LPK integration - summary and ideas

Philipp Marek philipp.marek at linbit.com
Wed Jun 9 22:57:49 EST 2010


Hello Howard,

On Wednesday, 9 June 2010, 14:40:29, Howard Chu wrote:
> > 2) If a separate process is the better way, how about skipping the
> >     signature idea and instead provide the same level of security as
> >     sshd itself?
> >     Just open two pipes (STDIN, STDOUT) to an external program started
> >     on sshd startup, use them for communication, and if the handles
> >     ever get closed just log an error and don't use them anymore.
> >     So if the external program gets changed on disk it wouldn't matter
> >     (or at least, only as far as changing /usr/sbin/sshd would, too).
> 
> On modern POSIX systems you can now reliably determine the uid/gid of the
> peer of a Unix Domain socket, so there's really no need to invent
> fancier solutions here.
I should have been more clear here.

What this should help against is (I think) that the external process gets 
hijacked to provide attacker-supplied authorization information.

The original mail wanted to check some kind of signature; to make that 
easier I proposed to just start the process once, with sshd, so that a 
simple file rename isn't sufficient to gain access.


Or maybe I just don't understand you - why do you want to check the UID/GID 
of the auxiliary process?


Regards,

Phil

