[Bug 231172] ssh login fails if server is set sysctl kern.trap_enotcap=1
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Wed Sep 5 08:47:28 UTC 2018
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231172
Bug ID: 231172
Summary: ssh login fails if server is set sysctl
kern.trap_enotcap=1
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: bugs at FreeBSD.org
Reporter: naito.yuichiro at gmail.com
Created attachment 196883
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=196883&action=edit
sshd.patch
Problem
-------
While I'm debugging my program which runs in capability mode on remote machine,
I set sysctl kern.trap_enotcap=1 to make my kernel triggers SIGTRAP when
capability violation occurs.
If I quit a ssh session by accident, I can never ssh login again.
Reason
------
Sshd uses login_getpwclass(3) for authentication, but it is not allowed in
capability mode because of accessing to '/etc/login.conf' and
'${HOME}/.login.conf'. Authentication failure triggers to close ssh session.
Please note that this is not a security problem. Sshd checks
login_getpwclass(3)
in several times. One of these checks is sandboxed and fails in capability
mode.
And sshd calls auth_timeok(3) after login_getpwcalss(3). In auth_timeok(3),
localtime(3) is called and it opens '/etc/localtime'. This is not allowed
neither.
Reproduce
---------
1. stop sshd
# service sshd stop
2. set kern.trap_enotcap=1
# sysctl kern.trap_enotcap=1
3. truss sshd
# truss -f -o /tmp/sshd.log /usr/sbin/sshd -D
4. ssh login
$ ssh localhost
5. check the logfile
$ grep 'capability' /tmp/sshd.log
6637: lstat("/etc/login.conf",0x7fffffffd850) ERR#94 'Not permitted in
capability mode'
Workaround
----------
Apply the attached `sshd.patch` and rebuild sshd. This patch adds wrapper
function of login_getpwclass(3), and fixes the sandboxed process to call this
function.
Question
--------
I know sshd is a contributed software from OpenSSH project. And it seems
FreeBSD project applies specific patches to sshd. Is my code a part of FreeBSD
specific patches? If so, please review my code.
--
You are receiving this mail because:
You are the assignee for the bug.
More information about the freebsd-bugs
mailing list