:45
+     [session.c sshd.8]
+     disable x11-fwd if use_login is enabled; from lukem@wasabisystems.com

 20010615
 - (stevesk) don't set SA_RESTART and set SIGCHLD to SIG_DFL
@ -5667,4 +5670,4 @@
 - Wrote replacements for strlcpy and mkdtemp
 - Released 1.0pre1

-$Id: ChangeLog,v 1.1293 2001/06/21 03:13:10 mouring Exp $
+$Id: ChangeLog,v 1.1294 2001/06/21 03:14:49 mouring Exp $
--- a/session.c
+++ b/session.c
@ -33,7 +33,7 @@
 */

 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.90 2001/06/19 12:34:09 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.91 2001/06/19 14:09:45 markus Exp $");

 #include "ssh.h"
 #include "ssh1.h"
@ -1980,6 +1980,11 @@ session_setup_x11fwd(Session *s)
 		packet_send_debug("No xauth program; cannot forward with spoofing.");
 		return 0;
 	}
+	if (options.use_login) {
+		packet_send_debug("X11 forwarding disabled; "
+		    "not compatible with UseLogin=yes.");
+		return 0;
+	}
 	if (s->display != NULL) {
 		debug("X11 display already set.");
 		return 0;
--- a/sshd.8
+++ b/sshd.8
@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.126 2001/06/11 16:04:38 markus Exp $
+.\" $OpenBSD: sshd.8,v 1.127 2001/06/19 14:09:45 markus Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@ -796,11 +796,18 @@ The default is AUTH.
 Specifies whether
 .Xr login 1
 is used for interactive login sessions.
+The default is
+.Dq no .
 Note that
 .Xr login 1
 is never used for remote command execution.
-The default is
-.Dq no .
+Note also, that if this is enabled,                                                           
+.Cm X11Forwarding                                                             
+will be disabled because
+.Xr login 1
+does not know how to handle
+.Xr xauth 1                                                                   
+cookies.
 .It Cm X11DisplayOffset
 Specifies the first display number available for
 .Nm sshd Ns 's
@ -815,6 +822,9 @@ The default is
 .Dq no .
 Note that disabling X11 forwarding does not improve security in any
 way, as users can always install their own forwarders.
+X11 forwarding is automatically disabled if                                                     
+.Cm UseLogin                                                                  
+is enabled.          
 .It Cm XAuthLocation
 Specifies the location of the
 .Xr xauth 1