privsep
Denis Ducamp
Denis.Ducamp at hsc.fr
Sat Mar 23 00:15:56 EST 2002
On Wed, Mar 20, 2002 at 02:46:47PM -0800, Kevin Steves wrote:
> I think our strategy for privsep is to just keep portable sync'd closely
> with OpenBSD's tree, even though things will be broken wrt privsep for
> many platforms. Then we just get primary ones working and work out
> issues as we go along. I'll start to work on Sun and HP-UX again
> tomorrow.
First of all thanks to Niels Provos, Markus Friedl and all others for that
work.
I successfully used privsep this morning on Linux Slackware 8.0 after
applying the following patch and getting the tree.h file from
http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/src/sys/sys/tree.h?rev=1.2&content-type=text/plain
You have to activate it in sshd_config with
UsePrivilegeSeparation yes
and then you can verify that it works:
term1$ ssh localhost
=> wait to enter your password
term2# ps auwwx | grep sshd
root 17403 0.2 0.9 3768 1240 ? S 14:04 0:00 /usr/local/sbin/sshd
nobody 17404 1.1 0.9 3776 1256 ? S 14:04 0:00 /usr/local/sbin/sshd
term2# lsof -p 17404
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 17404 root cwd DIR 3,6 4096 604111 /var/empty
sshd 17404 root rtd DIR 3,6 4096 604111 /var/empty
[...]
=> enter your password in term1
term2# ps auwwx | grep sshd
root 17403 0.0 1.2 5568 1556 ? S 14:04 0:00 /usr/local/sbin/sshd
ducamp 17411 0.6 1.1 5040 1384 ? S 14:06 0:00 /usr/local/sbin/sshd
term2# lsof -p 17411
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 17411 root cwd DIR 3,6 4096 2 /
sshd 17411 root rtd DIR 3,6 4096 2 /
[...]
(why my lsof shows processes 17404 and 17411 as root is a mystery...)
Denis Ducamp.
--
Denis.Ducamp at hsc.fr --- Hervé Schauer Consultants --- http://www.hsc.fr/
Owl/Openwall/snort/hping/dsniff in French http://www.groar.org/trad/
Owl in French http://www.openwall.com/Owl/fr/
On the proper use of ... http://usenet-fr.news.eu.org/fr-chartes/rfc1855.html
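A scripted version of the ps/lsof check above, added here as an example; it is not part of the original post nor of OpenSSH. It assumes Linux only: it reads /proc directly, classifies each process named sshd from the Uid line of /proc/<pid>/status plus its cwd and root links, and reports whether an unprivileged child chrooted to /var/empty is present, which is what UsePrivilegeSeparation yes should produce while a login is waiting for its password. It deliberately takes the uid from the status file rather than from the ownership of /proc/<pid>: on Linux a process that has dropped root is no longer dumpable and its /proc directory stays owned by root, which is the usual reason lsof's USER column reports root for a child that ps shows as nobody. Reading another user's cwd and root links needs root, so run it from a root shell as in term2 above. The proc_root parameter and the role strings are this example's own; the parameter exists so the scan can be pointed at a copied or constructed /proc tree.

```python
import os

EMPTY_DIR = "/var/empty"   # chroot jail of the unprivileged pre-auth child


def read_status(proc_root, pid):
    """Parse <proc_root>/<pid>/status; return (name, real_uid, effective_uid)."""
    fields = {}
    with open(os.path.join(proc_root, str(pid), "status")) as fh:
        for line in fh:
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
    uids = fields["Uid"].split()     # real, effective, saved, filesystem
    return fields["Name"], int(uids[0]), int(uids[1])


def classify(effective_uid, root):
    """Name the privsep role implied by the credentials and the chroot."""
    if effective_uid == 0:
        return "privileged (listener or monitor)"
    if root == EMPTY_DIR:
        return "pre-auth child (unprivileged, chrooted to %s)" % EMPTY_DIR
    return "post-auth session (running as the authenticated user)"


def sshd_processes(proc_root="/proc"):
    """Return [(pid, effective_uid, cwd, root, role)] for every process named sshd."""
    found = []
    pids = sorted((d for d in os.listdir(proc_root) if d.isdigit()), key=int)
    for pid in pids:
        try:
            name, _real_uid, euid = read_status(proc_root, pid)
            if name != "sshd":
                continue
            cwd = os.readlink(os.path.join(proc_root, pid, "cwd"))
            root = os.readlink(os.path.join(proc_root, pid, "root"))
        except (OSError, KeyError):
            continue   # process exited mid-scan, or we are not root and cannot read the links
        found.append((int(pid), euid, cwd, root, classify(euid, root)))
    return found


def privsep_active(processes):
    """True when some sshd runs without root inside the /var/empty jail."""
    return any(euid != 0 and root == EMPTY_DIR
               for _pid, euid, _cwd, root, _role in processes)


if __name__ == "__main__":
    procs = sshd_processes()
    for pid, euid, cwd, root, role in procs:
        print("%6d euid=%-5d cwd=%-12s root=%-12s %s" % (pid, euid, cwd, root, role))
    print("unprivileged privsep child present:", privsep_active(procs))
```

Run it while a second terminal sits at the password prompt: the listener (and, once a connection is up, the monitor) shows as privileged, the pre-auth child as unprivileged and chrooted, and after authentication the session process appears under the user's uid with root /. If no chrooted child ever appears, privsep is not in effect regardless of what sshd_config says.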
-------------- next part --------------
diff -dur --new-file openssh/cipher.c openssh.new/cipher.c
--- openssh/cipher.c Fri Mar 22 03:54:25 2002
+++ openssh.new/cipher.c Fri Mar 22 11:24:15 2002
@@ -507,6 +507,13 @@
for (i = blocks; i > 0; i--, cnow-=RIJNDAEL_BLOCKSIZE,
plain-=RIJNDAEL_BLOCKSIZE) {
rijndael_decrypt(&c->r_ctx, cnow, plain);
+ ivp = (i == 1) ? c->r_iv : cnow-RIJNDAEL_BLOCKSIZE;
+ for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++)
+ plain[j] ^= ivp[j];
+ }
+ memcpy(c->r_iv, buf, RIJNDAEL_BLOCKSIZE);
+ }
+ return (1);
}
/*
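Review bot: the seven `+` lines here are exactly the seven lines deleted by the next hunk at -675, so this is a relocation of the CBC-decrypt tail (the XOR with the previous ciphertext block, the `memcpy` that saves the new IV, and `return (1)`) back into the decrypt loop it belongs to. The moved block uses `ivp`, `j` and `buf`, and the hunk shows none of their declarations; confirm they are declared in this function before applying, or the file still will not build. Since the displacement looks like a merge accident, re-syncing cipher.c from the OpenBSD tree is the more reliable fix than carrying this hand-patch.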
@@ -675,13 +682,6 @@
plen = EVP_X_STATE_LEN(cc->evp);
memcpy(EVP_X_STATE(cc->evp), dat, plen);
}
- ivp = (i == 1) ? c->r_iv : cnow-RIJNDAEL_BLOCKSIZE;
- for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++)
- plain[j] ^= ivp[j];
- }
- memcpy(c->r_iv, buf, RIJNDAEL_BLOCKSIZE);
- }
- return (1);
}
static int
ssh_rijndael_cleanup(EVP_CIPHER_CTX *ctx)
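Review bot: the removed lines reference `ivp`, `cnow`, `plain` and `buf`, none of which exist in the EVP state-copy code they had been appended to, so this deletion is needed for the file to compile at all. After it, the function must end at the `}` context line that precedes `static int ssh_rijndael_cleanup`; check that no other stray line of the decrypt loop remains between the `memcpy(EVP_X_STATE(cc->evp), dat, plen);` block and that brace.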
diff -dur --new-file openssh/monitor.c openssh.new/monitor.c
--- openssh/monitor.c Fri Mar 22 03:30:43 2002
+++ openssh.new/monitor.c Fri Mar 22 11:38:00 2002
@@ -494,7 +494,9 @@
buffer_put_cstring(m, pwent->pw_name);
buffer_put_cstring(m, "*");
buffer_put_cstring(m, pwent->pw_gecos);
+#if defined(HAVE_PW_CLASS_IN_PASSWD)
buffer_put_cstring(m, pwent->pw_class);
+#endif
buffer_put_cstring(m, pwent->pw_dir);
buffer_put_cstring(m, pwent->pw_shell);
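Review bot: the `#if defined(HAVE_PW_CLASS_IN_PASSWD)` guard must be identical to the one on the receiving side in monitor_wrap.c; if they ever diverge, the unprivileged child reads `pw_dir` as `pw_class` and every later field shifts by one, and `buffer_get_string` gives no error for that. The patch adds no configure change, so verify that configure already defines HAVE_PW_CLASS_IN_PASSWD on systems whose struct passwd has pw_class and leaves it undefined on Linux, otherwise this hunk changes nothing.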
diff -dur --new-file openssh/monitor_mm.h openssh.new/monitor_mm.h
--- openssh/monitor_mm.h Fri Mar 22 03:30:43 2002
+++ openssh.new/monitor_mm.h Fri Mar 22 11:34:50 2002
@@ -25,7 +25,7 @@
#ifndef _MM_H_
#define _MM_H_
-#include <sys/tree.h>
+#include <tree.h>
struct mm_share {
RB_ENTRY(mm_share) next;
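Review bot: `<tree.h>` with angle brackets only works if the build puts the source directory on the include path; since the file is hand-copied next to the sources, `#include "tree.h"` finds it regardless of -I flags. For a portable tree the better shape is to keep `<sys/tree.h>` where it exists and fall back to the local copy, e.g. `#ifdef HAVE_SYS_TREE_H` / `#include <sys/tree.h>` / `#else` / `#include "tree.h"` / `#endif` (HAVE_SYS_TREE_H being a suggested name for a new configure check), so the OpenBSD build is not altered by this patch.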
diff -dur --new-file openssh/monitor_wrap.c openssh.new/monitor_wrap.c
--- openssh/monitor_wrap.c Fri Mar 22 03:30:43 2002
+++ openssh.new/monitor_wrap.c Fri Mar 22 11:00:02 2002
@@ -197,7 +197,9 @@
pw->pw_name = buffer_get_string(&m, NULL);
pw->pw_passwd = buffer_get_string(&m, NULL);
pw->pw_gecos = buffer_get_string(&m, NULL);
+#if defined(HAVE_PW_CLASS_IN_PASSWD)
pw->pw_class = buffer_get_string(&m, NULL);
+#endif
pw->pw_dir = buffer_get_string(&m, NULL);
pw->pw_shell = buffer_get_string(&m, NULL);
buffer_free(&m);
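Review bot: this is the receiving half of the pw_class change in monitor.c, and the two `#if defined(HAVE_PW_CLASS_IN_PASSWD)` conditions must stay byte-for-byte the same, because `buffer_get_string` reads positionally and a mismatch silently hands back the wrong strings instead of failing. With the guard, a platform without pw_class has no such struct member to leave uninitialised, and on platforms with it `pw->pw_class` is still filled exactly as before.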
Binary files openssh/scard/Ssh.bin and openssh.new/scard/Ssh.bin differ
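Review bot: scard/Ssh.bin is reported as differing, but a text diff cannot carry that change and it has nothing to do with privsep; regenerate the patch with that file excluded (or from a clean tree) so the privsep fix stands alone and applies cleanly.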