New Subsystem criteria for Match option block in OpenSSH server

Nicola Muto nicola.muto at cryptolab.net
Tue May 22 00:15:16 EST 2012


> The problem with that is that Match is done at connection
> establishment time and Subsystem is not a property of the connection,
> it's a request type that can be sent zero or more times during the life
> of the connection.

So, is it better not to use the ConnectionInfo structure to handle the
subsystem request? If you like, I can rearrange the code and remove the
subsystem field from the structure in the file servconf.h.


> What happens if I open an sftp subsystem then a normal
> shell session or vice versa?

All the sftp sessions should be chrooted and all shell sessions should
not, in whatever order they are opened.


> that's usually a pretty good indication that you're doing something
> wrong.

I do not know well how the sshd server works internally and what its
execution code flows are, so I added a lot of traces to understand better
what's happening around the privilege separation concept. These traces are
in the file sshd-traces.txt attached to this email.

Well, with privilege separation active the main process forks and drops
privileges definitively before I can receive the subsystem request. So, as
you can see at line 2.11 in the traces, when the client sends the subsystem
request the process has a non-root UID and it's too late to perform a
'chroot' syscall. Am I right?

Like you, I think, I do not like to extend the time window during which the
sshd process is running with root privilege. But I need some help on how to
keep privilege separation active and still trigger a Match Subsystem option
to "chroot" the sshd process.


> I'd like to study your diff a bit more but it got mangled to the point
> that patch denies there's even a diff in there.  Could you please resend
> (a) using diff -u (unified) format and (b) as a text/plain attachment.

Of course, Darren. Please see the attachment; the diff should now be in
the format you requested.

\\nm



On 2012-05-18 07:25, Darren Tucker wrote:
> On Thu, May 17, 2012 at 04:19:36PM +0200, Nicola Muto wrote:
>> Hello everybody,
>>
>> I'm a C/C++ consultant working for Ericsson.
>>
>> I changed the OpenSSH-Portable code to add a new criteria
>> into the Match sshd_config option read by the sshd server.
>>
>> The new criteria is "Subsystem"; so a conditional block based
>
> The problem with that is that Match is done at connection
> establishment time and Subsystem is not a property of the connection,
> it's a request type that can be sent zero or more times during the life
> of the connection.  What happens if I open an sftp subsystem then a
> normal shell session or vice versa?
>
>> you must also disable the privilege separation
>
> that's usually a pretty good indication that you're doing something
> wrong.
>
> I'd like to study your diff a bit more but it got mangled to the point
> that patch denies there's even a diff in there.  Could you please resend
> (a) using diff -u (unified) format and (b) as a text/plain attachment.
>
> Thanks.
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
>     Good judgement comes with experience. Unfortunately, the 
> experience
> usually comes from bad judgement.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sshd-traces.txt
Type: text/x-c
Size: 17979 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20120521/d0e723e7/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: diff-out.txt
Type: text/x-diff
Size: 16494 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20120521/d0e723e7/attachment-0003.bin>
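The thread turns on one fact: Match is evaluated once, at connection establishment, against properties sshd already knows (user, group, host, address), while a subsystem request arrives later over a session channel. The following is an added illustration, not OpenSSH code and not the patch discussed above: a deliberately simplified Python model of servconf.c's Match resolution. It accepts only exact-match User/Group/Host/Address criteria (no wildcards or CIDR), resolves each keyword to the first matching block that sets it with the global section as fallback, and rejects "Subsystem" as a criterion because no such field exists in the connection information. The sample sshd_config is constructed for this example and uses the documented pattern for chrooting a group of sftp-only users (ChrootDirectory plus ForceCommand internal-sftp), which also covers the shell-then-sftp ordering question raised in the thread.

```python
"""Simplified model of how sshd resolves Match blocks at connection time.

Added example, not OpenSSH code. Only User, Group, Host and Address are
modelled, all as exact string matches; real sshd supports patterns and
CIDR.  Keyword resolution: the first matching Match block that sets a
keyword wins, otherwise the global section applies.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SUPPORTED_CRITERIA = ("user", "group", "host", "address")


# Everything sshd knows about a connection when Match is evaluated.
# There is no "subsystem" field: that request is sent later, over an
# already-authenticated session channel, possibly several times.
@dataclass(frozen=True)
class ConnectionInfo:
    user: str
    groups: frozenset
    host: str
    address: str


@dataclass
class MatchBlock:
    criteria: Dict[str, str]                       # e.g. {"group": "sftponly"}
    options: Dict[str, str] = field(default_factory=dict)

    def matches(self, ci: ConnectionInfo) -> bool:
        for crit, pattern in self.criteria.items():
            if crit == "user" and ci.user != pattern:
                return False
            if crit == "group" and pattern not in ci.groups:
                return False
            if crit == "host" and ci.host != pattern:
                return False
            if crit == "address" and ci.address != pattern:
                return False
        return True


def parse_config(text: str) -> Tuple[Dict[str, str], List[MatchBlock]]:
    """Split an sshd_config-style text into global options and Match blocks."""
    global_opts: Dict[str, str] = {}
    blocks: List[MatchBlock] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        keyword, _, rest = line.partition(" ")
        keyword, rest = keyword.lower(), rest.strip()
        if keyword == "match":
            toks = rest.split()
            if len(toks) % 2:
                raise ValueError("Match needs criterion/pattern pairs")
            criteria = {toks[i].lower(): toks[i + 1] for i in range(0, len(toks), 2)}
            bad = [c for c in criteria if c not in SUPPORTED_CRITERIA]
            if bad:
                # A request type such as "Subsystem" is not connection state.
                raise ValueError(f"unsupported Match criteria: {bad}")
            current = MatchBlock(criteria)
            blocks.append(current)
        elif current is None:
            global_opts[keyword] = rest
        else:
            current.options[keyword] = rest
    return global_opts, blocks


def resolve(config_text: str, ci: ConnectionInfo) -> Dict[str, str]:
    """Effective options for one connection: first matching block wins per keyword."""
    global_opts, blocks = parse_config(config_text)
    effective = dict(global_opts)
    decided = set()
    for block in blocks:
        if not block.matches(ci):
            continue
        for key, value in block.options.items():
            if key not in decided:
                effective[key] = value
                decided.add(key)
    return effective


# Constructed sample config. ForceCommand pins sftponly members to the sftp
# server, so a later "shell" request on the same connection cannot escape the
# chroot; sshd expands %u to the user name in ChrootDirectory.
SAMPLE_CONFIG = """
Subsystem sftp internal-sftp
PermitRootLogin no
AllowTcpForwarding yes

Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
"""

if __name__ == "__main__":
    sftp_user = ConnectionInfo("alice", frozenset({"sftponly"}), "laptop", "192.0.2.10")
    admin = ConnectionInfo("bob", frozenset({"wheel"}), "laptop", "192.0.2.11")
    print("alice:", resolve(SAMPLE_CONFIG, sftp_user))
    print("bob:  ", resolve(SAMPLE_CONFIG, admin))
```

Running the module prints the chrooted, sftp-only option set for the `sftponly` member and the unrestricted global set for the other user; feeding it a config containing `Match Subsystem sftp` raises `ValueError`, which is the model's way of making the thread's objection concrete.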

