|
 |
f8987c |
diff -up openssh-6.6p1/channels.c.x11max openssh-6.6p1/channels.c
|
|
|
f8987c |
--- openssh-6.6p1/channels.c.x11max 2016-06-27 16:28:49.803631684 +0200
|
|
|
f8987c |
+++ openssh-6.6p1/channels.c 2016-06-27 16:28:49.814631678 +0200
|
|
|
f8987c |
@@ -138,8 +138,8 @@ static int all_opens_permitted = 0;
|
|
|
f8987c |
|
|
|
f8987c |
/* -- X11 forwarding */
|
|
|
f8987c |
|
|
|
f8987c |
-/* Maximum number of fake X11 displays to try. */
|
|
|
f8987c |
-#define MAX_DISPLAYS 1000
|
|
|
f8987c |
+/* Minimum port number for X11 forwarding */
|
|
|
f8987c |
+#define X11_PORT_MIN 6000
|
|
|
f8987c |
|
|
|
f8987c |
/* Saved X11 local (client) display. */
|
|
|
f8987c |
static char *x11_saved_display = NULL;
|
|
|
f8987c |
@@ -3445,7 +3445,8 @@ channel_send_window_changes(void)
|
|
|
f8987c |
*/
|
|
|
f8987c |
int
|
|
|
f8987c |
x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
|
|
|
f8987c |
- int single_connection, u_int *display_numberp, int **chanids)
|
|
|
f8987c |
+ int x11_max_displays, int single_connection, u_int *display_numberp,
|
|
|
f8987c |
+ int **chanids)
|
|
|
f8987c |
{
|
|
|
f8987c |
Channel *nc = NULL;
|
|
|
f8987c |
int display_number, sock;
|
|
|
f8987c |
@@ -3457,10 +3458,15 @@ x11_create_display_inet(int x11_display_
|
|
|
f8987c |
if (chanids == NULL)
|
|
|
f8987c |
return -1;
|
|
|
f8987c |
|
|
|
f8987c |
+ /* Try to bind ports starting at 6000+X11DisplayOffset */
|
|
|
f8987c |
+ x11_max_displays = x11_max_displays + x11_display_offset;
|
|
|
f8987c |
+
|
|
|
f8987c |
for (display_number = x11_display_offset;
|
|
|
f8987c |
- display_number < MAX_DISPLAYS;
|
|
|
f8987c |
+ display_number < x11_max_displays;
|
|
|
f8987c |
display_number++) {
|
|
|
f8987c |
- port = 6000 + display_number;
|
|
|
f8987c |
+ port = X11_PORT_MIN + display_number;
|
|
|
f8987c |
+ if (port < X11_PORT_MIN) /* overflow */
|
|
|
f8987c |
+ break;
|
|
|
f8987c |
memset(&hints, 0, sizeof(hints));
|
|
|
f8987c |
hints.ai_family = IPv4or6;
|
|
|
f8987c |
hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;
|
|
|
f8987c |
@@ -3512,7 +3518,7 @@ x11_create_display_inet(int x11_display_
|
|
|
f8987c |
if (num_socks > 0)
|
|
|
f8987c |
break;
|
|
|
f8987c |
}
|
|
|
f8987c |
- if (display_number >= MAX_DISPLAYS) {
|
|
|
f8987c |
+ if (display_number >= x11_max_displays || port < X11_PORT_MIN ) {
|
|
|
f8987c |
error("Failed to allocate internet-domain X11 display socket.");
|
|
|
f8987c |
return -1;
|
|
|
f8987c |
}
|
|
|
f8987c |
@@ -3658,7 +3664,7 @@ x11_connect_display(void)
|
|
|
f8987c |
memset(&hints, 0, sizeof(hints));
|
|
|
f8987c |
hints.ai_family = IPv4or6;
|
|
|
f8987c |
hints.ai_socktype = SOCK_STREAM;
|
|
|
f8987c |
- snprintf(strport, sizeof strport, "%u", 6000 + display_number);
|
|
|
f8987c |
+ snprintf(strport, sizeof strport, "%u", X11_PORT_MIN + display_number);
|
|
|
f8987c |
if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
