|
|
1bd961 |
diff -up openssh-7.3p1/monitor_wrap.c.audit-race openssh-7.3p1/monitor_wrap.c
|
|
|
1bd961 |
--- openssh-7.3p1/monitor_wrap.c.audit-race 2016-12-15 14:27:22.376603747 +0100
|
|
|
1bd961 |
+++ openssh-7.3p1/monitor_wrap.c 2016-12-15 14:27:22.381603742 +0100
|
|
|
1bd961 |
@@ -1256,4 +1256,48 @@ mm_audit_destroy_sensitive_data(const ch
|
|
|
f8987c |
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, &m);
|
|
|
f8987c |
buffer_free(&m);
|
|
|
f8987c |
}
|
|
|
f8987c |
+
|
|
|
f8987c |
+int mm_forward_audit_messages(int fdin)
|
|
|
f8987c |
+{
|
|
|
1bd961 |
+ u_char buf[4];
|
|
|
1bd961 |
+ u_int blen, msg_len;
|
|
|
1bd961 |
+ Buffer m;
|
|
|
1bd961 |
+ int ret = 0;
|
|
|
1bd961 |
+
|
|
|
1bd961 |
+ debug3("%s: entering", __func__);
|
|
|
1bd961 |
+ buffer_init(&m);
|
|
|
f8987c |
+ do {
|
|
|
1bd961 |
+ blen = atomicio(read, fdin, buf, sizeof(buf));
|
|
|
1bd961 |
+ if (blen == 0) /* closed pipe */
|
|
|
1bd961 |
+ break;
|
|
|
1bd961 |
+ if (blen != sizeof(buf)) {
|
|
|
1bd961 |
+ error("%s: Failed to read the buffer from child", __func__);
|
|
|
1bd961 |
+ ret = -1;
|
|
|
1bd961 |
+ break;
|
|
|
1bd961 |
+ }
|
|
|
1bd961 |
+
|
|
|
1bd961 |
+ msg_len = get_u32(buf);
|
|
|
1bd961 |
+ if (msg_len > 256 * 1024)
|
|
|
1bd961 |
+ fatal("%s: read: bad msg_len %d", __func__, msg_len);
|
|
|
1bd961 |
+ buffer_clear(&m);
|
|
|
1bd961 |
+ buffer_append_space(&m, msg_len);
|
|
|
1bd961 |
+ if (atomicio(read, fdin, buffer_ptr(&m), msg_len) != msg_len) {
|
|
|
1bd961 |
+ error("%s: Failed to read the the buffer content from the child", __func__);
|
|
|
1bd961 |
+ ret = -1;
|
|
|
1bd961 |
+ break;
|
|
|
f8987c |
+ }
|
|
|
1bd961 |
+ if (atomicio(vwrite, pmonitor->m_recvfd, buf, blen) != blen ||
|
|
|
1bd961 |
+ atomicio(vwrite, pmonitor->m_recvfd, buffer_ptr(&m), msg_len) != msg_len) {
|
|
|
1bd961 |
+ error("%s: Failed to write the message to the monitor", __func__);
|
|
|
1bd961 |
+ ret = -1;
|
|
|
1bd961 |
+ break;
|
|
|
f8987c |
+ }
|
|
|
1bd961 |
+ } while (1);
|
|
|
1bd961 |
+ buffer_free(&m);
|
|
|
1bd961 |
+ return ret;
|
|
|
f8987c |
+}
|
|
|
f8987c |
+void mm_set_monitor_pipe(int fd)
|
|
|
f8987c |
+{
|
|
|
f8987c |
+ pmonitor->m_recvfd = fd;
|
|
|
f8987c |
+}
|
|
|
f8987c |
#endif /* SSH_AUDIT_EVENTS */
|
|
|
1bd961 |
diff -up openssh-7.3p1/monitor_wrap.h.audit-race openssh-7.3p1/monitor_wrap.h
|
|
|
1bd961 |
--- openssh-7.3p1/monitor_wrap.h.audit-race 2016-12-15 14:27:22.376603747 +0100
|
|
|
1bd961 |
+++ openssh-7.3p1/monitor_wrap.h 2016-12-15 14:27:22.381603742 +0100
|
|
|
1bd961 |
@@ -88,6 +88,8 @@ void mm_audit_unsupported_body(int);
|
|
|
f8987c |
void mm_audit_kex_body(int, char *, char *, char *, char *, pid_t, uid_t);
|
|
|
f8987c |
void mm_audit_session_key_free_body(int, pid_t, uid_t);
|
|
|
f8987c |
void mm_audit_destroy_sensitive_data(const char *, pid_t, uid_t);
|
|
|
f8987c |
