sshd audit not happy with ssh1 and scp
John Baldwin
jhb at freebsd.org
Fri Sep 15 06:41:20 EST 2006
I think I've found a bug with sshd handling audit events for commands (like
scp) over ssh1 connections. Specifically, after updating to a recent FreeBSD
6.x with audit support, I'm getting log messages like these when using scp
over ssh1:
Sep 12 14:13:16 <auth.info> bm55 sshd[12335]: Accepted rsa for xxx from
A.B.C.D port 2981
Sep 12 14:13:16 <auth.crit> bm55 sshd[12335]: fatal: monitor_read: unpermitted
request 57
Sep 12 14:13:16 <console.info> bm55 kernel: Sep 12 14:13:16 <auth.crit> bm55
sshd[12335]: fatal: monitor_read: unpermitted request 57
Sep 12 14:13:16 <auth.crit> bm55 sshd[12337]: fatal: mm_request_send: write:
Broken pipe
Sep 12 14:13:16 <console.info> bm55 kernel: Sep 12 14:13:16 <auth.crit> bm55
sshd[12337]: fatal: mm_request_send: write: Broken pipe
I tracked these down to the audit event handling for ssh1. Changing ssh1 to
use MON_PERMIT instead of MON_ONCE (ssh2 uses MON_PERMIT) for
REQ_AUDIT_COMMAND fixes it (well, shuts up the warnings):
==== //depot/yahoo/ybsd_6/src/crypto/openssh/monitor.c#4 (text+ko) ====
@@ -272,7 +272,7 @@
{MONITOR_REQ_TERM, 0, mm_answer_term},
#ifdef SSH_AUDIT_EVENTS
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
- {MONITOR_REQ_AUDIT_COMMAND, MON_ONCE, mm_answer_audit_command},
+ {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
#endif
{0, 0, NULL}
};
I notice that early on it tries to enable MONITOR_REQ_AUDIT_COMMAND in
mm_answer_pwnamallow(). However, this doesn't actually work as it tries
to enable it in the monitor_dispatch table (which doesn't even have a
REQ_AUDIT_COMMAND in either version 1.5 or 2.0) when it needs to be enabled
in the monitor_postauth table instead. So, you can either make it
MON_PERMIT like above or you can fix it to not do the monitor_permit() on
the passed in table, but do it on the appropriate postauth table instead.
I'm using the above patch for now, but if you fix openssh I'll go with the
vendor's fix once it makes it into FreeBSD of course. I don't know if the
better fix is the patch above to get ssh1 in sync with ssh2 (in which case th
monitor_permit() in mm_answer_pwnameallow() should probably be removed), or
to fix mm_answer_pwnameallow() to perform the monitor_permit() on the correct
dispatch table.
--
John Baldwin
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
http://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
More information about the openssh-unix-dev
mailing list