|
|
|
f8987c |
error("%.100s: unknown host. (%s)", buf,
|
|
|
f8987c |
ssh_gai_strerror(gaierr));
|
|
|
f8987c |
@@ -3674,7 +3680,7 @@ x11_connect_display(void)
|
|
|
f8987c |
/* Connect it to the display. */
|
|
|
f8987c |
if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
|
|
|
f8987c |
debug2("connect %.100s port %u: %.100s", buf,
|
|
|
f8987c |
- 6000 + display_number, strerror(errno));
|
|
|
f8987c |
+ X11_PORT_MIN + display_number, strerror(errno));
|
|
|
f8987c |
close(sock);
|
|
|
f8987c |
continue;
|
|
|
f8987c |
}
|
|
|
f8987c |
@@ -3683,8 +3689,8 @@ x11_connect_display(void)
|
|
|
f8987c |
}
|
|
|
f8987c |
freeaddrinfo(aitop);
|
|
|
f8987c |
if (!ai) {
|
|
|
f8987c |
- error("connect %.100s port %u: %.100s", buf, 6000 + display_number,
|
|
|
f8987c |
- strerror(errno));
|
|
|
f8987c |
+ error("connect %.100s port %u: %.100s", buf,
|
|
|
f8987c |
+ X11_PORT_MIN + display_number, strerror(errno));
|
|
|
f8987c |
return -1;
|
|
|
f8987c |
}
|
|
|
f8987c |
set_nodelay(sock);
|
|
|
f8987c |
diff -up openssh-6.6p1/channels.h.x11max openssh-6.6p1/channels.h
|
|
|
f8987c |
--- openssh-6.6p1/channels.h.x11max 2016-06-27 16:28:49.814631678 +0200
|
|
|
f8987c |
+++ openssh-6.6p1/channels.h 2016-06-27 16:31:18.925557840 +0200
|
|
|
f8987c |
@@ -281,7 +281,7 @@ int permitopen_port(const char *);
|
|
|
f8987c |
|
|
|
f8987c |
void channel_set_x11_refuse_time(u_int);
|
|
|
f8987c |
int x11_connect_display(void);
|
|
|
f8987c |
-int x11_create_display_inet(int, int, int, u_int *, int **);
|
|
|
f8987c |
+int x11_create_display_inet(int, int, int, int, u_int *, int **);
|
|
|
f8987c |
void x11_input_open(int, u_int32_t, void *);
|
|
|
f8987c |
void x11_request_forwarding_with_spoofing(int, const char *, const char *,
|
|
|
f8987c |
const char *, int);
|
|
|
f8987c |
diff -up openssh-6.6p1/servconf.c.x11max openssh-6.6p1/servconf.c
|
|
|
f8987c |
--- openssh-6.6p1/servconf.c.x11max 2016-06-27 16:28:49.808631681 +0200
|
|
|
f8987c |
+++ openssh-6.6p1/servconf.c 2016-06-27 16:30:46.941573678 +0200
|
|
|
f8987c |
@@ -92,6 +92,7 @@ initialize_server_options(ServerOptions
|
|
|
f8987c |
options->print_lastlog = -1;
|
|
|
f8987c |
options->x11_forwarding = -1;
|
|
|
f8987c |
options->x11_display_offset = -1;
|
|
|
f8987c |
+ options->x11_max_displays = -1;
|
|
|
f8987c |
options->x11_use_localhost = -1;
|
|
|
f8987c |
options->permit_tty = -1;
|
|
|
f8987c |
options->xauth_location = NULL;
|
|
|
f8987c |
@@ -219,6 +220,8 @@ fill_default_server_options(ServerOption
|
|
|
f8987c |
options->x11_forwarding = 0;
|
|
|
f8987c |
if (options->x11_display_offset == -1)
|
|
|
f8987c |
options->x11_display_offset = 10;
|
|
|
f8987c |
+ if (options->x11_max_displays == -1)
|
|
|
f8987c |
+ options->x11_max_displays = DEFAULT_MAX_DISPLAYS;
|
|
|
f8987c |
if (options->x11_use_localhost == -1)
|
|
|
f8987c |
options->x11_use_localhost = 1;
|
|
|
