sshd audit not happy with ssh1 and scp

John Baldwin jhb at freebsd.org
Fri Sep 15 06:41:20 EST 2006 

I think I've found a bug with sshd handling audit events for commands (like 
scp) over ssh1 connections.  Specifically, after updating to a recent FreeBSD 
6.x with audit support, I'm getting log messages like these when using scp 
over ssh1:

Sep 12 14:13:16 <auth.info> bm55 sshd[12335]: Accepted rsa for xxx from 
A.B.C.D port 2981
Sep 12 14:13:16 <auth.crit> bm55 sshd[12335]: fatal: monitor_read: unpermitted 
request 57
Sep 12 14:13:16 <console.info> bm55 kernel: Sep 12 14:13:16 <auth.crit> bm55 
sshd[12335]: fatal: monitor_read: unpermitted request 57
Sep 12 14:13:16 <auth.crit> bm55 sshd[12337]: fatal: mm_request_send: write: 
Broken pipe
Sep 12 14:13:16 <console.info> bm55 kernel: Sep 12 14:13:16 <auth.crit> bm55 
sshd[12337]: fatal: mm_request_send: write: Broken pipe

I tracked these down to the audit event handling for ssh1.  Changing ssh1 to 
use MON_PERMIT instead of MON_ONCE (ssh2 uses MON_PERMIT) for
REQ_AUDIT_COMMAND fixes it (well, shuts up the warnings):

==== //depot/yahoo/ybsd_6/src/crypto/openssh/monitor.c#4 (text+ko) ====

@@ -272,7 +272,7 @@
     {MONITOR_REQ_TERM, 0, mm_answer_term},
 #ifdef SSH_AUDIT_EVENTS
     {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
-    {MONITOR_REQ_AUDIT_COMMAND, MON_ONCE, mm_answer_audit_command},
+    {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
 #endif
     {0, 0, NULL}
 };

I notice that early on it tries to enable MONITOR_REQ_AUDIT_COMMAND in
mm_answer_pwnamallow().  However, this doesn't actually work as it tries
to enable it in the monitor_dispatch table (which doesn't even have a
REQ_AUDIT_COMMAND in either version 1.5 or 2.0) when it needs to be enabled
in the monitor_postauth table instead.   So, you can either make it
MON_PERMIT like above or you can fix it to not do the monitor_permit() on
the passed in table, but do it on the appropriate postauth table instead.

I'm using the above patch for now, but if you fix openssh I'll go with the 
vendor's fix once it makes it into FreeBSD of course.  I don't know if the 
better fix is the patch above to get ssh1 in sync with ssh2 (in which case th 
monitor_permit() in mm_answer_pwnameallow() should probably be removed), or 
to fix mm_answer_pwnameallow() to perform the monitor_permit() on the correct 
dispatch table.

-- 
John Baldwin

More information about the openssh-unix-dev mailing list