[rsbac] sshd problems

[Sven Seeland]

I turned off privilege seperation and it didn't help. I can't say for sure but 
it seems like the (priviliged) parent process is now doing the communication and 
after authentication spawns a process for setuid. So the authentication and the 
setuid are still in different processes. I'm considering turning privilige 
seperation back on again and imposing only very, very loose restrictions on it 
with RSBAC, trusting it to be a secure program... I really don't like the 
feeling of this. I mean, this is not what I'm using RSBAC for. Still, I can use 
RSBAC to secure less trustworthy things like apache, mysql and a few other 
net-apps, but SSH is a pretty big part of my internet connectivity since it will 
be used for remote administration as well as for file-transfers. The 
file-transfers will possibly be done by quite a few people and there might be 
significant traffic via SSH.
Maybe I'll restrict SSHD to setuid only to a range of unpriviliged accounts (for 
up- and downloading) and one login account, which is then in turn privileged to 
setuid to secoff. Not great but it's a start. Any better ideas?

Again, thanks a lot for the help.

Amon Ott schrieb:
> Only last night I realized that it is not the process doing the 
> authentication which tries to setuid in the end. Instead, sshd 
> creates one child process to do authentication and a new child 
> process for setuid. So it cannot work this way.
> 
> Blame sshd Privilege Separation scheme for this...
> 
> You might consider turning that scheme off with
> UsePrivilegeSeparation no
> in sshd_config.
> 
> I will think about a secure solution to this problem - obviously we 
> cannot set last_auth for every parent process, too, so that other 
> children can get it inherited. During my tests, I added inheritance 
> to child processes, so in other cases we might have some benefit.
> 
> Amon.