f8987c |
if (options->xauth_location == NULL)
|
|
|
f8987c |
@@ -364,7 +367,7 @@ typedef enum {
|
|
|
f8987c |
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
|
|
f8987c |
sListenAddress, sAddressFamily,
|
|
|
f8987c |
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
|
|
|
f8987c |
- sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
|
|
|
f8987c |
+ sX11Forwarding, sX11DisplayOffset, sX11MaxDisplays, sX11UseLocalhost,
|
|
|
f8987c |
sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
|
|
|
f8987c |
sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
|
|
|
f8987c |
sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
|
|
|
f8987c |
@@ -476,6 +479,7 @@ static struct {
|
|
|
f8987c |
{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
|
|
|
f8987c |
{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
|
|
|
f8987c |
{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
|
|
|
f8987c |
+ { "x11maxdisplays", sX11MaxDisplays, SSHCFG_ALL },
|
|
|
f8987c |
{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
|
|
|
f8987c |
{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
|
|
|
f8987c |
{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
|
|
|
f8987c |
@@ -1202,6 +1206,10 @@ process_server_config_line(ServerOptions
|
|
|
f8987c |
intptr = &options->x11_display_offset;
|
|
|
f8987c |
goto parse_int;
|
|
|
f8987c |
|
|
|
f8987c |
+ case sX11MaxDisplays:
|
|
|
f8987c |
+ intptr = &options->x11_max_displays;
|
|
|
f8987c |
+ goto parse_int;
|
|
|
f8987c |
+
|
|
|
f8987c |
case sX11UseLocalhost:
|
|
|
f8987c |
intptr = &options->x11_use_localhost;
|
|
|
f8987c |
goto parse_flag;
|
|
|
f8987c |
@@ -1889,6 +1897,7 @@ copy_set_server_options(ServerOptions *d
|
|
|
f8987c |
M_CP_INTOPT(gateway_ports);
|
|
|
f8987c |
M_CP_INTOPT(x11_display_offset);
|
|
|
f8987c |
M_CP_INTOPT(x11_forwarding);
|
|
|
f8987c |
+ M_CP_INTOPT(x11_max_displays);
|
|
|
f8987c |
M_CP_INTOPT(x11_use_localhost);
|
|
|
f8987c |
M_CP_INTOPT(permit_tty);
|
|
|
f8987c |
M_CP_INTOPT(max_sessions);
|
|
|
f8987c |
@@ -2106,6 +2115,7 @@ dump_config(ServerOptions *o)
|
|
|
f8987c |
dump_cfg_int(sLoginGraceTime, o->login_grace_time);
|
|
|
f8987c |
dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
|
|
|
f8987c |
dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
|
|
|
f8987c |
+ dump_cfg_int(sX11MaxDisplays, o->x11_max_displays);
|
|
|
f8987c |
dump_cfg_int(sMaxAuthTries, o->max_authtries);
|
|
|
f8987c |
dump_cfg_int(sMaxSessions, o->max_sessions);
|
|
|
f8987c |
dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
|
|
|
f8987c |
diff -up openssh-6.6p1/servconf.h.x11max openssh-6.6p1/servconf.h
|
|
|
f8987c |
--- openssh-6.6p1/servconf.h.x11max 2016-06-27 16:28:49.809631681 +0200
|
|
|
f8987c |
+++ openssh-6.6p1/servconf.h 2016-06-27 16:28:49.815631678 +0200
|
|
|
f8987c |
@@ -55,6 +55,7 @@
|
|
|
f8987c |
|
|
|
f8987c |
