
RE: PRIVSEP annoys me.

From: Temp <temp(at)eguesswork.co.uk>
Date: Fri Mar 28 2003 - 12:25:43 EST

Peter,

I've just been integrating some support for RSA's SecurID Token and had some real headaches with Privilege Separation. The OpenSSH FAQ says Privilege Separation uses a well defined interface; it's well defined, but very poorly documented!

Through a lot of trial and error I finally managed to get everything to work, but it was a real struggle.

The only information that I have come across is a link to a document someone gave me: http://www.citi.umich.edu/u/provos/ssh/privsep.html

You have to look at the document and then try to work out how it relates to the actual OpenSSH code. A big clue is to look at how the S/Key authentication has been implemented.

Basically you need a pair of processes mm_auth_icc_prepare_key_query & mm_auth_icc_prepare_key_response in monitor_wrap.c and a pair of processes mm_auth_ans_icc_prepare_key_query & mm_auth_ans_icc_prepare_key_response in monitor.c. You will also need to add some lines into monitor.h and monitor_wrap.h to "register" your functions in some arrays. The "query" pair of processes send from the unprivileged process to the privileged process and the "response" pair of processes handle any replies coming back the other way. You also have to use built-in functions to push data into a buffer to be sent and extract data from the buffer at the other end.

The processes called from monitor_wrap.c run in a restricted shell that does not allow access to the filesystem for calls like stat(). You have to put any function calls that require access to the filesystem in the "shadow" functions in monitor.c that run as "root".


Regards,

Chris Macneill
Educated Guesswork Ltd.
-----Original Message-----
From: ¶«·½ ó»ÎÄ [mailto:phanix@hotmail.com]
Sent: 28 March 2003 07:42
To: secureshell@securityfocus.com
Subject: PRIVSEP annoys me.

I added a new authentication method to openssh called ICCAuthentication (IC card).
When the server receives SSH_CMSG_AUTH_ICC, it reads the rsa public key file in the user's home dir (e.g. /home/peter/.icc/authorized_key), gets the pubkey, generates a 32 8-bit long random number, encrypts it with the pubkey, and sends it to the client as a challenge, just like RSAAuthentication. The client then decrypts the challenge with the private key in the user's IC card, and sends a response to the server.

Here is the auth_icc_prepare_key() function in my auth-icc.c. This function gets the pubkey in the ~/.icc/authorized_key file.

int
auth_icc_prepare_key(struct passwd *pw, Key **rkey)
{
	char line[8192], file[MAXPATHLEN];
	u_char n_e[131];
	FILE *f;
	struct stat st;
	Key *key;

	/* Temporarily use the user's uid. */
	temporarily_use_uid(pw);

	/* The authorized key file. */
	snprintf(file, sizeof file, "%.500s/%.100s", pw->pw_dir,
	    _PATH_SSH_USER_ICC_PERMITTED_KEY);
	debug("trying public RSA key file %s", file);

	/* Fail quietly if file does not exist */
	/* If UsePrivilegeSeparation is yes, stat() always fails. */
	if (stat(file, &st) < 0) {
		debug("Public key file does not exist.");
		/* Restore the privileged uid. */
		restore_uid();
		return 0;
	}

	/* Open the file containing the authorized keys. */
	f = fopen(file, "r");
	if (!f) {
		packet_send_debug("Could not open file %.900s for reading.", file);
		packet_send_debug("If your home is on an NFS volume, it may need to be world-readable.");
		/* Restore the privileged uid. */
		restore_uid();
		return 0;
	}
	if (options.strict_modes &&
	    secure_filename(f, file, pw, line, sizeof(line)) != 0) {
		fclose(f);
		log("Authentication refused: %s", line);
		restore_uid();
		return 0;
	}

	key = key_new(KEY_RSA);

	/*
	 * Get the public key from the file. If ok, perform a
	 * challenge-response dialog to verify that the user has
	 * the right IC card.
	 * The file holds a 128-byte modulus followed by a 3-byte exponent.
	 */
	if (fread(n_e, 131, 1, f) < 1) {
		/* Release the file and the key on the error path as well. */
		fclose(f);
		key_free(key);
		restore_uid();
		packet_send_debug("Read file %.900s error.", file);
		return 0;
	}
	key->rsa->n = BN_bin2bn(n_e, 128, NULL);
	key->rsa->e = BN_bin2bn(n_e + 128, 3, NULL);

	/* Restore the privileged uid. */
	restore_uid();

	/* Close the file. */
	fclose(f);

	/* return key if allowed */
	if (rkey != NULL) {
		*rkey = key;
		return 1;
	} else {
		key_free(key);
		return 0;
	}
}

Everything is ok if in sshd_config: "UsePrivilegeSeparation no". If I set "UsePrivilegeSeparation" yes, the stat() in the function always returns <0, but the file does exist.
I set the file as:
/home/peter/.icc/authorized_key peter.peter rw-r--r--

Why can't sshd access the file under privsep? Please help me.
Thank you.

xhtech. Beijing



Received on Fri Mar 28 13:14:30 2003
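
The split described in the reply above, shown as an added example (not OpenSSH code and not from either poster): the unprivileged side sends a typed request over a socketpair, and the privileged side performs the stat() and sends back a typed answer. The names REQ_ICC_KEY, ANS_ICC_KEY, struct msg, monitor_answer, mm_icc_key_exists and privsep_key_exists are hypothetical, and the fixed-size frame stands in for OpenSSH's buffer functions.

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical request/answer types and a simplified fixed-size frame. */
enum { REQ_ICC_KEY = 1, ANS_ICC_KEY = 2 };
struct msg { unsigned char type; char data[255]; };

/* Privileged side (the monitor.c role): the only code that touches the file. */
static int monitor_answer(int fd)
{
	struct msg q, a = { .type = ANS_ICC_KEY };
	struct stat st;
	if (read(fd, &q, sizeof(q)) != (ssize_t)sizeof(q) || q.type != REQ_ICC_KEY)
		return -1;	/* unknown request: refuse; the child sees EOF */
	q.data[sizeof(q.data) - 1] = '\0';	/* never trust the child's string */
	a.data[0] = (stat(q.data, &st) == 0 && S_ISREG(st.st_mode));
	return write(fd, &a, sizeof(a)) == (ssize_t)sizeof(a) ? 0 : -1;
}

/* Unprivileged side (the monitor_wrap.c role): asks, never calls stat(). */
static int mm_icc_key_exists(int fd, const char *path)
{
	struct msg q = { .type = REQ_ICC_KEY }, a;
	strncpy(q.data, path, sizeof(q.data) - 1);
	return write(fd, &q, sizeof(q)) == (ssize_t)sizeof(q) &&
	    read(fd, &a, sizeof(a)) == (ssize_t)sizeof(a) &&
	    a.type == ANS_ICC_KEY && a.data[0] == 1;
}

/* Fork the pair; returns 1 if the unprivileged child learned the key exists. */
int privsep_key_exists(const char *path)
{
	int sv[2], status = 0;
	pid_t pid;
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || (pid = fork()) < 0)
		return -1;
	if (pid == 0) {		/* child: sshd chroots and drops its uid here */
		close(sv[0]);
		_exit(mm_icc_key_exists(sv[1], path) ? 0 : 1);
	}
	close(sv[1]);
	monitor_answer(sv[0]);
	close(sv[0]);
	waitpid(pid, &status, 0);
	return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```

The monitor answers only the one request type it expects and only with a yes/no result, so the unprivileged side never receives a file handle or the file's contents.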

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:56 EDT

