From: Oliver Fromme (olli@secnetix.de)
Date: Wed Jun 26 2002 - 18:34:43 CDT


    Poul-Henning Kamp <phk@critter.freebsd.dk> wrote:
    > Which reminds me that we should really tweak the code and put it in a
    > jail instead of a chroot.

    Slightly related ...

    For a custom application I modified the sshd source to make
    a jail() call right after the username had been transferred.
    So user authentication already happens within the jail, using
    the spwd.db inside the jail and so on. I added a config
    option for sshd_config to specify jail parameters (chroot
    directory, IP, hostname) per-user.

    I had to do that because for certain reasons we weren't able
    to run a separate sshd in each and every jail. Patching the
    sshd source as described above enabled us to run just one
    sshd on the machine. Of course, it also has disadvantages,
    the largest is that a user who logs in twice is actually in
    two different jails (although they're the same chroot dir),
    so he can neither see nor kill his own processes running in the
    other session. But that's something we can easily live with.

    I considered submitting my patches, but to be honest, I wasn't
    sure where to submit them. To the OpenSSH people? Nope, the
    patches are clearly FreeBSD-specific. So submit them to the
    FreeBSD people? I don't know.

    Also, the patches are for openssh 2.9. I haven't looked at
    the openssh 3.3 or 3.4 sources yet, but I fear that it will
    be difficult to merge the patches there, and it's probably
    impossible to use them with privsep enabled, because jail()
    requires superuser privileges, but the authentication is
    performed as the sshd user when privsep is enabled. (Please
    someone correct me if I'm wrong.)

    Anyway. If anyone wants to look at my jail() patches for
    sshd (openssh 2.9), I'll be happy to mail them or put them
    up on some webpage. We have been using them in production for
    almost a year now.

    Regards
       Oliver

    -- 
    Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
    Any opinions expressed in this message may be personal to the author
    and may not necessarily reflect the opinions of secnetix in any way.
    

    "All that we see or seem is just a dream within a dream" (E. A. Poe)
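As an added illustration, not part of the post and not Oliver's actual patches: a C sketch of the step he describes, looking up per-user jail parameters (chroot directory, IP, hostname) once the username has arrived and entering the jail before authentication, with the root check that explains why an unprivileged privsep child cannot do this. The user table, its values and the current struct jail layout (which postdates the 2002 openssh 2.9 patch) are assumptions; on non-FreeBSD systems the jail(2) call is compiled out.

```c
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#ifdef __FreeBSD__
#include <sys/param.h>
#include <sys/jail.h>
#endif
/* Per-user jail parameters of the kind the post's sshd_config option carried.
 * Constructed table; the real option's name and format are not in the post. */
struct user_jail { const char *user, *path, *ip, *hostname; };

static const struct user_jail jail_table[] = {
    { "alice", "/jails/alice", "10.0.0.11", "alice.jail.example" },
    { "bob",   "/jails/bob",   "10.0.0.12", "bob.jail.example"   },
};

const struct user_jail *lookup_user_jail(const char *user)
{
    for (size_t i = 0; i < sizeof jail_table / sizeof jail_table[0]; i++)
        if (strcmp(jail_table[i].user, user) == 0)
            return &jail_table[i];
    return NULL;
}

/* The step the post describes: run right after the username arrives and before
 * authentication, so authentication itself happens inside the jail.  Returns 0
 * on success and fails closed otherwise: -1 unknown user, -2 bad address, -3 not
 * root (jail(2) needs superuser privileges, hence no privsep child), -4 jail() failed. */
int enter_user_jail(const char *user, uid_t euid)
{
    const struct user_jail *uj = lookup_user_jail(user);
    struct in_addr addr;
    if (uj == NULL) return -1;
    if (inet_pton(AF_INET, uj->ip, &addr) != 1) return -2;
    if (euid != 0) return -3;
#ifdef __FreeBSD__
    struct jail j;
    memset(&j, 0, sizeof j);
    j.version = JAIL_API_VERSION;     /* current layout; the 2002 patch used the older one */
    j.path = (char *)uj->path;
    j.hostname = (char *)uj->hostname;
    j.ip4s = 1;
    j.ip4 = &addr;
    if (jail(&j) < 0) return -4;
#else
    (void)addr;                       /* jail(2) exists only on FreeBSD */
#endif
    return 0;
}
```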
