Trusted IRIX Support

Jason Ostermann josterm at raytheon.com
Thu May 12 13:13:42 EST 2005 

I'm working on integrating OpenSSH into Trusted IRIX. SGI has performed 
some manner of change and created their own binary distributions. 
Unfortunately, we have to wait until their quarterly release to get 
updated versions. To that end, I'd like to make the appropriate changes 
and feed them back into the main OpenSSH tree.

I've started work and created a very quick-n-dirty hack to show it can 
work. I set this up using SGI's distribution of PAM. I'm also quite 
certain that this is not a complete fix.

To my (limited) understanding, the following changes have to take place:
1) Change the MAC (Mandatory Access Control) label of the process to the 
label requested by the user. This is loaded by the SGI pam_mac module 
into the PAM envinronment variable "MAC". I'm assuming this should 
happen sometime around permanently_set_uid in uidswap.c.
2) Change the capabilities of the process to the capabilities requested 
by the user. This is loaded by the SGI pam_cap module into the PAM 
encironment variable "CAP". I'm also assuming this should happen 
sometime around permanently_set_uid in uidswap.c.
3) Ignore the sanity checks at the end of permanently_set_uid that 
ensures the user cannot change back to the prior uid. If they request, 
and are granted, the capabilities to do that, then it's ok.


This works with UsePrivilegeSeparation set to OFF, and UseLogin set to 
OFF. In the Trusted OS realm, UsePrivilegeSeparation has little meaning. 
We have run with UseLogin set to ON previously, but this requires 
authenticating to ssh and to login, as SGI login does not support -f. In 
addition, failure lockout password controls are not enforced on the 
first password authentication. Using keys to avoid the initial password 
prompt is not feasable in our environment.

Please let me know if this appears to hunt down the right track, and 
what manner I should provide a diff when the time comes. This is just an 
initial investigation at this point, and all that is tested is 
PasswordAuthentication and a basic user shell.

Thanks,
Jason

More information about the openssh-unix-dev mailing list