sshd audit not happy with ssh1 and scp

John Baldwin jhb at freebsd.org
Sat Sep 16 23:31:37 EST 2006


On Saturday 16 September 2006 05:23, Darren Tucker wrote:
> On Thu, Sep 14, 2006 at 04:41:20PM -0400, John Baldwin wrote:
> > I think I've found a bug with sshd handling audit events for commands (like 
> > scp) over ssh1 connections.  Specifically, after updating to a recent FreeBSD 
> > 6.x with audit support, I'm getting log messages like these when using scp 
> > over ssh1:
> > 
> > Sep 12 14:13:16 <auth.info> bm55 sshd[12335]: Accepted rsa for xxx from 
> > A.B.C.D port 2981
> > Sep 12 14:13:16 <auth.crit> bm55 sshd[12335]: fatal: monitor_read: unpermitted 
> 
> Thanks for the report.  FreeBSD is using audit support now?  Is it the
> debug driver, or are you using OpenBSM or something?

OpenBSM.  It's now in FreeBSD 6.x and BSM_AUDIT is enabled by default.

> [...]
> > -    {MONITOR_REQ_AUDIT_COMMAND, MON_ONCE, mm_answer_audit_command},
> > +    {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
> 
> Since SSH protocol 1 can only support a single command per session, the
> intent was to only allow the monitor call once, although it probably
> doesn't matter much.

Ok.

> > I notice that early on it tries to enable MONITOR_REQ_AUDIT_COMMAND in
> > mm_answer_pwnamallow().  However, this doesn't actually work as it tries
> > to enable it in the monitor_dispatch table (which doesn't even have a
> > REQ_AUDIT_COMMAND in either version 1.5 or 2.0) when it needs to be enabled
> > in the monitor_postauth table instead.
> 
> You're right.  I think that should probably be removed.
> 
> Does the following patch also resolve the problem for you?

Yes, the patch works great.  Thanks!  I assume you are going to commit
that to OpenSSH?  DES, can you import this as a vendor fix on the
vendor branch?

> Index: monitor.c
> ===================================================================
> RCS file: /usr/local/src/security/openssh/cvs/openssh/monitor.c,v
> retrieving revision 1.119
> diff -u -p -r1.119 monitor.c
> --- monitor.c	1 Sep 2006 05:48:19 -0000	1.119
> +++ monitor.c	16 Sep 2006 09:15:53 -0000
> @@ -286,7 +286,7 @@ struct mon_table mon_dispatch_postauth15
>      {MONITOR_REQ_TERM, 0, mm_answer_term},
>  #ifdef SSH_AUDIT_EVENTS
>      {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
> -    {MONITOR_REQ_AUDIT_COMMAND, MON_ONCE, mm_answer_audit_command},
> +    {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
>  #endif
>      {0, 0, NULL}
>  };
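Review bot: MON_PERMIT|MON_ONCE on the MONITOR_REQ_AUDIT_COMMAND row makes the request answerable without the separate monitor_permit() call the report found ineffective, while keeping the one-answer limit that matches protocol 1's single command per session. Since the row now differs from the MONITOR_REQ_AUDIT_EVENT row directly above it only by MON_ONCE, a short comment stating that the one-shot is intentional (one command per ssh1 session) would keep the next reader from treating the asymmetry as an oversight, and the hunk header confirms this is mon_dispatch_postauth15, the post-auth table the report said the request had to be enabled in.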
> @@ -660,9 +660,6 @@ mm_answer_pwnamallow(int sock, Buffer *m
>  	if (options.use_pam)
>  		monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);
>  #endif
> -#ifdef SSH_AUDIT_EVENTS
> -	monitor_permit(mon_dispatch, MONITOR_REQ_AUDIT_COMMAND, 1);
> -#endif
>  
>  	return (0);
>  }
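Review bot: Dropping the monitor_permit(mon_dispatch, MONITOR_REQ_AUDIT_COMMAND, 1) call is a correctness fix, not cleanup: it targeted mon_dispatch, which the report says has no MONITOR_REQ_AUDIT_COMMAND entry, so it never permitted anything, and permission now comes from the table row itself. The two hunks only work as a pair, though: with this removal but without the MON_PERMIT change in the post-auth table, nothing would permit the request and every ssh1 command would hit the "monitor_read: unpermitted" fatal, so they should land in one commit. The removed #ifdef SSH_AUDIT_EVENTS block was self-contained, so the preceding use_pam #endif is correctly left in place.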
> 

-- 
John Baldwin
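The monitor dispatch mechanism discussed in this thread, as an added example in C that is not OpenSSH's code and not part of the original message. It models the privilege-separation monitor's permission check: a table row whose flags lack MON_PERMIT is refused (the "unpermitted" fatal in the report), MON_ONCE revokes the permit after one answer, and monitor_permit() aimed at a table that has no row for the request silently does nothing. The flag values, the table contents, the result codes and the scenario_before/scenario_after helpers are assumptions made for the demonstration; only the identifier names follow the thread.

```c
/* Added example, not OpenSSH code: a toy model of sshd's monitor dispatch
 * tables. Flag values, tables, result codes and scenario helpers are
 * assumptions for the demonstration; names mirror the thread. */
#include <stdio.h>

#define MON_PERMIT 0x01   /* request may be answered now */
#define MON_ONCE   0x02   /* after one answer, drop MON_PERMIT again */

/* Result codes of monitor_read() (assumed; real sshd calls fatal()). */
#define MON_OK            0
#define MON_UNKNOWN_REQ  -1   /* no row for this request type */
#define MON_UNPERMITTED  -2   /* row exists but MON_PERMIT is not set */

enum monitor_reqtype {
    MONITOR_REQ_NONE = 0,          /* table sentinel */
    MONITOR_REQ_PWNAM,
    MONITOR_REQ_AUDIT_EVENT,
    MONITOR_REQ_AUDIT_COMMAND
};

typedef int (*mon_answer_fn)(const char *arg);

struct mon_table {
    enum monitor_reqtype type;
    int flags;
    mon_answer_fn f;
};

static int audit_commands_logged = 0;   /* how often the audit handler ran */

static int mm_answer_audit_command(const char *cmd)
{
    (void)cmd;
    audit_commands_logged++;            /* real sshd emits an audit record */
    return MON_OK;
}
static int mm_answer_audit_event(const char *ev) { (void)ev; return MON_OK; }
static int mm_answer_pwnam(const char *u) { (void)u; return MON_OK; }

/* Pre-auth table: no AUDIT_COMMAND row, as the bug report observes. */
static struct mon_table mon_dispatch_preauth[] = {
    {MONITOR_REQ_PWNAM, MON_PERMIT | MON_ONCE, mm_answer_pwnam},
    {MONITOR_REQ_NONE, 0, NULL}
};

/* Protocol 1 post-auth table; the AUDIT_COMMAND flags are set per scenario
 * to reproduce the "before" and "after" states of the patch. */
static struct mon_table mon_dispatch_postauth15[] = {
    {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
    {MONITOR_REQ_AUDIT_COMMAND, 0, mm_answer_audit_command},
    {MONITOR_REQ_NONE, 0, NULL}
};

/* Set or clear MON_PERMIT on one row. Returns 1 if the row was found,
 * 0 if the table has no such request type (the silent no-op in the bug). */
static int monitor_permit(struct mon_table *ent, enum monitor_reqtype type, int permit)
{
    for (; ent->type != MONITOR_REQ_NONE; ent++) {
        if (ent->type != type)
            continue;
        if (permit)
            ent->flags |= MON_PERMIT;
        else
            ent->flags &= ~MON_PERMIT;
        return 1;
    }
    return 0;
}

/* Dispatch one request arriving from the unprivileged child. */
static int monitor_read(struct mon_table *ent, enum monitor_reqtype type, const char *arg)
{
    for (; ent->type != MONITOR_REQ_NONE; ent++) {
        if (ent->type != type)
            continue;
        if (!(ent->flags & MON_PERMIT))
            return MON_UNPERMITTED;     /* sshd: fatal("monitor_read: unpermitted request") */
        if (ent->flags & MON_ONCE)
            ent->flags &= ~MON_PERMIT;  /* one-shot: revoke before answering */
        return ent->f(arg);
    }
    return MON_UNKNOWN_REQ;
}

static void set_audit_command_flags(int flags)
{
    monitor_permit(mon_dispatch_postauth15, MONITOR_REQ_AUDIT_COMMAND, flags & MON_PERMIT);
    mon_dispatch_postauth15[1].flags = flags;   /* row 1 is AUDIT_COMMAND above */
}

/* "Before": MON_ONCE only, plus monitor_permit() aimed at the pre-auth table.
 * Returns the monitor_read() result; *permit_found reports the no-op. */
static int scenario_before(int *permit_found)
{
    set_audit_command_flags(MON_ONCE);
    *permit_found = monitor_permit(mon_dispatch_preauth, MONITOR_REQ_AUDIT_COMMAND, 1);
    return monitor_read(mon_dispatch_postauth15, MONITOR_REQ_AUDIT_COMMAND, "scp");
}

/* "After": MON_PERMIT|MON_ONCE in the table and no monitor_permit() call.
 * Returns the first request's result; *second gets the one-shot rejection. */
static int scenario_after(int *second)
{
    int first;
    set_audit_command_flags(MON_PERMIT | MON_ONCE);
    first = monitor_read(mon_dispatch_postauth15, MONITOR_REQ_AUDIT_COMMAND, "scp");
    *second = monitor_read(mon_dispatch_postauth15, MONITOR_REQ_AUDIT_COMMAND, "scp");
    return first;
}

int main(void)
{
    int found, second, r;
    r = scenario_before(&found);
    printf("before: permit found=%d read=%d\n", found, r);    /* 0, -2 */
    r = scenario_after(&second);
    printf("after:  first=%d second=%d logged=%d\n", r, second, audit_commands_logged);
    return 0;
}
```

The "before" run reproduces the report: the permit call finds no row in the pre-auth table, and the first audit-command request to the post-auth table is refused. The "after" run answers the first request and refuses the second, which is the one-shot behaviour the discussion says protocol 1 only ever needs.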