[Bug 3855] New: sshd-auth sandbox

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Aug 22 17:37:48 AEST 2025 

https://bugzilla.mindrot.org/show_bug.cgi?id=3855

            Bug ID: 3855
           Summary: sshd-auth sandbox
           Product: Portable OpenSSH
           Version: 10.0p2
          Hardware: ARM
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: adrian.jarc at aviatnet.com

We have recently investigated an issue where once we updated to
OpenSSH10.0p2 our integration using wolfProvider
(https://github.com/wolfSSL/wolfProvider) for OpenSSL (3.0.12) and
wolfSSL (built in FIPS mode) didn't want to authenticate user.

During the investigation we have found out that wolfSSLs wolfCrypt
module(FIPS140-3 certified) opens file descriptors for /dev/urandom (or
/dev/random if there is no urandom) when generating random seed for
running KEX algorithms (in our case:
diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521).
This function stopped working once we upgraded from 9.9p2 to 10.0p2. We
investigated and found out that seed generation tries to open file
descriptor from the sshd-auth module, which is sandboxed before doing
anything, and because of that 4th attempt to open FD fails.

So we now made a "patch" that changes lines
https://github.com/openssh/openssh-portable/blob/V_10_0/sshd-auth.c#L787-L792
from:
"
        privsep_child_demote();

        /* perform the key exchange */
        /* authenticate user and start session */
        do_ssh2_kex(ssh);
        do_authentication2(ssh);
"
to:
"
        /* perform the key exchange */
        /* authenticate user and start session */
        do_ssh2_kex(ssh);
        do_authentication2(ssh);

        privsep_child_demote();
".
Now we are wondering what security issues this might cause, and if
there is maybe a better way to fix those limitations that are imposed.
WolfSSL team is also investigating this issue but in their case, they
were unable to reproduce. In our case it was always successful.

WolfSSL also can't easily change their wolfCrypt module, as that would
mean they need to recertify everything (this takes a while).

If we noticed correctly in our case once privsep_child_demote()
function calls ssh_sandbox_child(box). It executes the implementation
in:
https://github.com/openssh/openssh-portable/blob/V_10_0/sandbox-rlimit.c.


System info:
uname -a command returns: Linux WTM4800 5.4.134-iproc #1 PREEMPT Tue
Jan 25 01:02:13 UTC 2022 armv7l armv7l armv7l GNU/Linux

This Linux is a custom Yocto build for our devices.

OpenSSH is build with configuration from Yocto repository:
https://git.yoctoproject.org/poky/tree/meta/recipes-connectivity/openssh

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list