[Bug 231172] ssh login fails if server is set sysctl kern.trap_enotcap=1

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Wed Sep 5 08:47:28 UTC 2018 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231172

            Bug ID: 231172
           Summary: ssh login fails if server is set sysctl
                    kern.trap_enotcap=1
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs at FreeBSD.org
          Reporter: naito.yuichiro at gmail.com

Created attachment 196883
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=196883&action=edit
sshd.patch

Problem
-------

While I'm debugging my program which runs in capability mode on remote machine,
I set sysctl kern.trap_enotcap=1 to make my kernel triggers SIGTRAP when
capability violation occurs.

If I quit a ssh session by accident, I can never ssh login again.

Reason
------

Sshd uses login_getpwclass(3) for authentication, but it is not allowed in
capability mode because of accessing to '/etc/login.conf' and
'${HOME}/.login.conf'. Authentication failure triggers to close ssh session.

Please note that this is not a security problem. Sshd checks
login_getpwclass(3)
in several times. One of these checks is sandboxed and fails in capability
mode.

And sshd calls auth_timeok(3) after login_getpwcalss(3). In auth_timeok(3),
localtime(3) is called and it opens '/etc/localtime'. This is not allowed
neither.

Reproduce
---------

1. stop sshd
   # service sshd stop

2. set kern.trap_enotcap=1
   # sysctl kern.trap_enotcap=1

3. truss sshd
   # truss -f -o /tmp/sshd.log /usr/sbin/sshd -D

4. ssh login
   $ ssh localhost

5. check the logfile
   $ grep 'capability' /tmp/sshd.log
     6637: lstat("/etc/login.conf",0x7fffffffd850)   ERR#94 'Not permitted in
capability mode'

Workaround
----------

Apply the attached `sshd.patch` and rebuild sshd. This patch adds wrapper
function of login_getpwclass(3), and fixes the sandboxed process to call this
function.

Question
--------

I know sshd is a contributed software from OpenSSH project. And it seems
FreeBSD project applies specific patches to sshd. Is my code a part of FreeBSD
specific patches? If so, please review my code.

-- 
You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-bugs mailing list