sshd audit not happy with ssh1 and scp

Darren Tucker dtucker at
Sat Sep 16 19:23:02 EST 2006

On Thu, Sep 14, 2006 at 04:41:20PM -0400, John Baldwin wrote:
> I think I've found a bug with sshd handling audit events for commands (like 
> scp) over ssh1 connections.  Specifically, after updating to a recent FreeBSD 
> 6.x with audit support, I'm getting log messages like these when using scp 
> over ssh1:
> Sep 12 14:13:16 <> bm55 sshd[12335]: Accepted rsa for xxx from 
> A.B.C.D port 2981
> Sep 12 14:13:16 <auth.crit> bm55 sshd[12335]: fatal: monitor_read: unpermitted 

Thanks for the report.  FreeBSD is using audit support now?  Is it the
debug driver, or are you using OpenBSM or something?

> -    {MONITOR_REQ_AUDIT_COMMAND, MON_ONCE, mm_answer_audit_command},
> +    {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},

Since SSH protocol 1 can only support a single command per session, the
intent was to only allow the monitor call once, although it probably
doesn't matter much.

> I notice that early on it tries to enable MONITOR_REQ_AUDIT_COMMAND in
> mm_answer_pwnamallow().  However, this doesn't actually work as it tries
> to enable it in the monitor_dispatch table (which doesn't even have a
> REQ_AUDIT_COMMAND in either version 1.5 or 2.0) when it needs to be enabled
> in the monitor_postauth table instead.

You're right.  I think that should be probably be removed.

Does the following patch also resolve the problem for you?

Index: monitor.c
RCS file: /usr/local/src/security/openssh/cvs/openssh/monitor.c,v
retrieving revision 1.119
diff -u -p -r1.119 monitor.c
--- monitor.c	1 Sep 2006 05:48:19 -0000	1.119
+++ monitor.c	16 Sep 2006 09:15:53 -0000
@@ -286,7 +286,7 @@ struct mon_table mon_dispatch_postauth15
     {MONITOR_REQ_TERM, 0, mm_answer_term},
     {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
-    {MONITOR_REQ_AUDIT_COMMAND, MON_ONCE, mm_answer_audit_command},
+    {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
     {0, 0, NULL}
@@ -660,9 +660,6 @@ mm_answer_pwnamallow(int sock, Buffer *m
 	if (options.use_pam)
 		monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);
-	monitor_permit(mon_dispatch, MONITOR_REQ_AUDIT_COMMAND, 1);
 	return (0);

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list