Pantek Library
Hosting Provided By
CybrHost
High Speed Hosting
Mailing Lists: securityfocus.com > secureshell > 03 > 030638.html (Request Expert securityfocus.com Support)

RE: PRIVSEP annoys me. - Part 2

From: Chris Macneill <chris.macneill(at)eguesswork.co.uk>
Date: Fri Mar 28 2003 - 13:39:17 EST


Peter,

Markus Friedl makes a valid point; it is simpler than my first response.

To make a function work in Privilege Separation mode, surround your original function with the macro PRIVSEP(), e.g. PRIVSEP(xxxx());

In Privilege Separation mode the macro causes mm_xxxx(); to be executed, not xxxx();, you will also need a function mm_ans_xxxx(); to return the response from your code executed in the Privileged process.

Look at other mm_ and mm_ans_ functions in monitor_wrap.c and monitor.c to get the idea of how to build your own functions.

See how auth_password() is implemented, you'll find an mm_auth_password() function in monitor_wrap.c and an mm_ans_auth_password() in monitor.c. "grep" through the rest of the code to see usage of the PRIVSEP() macro.

Regards,

Chris Macneill
Educated Guesswork Ltd.

Do you need help?X

-----Original Message-----
From: ¶«·½ ó»ÎÄ [mailto:phanix@hotmail.com] Sent: 28 March 2003 07:42
To: secureshell@securityfocus.com
Subject: PRIVSEP annoys me.

I added a new authentication method to openssh called ICCAuthentication(IC card).
When server receives SSH_CMSG_AUTH_ICC, it reads the rsa public key file in the user's home dir(e. g. /home/peter/.icc/authorized_key), gets the pubkey,
generates an 32 8-bit long random number, encrypts it with the pubkey, and send
it to the client as an challenge, just like RSAAuthentication. The client then
decrypts the challenge with the private key in the user's IC card, and send a
response to the server.

Here is the auth_icc_prepare_key() function in my auth-icc.c. This function gets the pubkey in the ~/.icc/authorized_key file.

int
auth_icc_prepare_key(struct passwd *pw, Key **rkey) { 

	char line[8192], file[MAXPATHLEN];
	u_char n_e[131];
	FILE *f;
	struct stat st;
	Key *key;

	/* Temporarily use the user's uid. */


	temporarily_use_uid(pw);

	/* The authorized key file. */


	snprintf( file, sizeof file, "%.500s/%.100s", pw->pw_dir,
			_PATH_SSH_USER_ICC_PERMITTED_KEY );
	
	debug("trying public RSA key file %s", file);
	

	/* Fail quietly if file does not exist */


         /* If UsePriviledgeSeperation is yes, stat() always fails. */
	if (stat(file, &st) < 0) {
		/* Restore the privileged uid. */
		debug("Public key file does not exist.");
		restore_uid();
		return 0;
	}
	

	/* Open the file containing the authorized keys. */


	f = fopen(file, "r");
	if (!f) {
		packet_send_debug("Could not open file %.900s
                                     for reading.",file);
		packet_send_debug("If your home is on an NFS volume,
                                     it may need to be world-readable.");
		/* Restore the privileged uid. */
		restore_uid();
		return 0;
	}

	if (options.strict_modes &&
	    secure_filename(f, file, pw, line, sizeof(line)) != 0) {
		fclose(f);
		log("Authentication refused: %s", line);
		restore_uid();
		return 0;
	}

	key = key_new(KEY_RSA);

	/* 

	 * Get the public key from the file. If ok, perform a
	 * challenge-response dialog to verify that the user has
	 * the right IC card.
	 */
	if( fread( n_e, 131, 1, f ) < 1 ) {
		restore_uid();
		packet_send_debug("Read file %.900s error.",file);
		return 0;
	}
	key->rsa->n = BN_bin2bn( n_e, 128, NULL );
	key->rsa->e = BN_bin2bn( n_e+128, 3, NULL );
	


	/* Restore the privileged uid. */


	restore_uid();


	/* Close the file. */


	fclose(f);

	/* return key if allowed */


	if ( rkey != NULL ) {
		*rkey = key;
		return 1;
	} else {
		key_free(key);
		return 0;
	}

}

Everything is ok if in sshd_config: "UsePriviledgeSeperation no". If I set "UsePriviledgeSeperation" yes, the stat() in the function always returns <0, but the file does exists.
I set the file as:
/home/peter/.icc/authorized_key peter.peter rw-r--r--

Why in privsep the sshd cannot access the file? Please help me.
Thank you.

xhtech. Beijing


享用世界上最大的电子邮件系统— MSN Hotmail。 http://www.hotmail.com 
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (
http://www.grisoft.com).
Version: 6.0.463 / Virus Database: 262 - Release Date: 17/03/2003
Received on Fri Mar 28 15:08:26 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:56 EDT

Do you need more help?X
Contact Us  Legal Notices  Order Services Online 
Pantek Home  Privacy Policy  IT news  Site Map  Pantek Library