#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
|
|
|
f8987c |
#define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */
|
|
|
f8987c |
+#define DEFAULT_MAX_DISPLAYS 1000 /* Maximum number of fake X11 displays to try. */
|
|
|
f8987c |
|
|
|
f8987c |
/* Magic name for internal sftp-server */
|
|
|
f8987c |
#define INTERNAL_SFTP_NAME "internal-sftp"
|
|
|
f8987c |
@@ -85,6 +86,7 @@ typedef struct {
|
|
|
f8987c |
int x11_forwarding; /* If true, permit inet (spoofing) X11 fwd. */
|
|
|
f8987c |
int x11_display_offset; /* What DISPLAY number to start
|
|
|
f8987c |
* searching at */
|
|
|
f8987c |
+ int x11_max_displays; /* Number of displays to search */
|
|
|
f8987c |
int x11_use_localhost; /* If true, use localhost for fake X11 server. */
|
|
|
f8987c |
char *xauth_location; /* Location of xauth program */
|
|
|
f8987c |
int permit_tty; /* If false, deny pty allocation */
|
|
|
f8987c |
diff -up openssh-6.6p1/session.c.x11max openssh-6.6p1/session.c
|
|
|
f8987c |
--- openssh-6.6p1/session.c.x11max 2016-06-27 16:28:49.809631681 +0200
|
|
|
f8987c |
+++ openssh-6.6p1/session.c 2016-06-27 16:28:49.815631678 +0200
|
|
|
f8987c |
@@ -2741,8 +2741,9 @@ session_setup_x11fwd(Session *s)
|
|
|
f8987c |
return 0;
|
|
|
f8987c |
}
|
|
|
f8987c |
if (x11_create_display_inet(options.x11_display_offset,
|
|
|
f8987c |
- options.x11_use_localhost, s->single_connection,
|
|
|
f8987c |
- &s->display_number, &s->x11_chanids) == -1) {
|
|
|
f8987c |
+ options.x11_use_localhost, options.x11_max_displays,
|
|
|
f8987c |
+ s->single_connection, &s->display_number,
|
|
|
f8987c |
+ &s->x11_chanids) == -1) {
|
|
|
f8987c |
debug("x11_create_display_inet failed.");
|
|
|
f8987c |
return 0;
|
|
|
f8987c |
}
|
|
|
f8987c |
diff -up openssh-6.6p1/sshd_config.5.x11max openssh-6.6p1/sshd_config.5
|
|
|
f8987c |
--- openssh-6.6p1/sshd_config.5.x11max 2016-06-27 16:28:49.809631681 +0200
|
|
|
f8987c |
+++ openssh-6.6p1/sshd_config.5 2016-06-27 16:32:01.253536879 +0200
|
|
|
f8987c |
@@ -930,6 +930,7 @@ Available keywords are
|
|
|
f8987c |
.Cm RhostsRSAAuthentication ,
|
|
|
f8987c |
.Cm RSAAuthentication ,
|
|
|
f8987c |
.Cm X11DisplayOffset ,
|
|
|
f8987c |
+.Cm X11MaxDisplays ,
|
|
|
f8987c |
.Cm X11Forwarding
|
|
|
f8987c |
and
|
|
|
f8987c |
.Cm X11UseLocalHost .
|
|
|
f8987c |
@@ -1339,6 +1340,12 @@ Specifies the first display number avail
|
|
|
f8987c |
X11 forwarding.
|
|
|
f8987c |
This prevents sshd from interfering with real X11 servers.
|
|
|
f8987c |
The default is 10.
|
|
|
f8987c |
+.It Cm X11MaxDisplays
|
|
|
f8987c |
+Specifies the maximum number of displays available for
|
|
|
f8987c |
+.Xr sshd 8 Ns 's
|
|
|
f8987c |
+X11 forwarding.
|
|
|
f8987c |
+This prevents sshd from exhausting local ports.
|
|
|
f8987c |
+The default is 1000.
|
|
|
f8987c |
.It Cm X11Forwarding
|
|
|
f8987c |
Specifies whether X11 forwarding is permitted.
|
|
|
f8987c |
The argument must be
|