sshd audit not happy with ssh1 and scp
John Baldwin
jhb at freebsd.org
Sat Sep 16 23:31:37 EST 2006
On Saturday 16 September 2006 05:23, Darren Tucker wrote:
> On Thu, Sep 14, 2006 at 04:41:20PM -0400, John Baldwin wrote:
> > I think I've found a bug with sshd handling audit events for commands (like
> > scp) over ssh1 connections. Specifically, after updating to a recent FreeBSD
> > 6.x with audit support, I'm getting log messages like these when using scp
> > over ssh1:
> >
> > Sep 12 14:13:16 <auth.info> bm55 sshd[12335]: Accepted rsa for xxx from
> > A.B.C.D port 2981
> > Sep 12 14:13:16 <auth.crit> bm55 sshd[12335]: fatal: monitor_read: unpermitted
>
> Thanks for the report. FreeBSD is using audit support now? Is it the
> debug driver, or are you using OpenBSM or something?
OpenBSM. It's now in FreeBSD 6.x and BSM_AUDIT is enabled by default.
> [...]
> > - {MONITOR_REQ_AUDIT_COMMAND, MON_ONCE, mm_answer_audit_command},
> > + {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
>
> Since SSH protocol 1 can only support a single command per session, the
> intent was to only allow the monitor call once, although it probably
> doesn't matter much.
Ok.
> > I notice that early on it tries to enable MONITOR_REQ_AUDIT_COMMAND in
> > mm_answer_pwnamallow(). However, this doesn't actually work as it tries
> > to enable it in the monitor_dispatch table (which doesn't even have a
> > REQ_AUDIT_COMMAND in either version 1.5 or 2.0) when it needs to be enabled
> > in the monitor_postauth table instead.
>
> You're right. I think that should probably be removed.
>
> Does the following patch also resolve the problem for you?
Yes, the patch works great. Thanks! I assume you are going to commit
that to OpenSSH? DES, can you import this as a vendor fix on the
vendor branch?
> Index: monitor.c
> ===================================================================
> RCS file: /usr/local/src/security/openssh/cvs/openssh/monitor.c,v
> retrieving revision 1.119
> diff -u -p -r1.119 monitor.c
> --- monitor.c 1 Sep 2006 05:48:19 -0000 1.119
> +++ monitor.c 16 Sep 2006 09:15:53 -0000
> @@ -286,7 +286,7 @@ struct mon_table mon_dispatch_postauth15
> {MONITOR_REQ_TERM, 0, mm_answer_term},
> #ifdef SSH_AUDIT_EVENTS
> {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
> - {MONITOR_REQ_AUDIT_COMMAND, MON_ONCE, mm_answer_audit_command},
> + {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
> #endif
> {0, 0, NULL}
> };
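Review bot: the `+` line pairing MON_PERMIT with MON_ONCE should carry a short comment in the table, because each flag does a different job and the combination is easy to "simplify" back to the broken form: MON_PERMIT is what lets the first MONITOR_REQ_AUDIT_COMMAND through at all (with MON_ONCE alone and no monitor_permit() aimed at this table, every such request is refused, which is the "monitor_read: unpermitted" fatal in the original report), while MON_ONCE keeps the one-command-per-protocol-1-session intent stated earlier in the thread. Something like `/* permitted statically; protocol 1 allows one command per session */` next to the entry would make that explicit.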
> @@ -660,9 +660,6 @@ mm_answer_pwnamallow(int sock, Buffer *m
> if (options.use_pam)
> monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);
> #endif
> -#ifdef SSH_AUDIT_EVENTS
> - monitor_permit(mon_dispatch, MONITOR_REQ_AUDIT_COMMAND, 1);
> -#endif
>
> return (0);
> }
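Review bot: removing the `monitor_permit(mon_dispatch, MONITOR_REQ_AUDIT_COMMAND, 1)` call is the right fix once the post-auth table carries MON_PERMIT itself, but the hazard that let this slip in remains: as the report describes, a permit aimed at a table with no matching entry takes no effect and gives no indication, so the call sat in mm_answer_pwnamallow() unnoticed until the request was dispatched. Consider a debug-level message or an assertion in monitor_permit() when the requested type is not found in the table, so the remaining `monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1)` and any future additions fail loudly if they are ever pointed at the wrong table.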
>
--
John Baldwin
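The following is an added illustration, not code from the thread or from OpenSSH's monitor.c: a stripped-down C model of the monitor's permission table and dispatch loop, written to show why the pre-patch state produced "unpermitted" for the first scp command over protocol 1 and how the patched flags behave. The flag names MON_PERMIT and MON_ONCE come from the patch; the REQ_* enumerators, answer_stub(), count_audit_command_dispatches() and the simplified monitor_permit()/monitor_read() bodies are assumptions made for this example.

```c
#include <stdio.h>
#include <stddef.h>

/* Flag bits, mirroring the names used in the patch. */
#define MON_PERMIT 0x01   /* request may be dispatched now */
#define MON_ONCE   0x02   /* after one dispatch, MON_PERMIT is dropped */

/* Request types: a hypothetical subset of those visible in the thread. */
enum monitor_reqtype {
    REQ_NONE = 0,
    REQ_TERM,
    REQ_PAM_START,
    REQ_AUDIT_EVENT,
    REQ_AUDIT_COMMAND
};

/* Dispatch outcomes; the real monitor calls fatal("monitor_read: unpermitted ...")
 * where this model returns DISPATCH_UNPERMITTED. */
enum dispatch_result { DISPATCH_OK = 0, DISPATCH_UNPERMITTED = -1, DISPATCH_UNKNOWN = -2 };

struct mon_table {
    enum monitor_reqtype type;
    int flags;
    int (*f)(void);
};

static int answer_stub(void) { return 0; }   /* stands in for the mm_answer_* handlers */

/* Flip MON_PERMIT on the matching entry of ONE table. When the table has no
 * entry of that type, the loop simply runs off the end: no change, no message. */
static void monitor_permit(struct mon_table *ent, enum monitor_reqtype type, int permit)
{
    for (; ent->f != NULL; ent++) {
        if (ent->type == type) {
            ent->flags &= ~MON_PERMIT;
            if (permit)
                ent->flags |= MON_PERMIT;
            return;
        }
    }
}

/* Dispatch one request against a table: refuse unless MON_PERMIT is set, and
 * after a MON_ONCE handler has run, clear MON_PERMIT so it cannot run again. */
static enum dispatch_result monitor_read(struct mon_table *ent, enum monitor_reqtype type)
{
    for (; ent->f != NULL; ent++) {
        if (ent->type != type)
            continue;
        if (!(ent->flags & MON_PERMIT))
            return DISPATCH_UNPERMITTED;
        (*ent->f)();
        if (ent->flags & MON_ONCE)
            ent->flags &= ~MON_PERMIT;
        return DISPATCH_OK;
    }
    return DISPATCH_UNKNOWN;
}

/* Build the two tables as the thread describes them: the pre-auth table has no
 * AUDIT_COMMAND entry, the protocol-1 post-auth table carries `audit_flags`.
 * Optionally replay the pre-patch runtime permit (aimed at the pre-auth table),
 * then dispatch AUDIT_COMMAND `attempts` times. Returns how many succeeded. */
int count_audit_command_dispatches(int audit_flags, int misplaced_permit, int attempts)
{
    struct mon_table dispatch[] = {
        { REQ_PAM_START, 0, answer_stub },
        { REQ_NONE, 0, NULL }
    };
    struct mon_table postauth15[] = {
        { REQ_TERM, 0, answer_stub },
        { REQ_AUDIT_EVENT, MON_PERMIT, answer_stub },
        { REQ_AUDIT_COMMAND, audit_flags, answer_stub },
        { REQ_NONE, 0, NULL }
    };
    int ok = 0, i;

    if (misplaced_permit)
        monitor_permit(dispatch, REQ_AUDIT_COMMAND, 1);   /* no such entry: silent no-op */

    for (i = 0; i < attempts; i++)
        if (monitor_read(postauth15, REQ_AUDIT_COMMAND) == DISPATCH_OK)
            ok++;
    return ok;
}

int main(void)
{
    printf("before patch (MON_ONCE, misplaced permit): %d of 1 dispatched\n",
           count_audit_command_dispatches(MON_ONCE, 1, 1));
    printf("after patch  (MON_PERMIT|MON_ONCE):        %d of 2 dispatched\n",
           count_audit_command_dispatches(MON_PERMIT | MON_ONCE, 0, 2));
    printf("MON_PERMIT alone (no once limit):          %d of 2 dispatched\n",
           count_audit_command_dispatches(MON_PERMIT, 0, 2));
    return 0;
}
```

The three runs in main() correspond to the states discussed in the thread: the pre-patch table refuses even the first command because the runtime permit was aimed at a table that has no such entry; the patched MON_PERMIT|MON_ONCE entry admits exactly one command and refuses a second, which is the protocol-1 policy Darren describes; plain MON_PERMIT would admit any number. The silent no-op in monitor_permit() is the part a defender should take away: a permission toggle that cannot fail visibly is one that should log or assert when its target is missing.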
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
http://lists.mindrot.org/mailman/listinfo/openssh-unix-dev