mirror of https://git.tartarus.org/simon/putty.git synced 2025-07-01 11:32:48 -05:00

Support for XDM-AUTHORIZATION-1 at the SSH server end, making use of
the remote IP/port data provided by the server for forwarded
connections. Disabled by default, since it's incompatible with SSH2,
probably incompatible with some X clients, and tickles a bug in
at least one version of OpenSSH.

[originally from svn r2554]
Simon Tatham
2003-01-12 14:11:38 +00:00
parent 05ae857752
commit fee1624c69
8 changed files with 201 additions and 45 deletions


@ -1,4 +1,4 @@
\versionid $Id: config.but,v 1.47 2002/12/18 16:23:10 simon Exp $
\versionid $Id: config.but,v 1.48 2003/01/12 14:11:38 simon Exp $
\C{config} Configuring PuTTY
@ -1887,6 +1887,53 @@ display location} box.
See \k{using-x-forwarding} for more information about X11
forwarding.
\S2{config-ssh-x11auth} Remote X11 authentication
\cfg{winhelp-topic}{ssh.tunnels.x11auth}
If you are using X11 forwarding, the virtual X server created on the
SSH server machine will be protected by authorisation data. This
data is invented, and checked, by PuTTY.
The usual authorisation method used for this is called
\cw{MIT-MAGIC-COOKIE-1}. This is a simple password-style protocol:
the X client sends some cookie data to the server, and the server
checks that it matches the real cookie. The cookie data is sent over
an unencrypted X11 connection; so if you allow a client on a third
machine to access the virtual X server, then the cookie will be sent
in the clear.
PuTTY offers the alternative protocol \cw{XDM-AUTHORIZATION-1}. This
is a cryptographically authenticated protocol: the data sent by the
X client is different every time, and it depends on the IP address
and port of the client's end of the connection and is also stamped
with the current time. So an eavesdropper who captures an
\cw{XDM-AUTHORIZATION-1} string cannot immediately re-use it for
their own X connection.
PuTTY's support for \cw{XDM-AUTHORIZATION-1} is a somewhat
experimental feature, and may encounter several problems:
\b Some X clients probably do not even support
\cw{XDM-AUTHORIZATION-1}, so they will not know what to do with the
data PuTTY has provided.
\b This authentication mechanism will only work in SSH v2. In SSH
v1, the SSH server does not tell the client the source address of
a forwarded connection in a machine-readable format, so it's
impossible to verify the \cw{XDM-AUTHORIZATION-1} data.
\b You may find this feature causes problems with some SSH servers,
which will not clean up \cw{XDM-AUTHORIZATION-1} data after a
session, so that if you then connect to the same server using
a client which only does \cw{MIT-MAGIC-COOKIE-1} and are allocated
the same remote display number, you might find that out-of-date
authentication data is still present on your server and your X
connections fail.
PuTTY's default is \cw{MIT-MAGIC-COOKIE-1}. If you change it, you
should be sure you know what you're doing.
\S{config-ssh-portfwd} Port forwarding
\cfg{winhelp-topic}{ssh.tunnels.portfwd}
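Review bot: the second \b item in the new \S2{config-ssh-x11auth} section says the mechanism "will only work in SSH v2" because an SSH v1 server does not report the source address of a forwarded connection, but the commit message says the feature is disabled by default because it is "incompatible with SSH2"; these contradict each other, so one of them needs correcting before this lands. Two smaller points in the same hunk: the section alternates between "authorisation data" and "authentication data"/"authentication mechanism" for the same thing, and the closing advice "you should be sure you know what you're doing" would be more useful if it named the concrete symptom a user will see when the choice goes wrong (X connections failing), as the third \b item already does for the stale-data case.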