February 28, 2005

ssh X Forwarding and Xauth

Some time ago I read the blog post [SSH, X Forwarding and Xauth] by Mark McLoughlin (a GNOME developer), and it cleared up a lot of concepts for me. Many designs look "obvious", but if you never dig into how they actually work, you can easily get bogged down without noticing it.

When you run "ssh -Y" (or "ssh -X"), ssh's X forwarding sets up a proxy X server endpoint on the remote host that relays back to your local display, in exactly the way an ordinary ssh tunnel does. You can see it on the remote side: $DISPLAY has been rewritten to point at that proxy (typically something like localhost:10.0, with the display number chosen by sshd) rather than at any real X server. The difference between the two flags is that -Y marks the forwarded connection as trusted, so remote clients get full access to your display, while -X asks for untrusted forwarding.

Of course, X forwarding is not quite that simple. The X Window System was designed from the start as a fully network-transparent window system, and a client must present an xauth cookie before the server lets it touch the display, so a cookie for the forwarded display has to be added to ~/.Xauthority on the remote machine. Here is the interesting part: the cookie that ends up in the remote ~/.Xauthority is not your real local cookie being passed along. It is a fresh, fake cookie that the ssh client generates for this session; the real cookie never leaves your machine. Which leads to the following fact:
    When you try and connect from the remote host to the local display over the tunnel, the SSH client compares the cookie in the first protocol message and if it matches the one it generated for the tunnel, it swaps that cookie with the original cookie and allows the connection to complete.
Why design it this way? Mark McLoughlin gives us this hint:
    At first that might just seem like misguided paranoid delusional crackrock, but it does actually make sense. With this cool trick, if you SSH to a compromised machine (i.e. a machine where an attacker can access your ~/.Xauthority), then your display is only vulnerable while you remain logged in. Once you log out again, the compromised cookie is useless.
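To make the cookie swap concrete, here is an added example that models the three steps in Python. It is not code from the original post, and it is not OpenSSH's own implementation (which is in C); the cookie values, the display name "localhost:10.0" and the function names are all made up for the example. It shows the ssh client generating the fake cookie that goes into the remote ~/.Xauthority, parses the X11 connection-setup request that a remote client sends as its first protocol message (byte order, version, then the authorization protocol name and data, each padded to a multiple of 4 bytes), and swaps the fake cookie for the real one only when they match, so that a stale or foreign cookie presented over the tunnel is refused.

```python
import hmac
import os
import struct

AUTH_PROTO = b"MIT-MAGIC-COOKIE-1"


def pad4(n):
    """X11 pads variable-length fields out to a multiple of 4 bytes."""
    return (4 - n % 4) % 4


def make_fake_cookie(length=16):
    """Step 1: the ssh client invents a random cookie for this session.
    Only this value ever reaches the remote host's ~/.Xauthority."""
    return os.urandom(length)


def xauth_add_command(display, cookie):
    """Step 2: the command the remote side runs (through xauth) to install the
    fake cookie for the forwarded display, e.g. 'localhost:10.0' (made-up name)."""
    return "xauth add %s %s %s" % (display, AUTH_PROTO.decode(), cookie.hex())


def build_setup(cookie, byte_order=b"l", proto=AUTH_PROTO):
    """Build an X11 connection-setup request (the client's first message).
    Layout: byte-order, pad, major, minor, name-len, data-len, 2 pad bytes,
    then the auth protocol name and the auth data, each padded to 4 bytes."""
    fmt = "<" if byte_order == b"l" else ">"
    header = byte_order + b"\0" + struct.pack(fmt + "HHHHxx", 11, 0, len(proto), len(cookie))
    return (header + proto + b"\0" * pad4(len(proto))
            + cookie + b"\0" * pad4(len(cookie)))


def parse_setup(msg):
    """Parse a setup request. Returns (byte_order, proto_name, auth_data, consumed)."""
    if len(msg) < 12 or msg[0:1] not in (b"l", b"B"):
        raise ValueError("not an X11 connection-setup request")
    fmt = "<" if msg[0:1] == b"l" else ">"
    major, _minor, n, d = struct.unpack(fmt + "HHHH", msg[2:10])
    if major != 11:
        raise ValueError("unexpected X protocol major version %d" % major)
    off = 12
    name = msg[off:off + n]
    off += n + pad4(n)
    data = msg[off:off + d]
    off += d + pad4(d)
    if off > len(msg):
        raise ValueError("truncated setup request")
    return msg[0:1], name, data, off


def swap_cookie(msg, fake_cookie, real_cookie):
    """Step 3: what the ssh client does on the first message of every forwarded
    connection. If the remote client presented this session's fake cookie,
    rewrite the message to carry the real local cookie and return it; otherwise
    return None, meaning the connection should be dropped."""
    byte_order, name, data, consumed = parse_setup(msg)
    # Constant-time compare; a length mismatch simply fails the check.
    if name != AUTH_PROTO or not hmac.compare_digest(data, fake_cookie):
        return None
    # Rebuild the header so a real cookie of a different length still fits,
    # and keep whatever bytes the client sent after the setup request.
    return build_setup(real_cookie, byte_order, name) + msg[consumed:]


if __name__ == "__main__":
    real = bytes.fromhex("00112233445566778899aabbccddeeff")  # made-up local cookie
    fake = make_fake_cookie()
    print(xauth_add_command("localhost:10.0", fake))
    # A remote xterm connecting through the tunnel presents the fake cookie...
    forwarded = swap_cookie(build_setup(fake), fake, real)
    assert parse_setup(forwarded)[2] == real
    # ...while a cookie left over from an earlier session is refused.
    assert swap_cookie(build_setup(make_fake_cookie()), fake, real) is None
    print("swap ok")
```

The check is done only on the setup request, which is why the real cookie is never visible on the remote host at all: every later message on the connection is relayed untouched, and once the session ends nothing the attacker copied out of ~/.Xauthority will pass swap_cookie again.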
Posted by jserv at February 28, 2005 09:09 AM
Comments