From owner-freebsd-security Wed Jun 26 17:46:18 2002
Date: Thu, 27 Jun 2002 01:34:43 +0200 (CEST)
Message-Id: <200206262334.g5QNYhQ40207@lurza.secnetix.de>
From: Oliver Fromme
To: freebsd-security@FreeBSD.ORG
Subject: sshd + jail (was Re: OpenSSH Security)

Poul-Henning Kamp wrote:
> Which reminds me that we should really tweak the code and put it in a
> jail instead of a chroot.

Slightly related ...

For a custom application I modified the sshd source to make a jail() call right after the username had been transferred. So user authentication already happens within the jail, using the spwd.db inside the jail and so on. I added a config option for sshd_config to specify jail parameters (chroot directory, IP, hostname) per-user.

I had to do that because for certain reasons we weren't able to run a separate sshd in each and every jail. Patching the sshd source as described above enabled us to run just one sshd on the machine.

Of course, it also has disadvantages, the largest is that a user who logs in twice is actually in two different jails (although they're the same chroot dir), so he can't see nor kill his own processes running in the other session. But that's something we can easily live with.

I considered submitting my patches, but to be honest, I wasn't sure where to submit them. To the OpenSSH people? Nope, the patches are clearly FreeBSD-specific. So submit them to the FreeBSD people? I don't know.

Also, the patches are for openssh 2.9. I haven't looked at the openssh 3.3 or 3.4 sources yet, but I fear that it will be difficult to merge the patches there, and it's probably impossible to use them with privsep enabled, because jail() requires superuser privileges, but the authentication is performed as the sshd user when privsep is enabled. (Please someone correct me if I'm wrong.)

Anyway. If anyone wants to look at my jail() patches for sshd (openssh 2.9), I'll be happy to mail them or put them up on some webpage. We have been using them in production for almost a year now.

Regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"All that we see or seem is just a dream within a dream" (E. A. Poe)