LPK integration - summary and ideas
Philipp Marek
philipp.marek at linbit.com
Wed Jun 9 22:57:49 EST 2010
Hello Howard,
Am Mittwoch, 9. Juni 2010, 14:40:29 schrieb Howard Chu:
> > 2) If a separate process is the better way, how about skipping the
> > signature idea and instead provide the same level of securiy as
> > sshd itself?
> > Just open two pipes (STDIN, STDOUT) to an external program started
> > on sshd startup, use them for communication, and if the handles
> > ever get closed just log an error and don't use them anymore.
> > So if the external program gets changed on disk it wouldn't matter
> > (or at least, only as far as changing /usr/sbin/sshd would, too).
>
> On modern POSIX systems you can now reliably determine the uid/gid of the
> peer of a Unix Domain socket, so there's really no need to invent
> fancier solutions here.
I should have been more clear here.
What this should help against is (I think) that the external process gets
hijacked to provide attacker-supplied authorization information.
The original mail wanted to check some kind of signature; to make that
easier I proposed to just start the process once, with sshd, so that a
simple file rename isn't sufficient to gain access.
Or maybe I just don't understand you - why do you want to check the UID/GID
of the auxillary process?
Regards,
Phil
More information about the openssh-unix-dev
mailing list