sshd audit not happy with ssh1 and scp
Darren Tucker
dtucker at zip.com.au
Sat Sep 16 19:23:02 EST 2006
On Thu, Sep 14, 2006 at 04:41:20PM -0400, John Baldwin wrote:
> I think I've found a bug with sshd handling audit events for commands (like
> scp) over ssh1 connections. Specifically, after updating to a recent FreeBSD
> 6.x with audit support, I'm getting log messages like these when using scp
> over ssh1:
>
> Sep 12 14:13:16 <auth.info> bm55 sshd[12335]: Accepted rsa for xxx from
> A.B.C.D port 2981
> Sep 12 14:13:16 <auth.crit> bm55 sshd[12335]: fatal: monitor_read: unpermitted
Thanks for the report. FreeBSD is using audit support now? Is it the
debug driver, or are you using OpenBSM or something?
[...]
> - {MONITOR_REQ_AUDIT_COMMAND, MON_ONCE, mm_answer_audit_command},
> + {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
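Review bot: swapping MON_ONCE for MON_PERMIT does permit the request, but it also drops the once-only restriction on the entry; since protocol 1 carries a single command per session, MON_PERMIT|MON_ONCE would permit the call while keeping that restriction.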
Since SSH protocol 1 can only support a single command per session, the
intent was to only allow the monitor call once, although it probably
doesn't matter much.
> I notice that early on it tries to enable MONITOR_REQ_AUDIT_COMMAND in
> mm_answer_pwnamallow(). However, this doesn't actually work as it tries
> to enable it in the monitor_dispatch table (which doesn't even have a
> REQ_AUDIT_COMMAND in either version 1.5 or 2.0) when it needs to be enabled
> in the monitor_postauth table instead.
You're right. I think that should probably be removed.
Does the following patch also resolve the problem for you?
Index: monitor.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh/monitor.c,v
retrieving revision 1.119
diff -u -p -r1.119 monitor.c
--- monitor.c 1 Sep 2006 05:48:19 -0000 1.119
+++ monitor.c 16 Sep 2006 09:15:53 -0000
@@ -286,7 +286,7 @@ struct mon_table mon_dispatch_postauth15
{MONITOR_REQ_TERM, 0, mm_answer_term},
#ifdef SSH_AUDIT_EVENTS
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
- {MONITOR_REQ_AUDIT_COMMAND, MON_ONCE, mm_answer_audit_command},
+ {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
#endif
{0, 0, NULL}
};
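Review bot: MON_PERMIT|MON_ONCE on the mon_dispatch_postauth15 entry makes MONITOR_REQ_AUDIT_COMMAND permitted from the start of the post-auth phase and revoked after its first use, which matches the one-command-per-session property of protocol 1 discussed above. Only the protocol 1.5 post-auth table is touched by this hunk; worth confirming that the protocol 2 post-auth table does not need the same flag change.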
@@ -660,9 +660,6 @@ mm_answer_pwnamallow(int sock, Buffer *m
if (options.use_pam)
monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);
#endif
-#ifdef SSH_AUDIT_EVENTS
- monitor_permit(mon_dispatch, MONITOR_REQ_AUDIT_COMMAND, 1);
-#endif
return (0);
}
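Review bot: deleting the monitor_permit(mon_dispatch, MONITOR_REQ_AUDIT_COMMAND, 1) call is the right fix for the problem in the report: mon_dispatch is the pre-auth table and has no MONITOR_REQ_AUDIT_COMMAND entry, so the call changed nothing and only gave the impression the request had been enabled. Removing the surrounding #ifdef SSH_AUDIT_EVENTS / #endif with it avoids leaving an empty conditional block, and the hunk header's 9 → 6 line count matches the three removed lines.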
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
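As an added illustration, not code from OpenSSH's monitor.c or from either poster, here is a small C model of the dispatch-table behaviour the thread is about: a MON_PERMIT flag that must be set before a request is accepted, a MON_ONCE flag that clears the permission after the first use, a monitor_permit() that silently does nothing when the table has no entry for the request (the mm_answer_pwnamallow() case), and the "unpermitted" outcome that the report's fatal message corresponds to. The flag values, request numbers, table names and the simulate function are assumptions made for this example.

```c
#include <stdio.h>

/* Flag bits modelled on the OpenSSH monitor flags; the numeric values are assumptions. */
#define MON_PERMIT 0x01   /* request is currently allowed */
#define MON_ONCE   0x02   /* after one accepted request, permission is withdrawn */

/* Constructed request identifiers for the example. */
enum { REQ_TERM = 1, REQ_AUDIT_EVENT = 2, REQ_AUDIT_COMMAND = 3, REQ_PAM_START = 4 };

struct mon_table {
    int type;
    int flags;
    const char *name;   /* NULL marks the end of a table */
};

/* Toy pre-auth table: like the real mon_dispatch in the report, it has no audit-command entry. */
static struct mon_table preauth_tbl[] = {
    { REQ_PAM_START, 0, "pam_start" },
    { 0, 0, NULL }
};

/* Set or clear MON_PERMIT on the entry for `type`.
 * Returns 1 if an entry was found, 0 if the table lacks one (a silent no-op,
 * which is exactly why permitting on the wrong table "doesn't actually work"). */
int monitor_permit(struct mon_table *tbl, int type, int permit)
{
    for (; tbl->name != NULL; tbl++) {
        if (tbl->type != type)
            continue;
        if (permit)
            tbl->flags |= MON_PERMIT;
        else
            tbl->flags &= ~MON_PERMIT;
        return 1;
    }
    return 0;
}

/* Dispatch one request against a table.
 * Returns 1 if the request is accepted, 0 if it is unpermitted or unknown
 * (the real monitor calls fatal() there: "monitor_read: unpermitted request"). */
int monitor_dispatch(struct mon_table *tbl, int type)
{
    for (; tbl->name != NULL; tbl++) {
        if (tbl->type != type)
            continue;
        if (!(tbl->flags & MON_PERMIT))
            return 0;
        if (tbl->flags & MON_ONCE)
            tbl->flags &= ~MON_PERMIT;   /* one shot: withdraw permission after use */
        return 1;
    }
    return 0;
}

/* Replay the reported scenario on fresh copies of the tables.
 * fixed == 0: post-auth entry carries MON_ONCE only, and the pre-auth code tries
 *             to permit the request on the pre-auth table (no effect).
 * fixed == 1: post-auth entry carries MON_PERMIT|MON_ONCE from the start.
 * Returns how many of `attempts` audit-command requests were accepted. */
int audit_commands_accepted(int fixed, int attempts)
{
    struct mon_table preauth[] = {
        { REQ_PAM_START, 0, "pam_start" },
        { 0, 0, NULL }
    };
    struct mon_table postauth15[] = {
        { REQ_TERM, 0, "term" },
        { REQ_AUDIT_EVENT, MON_PERMIT, "audit_event" },
        { REQ_AUDIT_COMMAND, MON_ONCE, "audit_command" },
        { 0, 0, NULL }
    };
    int accepted = 0, i;

    if (fixed)
        postauth15[2].flags = MON_PERMIT | MON_ONCE;
    else
        monitor_permit(preauth, REQ_AUDIT_COMMAND, 1);   /* wrong table: returns 0, changes nothing */

    for (i = 0; i < attempts; i++)
        if (monitor_dispatch(postauth15, REQ_AUDIT_COMMAND))
            accepted++;
    return accepted;
}

int main(void)
{
    printf("permit on table without entry found=%d\n", monitor_permit(preauth_tbl, REQ_AUDIT_COMMAND, 1));
    printf("before fix, one scp command accepted=%d\n", audit_commands_accepted(0, 1));
    printf("after fix,  one scp command accepted=%d\n", audit_commands_accepted(1, 1));
    printf("after fix,  three requests accepted=%d (MON_ONCE)\n", audit_commands_accepted(1, 3));
    return 0;
}
```

The before/after pair shows both halves of the fix at once: without MON_PERMIT on the post-auth entry the first audit-command request is refused, and the permit call aimed at the pre-auth table cannot rescue it because that table has nothing to permit; with MON_PERMIT|MON_ONCE the first request succeeds and any further ones are refused, which is the protocol 1 single-command behaviour the maintainers wanted to keep.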