+int mm_forward_audit_messages(int);
|
|
|
f8987c |
+void mm_set_monitor_pipe(int);
|
|
|
f8987c |
#endif
|
|
|
f8987c |
|
|
|
f8987c |
struct Session;
|
|
|
1bd961 |
diff -up openssh-7.3p1/session.c.audit-race openssh-7.3p1/session.c
|
|
|
1bd961 |
--- openssh-7.3p1/session.c.audit-race 2016-12-15 14:27:22.378603745 +0100
|
|
|
1bd961 |
+++ openssh-7.3p1/session.c 2016-12-15 14:27:22.382603741 +0100
|
|
|
1bd961 |
@@ -164,6 +164,10 @@ static Session *sessions = NULL;
|
|
|
f8987c |
login_cap_t *lc;
|
|
|
f8987c |
#endif
|
|
|
f8987c |
|
|
|
f8987c |
+#ifdef SSH_AUDIT_EVENTS
|
|
|
f8987c |
+int paudit[2];
|
|
|
f8987c |
+#endif
|
|
|
f8987c |
+
|
|
|
f8987c |
static int is_child = 0;
|
|
|
f8987c |
|
|
|
f8987c |
static int have_dev_log = 1;
|
|
|
1bd961 |
@@ -457,6 +457,8 @@ do_authenticated1(Authctxt *authctxt)
|
|
|
1bd961 |
}
|
|
|
1bd961 |
}
|
|
|
1bd961 |
|
|
|
1bd961 |
+void child_destory_sensitive_data();
|
|
|
1bd961 |
+
|
|
|
1bd961 |
#define USE_PIPES 1
|
|
|
1bd961 |
/*
|
|
|
1bd961 |
* This is called to fork and execute a command when we have no tty. This
|
|
|
1bd961 |
@@ -588,6 +592,8 @@ do_exec_no_pty(Session *s, const char *c
|
|
|
1bd961 |
cray_init_job(s->pw); /* set up cray jid and tmpdir */
|
|
|
1bd961 |
#endif
|
|
|
1bd961 |
|
|
|
1bd961 |
+ child_destory_sensitive_data();
|
|
|
1bd961 |
+
|
|
|
1bd961 |
/* Do processing for the child (exec command etc). */
|
|
|
1bd961 |
do_child(s, command);
|
|
|
1bd961 |
/* NOTREACHED */
|
|
|
1bd961 |
@@ -722,6 +728,9 @@ do_exec_pty(Session *s, const char *comm
|
|
|
1bd961 |
/* Close the extra descriptor for the pseudo tty. */
|
|
|
1bd961 |
close(ttyfd);
|
|
|
1bd961 |
|
|
|
1bd961 |
+ /* Do this early, so we will not block large MOTDs */
|
|
|
1bd961 |
+ child_destory_sensitive_data();
|
|
|
1bd961 |
+
|
|
|
1bd961 |
/* record login, etc. similar to login(1) */
|
|
|
1bd961 |
#ifndef HAVE_OSF_SIA
|
|
|
1bd961 |
if (!(options.use_login && command == NULL)) {
|
|
|
1bd961 |
@@ -903,6 +912,8 @@ do_exec(Session *s, const char *command)
|
|
|
f8987c |
}
|
|
|
f8987c |
if (s->command != NULL && s->ptyfd == -1)
|
|
|
f8987c |
s->command_handle = PRIVSEP(audit_run_command(s->command));
|
|
|
f8987c |
+ if (pipe(paudit) < 0)
|
|
|
f8987c |
+ fatal("pipe: %s", strerror(errno));
|
|
|
f8987c |
#endif
|
|
|
f8987c |
if (s->ttyfd != -1)
|
|
|
f8987c |
ret = do_exec_pty(s, command);
|
|
|
1bd961 |
@@ -918,6 +929,20 @@ do_exec(Session *s, const char *command)
|
|
|
f8987c |
*/
|
|
|
f8987c |
buffer_clear(&loginmsg);
|
|
|
f8987c |
|
|
|
f8987c |
+#ifdef SSH_AUDIT_EVENTS
|
|
|
f8987c |
+ close(paudit[1]);
|
|
|
f8987c |
+ if (use_privsep && ret == 0) {
|
|
|
f8987c |
+ /*
|
|
|
f8987c |
+ * Read the audit messages from forked child and send them
|
|
|
f8987c |
+ * back to monitor. We don't want to communicate directly,
|
|
|
f8987c |
+ * because the messages might get mixed up.
