Re: PRIVSEP annoys me.

From: James Dennis (jdennis@law.harvard.edu)
Date: 03/28/03

    Date: Fri, 28 Mar 2003 12:45:00 -0500
    From: James Dennis <jdennis@law.harvard.edu>
    To: 东方 蠡文 <phanix@hotmail.com>, secureshell@securityfocus.com
    
    

    Because the sshd user is chrooted and doesn't have access to that part
    of the file system. It's stuck in /var/empty, which is empty. You'll
    have to re-order things.
    -James

    东方 蠡文 wrote:
    >
    > I added a new authentication method to openssh called
    > ICCAuthentication (IC card).
    > When the server receives SSH_CMSG_AUTH_ICC, it reads the rsa public key
    > file in the user's home dir (e.g. /home/peter/.icc/authorized_key), gets
    > the pubkey, generates a 32 8-bit long random number, encrypts it with the
    > pubkey, and sends it to the client as a challenge, just like
    > RSAAuthentication. The client then decrypts the challenge with the
    > private key in the user's IC card, and sends a response to the server.
    >
    > Here is the auth_icc_prepare_key() function in my auth-icc.c.
    > This function gets the pubkey in the ~/.icc/authorized_key file.
    >
    > int
    > auth_icc_prepare_key(struct passwd *pw, Key **rkey)
    > {
    >     char line[8192], file[MAXPATHLEN];
    >     u_char n_e[131];
    >     FILE *f;
    >     struct stat st;
    >     Key *key;
    >
    >     /* Temporarily use the user's uid. */
    >     temporarily_use_uid(pw);
    >
    >     /* The authorized key file. */
    >     snprintf(file, sizeof file, "%.500s/%.100s", pw->pw_dir,
    >         _PATH_SSH_USER_ICC_PERMITTED_KEY);
    >
    >     debug("trying public RSA key file %s", file);
    >
    >     /* Fail quietly if file does not exist */
    >     /* If UsePrivilegeSeparation is yes, stat() always fails. */
    >     if (stat(file, &st) < 0) {
    >         /* Restore the privileged uid. */
    >         debug("Public key file does not exist.");
    >         restore_uid();
    >         return 0;
    >     }
    >
    >     /* Open the file containing the authorized keys. */
    >     f = fopen(file, "r");
    >     if (!f) {
    >         packet_send_debug("Could not open file %.900s for reading.", file);
    >         packet_send_debug("If your home is on an NFS volume, it may need to be world-readable.");
    >         /* Restore the privileged uid. */
    >         restore_uid();
    >         return 0;
    >     }
    >
    >     if (options.strict_modes &&
    >         secure_filename(f, file, pw, line, sizeof(line)) != 0) {
    >         fclose(f);
    >         log("Authentication refused: %s", line);
    >         restore_uid();
    >         return 0;
    >     }
    >
    >     key = key_new(KEY_RSA);
    >
    >     /*
    >      * Get the public key from the file. If ok, perform a
    >      * challenge-response dialog to verify that the user has
    >      * the right IC card.
    >      */
    >     if (fread(n_e, sizeof n_e, 1, f) < 1) {
    >         /* Release the file and the key on the error path too. */
    >         fclose(f);
    >         key_free(key);
    >         restore_uid();
    >         packet_send_debug("Read file %.900s error.", file);
    >         return 0;
    >     }
    >     /* The first 128 bytes are the modulus n, the last 3 the exponent e. */
    >     key->rsa->n = BN_bin2bn(n_e, 128, NULL);
    >     key->rsa->e = BN_bin2bn(n_e + 128, 3, NULL);
    >
    >     /* Restore the privileged uid. */
    >     restore_uid();
    >
    >     /* Close the file. */
    >     fclose(f);
    >
    >     /* return key if allowed */
    >     if (rkey != NULL) {
    >         *rkey = key;
    >         return 1;
    >     } else {
    >         key_free(key);
    >         return 0;
    >     }
    > }
    >
    > Everything is ok if in sshd_config: "UsePrivilegeSeparation no".
    > If I set "UsePrivilegeSeparation" yes, the stat() in the function always
    > returns <0, but the file does exist.
    > I set the file as:
    > /home/peter/.icc/authorized_key peter.peter rw-r--r--
    >
    > Why can't the sshd access the file in privsep?
    > Please help me.
    > Thank you.
    >
    > xhtech. Beijing

    -- 
    James Dennis
    Harvard Law School
    "Not everything that counts can be counted,
    and not everything that can be counted counts."
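
A minimal sketch of the re-ordering suggested in the reply, added here as an example; it is not OpenSSH's monitor code and not code from either poster. The privileged parent reads the key file and hands the 131-byte blob to the jailed child over a socketpair. The function names, the one-byte 'K' request and uid/gid 65534 are assumptions for the illustration, and the chroot step only runs when started as root on a system where /var/empty exists.

```c
#define _DEFAULT_SOURCE   /* exposes chroot() and setgroups() in glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
#define KEY_LEN 131       /* 128-byte n + 3-byte e, as in the post */
#define UNPRIV  65534     /* assumed uid/gid for the jailed child */

/* Monitor: outside the jail; it reads the file and picks the path itself. */
static void monitor_serve(int s, const char *path)
{
    unsigned char key[KEY_LEN];
    char req;
    FILE *f;
    if (read(s, &req, 1) != 1 || req != 'K' || !(f = fopen(path, "rb"))) return;
    if (fread(key, KEY_LEN, 1, f) == 1 && write(s, key, KEY_LEN) != KEY_LEN)
        perror("monitor write");
    fclose(f);
}

/* Child: jailed when started as root; 0 = key arrived via the monitor. */
static int child_fetch(int s, const char *path)
{
    unsigned char key[KEY_LEN];
    struct stat st;
    if (geteuid() == 0 && chroot("/var/empty") == 0) {
        if (chdir("/") || setgroups(0, NULL) || setgid(UNPRIV) || setuid(UNPRIV))
            return 2;                        /* never run half-dropped */
        if (stat(path, &st) == 0) return 3;  /* jail should hide the file */
    }
    if (write(s, "K", 1) != 1) return 1;     /* request type only, no path */
    return recv(s, key, KEY_LEN, MSG_WAITALL) == KEY_LEN ? 0 : 1;
}

/* Forks the child and returns its exit status (0 on success, -1 on error). */
int privsep_fetch_key(const char *path)
{
    int sv[2], status;
    pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) || (pid = fork()) < 0) return -1;
    if (pid == 0) { close(sv[0]); _exit(child_fetch(sv[1], path)); }
    close(sv[1]);
    monitor_serve(sv[0], path);
    close(sv[0]);                            /* EOF tells the child: no key */
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
```

Call privsep_fetch_key() with the path of a file holding at least 131 bytes; a return of 1 means the monitor could not supply the key.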
    
