Splitting of sshd binaries in 9.8?
Damien Miller
djm at mindrot.org
Wed Jul 17 10:31:04 AEST 2024
currently it's like this:
sshd [listener]
   |
  exec
   |
sshd-session [privsep monitor]
   |      |
   |     fork
   |      |
   |     sshd-session [preauth unpriv]
   |
  fork (after auth completes)
   |
sshd-session [postauth unpriv]
I think the next step will be to move the preauth unpriv process into
its own binary.
The final step will be to move the postauth unpriv process to a separate
binary, as well as (for portable) adding a new ssh-pam-helper binary that
will be called by the privsep monitor.
At that point, there will be no address-space inheritance and minimal
code sharing between the various processes.
On Sun, 14 Jul 2024, Lars Noodén wrote:
> I realize that the splitting of the sshd binaries is a work in progress.
> Nonetheless I am trying to make a diagram of the situation as of 9.8.
> How close have I gotten?
>
> Is it correct that currently for a basic session, binaries are run four
> ways?
>
> 1. A privileged binary to listen for incoming connections (66717 below)
>
> 2. A privileged session monitor to track the session, for the duration
> of the session (1095 below)
>
> 3. A temporary, unprivileged binary to negotiate the key exchange and
> the authentication with the privileged monitor (6801 below)
>
> 4. An unprivileged binary running as the main account for the duration
> of the session (95350 below)
>
> Here is what I am seeing with ps:
>
> $ ps -ax -o user,pid,ppid,args | grep [s]shd
> root  66717      1 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups (sshd)
>
> $ ps -ax -o user,pid,ppid,args | grep [s]shd
> root  66717      1 sshd: /usr/sbin/sshd [listener] 1 of 10-100 startups (sshd)
> root   1095  66717 sshd-session: lars [priv] (sshd-session)
> sshd   6801   1095 sshd-session: lars [net] (sshd-session)
>
> $ ps -ax -o user,pid,ppid,args | grep [s]shd
> root  66717      1 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups (sshd)
> root   1095  66717 sshd-session: lars [priv] (sshd-session)
> lars  95350   1095 sshd-session: lars at ttyp1 (sshd-session)
>
> And here is an ASCII art interpretation sequence, partially based on
> Niels Provos' privilege separation diagram from 2003:
>
> +----------+
> |   priv   | <========================================= New Connection
> | listener |
> |  (root)  |
> |          |
> |          |  +---------+
> |          +--+  priv   |
> |          |  | session |
> |          |  | monitor |
> |          |  |  (root) |                  +--------+
> |          |  |         +------------------+ unpriv |
> |          |  |         |                  |  net   | ==> Key Exchange
> |          |  |         |                  | (sshd) | <==
> |          |  |         |                  |        |
> |          |  |         |                  |        | ==> Authentication
> |          |  |         |                  |        | <==
> |          |  |         | <== Req Auth === |        |
> |          |  |         | = Auth Result => |        |
> |          |  |         |                  +--------+
> |          |  |         |
> |          |  |         |                  +---------+
> |          |  |         +------------------+ unpriv  |
> |          |  |         |                  | session |
> |          |  |         | <== Req PTY ==== |  (lars) |
> |          |  |         | === Pass PTY ==> |         |
> |          |  |         |                  |         | ==> Net traffic
> |          |  |         |                  |         | <==
> +----------+  +---------+                  +---------+
>
> Have I missed or misinterpreted anything?
>
> Thanks.
> /Lars
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
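The process layout described in this thread (listener, [priv] monitor, [net] preauth child, postauth session child) can be checked mechanically from the same `ps -ax -o user,pid,ppid,args` output Lars posted. The script below is an added example, not code from the thread or from OpenSSH: it rebuilds the sshd process tree from ps lines and verifies the privilege-separation invariants the diagram implies (listener and monitor are root, the [net] process is a child of a monitor and does NOT run as root, the postauth process runs as the account named in its title). The two embedded snapshots are constructed from the output quoted above; the privsep account name `sshd` and the 9.8 process-title formats are assumptions taken from that output, and the privsep user is a parameter because distributions differ.

```python
"""Rebuild the sshd 9.8 process tree from `ps` output and check privsep invariants.

Added example, not OpenSSH code.  Run against a live host with:
    ps -ax -o user,pid,ppid,args | python3 check_privsep.py
"""
import re
import sys
from dataclasses import dataclass, field

# Process titles as they appear in the thread's ps output (assumed 9.8 format).
LISTENER_RE = re.compile(r"^sshd: \S+ \[listener\]")
SESSION_RE = re.compile(
    r"^sshd-session: (?P<user>\S+)(?: \[(?P<tag>priv|net)\]| at (?P<tty>\S+))?"
)


@dataclass
class Proc:
    user: str
    pid: int
    ppid: int
    args: str
    role: str = ""       # listener | monitor | preauth | postauth
    acct: str = ""       # account named in the process title, if any
    children: list = field(default_factory=list)


def classify(args: str):
    """Map a process title to (role, account) following the 9.8 split."""
    if LISTENER_RE.match(args):
        return "listener", ""
    m = SESSION_RE.match(args)
    if not m:
        return "", ""
    role = {"priv": "monitor", "net": "preauth", None: "postauth"}[m.group("tag")]
    return role, m.group("user")


def parse_ps(text: str) -> dict:
    """Parse `ps -o user,pid,ppid,args` output into {pid: Proc}, sshd processes only."""
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4 or not (parts[1].isdigit() and parts[2].isdigit()):
            continue                                  # header or unrelated line
        user, pid, ppid, args = parts
        role, acct = classify(args)
        if role:
            procs[int(pid)] = Proc(user, int(pid), int(ppid), args, role, acct)
    for p in procs.values():                          # link children to parents
        if p.ppid in procs:
            procs[p.ppid].children.append(p)
    return procs


def check_privsep(procs: dict, privsep_user: str = "sshd") -> list:
    """Return invariant violations; an empty list means the layout matches the thread."""
    problems = []
    for p in procs.values():
        parent = procs.get(p.ppid)
        if p.role == "listener" and p.user != "root":
            problems.append(f"{p.pid}: listener runs as {p.user}, expected root")
        elif p.role == "monitor":
            if p.user != "root":
                problems.append(f"{p.pid}: [priv] monitor runs as {p.user}, expected root")
            if parent is None or parent.role != "listener":
                problems.append(f"{p.pid}: [priv] monitor is not a child of the listener")
        elif p.role == "preauth":
            if p.user == "root":
                problems.append(f"{p.pid}: [net] preauth process runs as root; privsep not in effect")
            elif p.user != privsep_user:
                problems.append(f"{p.pid}: [net] preauth runs as {p.user}, expected {privsep_user}")
            if parent is None or parent.role != "monitor":
                problems.append(f"{p.pid}: [net] process is not a child of a [priv] monitor")
        elif p.role == "postauth":
            if p.user != p.acct:
                problems.append(f"{p.pid}: session for {p.acct} runs as {p.user}")
            if parent is None or parent.role != "monitor":
                problems.append(f"{p.pid}: session process is not a child of a [priv] monitor")
    return problems


# Constructed samples: the preauth and postauth snapshots quoted in the thread.
PREAUTH_SNAPSHOT = """\
USER PID PPID ARGS
root 66717 1 sshd: /usr/sbin/sshd [listener] 1 of 10-100 startups (sshd)
root 1095 66717 sshd-session: lars [priv] (sshd-session)
sshd 6801 1095 sshd-session: lars [net] (sshd-session)
"""
POSTAUTH_SNAPSHOT = """\
USER PID PPID ARGS
root 66717 1 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups (sshd)
root 1095 66717 sshd-session: lars [priv] (sshd-session)
lars 95350 1095 sshd-session: lars at ttyp1 (sshd-session)
"""


def main():
    text = POSTAUTH_SNAPSHOT if sys.stdin.isatty() else sys.stdin.read()
    procs = parse_ps(text)
    for p in sorted(procs.values(), key=lambda p: p.pid):
        print(f"{p.pid:>6} {p.user:<8} {p.role:<9} ppid={p.ppid:<6} {p.args}")
    problems = check_privsep(procs)
    print("\n".join(problems) if problems else "privsep layout OK")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main())
```

The [net] and postauth children never coexist under one monitor (the preauth process exits before the postauth one is forked), so the two snapshots are checked separately; a [net] process reported as root is the finding a reviewer would care about most, since it means the unauthenticated peer is talking to privileged code.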