From openssh at roumenpetrov.info Wed Jun 1 06:07:38 2011
From: openssh at roumenpetrov.info (Roumen Petrov)
Date: Tue, 31 May 2011 23:07:38 +0300
Subject: port-linux.c bug with oom_adjust_restore() - causes real bad oom_adj - which can cause DoS conditions.
References: <4DE40477.9000407@simplicitymedialtd.co.uk> <4DE40CE8.6020609@simplicitymedialtd.co.uk> <20110531072540.GU8496@greenie.muc.de>
Message-ID: <4DE54A8A.1070905@roumenpetrov.info>

Darren Tucker wrote:
> On Tue, May 31, 2011 at 10:18 PM, Cal Leeming [Simplicity Media Ltd] wrote:
> [...]
>
>> Oh trust me, I looked *everywhere*. Even to the extent of running
>> tripwire from a bare bones system, and looking manually at every
>> change made. I also looked for loads of different keywords (-17, oom,
>> proc, self) etc. Spent hours on it :/
>>
>> As for the comment about the modprobe, I already did all this (full
>> debug can be found at
>> http://www.debianhelp.org/content/cgroup-oom-killer-loop-causes-system-lockup-possible-fix-included
>> ), and found that when the bnx2 module isn't loaded, the problem goes
>> away.. When it is loaded, the problem comes back.
>>
> Did you check /proc/self/oom_adj before and after loading the module?
> I don't see that in there, and if it *does* change it would eliminate
> sshd as a variable.
>
> As a workaround, you could add "echo 0>/proc/self/oom_adj" to
> /etc/default/ssh. It's a bit ugly, but at least you wouldn't need to
> recompile anything.
>

Maybe it is not related, but /proc/self/oom_adj is reported as deprecated:

  syslog: kernel: udevd (): /proc//oom_adj is deprecated, please use /proc//oom_score_adj instead

where the kernel is 2.6.38.6. I see oom_score_adj for the first time in 2.6.36.

Regards,
Roumen

-- 
Get X.509 certificates support in OpenSSH:
http://roumenpetrov.info/openssh/

From gert at greenie.muc.de Wed Jun 1 06:43:23 2011
From: gert at greenie.muc.de (Gert Doering) Date: Tue, 31 May 2011 22:43:23 +0200 Subject: port-linux.c bug with oom_adjust_restore() - causes real bad oom_adj - which can cause DoS conditions. In-Reply-To: <4DE54A8A.1070905@roumenpetrov.info> References: <4DE40477.9000407@simplicitymedialtd.co.uk> <4DE40CE8.6020609@simplicitymedialtd.co.uk> <20110531072540.GU8496@greenie.muc.de> <4DE54A8A.1070905@roumenpetrov.info> Message-ID: <20110531204322.GE8496@greenie.muc.de> Hi, On Tue, May 31, 2011 at 11:07:38PM +0300, Roumen Petrov wrote: > May is not related but /proc/self/oom_adjis is reported as deprecated: > syslog: kernel: udevd (): /proc//oom_adj is > deprecated, please use /proc//oom_score_adj instead, where kernel > is 2.6.38.6. I see oom_score_adj for first time in 2.6.36 . Unrelated. OpenSSH will use whatever is there. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From djm at mindrot.org Thu Jun 2 15:04:06 2011 From: djm at mindrot.org (Damien Miller) Date: Thu, 2 Jun 2011 15:04:06 +1000 (EST) Subject: preauth privsep logging via monitor Message-ID: Hi, This diff (for portable) makes the chrooted preauth privsep process log via the monitor using a shared socketpair. It removes the need for /dev/log inside /var/empty and makes mandatory sandboxing of the privsep child easier down the road (no more socket() syscall required). Please test. -d Index: log.c =================================================================== RCS file: /var/cvs/openssh/log.c,v retrieving revision 1.54 diff -u -p -r1.54 log.c --- log.c 10 Jun 2008 13:01:51 -0000 1.54 +++ log.c 2 Jun 2011 03:59:56 -0000 @@ -56,6 +56,8 @@ static LogLevel log_level = SYSLOG_LEVEL static int log_on_stderr = 1; static int log_facility = LOG_AUTH; static char *argv0; +static log_handler_fn *log_handler; +static void *log_handler_ctx; extern char *__progname; 
@@ -260,6 +262,9 @@ log_init(char *av0, LogLevel level, Sysl exit(1); } + log_handler = NULL; + log_handler_ctx = NULL; + log_on_stderr = on_stderr; if (on_stderr) return; @@ -327,6 +332,23 @@ log_init(char *av0, LogLevel level, Sysl #define MSGBUFSIZ 1024 void +set_log_handler(log_handler_fn *handler, void *ctx) +{ + log_handler = handler; + log_handler_ctx = ctx; +} + +void +do_log2(LogLevel level, const char *fmt,...) +{ + va_list args; + + va_start(args, fmt); + do_log(level, fmt, args); + va_end(args); +} + +void do_log(LogLevel level, const char *fmt, va_list args) { #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) @@ -337,6 +359,7 @@ do_log(LogLevel level, const char *fmt, char *txt = NULL; int pri = LOG_INFO; int saved_errno = errno; + log_handler_fn *tmp_handler; if (level > log_level) return; @@ -375,7 +398,7 @@ do_log(LogLevel level, const char *fmt, pri = LOG_ERR; break; } - if (txt != NULL) { + if (txt != NULL && log_handler == NULL) { snprintf(fmtbuf, sizeof(fmtbuf), "%s: %s", txt, fmt); vsnprintf(msgbuf, sizeof(msgbuf), fmtbuf, args); } else { @@ -383,7 +406,13 @@ do_log(LogLevel level, const char *fmt, } strnvis(fmtbuf, msgbuf, sizeof(fmtbuf), log_on_stderr ? LOG_STDERR_VIS : LOG_SYSLOG_VIS); - if (log_on_stderr) { + if (log_handler != NULL) { + /* Avoid recursion */ + tmp_handler = log_handler; + log_handler = NULL; + tmp_handler(level, fmtbuf, log_handler_ctx); + log_handler = tmp_handler; + } else if (log_on_stderr) { snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf); write(STDERR_FILENO, msgbuf, strlen(msgbuf)); } else { Index: log.h =================================================================== RCS file: /var/cvs/openssh/log.h,v retrieving revision 1.21 diff -u -p -r1.21 log.h --- log.h 13 Jun 2008 00:22:54 -0000 1.21 +++ log.h 2 Jun 2011 03:58:14 -0000 
@@ -46,6 +46,8 @@ typedef enum { SYSLOG_LEVEL_NOT_SET = -1 } LogLevel; +typedef void (log_handler_fn)(LogLevel, const char *, void *); + void log_init(char *, LogLevel, SyslogFacility, int); SyslogFacility log_facility_number(char *); @@ -64,6 +66,9 @@ void debug(const char *, ...) __attr void debug2(const char *, ...) __attribute__((format(printf, 1, 2))); void debug3(const char *, ...) __attribute__((format(printf, 1, 2))); + +void set_log_handler(log_handler_fn *, void *); +void do_log2(LogLevel, const char *, ...); void do_log(LogLevel, const char *, va_list); void cleanup_exit(int) __attribute__((noreturn)); #endif Index: monitor.c =================================================================== RCS file: /var/cvs/openssh/monitor.c,v retrieving revision 1.147 diff -u -p -r1.147 monitor.c --- monitor.c 29 May 2011 11:39:38 -0000 1.147 +++ monitor.c 2 Jun 2011 04:02:42 -0000 @@ -45,6 +45,14 @@ #include #include +#ifdef HAVE_POLL_H +#include +#else +# ifdef HAVE_SYS_POLL_H +# include +# endif +#endif + #ifdef SKEY #include #endif @@ -52,6 +60,7 @@ #include #include "openbsd-compat/sys-queue.h" +#include "atomicio.h" #include "xmalloc.h" #include "ssh.h" #include "key.h" @@ -179,6 +188,8 @@ int mm_answer_audit_event(int, Buffer *) int mm_answer_audit_command(int, Buffer *); #endif +static int monitor_read_log(struct monitor *); + static Authctxt *authctxt; static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ @@ -346,6 +357,10 @@ monitor_child_preauth(Authctxt *_authctx debug3("preauth child monitor started"); + close(pmonitor->m_recvfd); + close(pmonitor->m_log_sendfd); + pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1; + authctxt = _authctxt; memset(authctxt, 0, sizeof(*authctxt)); 
@@ -405,6 +420,10 @@ monitor_child_preauth(Authctxt *_authctx #endif } + /* Drain any buffered messages from the child */ + while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0) + ; + if (!authctxt->valid) fatal("%s: authenticated invalid user", __func__); if (strcmp(auth_method, "unknown") == 0) @@ -414,6 +433,10 @@ monitor_child_preauth(Authctxt *_authctx __func__, authctxt->user); mm_get_keystate(pmonitor); + + close(pmonitor->m_sendfd); + close(pmonitor->m_log_recvfd); + pmonitor->m_sendfd = pmonitor->m_log_recvfd = -1; } static void @@ -431,6 +454,9 @@ monitor_child_handler(int sig) void monitor_child_postauth(struct monitor *pmonitor) { + close(pmonitor->m_recvfd); + pmonitor->m_recvfd = -1; + monitor_set_child_handler(pmonitor->m_pid); signal(SIGHUP, &monitor_child_handler); signal(SIGTERM, &monitor_child_handler); @@ -454,6 +480,9 @@ monitor_child_postauth(struct monitor *p for (;;) monitor_read(pmonitor, mon_dispatch, NULL); + + close(pmonitor->m_sendfd); + pmonitor->m_sendfd = -1; } void 
@@ -465,6 +494,45 @@ monitor_sync(struct monitor *pmonitor) } } +static int +monitor_read_log(struct monitor *pmonitor) +{ + Buffer logmsg; + u_int len, level; + char *msg; + + buffer_init(&logmsg); + buffer_append_space(&logmsg, 4); + if (atomicio(read, pmonitor->m_log_recvfd, + buffer_ptr(&logmsg), buffer_len(&logmsg)) != buffer_len(&logmsg)) { + if (errno == EPIPE) { + debug("%s: child log fd closed", __func__); + close(pmonitor->m_log_recvfd); + pmonitor->m_log_recvfd = -1; + return -1; + } + fatal("%s: log fd read: %s", __func__, strerror(errno)); + } + len = buffer_get_int(&logmsg); + if (len <= 4 || len > 8192) + fatal("%s: invalid log message length %u", __func__, len); + buffer_clear(&logmsg); + buffer_append_space(&logmsg, len); + if (atomicio(read, pmonitor->m_log_recvfd, + buffer_ptr(&logmsg), buffer_len(&logmsg)) != buffer_len(&logmsg)) + fatal("%s: log fd read: %s", __func__, strerror(errno)); + + level = buffer_get_int(&logmsg); + msg = buffer_get_string(&logmsg, NULL); + if (log_level_name(level) == NULL) + fatal("%s: invalid log level %u (corrupted message?)", + __func__, level); + do_log2(level, "[preauth] %s", msg); + buffer_free(&logmsg); + xfree(msg); + return 0; +} + int monitor_read(struct monitor *pmonitor, struct mon_table *ent, struct mon_table **pent) @@ -472,6 +540,27 @@ monitor_read(struct monitor *pmonitor, s Buffer m; int ret; u_char type; + struct pollfd pfd[2]; + + for (;;) { + bzero(&pfd, sizeof(pfd)); + pfd[0].fd = pmonitor->m_sendfd; + pfd[0].events = POLLIN; + pfd[1].fd = pmonitor->m_log_recvfd; + pfd[1].events = pfd[1].fd == -1 ? 0 : POLLIN; + if (poll(pfd, pfd[1].fd == -1 ? 1 : 2, -1) == -1) + fatal("%s: poll: %s", __func__, strerror(errno)); + if (pfd[1].revents) { + /* + * Drain all log messages before processing next + * monitor request. + */ + monitor_read_log(pmonitor); + continue; + } + if (pfd[0].revents) + break; /* Continues below */ + } buffer_init(&m); 
@@ -1851,17 +1940,30 @@ mm_init_compression(struct mm_master *mm } while (0) static void -monitor_socketpair(int *pair) +monitor_openfds(struct monitor *mon, int do_logfds) { #ifdef HAVE_SOCKETPAIR - if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == -1) - fatal("%s: socketpair", __func__); + int pair[2]; + + if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == -1) + fatal("%s: socketpair: %s", __func__, strerror(errno)); + FD_CLOSEONEXEC(pair[0]); + FD_CLOSEONEXEC(pair[1]); + mon->m_recvfd = pair[0]; + mon->m_sendfd = pair[1]; + + if (do_logfds) { + if (pipe(pair) == -1) + fatal("%s: pipe: %s", __func__, strerror(errno)); + FD_CLOSEONEXEC(pair[0]); + FD_CLOSEONEXEC(pair[1]); + mon->m_log_recvfd = pair[0]; + mon->m_log_sendfd = pair[1]; + } else + mon->m_log_recvfd = mon->m_log_sendfd = -1; #else - fatal("%s: UsePrivilegeSeparation=yes not supported", - __func__); -#endif - FD_CLOSEONEXEC(pair[0]); - FD_CLOSEONEXEC(pair[1]); + fatal("%s: UsePrivilegeSeparation=yes not supported", __func__); +#endif /* HAVE_SOCKETPAIR */ } #define MM_MEMSIZE 65536 @@ -1870,14 +1972,10 @@ struct monitor * monitor_init(void) { struct monitor *mon; - int pair[2]; mon = xcalloc(1, sizeof(*mon)); - monitor_socketpair(pair); - - mon->m_recvfd = pair[0]; - mon->m_sendfd = pair[1]; + monitor_openfds(mon, 1); /* Used to share zlib space across processes */ if (options.compression) { @@ -1894,12 +1992,7 @@ monitor_init(void) void monitor_reinit(struct monitor *mon) { - int pair[2]; - - monitor_socketpair(pair); - - mon->m_recvfd = pair[0]; - mon->m_sendfd = pair[1]; + monitor_openfds(mon, 0); } #ifdef GSSAPI Index: monitor.h =================================================================== RCS file: /var/cvs/openssh/monitor.h,v retrieving revision 1.22 diff -u -p -r1.22 monitor.h --- monitor.h 5 Nov 2008 05:20:46 -0000 1.22 +++ monitor.h 2 Jun 2011 03:58:14 -0000 
@@ -72,6 +72,8 @@ struct mm_master; struct monitor { int m_recvfd; int m_sendfd; + int m_log_recvfd; + int m_log_sendfd; struct mm_master *m_zback; struct mm_master *m_zlib; struct Kex **m_pkex; Index: monitor_wrap.c =================================================================== RCS file: /var/cvs/openssh/monitor_wrap.c,v retrieving revision 1.88 diff -u -p -r1.88 monitor_wrap.c --- monitor_wrap.c 29 May 2011 11:39:38 -0000 1.88 +++ monitor_wrap.c 2 Jun 2011 03:58:14 -0000 @@ -88,6 +88,26 @@ extern struct monitor *pmonitor; extern Buffer loginmsg; extern ServerOptions options; +void +mm_log_handler(LogLevel level, const char *msg, void *ctx) +{ + Buffer log_msg; + struct monitor *mon = (struct monitor *)ctx; + + if (mon->m_log_sendfd == -1) + fatal("%s: no log channel", __func__); + + buffer_init(&log_msg); + buffer_put_int(&log_msg, 0); /* filled in with length below */ + buffer_put_int(&log_msg, level); + buffer_put_cstring(&log_msg, msg); + put_u32(buffer_ptr(&log_msg), buffer_len(&log_msg) - 4); + if (atomicio(vwrite, mon->m_log_sendfd, buffer_ptr(&log_msg), + buffer_len(&log_msg)) != buffer_len(&log_msg)) + fatal("%s: write: %s", __func__, strerror(errno)); + buffer_free(&log_msg); +} + int mm_is_monitor(void) { Index: monitor_wrap.h =================================================================== RCS file: /var/cvs/openssh/monitor_wrap.h,v retrieving revision 1.29 diff -u -p -r1.29 monitor_wrap.h --- monitor_wrap.h 5 Mar 2009 13:58:22 -0000 1.29 +++ monitor_wrap.h 2 Jun 2011 03:58:14 -0000 
@@ -37,6 +37,7 @@ struct monitor; struct mm_master; struct Authctxt; +void mm_log_handler(LogLevel, const char *, void *); int mm_is_monitor(void); DH *mm_choose_dh(int, int, int); int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); Index: sshd.c =================================================================== RCS file: /var/cvs/openssh/sshd.c,v retrieving revision 1.404 diff -u -p -r1.404 sshd.c --- sshd.c 5 May 2011 04:15:09 -0000 1.404 +++ sshd.c 2 Jun 2011 03:58:14 -0000 @@ -636,10 +636,8 @@ privsep_preauth(Authctxt *authctxt) } else if (pid != 0) { debug2("Network child is on pid %ld", (long)pid); - close(pmonitor->m_recvfd); pmonitor->m_pid = pid; monitor_child_preauth(authctxt, pmonitor); - close(pmonitor->m_sendfd); /* Sync memory */ monitor_sync(pmonitor); @@ -651,8 +649,11 @@ privsep_preauth(Authctxt *authctxt) return (1); } else { /* child */ - close(pmonitor->m_sendfd); + close(pmonitor->m_log_recvfd); + + /* Arrange for logging to be sent to the monitor */ + set_log_handler(mm_log_handler, pmonitor); /* Demote the child */ if (getuid() == 0 || geteuid() == 0) @@ -685,7 +686,6 @@ privsep_postauth(Authctxt *authctxt) fatal("fork of unprivileged child failed"); else if (pmonitor->m_pid != 0) { verbose("User child is on pid %ld", (long)pmonitor->m_pid); - close(pmonitor->m_recvfd); buffer_clear(&loginmsg); monitor_child_postauth(pmonitor); @@ -693,7 +693,10 @@ privsep_postauth(Authctxt *authctxt) exit(0); } + /* child */ + close(pmonitor->m_sendfd); + pmonitor->m_sendfd = -1; /* Demote the private keys to public keys. */ demote_sensitive_data(); From mark.crick at dimensiondata.com Thu Jun 2 15:10:47 2011 
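Review bot: in the privsep_preauth() child branch of the sshd.c hunk, the `close(pmonitor->m_sendfd);` line is removed and `close(pmonitor->m_log_recvfd);` takes its place instead of being added alongside it, so the unprivileged preauth child keeps the monitor's end of the request socketpair open for its whole lifetime. The postauth child hunk does close m_sendfd and set it to -1; the preauth child should do both as well, before `set_log_handler(mm_log_handler, pmonitor);`.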
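Review bot: the length check in monitor_read_log(), `len <= 4 || len > 8192`, still admits len values 5, 6 and 7, which cannot hold the u_int level plus the string's own length prefix; buffer_get_int()/buffer_get_string() would then fail on buffer underflow, so the process still dies, but without the "invalid log message length" diagnostic this check is meant to give. A lower bound of 8 reports it correctly. The EPIPE branch in the same function also depends on atomicio() turning a zero-byte read into errno = EPIPE; a one-line comment there would spare the next reader a trip to atomicio.c.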
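Review bot: in the do_log() hunk the handler is called with fmtbuf after strnvis() has run, and monitor_read_log() then hands that text to `do_log2(level, "[preauth] %s", msg)`, which runs it through strnvis() a second time; unless the LOG_*_VIS flags include VIS_NOSLASH, a backslash in a preauth message reaches syslog doubled twice, and every escape the first pass produced gets its leading backslash doubled as well. Either give the handler the raw msgbuf and let the monitor encode once, or have the monitor skip the encoding for text that arrived already encoded.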
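Review bot: in the monitor_read() hunk, `bzero(&pfd, sizeof(pfd))` passes the address of the array where the array itself is meant; both decay to the same pointer so it works, but `bzero(pfd, sizeof(pfd))` matches the `poll(pfd, ...)` call that follows and reads less oddly.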
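Review bot: the drain loop added to monitor_child_preauth(), `while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0)`, only ends when the child closes its end of the log pipe, so it relies on whatever `mm_get_keystate(pmonitor)` reads a few lines later already sitting in the socketpair buffer by then. That ordering dependence is easy to break when either side is reordered and deserves a comment next to the loop.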
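The child-to-monitor record framing the diff introduces (a u32 length, a u32 level, then a length-prefixed string), reimplemented as an added stand-alone example with the monitor's bounds checks; this is not code from the patch or from OpenSSH, and the level values, `MAX_LOG_MSG` and the function names are assumptions made here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed to mirror the ordering of OpenSSH's LogLevel enum; only the count matters. */
enum log_level { LVL_QUIET, LVL_FATAL, LVL_ERROR, LVL_INFO, LVL_VERBOSE,
                 LVL_DEBUG1, LVL_DEBUG2, LVL_DEBUG3, LVL_COUNT };

#define MAX_LOG_MSG 8192	/* upper bound monitor_read_log() enforces in the diff */

static void put_u32(unsigned char *p, uint32_t v)
{
	p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
	p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

static uint32_t get_u32(const unsigned char *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	    ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * Child side (what mm_log_handler() builds in its Buffer): one record is
 *   u32 len | u32 level | u32 slen | slen bytes
 * with len counting everything after itself. Returns a malloc'd frame and its
 * size in *out_len, or NULL if it would exceed MAX_LOG_MSG.
 */
unsigned char *frame_log(uint32_t level, const char *msg, size_t *out_len)
{
	size_t slen = strlen(msg), len = 4 + 4 + slen;
	unsigned char *buf;
	if (len > MAX_LOG_MSG || (buf = malloc(4 + len)) == NULL)
		return NULL;
	put_u32(buf, (uint32_t)len);
	put_u32(buf + 4, level);
	put_u32(buf + 8, (uint32_t)slen);
	memcpy(buf + 12, msg, slen);
	*out_len = 4 + len;
	return buf;
}

/*
 * Monitor side (monitor_read_log() in the diff): take one record off a byte
 * stream. Returns bytes consumed, 0 if the stream is short (the monitor would
 * block in atomicio() for the rest), or -1 where the monitor would fatal().
 * On success *msg is malloc'd and NUL-terminated.
 */
long parse_log(const unsigned char *in, size_t avail, uint32_t *level, char **msg)
{
	uint32_t len, lvl, slen;
	if (avail < 4)
		return 0;
	len = get_u32(in);
	/* The diff's check (len <= 4) lets 5..7 through, too short for level + slen. */
	if (len < 8 || len > MAX_LOG_MSG)
		return -1;
	if (avail - 4 < len)
		return 0;
	lvl = get_u32(in + 4);
	if (lvl >= LVL_COUNT)	/* where the diff tests log_level_name(level) == NULL */
		return -1;
	slen = get_u32(in + 8);
	if (slen != len - 8)	/* stricter than buffer_get_string(): no slack bytes */
		return -1;
	if ((*msg = malloc((size_t)slen + 1)) == NULL)
		return -1;
	memcpy(*msg, in + 12, slen);
	(*msg)[slen] = '\0';
	*level = lvl;
	return 4 + (long)len;
}

/* Drain a stream the way the monitor drains its log fd; -1 on a corrupt record. */
int drain_log_stream(const unsigned char *in, size_t avail)
{
	uint32_t level;
	char *msg;
	long used;
	int n = 0;
	while ((used = parse_log(in, avail, &level, &msg)) > 0) {
		printf("[preauth] level %u: %s\n", (unsigned)level, msg); /* prefix as in the diff */
		free(msg);
		in += used;
		avail -= (size_t)used;
		n++;
	}
	return used < 0 ? -1 : n;
}

int main(void)
{
	/* Constructed sample: two records back to back, as the child would write them. */
	unsigned char stream[128], *a, *b;
	size_t n1, n2;
	a = frame_log(LVL_INFO, "Accepted publickey for user", &n1);
	b = frame_log(LVL_DEBUG1, "userauth-request", &n2);
	memcpy(stream, a, n1);
	memcpy(stream + n1, b, n2);
	printf("records parsed: %d\n", drain_log_stream(stream, n1 + n2));
	free(a); free(b);
	return 0;
}
```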
From: mark.crick at dimensiondata.com (Mark Crick (AU))
Date: Thu, 2 Jun 2011 15:10:47 +1000
Subject: Openwindows run on remote machine on OpenSSH_3.9p1 solaris 5.8

Hi,

I've had some strange recent behaviour from ssh (OpenSSH_3.9p1 Solaris 5.8). I have an application that runs a script that runs a remote command over ssh; however, rather than running the command, ssh tried to run openwindows (an xsession app, I think). Every time the application ran the command the same issue would occur, until the application was restarted. The command it should have been trying to run had nothing to do with xsessions. I was able to get output from the app to show that the ssh command was being built and run correctly. Stupidly I forgot to get verbose mode output from SSH. I'm thinking there must be a profile issue, maybe.

I also experienced a similar issue where the ssh process hung (the command it was running had finished); I pstacked the ssh processes and they were stuck in reads() (forgot to truss). The issue also went away when the app was restarted.

Anyone heard of any bugs similar?

Thanks,
Mark Crick

From djm at mindrot.org Thu Jun 2 15:48:07 2011
From: djm at mindrot.org (Damien Miller)
Date: Thu, 2 Jun 2011 15:48:07 +1000 (EST)
Subject: Openwindows run on remote machine on OpenSSH_3.9p1 solaris 5.8

On Thu, 2 Jun 2011, Mark Crick (AU) wrote:

> Hi,
>
> I've had some strange recent behaviour from ssh (OpenSSH_3.9p1 Solaris 5.8).

OpenSSH 3.9p1 was released nearly 7 years ago. If you want any assistance at all you will first need to reproduce the problem with a recent version.

-d

From dtucker at zip.com.au Fri Jun 3 11:08:02 2011
From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 3 Jun 2011 11:08:02 +1000 Subject: unconitionally use socketpair? Message-ID: <20110603010802.GA25132@gate.dtucker.net> Does anyone actually use sshd on a system that doesn't have socketpair? It's used elsewhere so the don't-have path seems like it'd never be exercised these days. Index: monitor.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh/monitor.c,v retrieving revision 1.147 diff -u -p -r1.147 monitor.c --- monitor.c 29 May 2011 11:39:38 -0000 1.147 +++ monitor.c 3 Jun 2011 01:05:31 -0000 @@ -1853,13 +1853,8 @@ mm_init_compression(struct mm_master *mm static void monitor_socketpair(int *pair) { -#ifdef HAVE_SOCKETPAIR if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == -1) fatal("%s: socketpair", __func__); -#else - fatal("%s: UsePrivilegeSeparation=yes not supported", - __func__); -#endif FD_CLOSEONEXEC(pair[0]); FD_CLOSEONEXEC(pair[1]); } -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From tim at multitalents.net Fri Jun 3 11:34:58 2011 From: tim at multitalents.net (Tim Rice) Date: Thu, 2 Jun 2011 18:34:58 -0700 (PDT) Subject: unconitionally use socketpair? In-Reply-To: <20110603010802.GA25132@gate.dtucker.net> References: <20110603010802.GA25132@gate.dtucker.net> Message-ID: On Fri, 3 Jun 2011, Darren Tucker wrote: > Does anyone actually use sshd on a system that doesn't have socketpair? > It's used elsewhere so the don't-have path seems like it'd never be > exercised these days. I found 2 systems in my survey file. One was an old SCO system we no longer support and the other (from 2006) was "host: i586-pc-syllable" Whatever that is. -- Tim Rice Multitalents (707) 456-1146 tim at multitalents.net (707) 887-1469 From dtucker at zip.com.au Fri Jun 3 12:08:53 2011 
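Review bot: with the `#ifdef HAVE_SOCKETPAIR` guard gone from monitor_socketpair(), a libc without socketpair() now fails at link time instead of hitting the removed `fatal("%s: UsePrivilegeSeparation=yes not supported", ...)` at run time; that matches the intent stated in the message but should be recorded in the commit message, since the fatal() was the only place naming the feature that is lost. While this line is being touched, `fatal("%s: socketpair", __func__)` would be more useful with strerror(errno) appended.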
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 3 Jun 2011 12:08:53 +1000
Subject: unconditionally use socketpair?
References: <20110603010802.GA25132@gate.dtucker.net>

On Fri, Jun 3, 2011 at 11:34 AM, Tim Rice wrote:
[...]
> I found 2 systems in my survey file. One was an old SCO system we no
> longer support and the other (from 2006) was "host: i586-pc-syllable"
> Whatever that is.

It's a BEOS clone.

We could just stick a null implementation of socketpair in the compat library that just returns failure and sets errno to ENOENT or something. That'd allow any such systems to still compile and mostly work, without adding to the work of pulling changes from OpenBSD.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au Fri Jun 3 14:04:57 2011
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 3 Jun 2011 14:04:57 +1000
Subject: unconditionally use socketpair?
References: <20110603010802.GA25132@gate.dtucker.net>

On Fri, Jun 3, 2011 at 12:08 PM, Darren Tucker wrote:
[...]
> We could just stick a null implementation of socketpair in the compat
> library that just returns failure and sets errno to ENOENT or
> something. That'd allow any such systems to still compile and mostly
> work, without adding to the work of pulling changes from OpenBSD.

I committed the removal. This code has been in sshd.c for ~5y without an ifdef, so anything that doesn't have socketpair is long broken.

	if (rexec_flag && socketpair(AF_UNIX, SOCK_STREAM, 0, config_s) == -1) {

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From sinkarbabu.kirubanithi at oracle.com Thu Jun 9 03:23:18 2011
From: sinkarbabu.kirubanithi at oracle.com (Sinkarbabu)
Date: Wed, 08 Jun 2011 22:53:18 +0530
Subject: Java wrapper - help needed
Message-ID: <4DEFB006.6070208@oracle.com>

Hi All,

One request: Is there any Java wrapper available to manage OpenSSH? For example, start/stop the SSH/SFTP service.

P.S: If this is not the right mailing list to post such questions, please direct me to the appropriate one.

Regards,
Sinkar

From keisial at gmail.com Fri Jun 10 06:07:36 2011
From: keisial at gmail.com (Ángel González)
Date: Thu, 09 Jun 2011 22:07:36 +0200
Subject: Java wrapper - help needed
In-Reply-To: <4DEFB006.6070208@oracle.com>
References: <4DEFB006.6070208@oracle.com>
Message-ID: <4DF12808.5050508@gmail.com>

Sinkarbabu wrote:
> Hi All,
>
> One request: Is there any Java wrapper available to manage
> OpenSSH? For example, start/stop the SSH/SFTP service.
>
> P.S: If this is not the right mailing list to post such questions,
> please direct me to the appropriate one.
>
> Regards,
> Sinkar

Usually you have a shell script for starting/stopping the sshd daemon, e.g. /etc/rc.d/sshd.
So you can run it from Java using Runtime.exec("/etc/rc.d/sshd start");

From blakesto at gmail.com Sat Jun 11 05:06:36 2011
From: blakesto at gmail.com (Blake Hilliard)
Date: Fri, 10 Jun 2011 14:06:36 -0500
Subject: openssh issue with PAM authentication errors

Hi,

I noticed an issue with the information openssh chooses to print from PAM during authentication. It can be reproduced with the following steps, assuming your system uses openssh, PAM, and allows password retries when logging in:

1. From the root user on a system, create /etc/nologin with a message.
2. Try to log in with another session as a non-root user, but don't do a password retry yet.
3. From the root user, remove /etc/nologin.
4. From the non-root session, retry the password. This time you'll succeed, but then you'll see the contents of /etc/nologin.

In fact, if you retried again in step 2, then you'll see the contents of /etc/nologin printed twice.

This seems like the wrong behavior. The contents of /etc/nologin are sent as a PAM error message and stored in the variable "loginmsg" in openssh. loginmsg is then only displayed if a retry succeeds. At that point, the printed message only applies to the failed authentications, not the successful one. And if you never successfully log in because /etc/nologin is never removed, then you'll never see the /etc/nologin contents displayed. It should probably get printed after each login attempt, not as a final login message. That's how telnet behaves.

The more real-world use case where I've seen this is if you have a system that uses /etc/nologin when booting up to prevent users from logging in until a set of services are fully started.

Thanks,
- Blake

From otokan at gmail.com Mon Jun 13 18:13:10 2011
From: otokan at gmail.com (Onur Cenk)
Date: Mon, 13 Jun 2011 11:13:10 +0300
Subject: Bug 396 - sshd orphans processes when no pty allocated

Hello everyone,

I've looked at the latest nightly snapshot but I couldn't find that this bug is fixed in the source code. Is there any progress on fixing that issue? This bug has been open for almost 10 years, come on guys :)

> List: openssh-unix-dev
> Subject: Re: killing remote commands
> From: HAUTREUX Matthieu
> Date: 2010-10-21 10:09:06
> Message-ID: 4CC01142.90108 () cea ! fr
>
> Flavien,
>
> you are right, this sounds like an old problem. I can redirect you to
> this thread
> http://www.derkeiler.com/Newsgroups/comp.security.ssh/2007-06/msg00139.html
> and this bug https://bugzilla.mindrot.org/show_bug.cgi?id=396 in which
> it is discussed and a patch proposed for 4.6p1. I think that modifying
> the proposed patch for the latest version should be straightforward.
>
> IMHO, having the proposed option "RemoteCommandCleanup" in the main
> branch would be really interesting/necessary.
>
> Regards,
> Matthieu
>
> Flavien wrote:
>> Dear ssh gurus,
>>
>> Here's the version I'm testing on:
>> flavien :/$ ssh -V
>> OpenSSH_5.3p1 Debian-3ubuntu4, OpenSSL 0.9.8k 25 Mar 2009
>>
>> I launch a remote command:
>> flavien$ ssh -o ControlMaster=yes -o ControlPath=/tmp/ssh-control localhost 'echo \
>> pid:$$ ...sleeping...; sleep 2803'
>> flavien at localhost's password:
>> pid:11565 ...sleeping...
>>
>> On another shell, I kill the ssh client:
>> flavien$ ssh -o ControlPath=/tmp/ssh-control -O exit localhost
>> Exit request sent.
>> flavien$
>>
>> The ssh client is killed in the original terminal. Fine. However, the
>> shell at the other end is not killed:
>> flavien$ ps -ef | grep 2803
>> flavien  11565     1  0 10:37 ?        00:00:00 bash -c echo pid:$$ ...sleeping...; sleep 2803
>> flavien  11566 11565  0 10:37 ?        00:00:00 sleep 2803
>>
>> If the remote process is an interactive shell, however, it is killed
>> once the ssh client terminates. I suspect that's because the shell
>> gets an EOF on its stdin. Is this true?
>>
>> From reading this ml for a few years, I have in mind some sort of
>> "signal forwarding" feature that would send a SIGINT to the remote
>> processes. Am I making this up?
>>
>> TIA,
>>
>> Flavien.
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

From sinkarbabu.kirubanithi at oracle.com Mon Jun 13 22:34:09 2011
From: sinkarbabu.kirubanithi at oracle.com (Sinkarbabu)
Date: Mon, 13 Jun 2011 18:04:09 +0530
Subject: Java wrapper - help needed
In-Reply-To: <4DF12808.5050508@gmail.com>
References: <4DEFB006.6070208@oracle.com> <4DF12808.5050508@gmail.com>
Message-ID: <4DF603C1.9070505@oracle.com>

Thanks Angel, I assume this may be the only option around for Java.

One more question: Is there any API available in any native language that can be used to administer OpenSSH (for example, start/stop and maybe a notification in case of a failed transfer etc.)?

Regards,
Sinkar

On 6/10/2011 1:37 AM, Ángel González wrote:
> Sinkarbabu wrote:
>> Hi All,
>>
>> One request: Is there any Java wrapper available to manage
>> OpenSSH? For example, start/stop the SSH/SFTP service.
>>
>> P.S: If this is not the right mailing list to post such questions,
>> please direct me to the appropriate one.
>>
>> Regards,
>> Sinkar
> Usually you have a shell script for starting/stopping the sshd daemon.
> Eg. /etc/rc.d/sshd
> So you can run it from Java using Runtime.exec("/etc/rc.d/sshd start");
>

From bob at proulx.com Tue Jun 14 04:23:22 2011
From: bob at proulx.com (Bob Proulx)
Date: Mon, 13 Jun 2011 12:23:22 -0600
Subject: Java wrapper - help needed
In-Reply-To: <4DF603C1.9070505@oracle.com>
References: <4DEFB006.6070208@oracle.com> <4DF12808.5050508@gmail.com> <4DF603C1.9070505@oracle.com>
Message-ID: <20110613182322.GA4272@hysteria.proulx.com>

Sinkarbabu wrote:
> One more question: Is there any API available in any native language
> that can be used to administer OpenSSH (for example, start/stop and
> maybe a notification in case of a failed transfer etc.)?

Hi Sinkar,

The problem with the specifics of the questions you are asking is that they really have little to do with ssh or sshd themselves. Instead they relate to how you use them *on some particular operating system*. And there are a very many different operating systems. Just within the BSD family there are many, within Unix more, and within GNU/Linux many more. I don't think it is possible to count them because they keep moving around, but there are dozens of reasonably well used ones and hundreds, possibly thousands, of others. In each of those the answer to your questions may be different.

For example, on HP-UX the startup script for sshd is /sbin/init.d/sshd, but on Debian GNU/Linux it is /etc/init.d/ssh, and it is different elsewhere, such as /etc/rc.d/init.d/sshd on RHEL. And each of those may be somewhat different from each other. None of those are included in OpenSSH itself but are added by the operating system.

To hide some of those differences, and for other reasons, it seems that most GNU/Linux distributions are converging on a 'service' command. So for a later GNU/Linux system such as Debian or Red Hat the following will probably be what you need to start and stop the ssh daemon. But not necessarily. Your system may be different.

  service sshd start
  service sshd stop
  service sshd restart

And then you ask about failed transfers... The exit code of programs will tell you whether the command executed successfully or not.
The scp command documents this in the man page:

  EXIT STATUS
       The scp utility exits 0 on success, and >0 if an error occurs.

You should always check the return code for status. For example you could do this:

  #!/bin/sh
  # Take the error branch only when scp fails (non-zero exit status).
  if ! scp localfile foo.example.com:/remote/file; then
    # scp will have produced error messages appropriately
    exit 1
  fi
  exit 0

Or some people prefer the use of -e:

  #!/bin/sh -e
  scp localfile foo.example.com:/remote/file
  exit 0

Does that help you? Maybe and maybe not. You say you are using Java. But OpenSSH is written in C. And I will hazard a guess that most of the developers are also very familiar with shell scripting. But Java specifics? Probably less so, don't know. If you are trying to use Java then I might suggest that a Java specific mailing list might help. It doesn't really matter that you are invoking ssh as it could be any program.

Bob

From eanderle at umich.edu Fri Jun 17 05:28:03 2011
From: eanderle at umich.edu (Eric Anderle)
Date: Thu, 16 Jun 2011 15:28:03 -0400
Subject: Privilege Separation Design Question
Message-ID: <20110616192803.GA27882@munich.citi.umich.edu>

Hello all,

I have a question about the design of the privilege separation aspect of OpenSSH. From what I understand, the interface between the privileged process and the unprivileged one is implemented as a set of well-defined operations with only a small subset of these operations enabled at any given time. These operations are enabled and disabled depending on the task at hand.

What I am wondering is why it was chosen to implement privilege separation in this fashion, particularly the security implications of this design. Also, I would like to know if security would be weakened by allowing a slightly larger subset of operations (namely, PWNAM) to be executed at any time.

Thank you in advance for your help, and please respond to my email address (eanderle at umich.edu) and CC all addresses CC'd here.

Eric

From djm at mindrot.org Fri Jun 17 12:08:48 2011
From: djm at mindrot.org (Damien Miller)
Date: Fri, 17 Jun 2011 12:08:48 +1000 (EST)
Subject: Privilege Separation Design Question
In-Reply-To: <20110616192803.GA27882@munich.citi.umich.edu>
References: <20110616192803.GA27882@munich.citi.umich.edu>

On Thu, 16 Jun 2011, Eric Anderle wrote:

> Hello all,
>
> I have a question about the design of the privilege separation aspect of
> OpenSSH. From what I understand, the interface between the privileged
> process and the unprivileged one is implemented as a set of well-defined
> operations with only a small subset of these operations enabled at any
> given time. These operations are enabled and disabled depending on the
> task at hand.
>
> What I am wondering is why it was chosen to implement privilege
> separation in this fashion, particularly the security implications of
> this design.

The design and motivation of privsep is described in the paper:
http://www.citi.umich.edu/u/provos/papers/privsep.pdf

Operations are generally only exposed when they are needed to limit the attack surface of the monitor, enforce correct protocol flow and reduce the opportunities for a compromised slave to reconnoiter through or request undesirable state changes of the monitor.

> Also, I would like to know if security would be weakened by allowing a
> slightly larger subset of operations (namely, PWNAM) to be executed at
> any time.

getpwnamallow() is used as a state-changing operation in the monitor, as it is called right before user authentication starts, so you'd have to untangle that to begin with.

Why would you want to call it more often? The user name isn't supposed to change during a session.

-d

From djm at mindrot.org Mon Jun 20 14:46:28 2011
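A model of the request-gating idea described above, added here as an example and not taken from OpenSSH's monitor.c: each request in the table carries a permit bit, once-only requests lose it after use, the PWNAM answer is the state change that unlocks the authentication requests, and a successful authentication closes the whole table. The request names, flag names and the `arg` stand-in for a password check are all constructed for this model.

```c
#include <stddef.h>
#include <string.h>

/* Request types the unprivileged child may send; a constructed subset of MONITOR_REQ_*. */
enum req { REQ_PWNAM, REQ_AUTHPASSWORD, REQ_KEYALLOWED, REQ_COUNT };

#define MON_PERMIT 0x1	/* request may be served in the current state */
#define MON_ONCE   0x2	/* permission is dropped after one use */
#define MON_AUTH   0x4	/* the answer decides whether the user is authenticated */

struct monitor_state;
typedef int (*answer_fn)(struct monitor_state *, int arg);

struct mon_entry {
	enum req type;
	int flags;
	answer_fn handler;
};

struct monitor_state {
	struct mon_entry table[REQ_COUNT];
	int have_user;		/* set once PWNAM has been answered */
	int authenticated;
	int auth_attempts;
	int denied;		/* refused requests; the real monitor fatal()s instead */
};

static void permit(struct monitor_state *st, enum req type, int on)
{
	for (size_t i = 0; i < REQ_COUNT; i++) {
		if (st->table[i].type != type)
			continue;
		if (on)
			st->table[i].flags |= MON_PERMIT;
		else
			st->table[i].flags &= ~MON_PERMIT;
	}
}

/* The state change: only after the user is known do the auth requests open up. */
static int answer_pwnam(struct monitor_state *st, int arg)
{
	(void)arg;
	st->have_user = 1;
	permit(st, REQ_AUTHPASSWORD, 1);
	permit(st, REQ_KEYALLOWED, 1);
	return 0;
}

/* arg stands in for the password check result (constructed: 1 = correct). */
static int answer_password(struct monitor_state *st, int arg)
{
	st->auth_attempts++;
	return arg ? 1 : 0;
}

/* A key-allowed lookup never authenticates by itself. */
static int answer_keyallowed(struct monitor_state *st, int arg)
{
	(void)st; (void)arg;
	return 0;
}

void monitor_state_init(struct monitor_state *st)
{
	struct mon_entry init[REQ_COUNT] = {
		{ REQ_PWNAM,        MON_PERMIT | MON_ONCE, answer_pwnam },
		{ REQ_AUTHPASSWORD, MON_AUTH,              answer_password },
		{ REQ_KEYALLOWED,   0,                     answer_keyallowed },
	};
	memset(st, 0, sizeof(*st));
	memcpy(st->table, init, sizeof(init));
}

/*
 * Serve one request. Returns -1 if it is not permitted in the current state
 * (the real monitor dies with "unpermitted request"), 1 if the answer
 * completed authentication, 0 otherwise.
 */
int monitor_dispatch(struct monitor_state *st, enum req type, int arg)
{
	struct mon_entry *ent = NULL;
	int authed;

	for (size_t i = 0; i < REQ_COUNT; i++)
		if (st->table[i].type == type)
			ent = &st->table[i];
	if (ent == NULL || !(ent->flags & MON_PERMIT)) {
		st->denied++;
		return -1;
	}
	authed = ent->handler(st, arg);
	if (ent->flags & MON_ONCE)
		ent->flags &= ~MON_PERMIT;
	if ((ent->flags & MON_AUTH) && authed) {
		/* Preauth is over: nothing in this table is reachable any more. */
		st->authenticated = 1;
		for (size_t i = 0; i < REQ_COUNT; i++)
			st->table[i].flags &= ~MON_PERMIT;
	}
	return authed;
}
```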
From: djm at mindrot.org (Damien Miller)
Date: Mon, 20 Jun 2011 14:46:28 +1000 (EST)
Subject: preauth privsep logging via monitor
In-Reply-To: 
References: 
Message-ID: 

On Thu, 2 Jun 2011, Damien Miller wrote:

> Hi,
>
> This diff (for portable) makes the chrooted preauth privsep process
> log via the monitor using a shared socketpair. It removes the need
> for /dev/log inside /var/empty and makes mandatory sandboxing of the
> privsep child easier down the road (no more socket() syscall required).

FYI this has been committed and will be in the 20110621 snapshot. I
never received any test reports for users of portable OpenSSH, so please
give a snapshot a try and report back.

-d

From djm at mindrot.org Mon Jun 20 14:58:00 2011
From: djm at mindrot.org (Damien Miller)
Date: Mon, 20 Jun 2011 14:58:00 +1000 (EST)
Subject: preauth privsep logging via monitor
In-Reply-To: 
References: 
Message-ID: 

On Thu, 2 Jun 2011, Damien Miller wrote:

> Hi,
>
> This diff (for portable) makes the chrooted preauth privsep process
> log via the monitor using a shared socketpair. It removes the need
> for /dev/log inside /var/empty and makes mandatory sandboxing of the
> privsep child easier down the road (no more socket() syscall required).

FYI this has been committed and will be in the 20110621 snapshot. I
never received any test reports for users of portable OpenSSH, so please
give a snapshot a try and report back.

-d

From vinschen at redhat.com Mon Jun 20 18:08:01 2011
From: vinschen at redhat.com (Corinna Vinschen)
Date: Mon, 20 Jun 2011 10:08:01 +0200
Subject: preauth privsep logging via monitor
In-Reply-To: 
References: 
Message-ID: <20110620080801.GY3437@calimero.vinschen.de>

On Jun 20 14:58, Damien Miller wrote:
> On Thu, 2 Jun 2011, Damien Miller wrote:
>
> > Hi,
> >
> > This diff (for portable) makes the chrooted preauth privsep process
> > log via the monitor using a shared socketpair. It removes the need
> > for /dev/log inside /var/empty and makes mandatory sandboxing of the
> > privsep child easier down the road (no more socket() syscall required).
>
> FYI this has been committed and will be in the 20110621 snapshot. I
> never received any test reports for users of portable OpenSSH, so please
> give a snapshot a try and report back.

I was on vacation when you asked for testing the first time, so I tested
now. I tried from CVS, and it still builds and works fine on Cygwin.

When you say "mandatory sandboxing of the privsep child", this hopefully
doesn't imply that running the privsep child becomes mandatory, too.
This would break running ssh on Cygwin which still lacks descriptor
passing via sendmsg/recvmsg.

Out of curiosity, do you see a way to implement the privsep child
without the need for descriptor passing? Maybe by passing the data over
the socket instead of by passing the descriptor to the data?

Corinna

-- 
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat

From Ondrej.Rajmon at cuzk.cz Mon Jun 20 22:54:38 2011
From: Ondrej.Rajmon at cuzk.cz (Ondrej.Rajmon at cuzk.cz)
Date: Mon, 20 Jun 2011 14:54:38 +0200
Subject: Login records in wtmp for ssh as tty
Message-ID: <42ABC4E796C3974FB59B9D0CA1076BB80C8E13FBD4@E200003.katastr.int>

Hello,

after updating my sshd to openssh-5.8_p2 (Linux Gentoo) I noticed that
every ssh login (that opens a terminal session) causes 2 records to be
written to the wtmp log. For example:

  user1  pts/4  gw.testdom.net  Mon Jun 20 13:33   still logged in
  user1  ssh    gw.testdom.net  Mon Jun 20 13:33 - 13:38  (00:05)

The first one is a standard record which appears only if a terminal
session is opened. The second one is new (at least for me). It always
appears, regardless of the type of ssh session (with or without
terminal). I would highly appreciate such a feature because I want to
see all logged-in users even if they are just forwarding ports to
another target, so they do not open a terminal session.

But what I don't understand is the behavior of that second record. It
gets closed in a few minutes, spontaneously. The few minutes is usually
something between 1 and 30 but can be more than 60, too. So this second
record gives knowledge about established sessions, but doesn't reflect
their real duration.

My questions are:

1) Is such behavior correct?
2) Why is the second record closed automatically regardless of the real
   session duration?
3) What does the timeout for the record closing depend on? Can I
   influence that?

Ondrej

From djm at mindrot.org Tue Jun 21 19:52:32 2011
From: djm at mindrot.org (Damien Miller)
Date: Tue, 21 Jun 2011 19:52:32 +1000 (EST)
Subject: preauth privsep logging via monitor
In-Reply-To: <20110620080801.GY3437@calimero.vinschen.de>
References: <20110620080801.GY3437@calimero.vinschen.de>
Message-ID: 

On Mon, 20 Jun 2011, Corinna Vinschen wrote:

> On Jun 20 14:58, Damien Miller wrote:
> > On Thu, 2 Jun 2011, Damien Miller wrote:
> >
> > > Hi,
> > >
> > > This diff (for portable) makes the chrooted preauth privsep process
> > > log via the monitor using a shared socketpair. It removes the need
> > > for /dev/log inside /var/empty and makes mandatory sandboxing of the
> > > privsep child easier down the road (no more socket() syscall required).
> >
> > FYI this has been committed and will be in the 20110621 snapshot. I
> > never received any test reports for users of portable OpenSSH, so please
> > give a snapshot a try and report back.
>
> I was on vacation when you asked for testing the first time, so I tested
> now. I tried from CVS, and it still builds and works fine on Cygwin.
>
> When you say "mandatory sandboxing of the privsep child", this hopefully
> doesn't imply that running the privsep child becomes mandatory, too.

I mean "mandatory" in the sense of Mandatory Access Control, not that
privsep itself would be mandatory :)

> This would break running ssh on Cygwin which still lacks descriptor passing
> via sendmsg/recvmsg.
>
> Out of curiosity, do you see a way to implement the privsep child
> without the need for descriptor passing? Maybe by passing the data over
> the socket instead of by passing the descriptor to the data?

That's possible but would add a bit of complexity to the monitor - right
now it operates synchronously on two fds, but if it were to process
network traffic too then it would need a non-blocking mainloop of its
own.

-d

From mwlucas at blackhelicopters.org Tue Jun 21 23:15:52 2011
From: mwlucas at blackhelicopters.org (Michael W. Lucas) Date: Tue, 21 Jun 2011 09:15:52 -0400 Subject: SSH book reviewers wanted Message-ID: <20110621131552.GA67380@bewilderbeast.blackhelicopters.org> Hi, Thought there would be some interest here. I'm writing a small book on OpenSSH. Am now looking for tech reviewers. http://blather.michaelwlucas.com/archives/902 ==ml -- Michael W. Lucas http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/ Latest book: Network Flow Analysis http://www.networkflowanalysis.com/ mwlucas at BlackHelicopters.org, Twitter @mwlauthor From cal.leeming at simplicitymedialtd.co.uk Tue Jun 21 23:32:54 2011 
From: cal.leeming at simplicitymedialtd.co.uk (Cal Leeming [Simplicity Media Ltd]) Date: Tue, 21 Jun 2011 14:32:54 +0100 Subject: SSH book reviewers wanted In-Reply-To: <20110621131552.GA67380@bewilderbeast.blackhelicopters.org> References: <20110621131552.GA67380@bewilderbeast.blackhelicopters.org> Message-ID: I'm assuming the book costs money? If so, then I am completely against it. Personally, I don't see anything this book would tell me, that Google wouldn't. On the other hand, if this book is being given out for free, I'd say you've probably wasted your time getting it published, again because all the information I could ever need is in Google. (or in the source code). On Tue, Jun 21, 2011 at 2:15 PM, Michael W. Lucas < mwlucas at blackhelicopters.org> wrote: > Hi, > > Thought there would be some interest here. I'm writing a small book > on OpenSSH. Am now looking for tech reviewers. > > http://blather.michaelwlucas.com/archives/902 > > ==ml > > -- > Michael W. Lucas > http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/ > Latest book: Network Flow Analysis http://www.networkflowanalysis.com/ > mwlucas at BlackHelicopters.org, Twitter @mwlauthor > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > From cal.leeming at simplicitymedialtd.co.uk Wed Jun 22 02:31:44 2011 
From: cal.leeming at simplicitymedialtd.co.uk (Cal Leeming [Simplicity Media Ltd]) Date: Tue, 21 Jun 2011 17:31:44 +0100 Subject: SSH book reviewers wanted In-Reply-To: References: <20110621131552.GA67380@bewilderbeast.blackhelicopters.org> Message-ID: I'm all for high quality documentation, but I completely disagree with someone charging for a book which is aimed at a free and open source product :S On another note, if it was a huge thing (like a book on Linux or Django or something) then fair enough, but the 'cool' things that can be done with OpenSSH could be very easily listed on a single html page. I just don't see the point in it (other than for monetary purposes). On Tue, Jun 21, 2011 at 5:25 PM, Dan Kaminsky wrote: > There's absolutely a place for high quality documentation, and I wish you > nothing but the best for your project. There's lots of interesting uses of > OpenSSH! > > Sent from my iPhone > > On Jun 21, 2011, at 6:32 AM, "Cal Leeming [Simplicity Media Ltd]"< > cal.leeming at simplicitymedialtd.co.uk> wrote: > > > I'm assuming the book costs money? If so, then I am completely against > it. > > Personally, I don't see anything this book would tell me, that Google > > wouldn't. > > > > On the other hand, if this book is being given out for free, I'd say > you've > > probably wasted your time getting it published, again because all the > > information I could ever need is in Google. (or in the source code). > > > > > > > > On Tue, Jun 21, 2011 at 2:15 PM, Michael W. Lucas < > > mwlucas at blackhelicopters.org> wrote: > > > >> Hi, > >> > >> Thought there would be some interest here. I'm writing a small book > >> on OpenSSH. Am now looking for tech reviewers. > >> > >> http://blather.michaelwlucas.com/archives/902 > >> > >> ==ml > >> > >> -- > >> Michael W. 
Lucas > >> http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/ > >> Latest book: Network Flow Analysis http://www.networkflowanalysis.com/ > >> mwlucas at BlackHelicopters.org, Twitter @mwlauthor > >> _______________________________________________ > >> openssh-unix-dev mailing list > >> openssh-unix-dev at mindrot.org > >> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > >> > > _______________________________________________ > > openssh-unix-dev mailing list > > openssh-unix-dev at mindrot.org > > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > From dan at doxpara.com Wed Jun 22 02:25:06 2011 
From: dan at doxpara.com (Dan Kaminsky) Date: Tue, 21 Jun 2011 09:25:06 -0700 Subject: SSH book reviewers wanted In-Reply-To: References: <20110621131552.GA67380@bewilderbeast.blackhelicopters.org> Message-ID: There's absolutely a place for high quality documentation, and I wish you nothing but the best for your project. There's lots of interesting uses of OpenSSH! Sent from my iPhone On Jun 21, 2011, at 6:32 AM, "Cal Leeming [Simplicity Media Ltd]" wrote: > I'm assuming the book costs money? If so, then I am completely against it. > Personally, I don't see anything this book would tell me, that Google > wouldn't. > > On the other hand, if this book is being given out for free, I'd say you've > probably wasted your time getting it published, again because all the > information I could ever need is in Google. (or in the source code). > > > > On Tue, Jun 21, 2011 at 2:15 PM, Michael W. Lucas < > mwlucas at blackhelicopters.org> wrote: > >> Hi, >> >> Thought there would be some interest here. I'm writing a small book >> on OpenSSH. Am now looking for tech reviewers. >> >> http://blather.michaelwlucas.com/archives/902 >> >> ==ml >> >> -- >> Michael W. Lucas >> http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/ >> Latest book: Network Flow Analysis http://www.networkflowanalysis.com/ >> mwlucas at BlackHelicopters.org, Twitter @mwlauthor >> _______________________________________________ >> openssh-unix-dev mailing list >> openssh-unix-dev at mindrot.org >> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev >> > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev From bob at proulx.com Wed Jun 22 05:49:41 2011 
From: bob at proulx.com (Bob Proulx) Date: Tue, 21 Jun 2011 13:49:41 -0600 Subject: SSH book reviewers wanted In-Reply-To: References: <20110621131552.GA67380@bewilderbeast.blackhelicopters.org> Message-ID: <20110621194941.GF1086@hysteria.proulx.com> Cal Leeming wrote: > I'm all for high quality documentation, but I completely disagree with > someone charging for a book which is aimed at an free and open source > product :S > > On another note, if it was a huge thing (like a book on Linux or Django or > something) then fair enough, but the 'cool' things that can be done with > OpenSSH could be very easily listed on a single html page. I just don't see > the point in it (other than for monetary purposes). I like paper books. I don't get as much utility out of electronic documentation for user guides and tutorials. My best tech books are covered with sticky notes and page markers. Most of my best teachers I have never met other than through the pages of their writings. To Michael W. Lucas I wish you the best of luck! Bob From alex at alex.org.uk Wed Jun 22 05:53:54 2011 From: alex at alex.org.uk (Alex Bligh) Date: Tue, 21 Jun 2011 20:53:54 +0100 Subject: SSH book reviewers wanted In-Reply-To: <20110621194941.GF1086@hysteria.proulx.com> References: <20110621131552.GA67380@bewilderbeast.blackhelicopters.org> <20110621194941.GF1086@hysteria.proulx.com> Message-ID: <9BB2799984FC6F3F0EB3C5A6@Ximines.local> --On 21 June 2011 13:49:41 -0600 Bob Proulx wrote: > I like paper books. I don't get as much utility out of electronic > documentation for user guides and tutorials. My best tech books are > covered with sticky notes and page markers. Most of my best teachers > I have never met other than through the pages of their writings. > > To Michael W. Lucas I wish you the best of luck! +1 -- Alex Bligh From raubvogel at gmail.com Wed Jun 22 07:12:05 2011 
From: raubvogel at gmail.com (Mauricio Tavares) Date: Tue, 21 Jun 2011 17:12:05 -0400 Subject: SSH book reviewers wanted In-Reply-To: References: <20110621131552.GA67380@bewilderbeast.blackhelicopters.org> Message-ID: On Tue, Jun 21, 2011 at 12:31 PM, Cal Leeming [Simplicity Media Ltd] wrote: > I'm all for high quality documentation, but I completely disagree with > someone charging for a book which is aimed at an free and open source > product :S > I have books on postfix, dovecot, samba, bind, RT, and other free and open source projects. They do have their place, specially if they are well done; what you are paying for is someone's time not only to compile info but also to organize it in a nice, pleasing, and useful way. Information -- be it on rebuilding a supercharger, care and maintenance of an inflatable sheep, or design of third degree speaker cabinets -- is out there. Sometimes getting the info is part of the fun. Other times you may decide the cost of buying a book is less than your time to get info. Of course, the best part of a book is that you do not have to buy it if you do not want. From cal.leeming at simplicitymedialtd.co.uk Wed Jun 22 07:15:27 2011 
From: cal.leeming at simplicitymedialtd.co.uk (Cal Leeming [Simplicity Media Ltd]) Date: Tue, 21 Jun 2011 22:15:27 +0100 Subject: SSH book reviewers wanted In-Reply-To: References: <20110621131552.GA67380@bewilderbeast.blackhelicopters.org> Message-ID: Forgive me for being a bit old fashioned, but getting your hands On Tue, Jun 21, 2011 at 10:12 PM, Mauricio Tavares wrote: > On Tue, Jun 21, 2011 at 12:31 PM, Cal Leeming [Simplicity Media Ltd] > wrote: > > I'm all for high quality documentation, but I completely disagree with > > someone charging for a book which is aimed at an free and open source > > product :S > > > I have books on postfix, dovecot, samba, bind, RT, and other free > and open source projects. They do have their place, specially if they > are well done; what you are paying for is someone's time not only to > compile info but also to organize it in a nice, pleasing, and useful > way. > > Information -- be it on rebuilding a supercharger, care and > maintenance of an inflatable sheep, or design of third degree speaker > cabinets -- is out there. Sometimes getting the info is part of the > fun. Other times you may decide the cost of buying a book is less than > your time to get info. > So, buying a book + spending time reading it + waiting for delivery + finding the book, is cheaper and faster than just using Google? Sorry, I don't buy it. (no pun intended). > > Of course, the best part of a book is that you do not have to buy it > if you do not want. > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > From gert at greenie.muc.de Wed Jun 22 06:56:39 2011 
From: gert at greenie.muc.de (Gert Doering) Date: Tue, 21 Jun 2011 22:56:39 +0200 Subject: SSH book reviewers wanted In-Reply-To: References: <20110621131552.GA67380@bewilderbeast.blackhelicopters.org> Message-ID: <20110621205639.GV8496@greenie.muc.de> Hi, On Tue, Jun 21, 2011 at 05:31:44PM +0100, Cal Leeming [Simplicity Media Ltd] wrote: > I just don't see the point in it (other than for monetary purposes). Some of us actually have to pay for their living... (And I'm perfectly fine with someone adding value, like "printed and well-readable documentation", to open source stuff and getting paid for it) I'd actually offer to help with the review, but I wouldn't do a good job (too much other things that I already have on my "do in my copious spare time" list that don't get done :( ) - sorry for that. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From mwlucas at blackhelicopters.org Wed Jun 22 11:48:21 2011 
From: mwlucas at blackhelicopters.org (Michael W. Lucas) Date: Tue, 21 Jun 2011 21:48:21 -0400 Subject: SSH book reviewers wanted In-Reply-To: References: <20110621131552.GA67380@bewilderbeast.blackhelicopters.org> Message-ID: <20110622014821.GD70806@bewilderbeast.blackhelicopters.org> Folks, As the original poster of the question: can we please let this thread die? Unquestionably, the hard-core read-the-source approach is best. Some people believe this is the One True Way. Others disagree. Some of those others are willing to pay me for a book. I, in turn, am willing to let the OpenBSD folks handle book pre-orders so that some cash gets funneled back into OpenSSH (admittedly, indirectly). I'm choosing not to argue because, well, it's about as useful as "emacs vs vi." It's not the first time people have thrown this idea at me. Admittedly, it's the first time I've nearly brought a mailing list down in flames by asking for reviewers. My apologies for that. Please return to real technical discussions. Nothing to see here, move along. ==ml -- Michael W. Lucas http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/ Latest book: Network Flow Analysis http://www.networkflowanalysis.com/ mwlucas at BlackHelicopters.org, Twitter @mwlauthor From djm at mindrot.org Wed Jun 22 22:53:05 2011 
From: djm at mindrot.org (Damien Miller)
Date: Wed, 22 Jun 2011 22:53:05 +1000 (EST)
Subject: sandbox pre-auth privsep child
Message-ID: 

Hi,

This patch (relative to -HEAD) defines an API to allow sandboxing of the
pre-auth privsep child and a couple of sandbox implementations.

The idea here is to heavily restrict what the network-facing pre-auth
process can do. This was the original intent behind dropping to a
dedicated uid and chrooting to an empty directory, but even this still
allows a compromised slave process to make new network connections and
try to exploit local kernel attack surface.

Fortunately, now that the logging-via-monitor diff is in, the slave
never needs to open a socket, or any new fd at all - so the set of
syscalls that it runs is very small. This lets us use various OS-level
measures to limit what it can do. This approach is not new - it has been
used by Chris Evans' vsftpd FTP server and, more recently, by Google's
Chrome web browser.

This patch includes three concrete sandbox implementations, a dummy one
for platforms that support nothing else, a weak one that uses
setrlimit(2) and a strong one that uses OpenBSD's systrace(4).

The setrlimit(2) sandbox drops the hard and soft fd, process and
"created file size" limits to zero. This effectively prevents the slave
process from forking or creating new file descriptors (e.g. sockets).
This works surprisingly well on most platforms at preventing a
compromised slave from, e.g., acting as a proxy into one's network but
it doesn't do much to reduce kernel attack surface. Credit goes to
Darren Tucker for this idea.

The systrace(4) sandbox uses systrace's unsupervised fast-path, which is
basically a list of allowed syscalls. The set of allowed syscalls here
is very narrow, so this is excellent containment that prevents the slave
from doing anything nasty directly, and removes almost all of the kernel
attack surface too.

Note that the systrace sandbox uses a recently-committed extension to
systrace (the per-syscall SYSTR_POLICY_KILL policy) that is, so far,
only present in OpenBSD.

I'd like to add specific sandboxes for other platforms too - OS X has
OS-level sandboxing support that looks suitable and shouldn't be too
hard to add. Linux's PR_SET_SECCOMP is too restrictive, but Will
Drewry's patches to extend it to allow a set of permitted syscalls would
make it a great fit. FreeBSD's Capsicum would be another good target.

In the meantime, I'd appreciate test reports of the rlimit sandbox at
least. It should do no harm on any platform that supports setrlimit().

Note that you will need to set "UsePrivilegeSeparation=sandbox" when
starting sshd with this patch to actually use the sandbox.

-d

Index: Makefile.in
===================================================================
RCS file: /var/cvs/openssh/Makefile.in,v
retrieving revision 1.322
diff -u -p -r1.322 Makefile.in
--- Makefile.in	5 May 2011 03:48:37 -0000	1.322
+++ Makefile.in	22 Jun 2011 09:17:44 -0000
@@ -89,7 +89,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw auth2-gss.o gss-serv.o gss-serv-krb5.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ sftp-server.o sftp-common.o \ - roaming_common.o roaming_serv.o + roaming_common.o roaming_serv.o \ + sandbox-null.o sandbox-rlimit.o sandbox-systrace.o MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 Index: configure.ac =================================================================== RCS file: /var/cvs/openssh/configure.ac,v retrieving revision 1.476 diff -u -p -r1.476 configure.ac --- configure.ac 3 Jun 2011 02:11:38 -0000 1.476 +++ configure.ac 22 Jun 2011 09:29:47 -0000 @@ -106,6 +106,16 @@ AC_SUBST([LD]) AC_C_INLINE AC_CHECK_DECL([LLONG_MAX], [have_llong_max=1], , [#include ]) +AC_CHECK_DECL([SYSTR_POLICY_KILL], [have_systr_policy_kill=1], , [ + #include + #include + #include +]) +AC_CHECK_DECL([RLIMIT_NPROC], + [AC_DEFINE([HAVE_RLIMIT_NPROC], [], [sys/resource.h has RLIMIT_NPROC])], , [ + #include + #include +]) use_stack_protector=1 AC_ARG_WITH([stackprotect], 
@@ -2461,6 +2471,34 @@ AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], [ [non-privileged user for privilege separation]) AC_SUBST([SSH_PRIVSEP_USER]) +# Decide which sandbox style to use +sandbox_arg="" +AC_ARG_WITH([sandbox], + [ --with-sandbox=style Specify privilege separation sandbox (no, rlimit, systrace)], + [ + if test "x$withval" = "xyes" ; then + sandbox_arg="" + else + sandbox_arg="$withval" + fi + ] +) +if test "x$sandbox_arg" = "xsystrace" || \ + ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then + SANDBOX_STYLE="systrace" + AC_DEFINE([SANDBOX_SYSTRACE], [1], [Sandbox using systrace(4)]) +elif test "x$sandbox_arg" = "xrlimit" || \ + ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" ) ; then + SANDBOX_STYLE="rlimit" + AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)]) +elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \ + test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then + SANDBOX_STYLE="none" + AC_DEFINE([SANDBOX_NULL], [1], [no privsep sandboxing]) +else + AC_MSG_ERROR([unsupported -with-sandbox]) +fi + # Cheap hack to ensure NEWS-OS libraries are arranged right. if test ! -z "$SONY" ; then LIBS="$LIBS -liberty"; @@ -4191,6 +4229,7 @@ echo " IP address in \$DISPLAY hac echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" echo " BSD Auth support: $BSD_AUTH_MSG" echo " Random number source: $RAND_MSG" +echo " Privsep sandbox style: $SANDBOX_STYLE" echo "" Index: sandbox-null.c =================================================================== RCS file: sandbox-null.c diff -N sandbox-null.c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ sandbox-null.c 22 Jun 2011 09:17:44 -0000 
@@ -0,0 +1,71 @@ +/* + * Copyright (c) 2011 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" + +#ifdef SANDBOX_NULL + +#include + +#include +#include +#include +#include +#include +#include + +#include "log.h" +#include "sandbox.h" +#include "xmalloc.h" + +/* dummy sandbox */ + +struct ssh_sandbox { + int junk; +}; + +struct ssh_sandbox * +ssh_sandbox_init(void) +{ + struct ssh_sandbox *box; + + /* + * Strictly, we don't need to maintain any state here but we need + * to return non-NULL to satisfy the API. + */ + box = xcalloc(1, sizeof(*box)); + return box; +} + +void +ssh_sandbox_child(struct ssh_sandbox *box) +{ + /* Nothing to do here */ +} + +void +ssh_sandbox_parent_finish(struct ssh_sandbox *box) +{ + free(box); +} + +void +ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid) +{ + /* Nothing to do here */ +} + +#endif /* SANDBOX_NULL */ Index: sandbox-rlimit.c =================================================================== RCS file: sandbox-rlimit.c diff -N sandbox-rlimit.c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ sandbox-rlimit.c 22 Jun 2011 12:35:14 -0000 
@@ -0,0 +1,92 @@ +/* + * Copyright (c) 2011 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" + +#ifdef SANDBOX_RLIMIT + +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include + +#include "log.h" +#include "sandbox.h" +#include "xmalloc.h" + +/* Minimal sandbox that sets zero nfiles, nprocs and filesize rlimits */ + +struct ssh_sandbox { + pid_t child_pid; +}; + +struct ssh_sandbox * +ssh_sandbox_init(void) +{ + struct ssh_sandbox *box; + + /* + * Strictly, we don't need to maintain any state here but we need + * to return non-NULL to satisfy the API. 
+ */ + debug3("%s: preparing rlimit sandbox", __func__); + box = xcalloc(1, sizeof(*box)); + box->child_pid = 0; + + return box; +} + +void +ssh_sandbox_child(struct ssh_sandbox *box) +{ + struct rlimit rl_zero; + + rl_zero.rlim_cur = rl_zero.rlim_max = 0; + + if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1) + fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", + __func__, strerror(errno)); + if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1) + fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", + __func__, strerror(errno)); +#ifdef HAVE_RLIMIT_NPROC + if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1) + fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s", + __func__, strerror(errno)); +#endif +} + +void +ssh_sandbox_parent_finish(struct ssh_sandbox *box) +{ + free(box); + debug3("%s: finished", __func__); +} + +void +ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid) +{ + box->child_pid = child_pid; +} + +#endif /* SANDBOX_RLIMIT */ Index: sandbox-systrace.c =================================================================== RCS file: sandbox-systrace.c diff -N sandbox-systrace.c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ sandbox-systrace.c 22 Jun 2011 09:17:44 -0000 
@@ -0,0 +1,187 @@ +/* + * Copyright (c) 2011 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" + +#ifdef SANDBOX_SYSTRACE + +#include +#include +#include +#include +#include + +#include + +#include +#include +#include +#include +#include +#include +#include +#include + +#include "atomicio.h" +#include "log.h" +#include "sandbox.h" +#include "xmalloc.h" + +static const int preauth_policy[] = { + SYS___sysctl, + SYS_close, + SYS_exit, + SYS_getpid, + SYS_gettimeofday, + SYS_madvise, + SYS_mmap, + SYS_mprotect, + SYS_poll, + SYS_munmap, + SYS_read, + SYS_select, + SYS_sigprocmask, + SYS_write, + -1 +}; + +struct ssh_sandbox { + int child_sock; + int parent_sock; + int systrace_fd; + pid_t child_pid; + struct systrace_policy policy; +}; + +struct ssh_sandbox * +ssh_sandbox_init(void) +{ + struct ssh_sandbox *box; + int s[2]; + + debug3("%s: preparing systrace sandbox", __func__); + box = xcalloc(1, sizeof(*box)); + if (socketpair(AF_UNIX, SOCK_STREAM, 0, s) == -1) + fatal("%s: socketpair: %s", __func__, strerror(errno)); + box->child_sock = s[0]; + box->parent_sock = s[1]; + box->systrace_fd = -1; + box->child_pid = 0; + + return box; +} + +void +ssh_sandbox_child(struct ssh_sandbox *box) +{ + char whatever = 0; + + close(box->parent_sock); + /* 
Signal parent that we are ready */ + debug3("%s: ready", __func__); + if (atomicio(vwrite, box->child_sock, &whatever, 1) != 1) + fatal("%s: write: %s", __func__, strerror(errno)); + /* Wait for parent to signal for us to go */ + if (atomicio(read, box->child_sock, &whatever, 1) != 1) + fatal("%s: read: %s", __func__, strerror(errno)); + debug3("%s: started", __func__); + close(box->child_sock); +} + +static void +ssh_sandbox_parent(struct ssh_sandbox *box, pid_t child_pid, + const int *allowed_syscalls) +{ + int dev_systrace, i, j, found; + char whatever = 0; + + debug3("%s: wait for child %ld", __func__, (long)child_pid); + box->child_pid = child_pid; + close(box->child_sock); + /* Wait for child to signal that it is ready */ + if (atomicio(read, box->parent_sock, &whatever, 1) != 1) + fatal("%s: read: %s", __func__, strerror(errno)); + debug3("%s: child %ld ready", __func__, (long)child_pid); + + /* Set up systracing of child */ + if ((dev_systrace = open("/dev/systrace", O_RDONLY)) == -1) + fatal("%s: open(\"/dev/systrace\"): %s", __func__, + strerror(errno)); + if (ioctl(dev_systrace, STRIOCCLONE, &box->systrace_fd) == -1) + fatal("%s: ioctl(STRIOCCLONE, %d): %s", __func__, + dev_systrace, strerror(errno)); + close(dev_systrace); + debug3("%s: systrace attach, fd=%d", __func__, box->systrace_fd); + if (ioctl(box->systrace_fd, STRIOCATTACH, &child_pid) == -1) + fatal("%s: ioctl(%d, STRIOCATTACH, %d): %s", __func__, + box->systrace_fd, child_pid, strerror(errno)); + + /* Allocate and assign policy */ + bzero(&box->policy, sizeof(box->policy)); + box->policy.strp_op = SYSTR_POLICY_NEW; + box->policy.strp_maxents = SYS_MAXSYSCALL; + if (ioctl(box->systrace_fd, STRIOCPOLICY, &box->policy) == -1) + fatal("%s: ioctl(%d, STRIOCPOLICY (new)): %s", __func__, + box->systrace_fd, strerror(errno)); + + box->policy.strp_op = SYSTR_POLICY_ASSIGN; + box->policy.strp_pid = box->child_pid; + if (ioctl(box->systrace_fd, STRIOCPOLICY, &box->policy) == -1) + fatal("%s: ioctl(%d, 
STRIOCPOLICY (assign)): %s", + __func__, box->systrace_fd, strerror(errno)); + + /* Set per-syscall policy */ + for (i = 0; i < SYS_MAXSYSCALL; i++) { + for (j = found = 0; allowed_syscalls[j] != -1 && !found; j++) { + if (allowed_syscalls[j] == i) + found = 1; + } + box->policy.strp_op = SYSTR_POLICY_MODIFY; + box->policy.strp_code = i; + box->policy.strp_policy = found ? + SYSTR_POLICY_PERMIT : SYSTR_POLICY_KILL; + if (found) + debug3("%s: policy: enable syscall %d", __func__, i); + if (ioctl(box->systrace_fd, STRIOCPOLICY, + &box->policy) == -1) + fatal("%s: ioctl(%d, STRIOCPOLICY (modify)): %s", + __func__, box->systrace_fd, strerror(errno)); + } + + /* Signal the child to start running */ + debug3("%s: start child %ld", __func__, (long)child_pid); + if (atomicio(vwrite, box->parent_sock, &whatever, 1) != 1) + fatal("%s: write: %s", __func__, strerror(errno)); + close(box->parent_sock); +} + +void +ssh_sandbox_parent_finish(struct ssh_sandbox *box) +{ + /* Closing this before the child exits will terminate it */ + close(box->systrace_fd); + + free(box); + debug3("%s: finished", __func__); +} + +void +ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid) +{ + ssh_sandbox_parent(box, child_pid, preauth_policy); +} + +#endif /* SANDBOX_SYSTRACE */ Index: sandbox.h =================================================================== RCS file: sandbox.h diff -N sandbox.h --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ sandbox.h 22 Jun 2011 09:17:44 -0000 
@@ -0,0 +1,22 @@ +/* + * Copyright (c) 2011 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +struct ssh_sandbox; + +struct ssh_sandbox *ssh_sandbox_init(void); +void ssh_sandbox_child(struct ssh_sandbox *); +void ssh_sandbox_parent_finish(struct ssh_sandbox *); +void ssh_sandbox_parent_preauth(struct ssh_sandbox *, pid_t); Index: servconf.c =================================================================== RCS file: /var/cvs/openssh/servconf.c,v retrieving revision 1.217 diff -u -p -r1.217 servconf.c --- servconf.c 20 Jun 2011 04:43:11 -0000 1.217 +++ servconf.c 22 Jun 2011 09:17:44 -0000 @@ -280,7 +280,7 @@ fill_default_server_options(ServerOption /* Turn privilege separation on by default */ if (use_privsep == -1) - use_privsep = 1; + use_privsep = PRIVSEP_SANDBOX; #ifndef HAVE_MMAP if (use_privsep && options->compression == 1) { @@ -701,6 +701,12 @@ static const struct multistate multistat { "no", 0 }, { NULL, -1 } }; +static const struct multistate multistate_privsep[] = { + { "sandbox", PRIVSEP_SANDBOX }, + { "yes", PRIVSEP_ON }, + { "no", PRIVSEP_OFF }, + { NULL, -1 } +}; int process_server_config_line(ServerOptions *options, char *line, 
@@ -1066,7 +1072,8 @@ process_server_config_line(ServerOptions case sUsePrivilegeSeparation: intptr = &use_privsep; - goto parse_flag; + multistate_ptr = multistate_privsep; + goto parse_multistate; case sAllowUsers: while ((arg = strdelim(&cp)) && *arg != '\0') { @@ -1549,31 +1556,34 @@ parse_server_config(ServerOptions *optio } static const char * -fmt_intarg(ServerOpCodes code, int val) +fmt_multistate_int(int val, const struct multistate *m) { - if (code == sAddressFamily) { - switch (val) { - case AF_INET: - return "inet"; - case AF_INET6: - return "inet6"; - case AF_UNSPEC: - return "any"; - default: - return "UNKNOWN"; - } - } - if (code == sPermitRootLogin) { - switch (val) { - case PERMIT_NO_PASSWD: - return "without-password"; - case PERMIT_FORCED_ONLY: - return "forced-commands-only"; - case PERMIT_YES: - return "yes"; - } + u_int i; + + if (val == -1) + return "unset"; + for (i = 0; m[i].key != NULL; i++) { + if (m[i].value == val) + return m[i].key; } - if (code == sProtocol) { + return "UNKNOWN"; +} + +static const char * +fmt_intarg(ServerOpCodes code, int val) +{ + switch (code) { + case sAddressFamily: + return fmt_multistate_int(val, multistate_addressfamily); + case sPermitRootLogin: + return fmt_multistate_int(val, multistate_permitrootlogin); + case sGatewayPorts: + return fmt_multistate_int(val, multistate_gatewayports); + case sCompression: + return fmt_multistate_int(val, multistate_compression); + case sUsePrivilegeSeparation: + return fmt_multistate_int(val, multistate_privsep); + case sProtocol: switch (val) { case SSH_PROTO_1: return "1"; 
@@ -1584,20 +1594,18 @@ fmt_intarg(ServerOpCodes code, int val) default: return "UNKNOWN"; } + default: + switch (val) { + case -1: + return "unset"; + case 0: + return "no"; + case 1: + return "yes"; + default: + return "UNKNOWN"; + } } - if (code == sGatewayPorts && val == 2) - return "clientspecified"; - if (code == sCompression && val == COMP_DELAYED) - return "delayed"; - switch (val) { - case -1: - return "unset"; - case 0: - return "no"; - case 1: - return "yes"; - } - return "UNKNOWN"; } static const char * Index: servconf.h =================================================================== RCS file: /var/cvs/openssh/servconf.h,v retrieving revision 1.90 diff -u -p -r1.90 servconf.h --- servconf.h 29 May 2011 11:39:39 -0000 1.90 +++ servconf.h 22 Jun 2011 09:17:44 -0000 @@ -36,6 +36,11 @@ #define PERMIT_NO_PASSWD 2 #define PERMIT_YES 3 +/* use_privsep */ +#define PRIVSEP_OFF 0 +#define PRIVSEP_ON 1 +#define PRIVSEP_SANDBOX 2 + #define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */ #define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */ Index: sshd.c =================================================================== RCS file: /var/cvs/openssh/sshd.c,v retrieving revision 1.405 diff -u -p -r1.405 sshd.c --- sshd.c 20 Jun 2011 04:42:23 -0000 1.405 +++ sshd.c 22 Jun 2011 09:17:44 -0000 @@ -118,6 +118,7 @@ #endif #include "monitor_wrap.h" #include "roaming.h" +#include "sandbox.h" #include "version.h" #ifdef LIBWRAP 
@@ -624,18 +625,23 @@ privsep_preauth(Authctxt *authctxt) { int status; pid_t pid; + struct ssh_sandbox *box = NULL; /* Set up unprivileged child process to deal with network data */ pmonitor = monitor_init(); /* Store a pointer to the kex for later rekeying */ pmonitor->m_pkex = &xxx_kex; + if (use_privsep == PRIVSEP_SANDBOX) + box = ssh_sandbox_init(); pid = fork(); if (pid == -1) { fatal("fork of unprivileged child failed"); } else if (pid != 0) { debug2("Network child is on pid %ld", (long)pid); + if (box != NULL) + ssh_sandbox_parent_preauth(box, pid); pmonitor->m_pid = pid; monitor_child_preauth(authctxt, pmonitor); @@ -643,10 +649,21 @@ privsep_preauth(Authctxt *authctxt) monitor_sync(pmonitor); /* Wait for the child's exit status */ - while (waitpid(pid, &status, 0) < 0) + while (waitpid(pid, &status, 0) < 0) { if (errno != EINTR) - break; - return (1); + fatal("%s: waitpid: %s", __func__, + strerror(errno)); + } + if (WIFEXITED(status)) { + if (WEXITSTATUS(status) != 0) + fatal("%s: preauth child exited with status %d", + __func__, WEXITSTATUS(status)); + } else if (WIFSIGNALED(status)) + fatal("%s: preauth child terminated by signal %d", + __func__, WTERMSIG(status)); + if (box != NULL) + ssh_sandbox_parent_finish(box); + return 1; } else { /* child */ close(pmonitor->m_sendfd); @@ -659,8 +676,11 @@ privsep_preauth(Authctxt *authctxt) if (getuid() == 0 || geteuid() == 0) privsep_preauth_child(); setproctitle("%s", "[net]"); + if (box != NULL) + ssh_sandbox_child(box); + + return 0; } - return (0); } static void From djm at mindrot.org Wed Jun 22 23:06:45 2011 
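Review bot: in ssh_sandbox_parent() in the sandbox-systrace.c hunk, the ready/go handshake cannot distinguish a child that died before reaching ssh_sandbox_child() (for example a fatal() inside privsep_preauth_child()) from an I/O error: atomicio(read, box->parent_sock, ...) just returns short and the monitor dies with "%s: read: %s" and whatever errno is left behind. Test the EOF case separately and say so, e.g. fatal("%s: child %ld exited before sandbox handshake", ...), so a startup failure of the sandboxed child is diagnosable from the monitor's log. The ordering itself is right: the parent blocks in this handshake before monitor_child_preauth() runs, so STRIOCATTACH and the per-syscall SYSTR_POLICY_KILL assignment are complete before the child reads its go byte and begins handling network input.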
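Review bot: the new sandbox.h carries no include guard; since sshd.c and each sandbox-*.c now include it, wrap the declarations in the usual #ifndef/#define pair so a second inclusion is harmless.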
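Review bot: the fmt_intarg() rewrite in servconf.c drops the explicit "clientspecified" (sGatewayPorts == 2) and "delayed" (sCompression == COMP_DELAYED) strings in favour of lookups in multistate_gatewayports and multistate_compression, neither of which appears in this diff; confirm those tables use exactly those key strings, otherwise `sshd -T` output silently changes. Separately, fill_default_server_options() now defaults use_privsep to PRIVSEP_SANDBOX unconditionally, so `sshd -T` prints "sandbox" even on a build whose selected sandbox enforces nothing (the null sandbox the follow-up message mentions); logging the compiled-in sandbox style at startup would let an operator verify what is actually in force.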
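Review bot: in the privsep_preauth() hunk the waitpid() loop now fails closed, turning the old `break; return (1);` into a fatal() on waitpid errors, on a non-zero exit and on termination by signal; that is the right direction, and for SANDBOX_SYSTRACE a policy violation arrives here precisely as a signal (SYSTR_POLICY_KILL). Because the "preauth child terminated by signal %d" line is then the only record of a sandbox violation, consider naming the sandbox in that message and logging it at a level that survives normal syslog filtering, so defenders can alert on it rather than mistake it for an ordinary crash.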
From: djm at mindrot.org (Damien Miller)
Date: Wed, 22 Jun 2011 23:06:45 +1000 (EST)
Subject: sandbox pre-auth privsep child

On Wed, 22 Jun 2011, Damien Miller wrote:

> Hi,
>
> This patch (relative to -HEAD) defines an API to allow sandboxing of the
> pre-auth privsep child and a couple of sandbox implementations.

If you want to verify that the sandbox is actually working, you might want to try this little hack.

Needless to say, don't bother doing this with the null sandbox :)

--- sshd.c.orig 2011-06-22 23:05:21.000000000 +1000 +++ sshd.c 2011-06-22 23:05:28.000000000 +1000 @@ -676,8 +676,14 @@ if (getuid() == 0 || geteuid() == 0) privsep_preauth_child(); setproctitle("%s", "[net]"); - if (box != NULL) + if (box != NULL) { ssh_sandbox_child(box); + if (fork() != -1) + fatal("fork() succeeded despite sandbox"); + if (socket(AF_INET, SOCK_STREAM, 0) != -1) + fatal("fork() succeeded despite sandbox"); + debug("sandbox seems to be working"); + } return 0; }

From alex at alex.org.uk Thu Jun 23 01:21:20 2011
From: alex at alex.org.uk (Alex Bligh)
Date: Wed, 22 Jun 2011 16:21:20 +0100
Subject: sandbox pre-auth privsep child
Message-ID: <9B3B175EB97518B8AAE346B6@Ximines.local>

--On 22 June 2011 22:53:05 +1000 Damien Miller wrote:

> The idea here is to heavily restrict what the network-face pre-auth
> process can do. This was the original intent behind dropping to a
> dedicated uid and chrooting to an empty directory, but even this still
> allows a compromised slave process to make new network connections and
> try to exploit local kernel attack surface

Perhaps not ready for primetime, but at least on Linux have you looked at CLONE_NEWNET etc.? This generates a child with (essentially) an unconfigured network stack; the other CLONE_XXX flags may be useful too.

--
Alex Bligh

From dkg at fifthhorseman.net Thu Jun 23 00:07:14 2011
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 22 Jun 2011 10:07:14 -0400
Subject: sandbox pre-auth privsep child
Message-ID: <4E01F712.3040405@fifthhorseman.net>

On 06/22/2011 09:06 AM, Damien Miller wrote:

>> This patch (relative to -HEAD) defines an API to allow sandboxing of the
>> pre-auth privsep child and a couple of sandbox implementations.

thanks for doing this, Damien. I like this approach.

A quick note on this test:

> - if (box != NULL)
> + if (box != NULL) {
> ssh_sandbox_child(box);
> + if (fork() != -1)
> + fatal("fork() succeeded despite sandbox");
> + if (socket(AF_INET, SOCK_STREAM, 0) != -1)
> + fatal("fork() succeeded despite sandbox");

i think this error message should mention socket() instead of fork().

Regards,

--dkg

From scott_n at xypro.com Thu Jun 23 01:20:06 2011
From: scott_n at xypro.com (Scott Neugroschl)
Date: Wed, 22 Jun 2011 08:20:06 -0700
Subject: sandbox pre-auth privsep child
Message-ID: <78DD71C304F38B41885A242996B96F7302BB145A@xyservd.XYPRO-23.LOCAL>

> On Wed, 22 Jun 2011, Damien Miller wrote:
>
> > Hi,
> >
> > This patch (relative to -HEAD) defines an API to allow sandboxing of
> the
> > pre-auth privsep child and a couple of sandbox implementations.
>
> If you want to verify that the sandbox is actually working, you might
> want to try this little hack.
>
> Needless to say, don't bother doing this with the null sandbox :)
>
> --- sshd.c.orig 2011-06-22 23:05:21.000000000 +1000
> +++ sshd.c 2011-06-22 23:05:28.000000000 +1000
> @@ -676,8 +676,14 @@
> if (getuid() == 0 || geteuid() == 0)
> privsep_preauth_child();
> setproctitle("%s", "[net]");
> - if (box != NULL)
> + if (box != NULL) {
> ssh_sandbox_child(box);
> + if (fork() != -1)
> + fatal("fork() succeeded despite sandbox");
> + if (socket(AF_INET, SOCK_STREAM, 0) != -1)
> + fatal("fork() succeeded despite sandbox");
> + debug("sandbox seems to be working");
> + }
>
> return 0;
> }

The message in the second fatal() call should probably read "socket() succeeded..." instead of "fork() succeeded..."

From danielsh at apache.org Thu Jun 23 01:17:10 2011
From: danielsh at apache.org (Daniel Shahaf)
Date: Wed, 22 Jun 2011 18:17:10 +0300
Subject: Logging failed attempts to correct usernames
Message-ID: <20110622151710.GA8800@daniel3.local>

[ using FreeBSD 8.2, but I don't think the problem is specific to their port ]

For fail2ban purposes I'd like to log failed SSH authentication attempts of correct (i.e., existing) usernames. I have no issue with the logging of authn attempts to non-existing usernames.

I've tried to set LogLevel=VERBOSE and MaxAuthAttempts=1 in sshd_config, but even then I didn't see /var/log/auth.log entries for failed login attempts from a third host to an existing username. (I didn't spot any other relevant knobs in sshd_config(5).)

I assumed I'd see such log entries since the docs of MaxAuthAttempts state any failed attempts after MaxAuthAttempts/2 will be logged, so I interpreted that even the first failed authn attempt would be logged when MaxAuthAttempts=1.

How can I cause sshd to log all failed authentication attempts to existing usernames?

Thanks,

From djm at mindrot.org Thu Jun 23 20:51:24 2011
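The distinction Daniel's question turns on (failures against accounts that exist versus accounts sshd rejects as "invalid user") is visible in the log lines themselves once they are emitted. The following is an added example, not code from the thread or from OpenSSH, showing how a fail2ban-style filter can separate the two and count per-source failures; it assumes the usual sshd wording "Failed <method> for [invalid user] <user> from <ip> port <port> ssh2", and the log lines it runs over are constructed, not captured.

```python
"""Classify sshd authentication failures by whether the target account exists.

Added example (not from the thread or from OpenSSH).  Assumes the syslog
wording "Failed <method> for [invalid user] <user> from <ip> port <n> ssh2".
"""
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/auth.log entries (not real traffic).
SAMPLE_LOG = """\
Jun 22 15:01:02 host sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Jun 22 15:01:05 host sshd[1234]: Failed password for root from 192.0.2.10 port 40002 ssh2
Jun 22 15:01:09 host sshd[1240]: Failed publickey for alice from 198.51.100.7 port 40003 ssh2
Jun 22 15:01:12 host sshd[1241]: Failed password for alice from 198.51.100.7 port 40004 ssh2
Jun 22 15:01:20 host sshd[1242]: Accepted publickey for alice from 198.51.100.7 port 40005 ssh2
Jun 22 15:01:33 host sshd[1250]: Failed password for invalid user test from 203.0.113.5 port 40006 ssh2
"""

# "invalid user " is the marker sshd inserts when the account does not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text):
    """Yield (ip, user, method, account_exists) for each failed-auth line."""
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m is None:
            continue  # accepted logins and unrelated lines are skipped
        yield m["ip"], m["user"], m["method"], m["invalid"] is None


def failures_by_source(text, existing_only=True):
    """Count failures per source IP; with existing_only, ignore attempts
    against accounts that sshd flagged as 'invalid user'."""
    counts = Counter()
    for ip, _user, _method, exists in parse_failures(text):
        if existing_only and not exists:
            continue
        counts[ip] += 1
    return counts


def targeted_accounts(text):
    """Map each existing account that saw failures to its set of source IPs."""
    targets = defaultdict(set)
    for ip, user, _method, exists in parse_failures(text):
        if exists:
            targets[user].add(ip)
    return dict(targets)


if __name__ == "__main__":
    for ip, n in failures_by_source(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} failure(s) against existing accounts")
    print(targeted_accounts(SAMPLE_LOG))
```

With `existing_only=True` the counter only grows for the existing-account failures Daniel wants to act on; the "invalid user" lines are still parsed, so a separate threshold can be applied to them if wanted.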
From: djm at mindrot.org (Damien Miller)
Date: Thu, 23 Jun 2011 20:51:24 +1000 (EST)
Subject: sandbox for OS X

Hi,

The systrace and rlimit sandboxes have been committed and will be in snapshots dated 20110623 and later. This diff adds support for pre-auth privsep sandboxing using the OS X sandbox_init(3) service.

It's a bit disappointing that the OS X developers chose such namespace-polluting header and function names ("sandbox.h", "sandbox_init()", etc.). It already forced me to rename a header in OpenSSH.

Anyway, the OS X sandbox uses the strictest of the canned policies: "kSBXProfilePureComputation". It passes regress tests and seems to deny calls to fork() as expected. Barring objections, I'll commit this soon - please test.

Anyone want to write a FreeBSD capsicum sandbox while I sleep? Take a look at one of the existing sandbox-*.c for the API, it's pretty trivial...

-d

Index: Makefile.in =================================================================== RCS file: /var/cvs/openssh/Makefile.in,v retrieving revision 1.323 diff -u -p -r1.323 Makefile.in --- Makefile.in 22 Jun 2011 22:30:03 -0000 1.323 +++ Makefile.in 23 Jun 2011 10:41:08 -0000
@@ -90,7 +90,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ sftp-server.o sftp-common.o \ roaming_common.o roaming_serv.o \ - sandbox-null.o sandbox-rlimit.o sandbox-systrace.o + sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 Index: configure.ac =================================================================== RCS file: /var/cvs/openssh/configure.ac,v retrieving revision 1.477 diff -u -p -r1.477 configure.ac --- configure.ac 22 Jun 2011 22:30:03 -0000 1.477 +++ configure.ac 23 Jun 2011 10:41:08 -0000 @@ -525,6 +525,8 @@ main() { if (NSVersionOfRunTimeLibrary(" AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV], [Define to a Set Process Title type if your system is supported by bsd-setproctitle.c]) + AC_CHECK_FUNCS([sandbox_init]) + AC_CHECK_HEADERS([sandbox.h]) ;; *-*-dragonfly*) SSHDLIBS="$SSHDLIBS -lcrypt" 
@@ -2487,6 +2489,11 @@ if test "x$sandbox_arg" = "xsystrace" || ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then SANDBOX_STYLE="systrace" AC_DEFINE([SANDBOX_SYSTRACE], [1], [Sandbox using systrace(4)]) +elif test "x$sandbox_arg" = "xdarwin" || \ + ( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \ + test "x$ac_cv_header_sandbox_h" = "xyes") ; then + SANDBOX_STYLE="darwin" + AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)]) elif test "x$sandbox_arg" = "xrlimit" || \ ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" ) ; then SANDBOX_STYLE="rlimit" Index: sandbox-darwin.c =================================================================== RCS file: sandbox-darwin.c diff -N sandbox-darwin.c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ sandbox-darwin.c 23 Jun 2011 10:41:08 -0000 
@@ -0,0 +1,82 @@ +/* + * Copyright (c) 2011 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" + +#ifdef SANDBOX_DARWIN + +#include + +#include + +#include +#include +#include +#include +#include +#include + +#include "log.h" +#include "sandbox.h" +#include "xmalloc.h" + +/* Darwin/OS X sandbox */ + +struct ssh_sandbox { + pid_t child_pid; +}; + +struct ssh_sandbox * +ssh_sandbox_init(void) +{ + struct ssh_sandbox *box; + + /* + * Strictly, we don't need to maintain any state here but we need + * to return non-NULL to satisfy the API. + */ + debug3("%s: preparing Darwin sandbox", __func__); + box = xcalloc(1, sizeof(*box)); + box->child_pid = 0; + + return box; +} + +void +ssh_sandbox_child(struct ssh_sandbox *box) +{ + char *errmsg; + + debug3("%s: starting Darwin sandbox", __func__); + if (sandbox_init(kSBXProfilePureComputation, SANDBOX_NAMED, + &errmsg) == -1) + fatal("%s: sandbox_init: %s", __func__, errmsg); +} + +void +ssh_sandbox_parent_finish(struct ssh_sandbox *box) +{ + free(box); + debug3("%s: finished", __func__); +} + +void +ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid) +{ + box->child_pid = child_pid; +} + +#endif /* SANDBOX_DARWIN */ From djm at mindrot.org Thu Jun 23 21:34:19 2011 
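Review bot: sandbox-darwin.c's ssh_sandbox_child() relies on the named profile alone, whereas sandbox-rlimit.c earlier in this thread also zeroes RLIMIT_FSIZE, RLIMIT_NOFILE and RLIMIT_NPROC; layering those setrlimit() calls after sandbox_init() costs nothing and keeps fork() and socket() refused even if kSBXProfilePureComputation is looser than its name suggests, so it is worth adding regardless of what the profile is documented to deny. Also, the hunk still includes the project header as "sandbox.h" while configure.ac now checks for a system sandbox.h on the same platform; with -I. on the compile line an angle-bracket include can resolve to the project's file first, so the header rename the message refers to should be part of this diff (the Makefile.in hunk shows no header change).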
From: djm at mindrot.org (Damien Miller)
Date: Thu, 23 Jun 2011 21:34:19 +1000 (EST)
Subject: preauth privsep logging via monitor
References: <20110620080801.GY3437@calimero.vinschen.de>

On Tue, 21 Jun 2011, Damien Miller wrote:

> > This would break running ssh on Cygwin which still lacks descriptor passing
> > via sendmsg/recvmsg.
> >
> > Out of curiosity, do you see a way to implement the privsep child
> > without the need for descriptor passing? Maybe by passing the data over
> > the socket instead of by passing the descriptor to the data?
>
> That's possible but would add a bit of complexity to the monitor - right
> now it operates synchronously on two fds, but if it were to process
> network traffic too then it would need a non-blocking mainloop of its own.

Actually, fd passing is only used by the post-auth monitor. So it should be possible to enable pre-auth privsep on Cygwin if it isn't already. The sandbox may help too if Cygwin supports setrlimit(). If there are stronger sandboxing primitives available then we could write a sandbox-cygwin.c to take advantage of them.

Unfortunately, the fds that are passed between the post-auth monitor and its user-privilege child are ptys and these are not as amenable to basic shuffling data back and forth as network sockets.

-d

From vinschen at redhat.com Fri Jun 24 01:33:25 2011
From: vinschen at redhat.com (Corinna Vinschen)
Date: Thu, 23 Jun 2011 17:33:25 +0200
Subject: preauth privsep logging via monitor
References: <20110620080801.GY3437@calimero.vinschen.de>
Message-ID: <20110623153325.GB20806@calimero.vinschen.de>

On Jun 23 21:34, Damien Miller wrote:

> On Tue, 21 Jun 2011, Damien Miller wrote:
>
> > > This would break running ssh on Cygwin which still lacks descriptor passing
> > > via sendmsg/recvmsg.
> > >
> > > Out of curiosity, do you see a way to implement the privsep child
> > > without the need for descriptor passing? Maybe by passing the data over
> > > the socket instead of by passing the descriptor to the data?
> >
> > That's possible but would add a bit of complexity to the monitor - right
> > now it operates synchronously on two fds, but if it were to process
> > network traffic too then it would need a non-blocking mainloop of its own.
>
> Actually, fd passing is only used by the post-auth monitor. So it should
> be possible to enable pre-auth privsep on Cygwin if it isn't already.

Yes, preauth privsep works already.

> The sandbox may help too if Cygwin supports setrlimit().

I didn't test your latest changes so far. Sadly, setrlimit support is ...limited. Right now Cygwin only supports setting RLIMIT_CORE and RLIMIT_NOFILE and both are more or less faked. You can't set the NOFILE limit lower than the current internal file table size. The call succeeds, but the size of the table is not reduced. There's also no OS support for this functionality, so malicious code would always be able to open and create files using the underlying OS functions, within the bounds of the user's permissions.

> If there are stronger sandboxing primitives available then we could
> write a sandbox-cygwin.c to take advantage of them.

Hmm, I have to think about that. I'm not sure if the security models match enough to do something useful. Typically the sshd account should be set up to have not much rights anyway. A normal user account has only a bare minimum user token, so there's not much to gain by dropping privileges from the token. Maybe we could drop some groups, or we could lower the integrity level of the process on Vista and later, but I'm not sure if that's feasible.

> Unfortunately, the fds that are passed between the post-auth monitor and
> its user-privilege child are ptys and these are not as amenable to basic
> shuffling data back and forth as network sockets.

Ptys are just named pipes in Cygwin since Windows lacks native pty support.

Anyway, I would be more glad if I had a good idea how to implement descriptor passing in Cygwin instead.

Corinna

--
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat

From djm at mindrot.org Fri Jun 24 09:45:30 2011
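Corinna's point above (setrlimit() returns success on Cygwin without the limit being enforced) is why a sandbox's return code alone is not evidence that it works, which is also what Damien's fork()/socket() hack earlier in the thread checks. The following is an added example, not code from the thread or from OpenSSH: it applies the same three zero rlimits as sandbox-rlimit.c inside a forked child, then probes whether socket() and fork() are actually refused and reports the result through the child's exit status. Function names and the exit-status bitmask are this example's own; it assumes a POSIX system with Python's resource module.

```python
"""Probe whether an rlimit-style sandbox actually enforces what setrlimit()
accepted.  Added example (not from the thread or from OpenSSH): it mirrors
sandbox-rlimit.c plus the fork()/socket() self-test discussed in the thread.
"""
import errno
import os
import resource
import socket

# Bits the sandboxed child reports through its exit status (this example's
# own convention).
SOCKET_DENIED = 1
FORK_DENIED = 2


def apply_rlimit_sandbox():
    """Same three limits sandbox-rlimit.c sets, all zeroed."""
    zero = (0, 0)
    resource.setrlimit(resource.RLIMIT_FSIZE, zero)
    resource.setrlimit(resource.RLIMIT_NOFILE, zero)
    if hasattr(resource, "RLIMIT_NPROC"):  # the HAVE_RLIMIT_NPROC case
        resource.setrlimit(resource.RLIMIT_NPROC, zero)


def probe_in_child():
    """Runs in the child: apply the sandbox, then attempt the calls it is
    meant to deny.  Never returns; exits with a bitmask of what was refused."""
    result = 0
    try:
        apply_rlimit_sandbox()
    except OSError:
        os._exit(0)  # limits could not even be applied: nothing enforced
    # With RLIMIT_NOFILE at 0 no new descriptor may be created, so socket()
    # must fail; a "successful" setrlimit that does not shrink the table
    # (the Cygwin behaviour described above) shows up here as a success.
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.close()
    except OSError as e:
        if e.errno in (errno.EMFILE, errno.ENFILE):
            result |= SOCKET_DENIED
    # RLIMIT_NPROC refuses fork() for unprivileged uids only (root is exempt
    # on Linux), so this bit is informational rather than required.
    try:
        pid = os.fork()
        if pid == 0:
            os._exit(0)  # unexpected grandchild: leave quietly
        os.waitpid(pid, 0)
    except OSError as e:
        if e.errno == errno.EAGAIN:
            result |= FORK_DENIED
    os._exit(result)


def run_sandbox_probe():
    """Fork, sandbox the child, and return the bitmask it reported
    (-1 if the child died of a signal and the probe is inconclusive)."""
    pid = os.fork()
    if pid == 0:
        probe_in_child()
    _, status = os.waitpid(pid, 0)
    if not os.WIFEXITED(status):
        return -1
    return os.WEXITSTATUS(status)


def sandbox_enforced(mask):
    """Trust the sandbox only if socket() creation was actually refused."""
    return mask >= 0 and bool(mask & SOCKET_DENIED)


if __name__ == "__main__":
    mask = run_sandbox_probe()
    print("socket denied:", mask >= 0 and bool(mask & SOCKET_DENIED),
          "fork denied:", mask >= 0 and bool(mask & FORK_DENIED))
    print("sandbox enforced:", sandbox_enforced(mask))
```

Only the socket() result decides the verdict, because RLIMIT_NOFILE applies to every uid while RLIMIT_NPROC does not constrain root; on a platform where setrlimit() is faked, `sandbox_enforced()` returns False even though every setrlimit() call succeeded.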
From: djm at mindrot.org (Damien Miller)
Date: Fri, 24 Jun 2011 09:45:30 +1000 (EST)
Subject: sandbox for OS X

On Thu, 23 Jun 2011, Damien Miller wrote:

>
> Hi,
>
> The systrace and rlimit sandboxes have been committed and will be in
> snapshots dated 20110623 and later. This diff adds support for
> pre-auth privsep sandboxing using the OS X sandbox_init(3) service.
>
> It's a bit disappointing that the OS X developers chose such
> namespace-polluting header and function names "sandbox.h",
> "sandbox_init()", etc. It already forced me to rename a header in
> OpenSSH.
>
> Anyway, the OS X sandbox uses the strictest of the canned policies:
> "kSBXProfilePureComputation". It passes regress tests and seems to
> deny calls to fork() as expected. Barring objections, I'll commit
> this soon - please test.

Markus points out that, despite its name, the kSBXProfilePureComputation sandbox actually allows the sandboxed process to create sockets (WTH?). So here is a revised version of the diff that uses setrlimit() to prevent that too.

-d

Index: ChangeLog =================================================================== RCS file: /var/cvs/openssh/ChangeLog,v retrieving revision 1.5912 diff -u -p -r1.5912 ChangeLog --- ChangeLog 23 Jun 2011 09:45:51 -0000 1.5912 +++ ChangeLog 23 Jun 2011 23:41:14 -0000 @@ -1,3 +1,7 @@ +20110624 + - (djm) [configure.ac Makefile.in sandbox-darwin.c] Add a sandbox for + Darwin/OS X using sandbox_init() + setrlimit() + 20110623 - OpenBSD CVS Sync - djm at cvs.openbsd.org 2011/06/22 21:47:28 Index: Makefile.in =================================================================== RCS file: /var/cvs/openssh/Makefile.in,v retrieving revision 1.323 diff -u -p -r1.323 Makefile.in --- Makefile.in 22 Jun 2011 22:30:03 -0000 1.323 +++ Makefile.in 23 Jun 2011 22:33:38 -0000
@@ -90,7 +90,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ sftp-server.o sftp-common.o \ roaming_common.o roaming_serv.o \ - sandbox-null.o sandbox-rlimit.o sandbox-systrace.o + sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 Index: configure.ac =================================================================== RCS file: /var/cvs/openssh/configure.ac,v retrieving revision 1.477 diff -u -p -r1.477 configure.ac --- configure.ac 22 Jun 2011 22:30:03 -0000 1.477 +++ configure.ac 23 Jun 2011 22:33:38 -0000 @@ -525,6 +525,8 @@ main() { if (NSVersionOfRunTimeLibrary(" AC_DEFINE([SPT_TYPE], [SPT_REUSEARGV], [Define to a Set Process Title type if your system is supported by bsd-setproctitle.c]) + AC_CHECK_FUNCS([sandbox_init]) + AC_CHECK_HEADERS([sandbox.h]) ;; *-*-dragonfly*) SSHDLIBS="$SSHDLIBS -lcrypt" 
@@ -2487,6 +2489,11 @@ if test "x$sandbox_arg" = "xsystrace" || ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then SANDBOX_STYLE="systrace" AC_DEFINE([SANDBOX_SYSTRACE], [1], [Sandbox using systrace(4)]) +elif test "x$sandbox_arg" = "xdarwin" || \ + ( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \ + test "x$ac_cv_header_sandbox_h" = "xyes") ; then + SANDBOX_STYLE="darwin" + AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)]) elif test "x$sandbox_arg" = "xrlimit" || \ ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" ) ; then SANDBOX_STYLE="rlimit" Index: sandbox-darwin.c =================================================================== RCS file: sandbox-darwin.c diff -N sandbox-darwin.c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ sandbox-darwin.c 23 Jun 2011 22:36:07 -0000 
@@ -0,0 +1,98 @@ +/* + * Copyright (c) 2011 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" + +#ifdef SANDBOX_DARWIN + +#include + +#include + +#include +#include +#include +#include +#include +#include + +#include "log.h" +#include "sandbox.h" +#include "xmalloc.h" + +/* Darwin/OS X sandbox */ + +struct ssh_sandbox { + pid_t child_pid; +}; + +struct ssh_sandbox * +ssh_sandbox_init(void) +{ + struct ssh_sandbox *box; + + /* + * Strictly, we don't need to maintain any state here but we need + * to return non-NULL to satisfy the API. + */ + debug3("%s: preparing Darwin sandbox", __func__); + box = xcalloc(1, sizeof(*box)); + box->child_pid = 0; + + return box; +} + +void +ssh_sandbox_child(struct ssh_sandbox *box) +{ + char *errmsg; + struct rlimit rl_zero; + + debug3("%s: starting Darwin sandbox", __func__); + if (sandbox_init(kSBXProfilePureComputation, SANDBOX_NAMED, + &errmsg) == -1) + fatal("%s: sandbox_init: %s", __func__, errmsg); + + /* + * The kSBXProfilePureComputation still allows sockets, so + * we must disable these using rlimit. 
+ */ + rl_zero.rlim_cur = rl_zero.rlim_max = 0; + if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1) + fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", + __func__, strerror(errno)); + if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1) + fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", + __func__, strerror(errno)); + if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1) + fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s", + __func__, strerror(errno)); +} + +void +ssh_sandbox_parent_finish(struct ssh_sandbox *box) +{ + free(box); + debug3("%s: finished", __func__); +} + +void +ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid) +{ + box->child_pid = child_pid; +} + +#endif /* SANDBOX_DARWIN */

From guettli at thomas-guettler.de Wed Jun 29 20:57:15 2011
From: guettli at thomas-guettler.de (Thomas Güttler)
Date: Wed, 29 Jun 2011 12:57:15 +0200
Subject: Enhance sftp protocol: get SHA hash of file
Message-ID: <4E0B050B.7000701@thomas-guettler.de>

Hi,

it would be great if the sftp protocol could be enhanced: get sha (or other hash value) from a file or part of a file.

This would make it possible to run a rsync like file transfer on sftp.

I would suggest a protocol like this. Client sends to Server:

  get-supported hash-methods
    returns whitespace separated list like md5 sha1 sha256 ....

  get-hash HASH-METHOD FILENAME STARTOFFSET BYTECOUNT
    returns: hexlified hash value (all lowercase)

To get the hash value of the whole file: STARTOFFSET=0 and BYTECOUNT=0

Anyone interested?

Thomas Güttler

From philipp.marek at linbit.com Wed Jun 29 21:04:59 2011
From: philipp.marek at linbit.com (Philipp Marek)
Date: Wed, 29 Jun 2011 13:04:59 +0200
Subject: Enhance sftp protocol: get SHA hash of file
In-Reply-To: <4E0B050B.7000701@thomas-guettler.de>
References: <4E0B050B.7000701@thomas-guettler.de>
Message-ID: <201106291304.59377.philipp.marek@linbit.com>

On Wednesday 29 June 2011, Thomas Güttler wrote:
> This would make it possible to run a rsync like file transfer
> on sftp.
Well, this would work for append-only files; if bytes get inserted or deleted in the middle, you'd need a Manber-Hash like rsync uses.
But then you'd be reimplementing rsync anyway...

> To get the hash value of the whole file: STARTOFFSET=0 and BYTECOUNT=0
Better make that BYTECOUNT=-1, that's easier for divide-and-conquer strategies - and it works for the case when the file is zero bytes long, too.

Regards,

Phil

From guettli at thomas-guettler.de Wed Jun 29 21:57:55 2011
From: guettli at thomas-guettler.de (Thomas Güttler)
Date: Wed, 29 Jun 2011 13:57:55 +0200
Subject: Enhance sftp protocol: get SHA hash of file
In-Reply-To: <201106291304.59377.philipp.marek@linbit.com>
References: <4E0B050B.7000701@thomas-guettler.de> <201106291304.59377.philipp.marek@linbit.com>
Message-ID: <4E0B1343.9030009@thomas-guettler.de>

On 29.06.2011 13:04, Philipp Marek wrote:
> On Wednesday 29 June 2011, Thomas Güttler wrote:
>> This would make it possible to run a rsync like file transfer
>> on sftp.
> Well, this would work for append-only files; if bytes get inserted or
> deleted in the middle, you'd need a Manber-Hash like rsync uses.

Hi Phil,

I tried to find more info about "Manber-Hash". You are the author of this perl module?

Unfortunately the link on this page is broken: http://search.cpan.org/~pmarek/Digest-ManberHash-0.7/ManberHash.pm

This page does not exist any more: http://citeseer.nj.nec.com/manber94finding.html.

My intention for the hash values enhancement for sftp is a deduplication backup system. I would cut files into chunks with a fixed offset.

Thomas

From dan at doxpara.com Wed Jun 29 21:05:57 2011
From: dan at doxpara.com (Dan Kaminsky)
Date: Wed, 29 Jun 2011 04:05:57 -0700
Subject: Enhance sftp protocol: get SHA hash of file
In-Reply-To: <4E0B050B.7000701@thomas-guettler.de>
References: <4E0B050B.7000701@thomas-guettler.de>
Message-ID:

I could see various uses of this, and it's not like OpenSSH doesn't already have sha1 built in. It could also be hacked in via a command line channel, seeking sha1sum or a perl oneliner.

On Wed, Jun 29, 2011 at 3:57 AM, Thomas Güttler wrote:
> Hi,
>
> it would be great if the sftp protocol could be
> enhanced: get sha (or other hash value) from a file or part of a file.
>
> This would make it possible to run a rsync like file transfer
> on sftp.
>
> I would suggest a protocol like this
>
> Client sends to Server:
>
> get-supported hash-methods
>
> returns whitespace separated list like md5 sha1 sha256 ....
>
> get-hash HASH-METHOD FILENAME STARTOFFSET BYTECOUNT
>
> returns: hexlified hash value (all lowercase)
>
> To get the hash value of the whole file: STARTOFFSET=0 and BYTECOUNT=0
>
> Anyone interested?
>
> Thomas Güttler
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From philipp.marek at linbit.com Wed Jun 29 22:07:10 2011
From: philipp.marek at linbit.com (Philipp Marek)
Date: Wed, 29 Jun 2011 14:07:10 +0200
Subject: Enhance sftp protocol: get SHA hash of file
In-Reply-To: <4E0B1343.9030009@thomas-guettler.de>
References: <4E0B050B.7000701@thomas-guettler.de> <201106291304.59377.philipp.marek@linbit.com> <4E0B1343.9030009@thomas-guettler.de>
Message-ID: <201106291407.10692.philipp.marek@linbit.com>

On Wednesday 29 June 2011, Thomas Güttler wrote:
> I tried to find more info about "Manber-Hash". You are the author
> of this perl module?
Yes.

> Unfortunately the link on this page is broken:
>
> http://search.cpan.org/~pmarek/Digest-ManberHash-0.7/ManberHash.pm
That's bad.

> This page does not exist any more:
> http://citeseer.nj.nec.com/manber94finding.html.
The paper was named "Finding Similar Files in a Large File System"; http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.12.3222&rep=rep1&type=pdf seems to be a version of it.

> My intention for the hash values enhancement for sftp is a deduplication
> backup system. I would cut files into chunks with a fixed offset.
Well, if you'd prefer a C implementation, there's
http://fsvs.tigris.org/source/browse/fsvs/branches/fsvs-1.2.x/fsvs/src/checksum.c?revision=2423&view=markup
with documentation here:
http://doc.fsvs-software.org/doxygen-gif/checksum_8c.html#_details

Regards,

Phil

From mouring at eviladmin.org Thu Jun 30 00:40:00 2011
From: mouring at eviladmin.org (Ben Lindstrom)
Date: Wed, 29 Jun 2011 09:40:00 -0500
Subject: Enhance sftp protocol: get SHA hash of file
In-Reply-To: <201106291407.10692.philipp.marek@linbit.com>
References: <4E0B050B.7000701@thomas-guettler.de> <201106291304.59377.philipp.marek@linbit.com> <4E0B1343.9030009@thomas-guettler.de> <201106291407.10692.philipp.marek@linbit.com>
Message-ID: <7A95EFCA-0529-4659-88A0-5964606696CF@eviladmin.org>

On Jun 29, 2011, at 7:07 AM, Philipp Marek wrote:

>> My intention for the hash values enhancement for sftp is a deduplication
>> backup system. I would cut files into chunks with a fixed offset.
> Well, if you'd prefer a C implementation, there's
> http://fsvs.tigris.org/source/browse/fsvs/branches/fsvs-1.2.x/fsvs/src/checksum.c?revision=2423&view=markup
> with documentation here:
> http://doc.fsvs-software.org/doxygen-gif/checksum_8c.html#_details

Incompatible license. =( It would have to be something closer to BSD 2 clause to be acceptable as part of OpenSSH.

- Ben

From mouring at offwriting.org Thu Jun 30 00:00:18 2011
From: mouring at offwriting.org (Ben Lindstrom)
Date: Wed, 29 Jun 2011 09:00:18 -0500
Subject: Enhance sftp protocol: get SHA hash of file
In-Reply-To:
References: <4E0B050B.7000701@thomas-guettler.de>
Message-ID: <69574770-7801-4741-9263-4A05650792A2@offwriting.org>

However, sftp doesn't link to crypto libraries by default. =-)

A few years back I hacked in a simple "sumslist at eviladmin.org" protocol based on the block size that sftp set for its window, but instead of SHA1 I was using MD5 at the time. You could simply request a single block or loop through and request a list of blocks. The server side code is dead simple and, following the tradition of the rest of the sftp-server code, is rather unintelligent and very very simple (read: if you wanted a block list the client had to loop through the local file with the current window size and request an MD5 checksum per block). It was under 400 lines so it isn't that complex.

It didn't support any cool features like sliding windows, etc. But that complexity could be implemented on the client side. It was more a proof of concept than a real implementation (the implementation sucks rocks and I know there are bugs in it).

I abandoned it for some reason. I really wish I knew why. I suspect it had to do with the cost of doing the checksum list approaching the cost of actually downloading the file in the method I chose to implement it.

- Ben

On Jun 29, 2011, at 6:05 AM, Dan Kaminsky wrote:

> I could see various uses of this, and it's not like OpenSSH doesn't already
> have sha1 built in. It could also be hacked in via a command line channel,
> seeking sha1sum or a perl oneliner.
>
> On Wed, Jun 29, 2011 at 3:57 AM, Thomas Güttler wrote:
>
>> Hi,
>>
>> it would be great if the sftp protocol could be
>> enhanced: get sha (or other hash value) from a file or part of a file.
>>
>> This would make it possible to run a rsync like file transfer
>> on sftp.
>>
>> I would suggest a protocol like this
>>
>> Client sends to Server:
>>
>> get-supported hash-methods
>>
>> returns whitespace separated list like md5 sha1 sha256 ....
>>
>> get-hash HASH-METHOD FILENAME STARTOFFSET BYTECOUNT
>>
>> returns: hexlified hash value (all lowercase)
>>
>> To get the hash value of the whole file: STARTOFFSET=0 and BYTECOUNT=0
>>
>> Anyone interested?
>>
>> Thomas Güttler

From tj at castaglia.org Thu Jun 30 02:37:58 2011
From: tj at castaglia.org (TJ Saunders)
Date: Wed, 29 Jun 2011 09:37:58 -0700 (PDT)
Subject: Enhance sftp protocol: get SHA hash of file
In-Reply-To: <4E0B050B.7000701@thomas-guettler.de>
References: <4E0B050B.7000701@thomas-guettler.de>
Message-ID:

> it would be great if the sftp protocol could be
> enhanced: get sha (or other hash value) from a file or part of a file.
>
> This would make it possible to run a rsync like file transfer
> on sftp.
>
> I would suggest a protocol like this
>
> Client sends to Server:
>
> get-supported hash-methods
>
> returns whitespace separated list like md5 sha1 sha256 ....
>
> get-hash HASH-METHOD FILENAME STARTOFFSET BYTECOUNT
>
> returns: hexlified hash value (all lowercase)
>
> To get the hash value of the whole file: STARTOFFSET=0 and BYTECOUNT=0
>
> Anyone interested?

Rather than reinventing the wheel, you might take a look at the (expired) Draft which proposed the "check-file-name" and "check-file-handle" SFTP extensions:

http://tools.ietf.org/html/draft-ietf-secsh-filexfer-extensions-00

These extensions have been implemented by various SFTP clients and servers.

Cheers,
TJ

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To spend too much time in studies is sloth. -Francis Bacon
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From guettli at thomas-guettler.de Thu Jun 30 06:25:10 2011
From: guettli at thomas-guettler.de (Thomas Güttler)
Date: Wed, 29 Jun 2011 22:25:10 +0200
Subject: Enhance sftp protocol: get SHA hash of file
In-Reply-To:
References: <4E0B050B.7000701@thomas-guettler.de>
Message-ID: <4E0B8A26.5070506@thomas-guettler.de>

On 29.06.2011 18:37, TJ Saunders wrote:
>
>> it would be great if the sftp protocol could be
>> enhanced: get sha (or other hash value) from a file or part of a file.
...
>
> Rather than reinventing the wheel, you might take a look at the (expired)
> Draft which proposed the "check-file-name" and "check-file-handle" SFTP
> extensions:
>
> http://tools.ietf.org/html/draft-ietf-secsh-filexfer-extensions-00
>
> These extensions have been implemented by various SFTP clients and
> servers.

Thank you very much!

I googled for servers which support check-file-handle, but I found only proftpd which supports it.

The ietf extension is even better than my first proposal: You can give a blocksize and get N hash values with one response.

I'm not a fluent C programmer. Any volunteers to implement this?

Thomas Güttler

From philipp.marek at linbit.com Thu Jun 30 16:24:45 2011
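The range-hash request from Thomas's proposal and the block-size variant he describes above (one response carrying N digests), modelled as an added example; this is not OpenSSH or sftp-server code and does not reproduce the draft's wire format, only the semantics. Two conventions are assumptions: a byte count of -1 means "to end of file" (Philipp's suggestion) and a block size of 0 means "one digest for the whole range".

```python
"""Model of 'get-hash METHOD FILE START COUNT' plus a per-block variant.
Added example, not OpenSSH/sftp-server code. Assumed conventions:
count == -1 -> hash to end of file; block_size == 0 -> single digest."""
import hashlib
import io

# Methods the server would advertise in reply to "get-supported hash-methods".
SUPPORTED = ("md5", "sha1", "sha256")


def supported_hash_methods():
    """Whitespace-separated list, as proposed in the thread."""
    return " ".join(SUPPORTED)


def bytes_file(data):
    """Constructed in-memory stand-in for a file on the sftp server."""
    return io.BytesIO(data)


def _digest(fileobj, method, nbytes):
    """Feed exactly nbytes from the current file position to a fresh hash."""
    h = hashlib.new(method)
    while nbytes > 0:
        data = fileobj.read(min(nbytes, 64 * 1024))
        if not data:
            # Size was checked before hashing; a short read means the file shrank.
            raise IOError("file shrank while hashing")
        h.update(data)
        nbytes -= len(data)
    return h.hexdigest()  # hexlified, all lowercase


def hash_range(fileobj, method, start, count=-1, block_size=0):
    """Return lowercase hex digests covering fileobj[start : start + count].

    block_size == 0 -> one digest for the whole range (the single get-hash).
    block_size >  0 -> one digest per block, last block possibly short
                       (the N-hashes-per-response form of the draft extension).
    count == -1     -> from start to end of file. For an empty file this yields
                       the digest of zero bytes, which is why -1 works where a
                       0 sentinel would be ambiguous with "zero bytes".
    A range that is clipped by end of file is hashed as far as it exists.
    """
    if method not in SUPPORTED:
        raise ValueError("unsupported hash method: %s" % method)
    if start < 0 or count < -1 or block_size < 0:
        raise ValueError("negative start, count or block size")
    fileobj.seek(0, io.SEEK_END)
    size = fileobj.tell()
    if start > size:
        raise ValueError("start offset beyond end of file")
    end = size if count == -1 else min(size, start + count)
    fileobj.seek(start)
    remaining = end - start
    if block_size == 0:
        return [_digest(fileobj, method, remaining)]
    digests = []
    while remaining > 0:
        n = min(block_size, remaining)
        digests.append(_digest(fileobj, method, n))
        remaining -= n
    return digests


if __name__ == "__main__":
    # Constructed sample contents, not a file from the thread.
    print(supported_hash_methods())
    print(hash_range(bytes_file(b"abc" * 4), "sha1", 0))            # whole file
    print(hash_range(bytes_file(b"abc" * 4), "md5", 0, -1, 3))      # four blocks
    print(hash_range(bytes_file(b""), "md5", 0))                    # empty file
```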
From: philipp.marek at linbit.com (Philipp Marek)
Date: Thu, 30 Jun 2011 08:24:45 +0200
Subject: Enhance sftp protocol: get SHA hash of file
In-Reply-To: <7A95EFCA-0529-4659-88A0-5964606696CF@eviladmin.org>
References: <4E0B050B.7000701@thomas-guettler.de> <201106291407.10692.philipp.marek@linbit.com> <7A95EFCA-0529-4659-88A0-5964606696CF@eviladmin.org>
Message-ID: <201106300824.45195.philipp.marek@linbit.com>

> >> My intention for the hash values enhancement for sftp is a
> >> deduplication backup system. I would cut files into chunks with a
> >> fixed offset.
> >
> > Well, if you'd prefer a C implementation, there's
> >
> > http://fsvs.tigris.org/source/browse/fsvs/branches/fsvs-1.2.x/fsvs/src/checksum.c?revision=2423&view=markup
> >
> > with documentation here:
> > http://doc.fsvs-software.org/doxygen-gif/checksum_8c.html#_details
>
> Incompatible license. =( It would have to be something closer to BSD 2
> clause to be acceptable as part of OpenSSH.
Well, as I'm the author of that file, I hereby license the manber-related code in that file as BSD 2 - or whatever else is needed for use in openssh.

Perhaps it saves a bit of time - it certainly is no complicated piece of code.

Regards,

Phil

From philipp.marek at linbit.com Thu Jun 30 16:34:09 2011
From: philipp.marek at linbit.com (Philipp Marek)
Date: Thu, 30 Jun 2011 08:34:09 +0200
Subject: Enhance sftp protocol: get SHA hash of file
In-Reply-To: <69574770-7801-4741-9263-4A05650792A2@offwriting.org>
References: <4E0B050B.7000701@thomas-guettler.de> <69574770-7801-4741-9263-4A05650792A2@offwriting.org>
Message-ID: <201106300834.09792.philipp.marek@linbit.com>

> A few years back I hacked in a simple "sumslist at eviladmin.org" protocol
> based on the block size that sftp set for its window, but instead of
> SHA1 I was using MD5 at the time. You could simply request a single
> block or loop through and request a list of blocks.
...
> I abandoned it for some reason. I really wish I knew why. I suspect it
> had to do with the cost of doing the checksum list was approaching
> the cost of actually downloading the file in the method I chose to
> implement it.
Well, I'd expect a simple command "manber-hashes START LENGTH" - perhaps with an optional setting that defines the average block size - that streams (start, length, manber-hash, MD5/SHA1) back to the client to be much more useful; it would be much faster than transmitting the whole file and wouldn't need that many query operations.

In the file I referenced in the other mail I use the MD5, the previous-to-last manber hash and the last manber-hash (which has per definition N rightmost bits zero) - that's a few bits more security than just using MD5 (where collisions can be created).
Of course, using SHA1 might (at least for the moment ;) be enough.

Perhaps, to be on the safe side, another optional parameter could specify "MD5+SHA1+SHA512+CRC32+..." to get all of these checksums ;)

Regards,

Phil

From mouring at offwriting.org Thu Jun 30 16:55:36 2011
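The point Philipp makes above (and in his first reply, that fixed-offset chunks break as soon as bytes are inserted in the middle), as an added example that is not code from the thread, FSVS or OpenSSH: a rolling hash over the last few bytes cuts a chunk wherever its N rightmost bits are zero, so one inserted byte shifts every later fixed-offset chunk but leaves nearly all content-defined chunks reusable. The window size, mask width and polynomial base are demo parameters chosen here, not values from the thread; the mask width is what sets the average block size Philipp mentions.

```python
"""Fixed-offset chunk hashes versus Manber-style content-defined chunks.
Added example, not code from the thread, FSVS or OpenSSH. Parameters below
are demo choices; the average chunk length is about 2 ** MASK_BITS bytes."""
import hashlib

WINDOW = 16        # bytes covered by the rolling hash (assumed)
MASK_BITS = 5      # cut where the 5 rightmost hash bits are zero (assumed)
BASE = 1000003     # polynomial base of the rolling hash (assumed)
MOD = 1 << 32


def fixed_chunks(data, size):
    """Thomas's first idea: cut the file at fixed offsets."""
    return [data[i:i + size] for i in range(0, len(data), size)] or [b""]


def manber_chunks(data, window=WINDOW, mask_bits=MASK_BITS, base=BASE):
    """Cut after every position where the polynomial hash of the last
    `window` bytes has `mask_bits` rightmost bits zero. A boundary depends
    only on the bytes inside the window, never on the absolute offset, so
    the chunking re-synchronises `window` bytes after any insertion."""
    mask = (1 << mask_bits) - 1
    drop = pow(base, window, MOD)      # weight of the byte leaving the window
    chunks, start, h = [], 0, 0
    for i, b in enumerate(data):
        h = (h * base + b) % MOD       # shift the window right by one byte
        if i >= window:
            h = (h - data[i - window] * drop) % MOD
        if (h & mask) == 0:            # the "N rightmost bits zero" rule
            chunks.append(data[start:i + 1])
            start = i + 1
    if start < len(data) or not chunks:
        chunks.append(data[start:])    # trailing partial chunk
    return chunks


def reused_bytes(old_chunks, new_chunks):
    """Bytes of old_chunks whose content (by SHA-1) also occurs in new_chunks,
    i.e. what a client holding the old file could skip transferring."""
    seen = {hashlib.sha1(c).digest() for c in new_chunks}
    return sum(len(c) for c in old_chunks if hashlib.sha1(c).digest() in seen)


def sample_data(nblocks=256):
    """Constructed 8 KiB of deterministic pseudo-random bytes."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                    for i in range(nblocks))


def compare(data=None, insert_at=None, fixed_size=64):
    """Insert one byte and report reusable bytes under both chunking schemes."""
    data = sample_data() if data is None else data
    m = len(data) // 2 if insert_at is None else insert_at
    modified = data[:m] + b"\x00" + data[m:]
    return {
        "total": len(data),
        "fixed": reused_bytes(fixed_chunks(data, fixed_size),
                              fixed_chunks(modified, fixed_size)),
        "manber": reused_bytes(manber_chunks(data), manber_chunks(modified)),
    }


if __name__ == "__main__":
    # Expect roughly half the bytes reusable with fixed offsets (everything
    # after the insertion shifts) and nearly all of them with Manber chunks.
    print(compare())
```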
From: mouring at offwriting.org (Ben Lindstrom)
Date: Thu, 30 Jun 2011 01:55:36 -0500
Subject: Enhance sftp protocol: get SHA hash of file
In-Reply-To: <201106300834.09792.philipp.marek@linbit.com>
References: <4E0B050B.7000701@thomas-guettler.de> <69574770-7801-4741-9263-4A05650792A2@offwriting.org> <201106300834.09792.philipp.marek@linbit.com>
Message-ID: <5B409363-5775-42E1-8C6A-AC1EDCF95A09@offwriting.org>

Looking at the RFC that was posted in this thread. It is best to implement that as it is a bit more robust than mine. Again mine was a proof of concept where the server can have a very simple extended feature and the client does all the heavy lifting (e.g. like with our remote_glob() implementation). And it mostly succeeded, and I'm sure it would have been better if the tests were non-localhost. =)

At this moment I'm not inclined to breathe life into my patch nor implement the RFC. Just isn't in my timeline for the next month or two. However, implementing the server extension should be pretty much child's play. The hard part is making a get/put that groks and takes effective advantage of it (or so my experience had shown).

- Ben

On Jun 30, 2011, at 1:34 AM, Philipp Marek wrote:

>> A few years back I hacked in a simple "sumslist at eviladmin.org" protocol
>> based on the block size that sftp set for its window, but instead of
>> SHA1 I was using MD5 at the time. You could simply request a single
>> block or loop through and request a list of blocks.
> ...
>> I abandoned it for some reason. I really wish I knew why. I suspect it
>> had to do with the cost of doing the checksum list was approaching
>> the cost of actually downloading the file in the method I chose to
>> implement it.
> Well, I'd expect a simple command "manber-hashes START LENGTH" - perhaps
> with an optional setting that defines the average block size - that streams
> (start, length, manber-hash, MD5/SHA1) back to the client to be much more
> useful; it would be much faster than transmitting the whole file and
> wouldn't need that many query operations.
>
>
> In the file I referenced in the other mail I use the MD5, the previous-to-
> last manber hash and the last manber-hash (which has per definition N
> rightmost bits zero) - that's a few bits more security than just using MD5
> (where collisions can be created).
> Of course, using SHA1 might (at least for the moment ;) be enough.
>
> Perhaps, to be on the safe side, another optional parameter could specify
> "MD5+SHA1+SHA512+CRC32+..." to get all of these checksums ;)
>
>
> Regards,
>
> Phil

From martin.cmelik at gmail.com Thu Jun 30 21:15:18 2011
From: martin.cmelik at gmail.com (Martin Čmelík)
Date: Thu, 30 Jun 2011 13:15:18 +0200
Subject: Limit SSH access for users from defined source address
Message-ID:

Hi all,

let me describe my environment and problem.

System is RHEL 5.6 with latest stable OpenSSH.

In sshd_config is defined "AllowGroups sshusers" but I need limitation to some of users in group to have access only from defined IP address.

As I know this can be setup in sshd_config only for AllowUsers, but users in group are changed so I must use allowgroups instead of allowusers.

I have modified /etc/pam.d/sshd

#%PAM-1.0
auth       include      system-auth
account    required     pam_access.so accessfile=/etc/security/access-sshd.conf
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

and setup access file /etc/security/access-sshd.conf

- : user1 : ALL EXCEPT 1.1.1.1
- : user2 : ALL EXCEPT 2.2.2.2

This setup works fine. I'm able to login from defined sources, but only via password authentication.

When I use ssh keys I'm unable to login and in /var/log/secure is this log

--attached--

.ssh directory and authorized_keys have permissions 600

I know that it is more related to PAM modules, but I hope that somebody of you can help me more than PAM developers.

Thank you for any feedback!

Best regards,

Martin Čmelík

http://www.security-portal.cz
http://www.securix.org
Contact me: martin.cmelik at gmail.com
Save a tree - kill a beaver

From martin.cmelik at gmail.com Thu Jun 30 21:36:34 2011
From: martin.cmelik at gmail.com (Martin Čmelík)
Date: Thu, 30 Jun 2011 13:36:34 +0200
Subject: Limit SSH access for users from defined source address
In-Reply-To: <20110630113143.GP21361@shell.ziirish.info>
References: <20110630113143.GP21361@shell.ziirish.info>
Message-ID:

Hi Benjamin,

Match Access is new feature in OpenSSH 5.1, but I have OpenSSH_4.3p2. If I wrote "latest stable openssh" I meant latest stable in RHEL 5.6

Thank you

Martin Čmelík

http://www.security-portal.cz
http://www.securix.org
Contact me: martin.cmelik at gmail.com
Save a tree - kill a beaver

2011/6/30 Benjamin SANS :
> Martin Čmelík wrote:
>> Hi all,
>>
>> let me describe my environment and problem.
>>
>> System is RHEL 5.6 with latest stable OpenSSH.
>>
>> In sshd_config is defined "AllowGroups sshusers" but I need limitation
>> to some of users in group to have access only from defined IP address.
>>
>> As I know this can be setup in sshd_config only for AllowUsers, but
>> users in group are changed so I must use allowgroups instead of
>> allowusers.
>>
>> I have modified /etc/pam.d/sshd
>>
>> #%PAM-1.0
>> auth       include      system-auth
>> account    required     pam_access.so accessfile=/etc/security/access-sshd.conf
>> account    required     pam_nologin.so
>> account    include      system-auth
>> password   include      system-auth
>> session    optional     pam_keyinit.so force revoke
>> session    include      system-auth
>> session    required     pam_loginuid.so
>>
>> and setup access file /etc/security/access-sshd.conf
>>
>> - : user1 : ALL EXCEPT 1.1.1.1
>> - : user2 : ALL EXCEPT 2.2.2.2
>>
>> This setup works fine. I'm able to login from defined sources, but
>> only via password authentication.
>>
>> When I use ssh keys I'm unable to login and in /var/log/secure is this log
>
> Hi Martin,
>
> Maybe you could define a Match block like the following:
>
> Match Address x.x.x.0/y
>     PubkeyAuthentication yes
>
>>
>> --attached--
>>
>> .ssh directory and authorized_keys have permissions 600
>>
>> I know that it is more related to PAM modules, but I hope that
>> somebody of you can help me more than PAM developers.
>>
>> Thank you for any feedback!
>>
>> Best regards,
>>
>> Martin Čmelík
>>
>> http://www.security-portal.cz
>> http://www.securix.org
>> Contact me: martin.cmelik at gmail.com
>> Save a tree - kill a beaver
>
> Regards,
>
> --
> Benjamin SANS

From eanderle at umich.edu Thu Jun 30 22:28:53 2011
From: eanderle at umich.edu (Eric Anderle)
Date: Thu, 30 Jun 2011 08:28:53 -0400
Subject: Privilege Separation Design Question
In-Reply-To:
References: <20110616192803.GA27882@munich.citi.umich.edu>
Message-ID: <20110630122853.GA3465@munich.citi.umich.edu>

Hello Damien,

Thank you for your reply. Here at CITI, we have a security requirement that forces users to reauthenticate with SSH periodically, even if there is activity on the connection. We are using getpwnamallow() to ensure that the user is still authorized to use the system (e.g., /etc/passwd hasn't been modified or something like that). Our code enables the MONITOR_REQ_PWNAM call at all times for this reason.

That brings me to my next question. Another requirement is that all channels have to be temporarily disabled during reauth until the user has successfully reauthenticated with the openSSH server. Is there any mechanism to do that? I've tried many things, mainly in the server_loop2() and channel_input_data() functions, but I can't get any channels to stop accepting input/output and then start accepting it upon successful reauthentication.

Thank you,
Eric

On 06/17, Damien Miller wrote:
> On Thu, 16 Jun 2011, Eric Anderle wrote:
>
> > Hello all,
> >
> > I have a question about the design of the privilege separation aspect of
> > openSSH. From what I understand, the interface between the privileged
> > process and the unprivileged one is implemented as a set of well-defined
> > operations with only a small subset of these operations enabled at any
> > given time. These operations are enabled and disabled depending on the
> > task at hand.
> >
> > What I am wondering is why it was chosen to implement privilege
> > separation in this fashion, particularly the security implications of
> > this design.
>
> The design and motivation of privsep is described in the paper:
> http://www.citi.umich.edu/u/provos/papers/privsep.pdf
>
> Operations are generally only exposed when they are needed to limit the
> attack surface of the monitor, enforce correct protocol flow and reduce
> the opportunities for a compromised slave to reconnoiter through or
> request undesirable state changes of the monitor.
>
> > Also, I would like to know if security would be weakened by allowing a
> > slightly larger subset of operations (namely, PWNAM) to be executed at
> > any time.
>
> getpwnamallow() is used as a state-changing operation in the monitor,
> as it is called right before user authentication starts so you'd have to
> untangle that to begin with.
>
> Why would you want to call it more often? The user name isn't supposed
> to change during a session.
>
> -d

From cal.leeming at simplicitymedialtd.co.uk Thu Jun 30 22:40:01 2011
From: cal.leeming at simplicitymedialtd.co.uk (Cal Leeming [Simplicity Media Ltd])
Date: Thu, 30 Jun 2011 13:40:01 +0100
Subject: Privilege Separation Design Question
In-Reply-To: <20110630122853.GA3465@munich.citi.umich.edu>
References: <20110616192803.GA27882@munich.citi.umich.edu> <20110630122853.GA3465@munich.citi.umich.edu>
Message-ID:

May I ask, how are you going to handle shared key reauthentication? What if the auth happened via a different pam module? Simply checking passwd or shadow is going to be crude and not very effective. Unless I have missed something?

On 30 Jun 2011 13:36, "Eric Anderle" wrote:
> Hello Damien,
>
> Thank you for your reply. Here at CITI, we have a security requirement
> that forces users to reauthenticate with SSH periodically, even if there
> is activity on the connection. We are using getpwnamallow() to ensure
> that the user is still authorized to use the system (e.g., /etc/passwd
> hasn't been modified or something like that). Our code enables the
> MONITOR_REQ_PWNAM call at all times for this reason.
>
> That brings me to my next question. Another requirement is that all
> channels have to be temporarily disabled during reauth until the user
> has successfully reauthenticated with the openSSH server. Is there any
> mechanism to do that? I've tried many things, mainly in the
> server_loop2() and channel_input_data() functions, but I can't get any
> channels to stop accepting input/output and then start accepting it upon
> successful reauthentication.
>
> Thank you,
> Eric
>
> On 06/17, Damien Miller wrote:
>> On Thu, 16 Jun 2011, Eric Anderle wrote:
>>
>> > Hello all,
>> >
>> > I have a question about the design of the privilege separation aspect of
>> > openSSH. From what I understand, the interface between the privileged
>> > process and the unprivileged one is implemented as a set of well-defined
>> > operations with only a small subset of these operations enabled at any
>> > given time. These operations are enabled and disabled depending on the
>> > task at hand.
>> >
>> > What I am wondering is why it was chosen to implement privilege
>> > separation in this fashion, particularly the security implications of
>> > this design.
>>
>> The design and motivation of privsep is described in the paper:
>> http://www.citi.umich.edu/u/provos/papers/privsep.pdf
>>
>> Operations are generally only exposed when they are needed to limit the
>> attack surface of the monitor, enforce correct protocol flow and reduce
>> the opportunities for a compromised slave to reconnoiter through or
>> request undesirable state changes of the monitor.
>>
>> > Also, I would like to know if security would be weakened by allowing a
>> > slightly larger subset of operations (namely, PWNAM) to be executed at
>> > any time.
>>
>> getpwnamallow() is used as a state-changing operation in the monitor,
>> as it is called right before user authentication starts so you'd have to
>> untangle that to begin with.
>>
>> Why would you want to call it more often? The user name isn't supposed
>> to change during a session.
>>
>> -d

From eanderle at umich.edu Thu Jun 30 22:50:57 2011
From: eanderle at umich.edu (Eric Anderle)
Date: Thu, 30 Jun 2011 08:50:57 -0400
Subject: Privilege Separation Design Question
In-Reply-To:
References: <20110616192803.GA27882@munich.citi.umich.edu> <20110630122853.GA3465@munich.citi.umich.edu>
Message-ID: <20110630125057.GB3465@munich.citi.umich.edu>

Currently, yes, we are forcing the reauthentication to happen via password, regardless of how the user authenticated in the first place. The plan is to start with password and then move toward making the reauthentication more generic as to work with many authentication methods.

On 06/30, Cal Leeming [Simplicity Media Ltd] wrote:
> May I ask, how are you going to handle shared key reauthentication? What if
> the auth happened via a different pam module? Simply checking passwd or
> shadow is going to be crude and not very effective. Unless I have missed
> something?
> On 30 Jun 2011 13:36, "Eric Anderle" wrote:
> > Hello Damien,
> >
> > Thank you for your reply. Here at CITI, we have a security requirement
> > that forces users to reauthenticate with SSH periodically, even if there
> > is activity on the connection. We are using getpwnamallow() to ensure
> > that the user is still authorized to use the system (e.g., /etc/passwd
> > hasn't been modified or something like that). Our code enables the
> > MONITOR_REQ_PWNAM call at all times for this reason.
> >
> > That brings me to my next question. Another requirement is that all
> > channels have to be temporarily disabled during reauth until the user
> > has successfully reauthenticated with the openSSH server. Is there any
> > mechanism to do that? I've tried many things, mainly in the
> > server_loop2() and channel_input_data() functions, but I can't get any
> > channels to stop accepting input/output and then start accepting it upon
> > successful reauthentication.
> >
> > Thank you,
> > Eric
> >
> > On 06/17, Damien Miller wrote:
> >> On Thu, 16 Jun 2011, Eric Anderle wrote:
> >>
> >> > Hello all,
> >> >
> >> > I have a question about the design of the privilege separation aspect of
> >> > openSSH. From what I understand, the interface between the privileged
> >> > process and the unprivileged one is implemented as a set of well-defined
> >> > operations with only a small subset of these operations enabled at any
> >> > given time. These operations are enabled and disabled depending on the
> >> > task at hand.
> >> >
> >> > What I am wondering is why it was chosen to implement privilege
> >> > separation in this fashion, particularly the security implications of
> >> > this design.
> >>
> >> The design and motivation of privsep is described in the paper:
> >> http://www.citi.umich.edu/u/provos/papers/privsep.pdf
> >>
> >> Operations are generally only exposed when they are needed to limit the
> >> attack surface of the monitor, enforce correct protocol flow and reduce
> >> the opportunities for a compromised slave to reconnoiter through or
> >> request undesirable state changes of the monitor.
> >>
> >> > Also, I would like to know if security would be weakened by allowing a
> >> > slightly larger subset of operations (namely, PWNAM) to be executed at
> >> > any time.
> >>
> >> getpwnamallow() is used as a state-changing operation in the monitor,
> >> as it is called right before user authentication starts so you'd have to
> >> untangle that to begin with.
> >>
> >> Why would you want to call it more often? The user name isn't supposed
> >> to change during a session.
> >>
> >> -d

From djm at mindrot.org Thu Jun 30 23:45:10 2011
From: djm at mindrot.org (Damien Miller)
Date: Thu, 30 Jun 2011 23:45:10 +1000 (EST)
Subject: Privilege Separation Design Question
In-Reply-To: <20110630122853.GA3465@munich.citi.umich.edu>
References: <20110616192803.GA27882@munich.citi.umich.edu> <20110630122853.GA3465@munich.citi.umich.edu>
Message-ID:

On Thu, 30 Jun 2011, Eric Anderle wrote:

> Hello Damien,
>
> Thank you for your reply. Here at CITI, we have a security requirement
> that forces users to reauthenticate with SSH periodically, even if there
> is activity on the connection. We are using getpwnamallow() to ensure
> that the user is still authorized to use the system (e.g., /etc/passwd
> hasn't been modified or something like that). Our code enables the
> MONITOR_REQ_PWNAM call at all times for this reason.
>
> That brings me to my next question. Another requirement is that all
> channels have to be temporarily disabled during reauth until the user
> has successfully reauthenticated with the openSSH server. Is there any
> mechanism to do that? I've tried many things, mainly in the
> server_loop2() and channel_input_data() functions, but I can't get any
> channels to stop accepting input/output and then start accepting it upon
> successful reauthentication.

No, there is no mechanism to do this in OpenSSH mostly because there is no support in the protocol for reauthentication.

I guess you could use the packet queuing that we use for key reexchange to hold packets during reauthentication, but there might be nasty interactions if key reexchange happens at the same time.

-d

From postbus111 at gmail.com Thu Jun 30 23:48:21 2011
From: postbus111 at gmail.com (Hans Harder)
Date: Thu, 30 Jun 2011 15:48:21 +0200
Subject: Privilege Separation Design Question
In-Reply-To: <20110630125057.GB3465@munich.citi.umich.edu>
References: <20110616192803.GA27882@munich.citi.umich.edu> <20110630122853.GA3465@munich.citi.umich.edu> <20110630125057.GB3465@munich.citi.umich.edu>
Message-ID:

And if you don't use passwords at all..... ? For instance, disabling the keyboard-interactive login method....
We only use ssh keys and ssh certificates, so there is no need for having a password-enabled account.
That reduces a lot of password administration.

Also, if you do that in the middle of automatic script activity, I have no idea what will go wrong.

From sans.benjamin at gmail.com Thu Jun 30 21:31:43 2011
From: sans.benjamin at gmail.com (Benjamin SANS)
Date: Thu, 30 Jun 2011 13:31:43 +0200
Subject: Limit SSH access for users from defined source address
In-Reply-To:
References:
Message-ID: <20110630113143.GP21361@shell.ziirish.info>

Martin Čmelík wrote:
> Hi all,
>
> let me describe my environment and problem.
>
> System is RHEL 5.6 with latest stable OpenSSH.
>
> In sshd_config is defined "AllowGroups sshusers" but I need limitation
> to some of users in group to have access only from defined IP address.
>
> As I know this can be setup in sshd_config only for AllowUsers, but
> users in group are changed so I must use allowgroups instead of
> allowusers.
>
> I have modified /etc/pam.d/sshd
>
> #%PAM-1.0
> auth       include      system-auth
> account    required     pam_access.so accessfile=/etc/security/access-sshd.conf
> account    required     pam_nologin.so
> account    include      system-auth
> password   include      system-auth
> session    optional     pam_keyinit.so force revoke
> session    include      system-auth
> session    required     pam_loginuid.so
>
> and setup access file /etc/security/access-sshd.conf
>
> - : user1 : ALL EXCEPT 1.1.1.1
> - : user2 : ALL EXCEPT 2.2.2.2
>
> This setup works fine. I'm able to login from defined sources, but
> only via password authentication.
>
> When I use ssh keys I'm unable to login and in /var/log/secure is this log

Hi Martin,

Maybe you could define a Match block like the following:

Match Address x.x.x.0/y
    PubkeyAuthentication yes

> --attached--
>
> .ssh directory and authorized_keys have permissions 600
>
> I know that it is more related to PAM modules, but I hope that
> somebody of you can help me more than PAM developers.
>
> Thank you for any feedback!
>
> Best regards,
>
> ?
> Martin Čmelík
>
> http://www.security-portal.cz
> http://www.securix.org
> Contact me: martin.cmelik at gmail.com
> Save a tree - kill a beaver
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Regards,
--
Benjamin SANS
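The following sshd_config excerpt is an added example, not from the thread, showing one way to carry Benjamin's Match suggestion through to Martin's case: the per-user source restriction is enforced by sshd itself for the public-key path rather than only by pam_access, using the user names and addresses from Martin's access file. It assumes an OpenSSH where PubkeyAuthentication is accepted inside Match blocks.

```text
# /etc/ssh/sshd_config excerpt (added example)
AllowGroups sshusers

# sshd evaluates Match blocks in order and the first matching block that
# sets a keyword wins, so the permissive block must come before the
# catch-all block for the same user.
Match User user1 Address 1.1.1.1
    PubkeyAuthentication yes

Match User user1
    PubkeyAuthentication no
    PasswordAuthentication no

Match User user2 Address 2.2.2.2
    PubkeyAuthentication yes

Match User user2
    PubkeyAuthentication no
    PasswordAuthentication no
```

`sshd -T -C user=user1,host=client1,addr=1.1.1.1` (and again with a different addr) prints the effective configuration for that connection, which is the quickest way to confirm the block order does what is intended; the PAM account rules still apply on top of this.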