authordjm <djm@openbsd.org>2010-06-25 23:15:36 +0000
committerdjm <djm@openbsd.org>2010-06-25 23:15:36 +0000
commitef086dd8657de610dd79317682e42b6b84a58b25 (patch)
treec82b8afbd2b041bd41d0faadadb2a6d2b80068ed /usr.bin/ssh/ssh.c
parentlog the hostname and address that we connected to at LogLevel=verbose (diff)
Add X11ForwardTimeout option to specify timeout for untrusted X11
authentication cookies to avoid fallback in X11 code to fully-trusted implicit authentication using SO_PEERCRED described at:
http://lists.x.org/archives/xorg-devel/2010-May/008636.html

After the X11ForwardTimeout has expired the client will now refuse incoming X11 channel opens.

based on patch from Tavis Ormandy; "nice" markus@
Diffstat (limited to 'usr.bin/ssh/ssh.c')
-rw-r--r--usr.bin/ssh/ssh.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/usr.bin/ssh/ssh.c b/usr.bin/ssh/ssh.c
index c9f87053a57..b6aa87c40f9 100644
--- a/usr.bin/ssh/ssh.c
+++ b/usr.bin/ssh/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.339 2010/06/25 23:10:30 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.340 2010/06/25 23:15:36 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1084,7 +1084,9 @@ ssh_session(void)
char *proto, *data;
/* Get reasonable local authentication information. */
client_x11_get_proto(display, options.xauth_location,
- options.forward_x11_trusted, &proto, &data);
+ options.forward_x11_trusted,
+ options.forward_x11_timeout,
+ &proto, &data);
/* Request forwarding with authentication spoofing. */
debug("Requesting X11 forwarding with authentication "
"spoofing.");
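Review bot: Nothing at this call in ssh_session, or at the matching one in ssh_session2_setup, says that `options.forward_x11_timeout` is meant for untrusted cookies only, which is how the commit message describes it, yet the value is passed regardless of `options.forward_x11_trusted`. The existing comment `/* Get reasonable local authentication information. */` could become `/* Get local X11 auth data; untrusted cookies expire after forward_x11_timeout. */` so a reader does not assume trusted forwarding is time-limited as well. How client_x11_get_proto handles a zero or very large timeout is not visible in this diff, so it is worth confirming that the option parser bounds the value before it reaches these calls. ssh_session's body starts and ends outside the hunk.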
@@ -1180,7 +1182,8 @@ ssh_session2_setup(int id, int success, void *arg)
char *proto, *data;
/* Get reasonable local authentication information. */
client_x11_get_proto(display, options.xauth_location,
- options.forward_x11_trusted, &proto, &data);
+ options.forward_x11_trusted,
+ options.forward_x11_timeout, &proto, &data);
/* Request forwarding with authentication spoofing. */
debug("Requesting X11 forwarding with authentication "
"spoofing.");
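Review bot: The argument wrapping here differs from the otherwise identical call in ssh_session, where `&proto, &data);` sits on its own line after `options.forward_x11_timeout,`. Formatting both call sites the same way makes it easier to check at a glance that the two protocol paths hand the same trust and timeout settings to client_x11_get_proto. Because the two blocks are duplicated, any later change to the cookie handling has to be applied in both places. ssh_session2_setup's body continues outside the hunk.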