|
|
|
f8987c |
+ * Continue after the pipe gets closed (all messages sent).
|
|
|
f8987c |
+ */
|
|
|
f8987c |
+ ret = mm_forward_audit_messages(paudit[0]);
|
|
|
f8987c |
+ }
|
|
|
f8987c |
+ close(paudit[0]);
|
|
|
f8987c |
+#endif /* SSH_AUDIT_EVENTS */
|
|
|
f8987c |
+
|
|
|
f8987c |
return ret;
|
|
|
f8987c |
}
|
|
|
f8987c |
|
|
|
1bd961 |
@@ -1751,6 +1776,33 @@ child_close_fds(void)
|
|
|
1bd961 |
endpwent();
|
|
|
1bd961 |
}
|
|
|
f8987c |
|
|
|
1bd961 |
+void
|
|
|
1bd961 |
+child_destory_sensitive_data()
|
|
|
1bd961 |
+{
|
|
|
f8987c |
+#ifdef SSH_AUDIT_EVENTS
|
|
|
1bd961 |
+ int pparent = paudit[1];
|
|
|
f8987c |
+ close(paudit[0]);
|
|
|
f8987c |
+ /* Hack the monitor pipe to avoid race condition with parent */
|
|
|
f8987c |
+ if (use_privsep)
|
|
|
1bd961 |
+ mm_set_monitor_pipe(pparent);
|
|
|
f8987c |
+#endif
|
|
|
f8987c |
+
|
|
|
1bd961 |
+ /* remove hostkey from the child's memory */
|
|
|
f8987c |
+ destroy_sensitive_data(use_privsep);
|
|
|
f8987c |
+ /*
|
|
|
f8987c |
+ * We can audit this, because we hacked the pipe to direct the
|
|
|
f8987c |
+ * messages over postauth child. But this message requires answer
|
|
|
f8987c |
+ * which we can't do using one-way pipe.
|
|
|
f8987c |
+ */
|
|
|
1bd961 |
+ packet_destroy_all(0, 1);
|
|
|
1bd961 |
+
|
|
|
f8987c |
+#ifdef SSH_AUDIT_EVENTS
|
|
|
f8987c |
+ /* Notify parent that we are done */
|
|
|
1bd961 |
+ close(pparent);
|
|
|
f8987c |
+#endif
|
|
|
f8987c |
+
|
|
|
1bd961 |
+}
|
|
|
1bd961 |
+
|
|
|
1bd961 |
/*
|
|
|
1bd961 |
* Performs common processing for the child, such as setting up the
|
|
|
1bd961 |
* environment, closing extra file descriptors, setting the user and group
|
|
|
1bd961 |
@@ -1768,12 +1820,6 @@ do_child(Session *s, const char *command
|
|
|
1bd961 |
struct passwd *pw = s->pw;
|
|
|
1bd961 |
int r = 0;
|
|
|
1bd961 |
|
|
|
1bd961 |
- /* remove hostkey from the child's memory */
|
|
|
1bd961 |
- destroy_sensitive_data(1);
|
|
|
1bd961 |
- /* Don't audit this - both us and the parent would be talking to the
|
|
|
1bd961 |
- monitor over a single socket, with no synchronization. */
|
|
|
1bd961 |
- packet_destroy_all(0, 1);
|
|
|
1bd961 |
-
|
|
|
f8987c |
/* Force a password change */
|
|
|
f8987c |
if (s->authctxt->force_pwchange) {
|
|
|
f8987c |
do_setusercontext(pw);
|