Re: PRIVSEP annoys me.
From: James Dennis (jdennis@law.harvard.edu)
Date: 03/28/03
- Previous message: Markus Friedl: "Re: PRIVSEP annoys me."
- In reply to: 东方 蠡文: "PRIVSEP annoys me."
- Next in thread: Chris Macneill: "RE: PRIVSEP annoys me. - Part 2"
Date: Fri, 28 Mar 2003 12:45:00 -0500
From: James Dennis <jdennis@law.harvard.edu>
To: 东方 蠡文 <phanix@hotmail.com>, secureshell@securityfocus.com
Because the sshd user is chrooted and doesn't have access to that part
of the file system. It's stuck in /var/empty, which is empty. You'll
have to re-order things.
-James
东方 蠡文 wrote:
>
> I added a new authentication method to OpenSSH called
> ICCAuthentication (IC card).
> When the server receives SSH_CMSG_AUTH_ICC, it reads the RSA public key
> file in the user's home dir (e.g. /home/peter/.icc/authorized_key), gets
> the pubkey, generates a 32 8-bit long random number, encrypts it with the
> pubkey, and sends it to the client as a challenge, just like
> RSAAuthentication. The client then decrypts the challenge with the private
> key in the user's IC card, and sends a response to the server.
>
> Here is the auth_icc_prepare_key() function in my auth-icc.c.
> This function gets the pubkey in the ~/.icc/authorized_key file.
>
> int
> auth_icc_prepare_key(struct passwd *pw, Key **rkey)
> {
>     char line[8192], file[MAXPATHLEN];
>     u_char n_e[131];
>     FILE *f;
>     struct stat st;
>     Key *key;
>
>     /* Temporarily use the user's uid. */
>     temporarily_use_uid(pw);
>
>     /* The authorized key file. */
>     snprintf(file, sizeof file, "%.500s/%.100s", pw->pw_dir,
>         _PATH_SSH_USER_ICC_PERMITTED_KEY);
>
>     debug("trying public RSA key file %s", file);
>
>     /* Fail quietly if file does not exist */
>     /* If UsePrivilegeSeparation is yes, stat() always fails. */
>     if (stat(file, &st) < 0) {
>         /* Restore the privileged uid. */
>         debug("Public key file does not exist.");
>         restore_uid();
>         return 0;
>     }
>
>     /* Open the file containing the authorized keys. */
>     f = fopen(file, "r");
>     if (!f) {
>         packet_send_debug("Could not open file %.900s for reading.", file);
>         packet_send_debug("If your home is on an NFS volume, "
>             "it may need to be world-readable.");
>         /* Restore the privileged uid. */
>         restore_uid();
>         return 0;
>     }
>
>     if (options.strict_modes &&
>         secure_filename(f, file, pw, line, sizeof(line)) != 0) {
>         fclose(f);
>         log("Authentication refused: %s", line);
>         restore_uid();
>         return 0;
>     }
>
>     key = key_new(KEY_RSA);
>
>     /*
>      * Get the public key from the file. If ok, perform a
>      * challenge-response dialog to verify that the user has
>      * the right IC card.
>      */
>     if (fread(n_e, 131, 1, f) < 1) {
>         /* Release the file and the key on the error path as well. */
>         fclose(f);
>         key_free(key);
>         restore_uid();
>         packet_send_debug("Read file %.900s error.", file);
>         return 0;
>     }
>     /* First 128 bytes are the modulus n, the last 3 bytes the exponent e. */
>     key->rsa->n = BN_bin2bn(n_e, 128, NULL);
>     key->rsa->e = BN_bin2bn(n_e + 128, 3, NULL);
>
>     /* Restore the privileged uid. */
>     restore_uid();
>
>     /* Close the file. */
>     fclose(f);
>
>     /* return key if allowed */
>     if (rkey != NULL) {
>         *rkey = key;
>         return 1;
>     } else {
>         key_free(key);
>         return 0;
>     }
> }
>
> Everything is ok if in sshd_config: "UsePrivilegeSeparation no".
> If I set "UsePrivilegeSeparation" yes, the stat() in the function always
> returns <0, but the file does exist.
> I set the file as:
> /home/peter/.icc/authorized_key peter.peter rw-r--r--
>
> Why can sshd not access the file in privsep?
> Please help me.
> Thank you.
>
> xhtech. Beijing
--
James Dennis
Harvard Law School
"Not everything that counts can be counted, and not everything that can be counted counts."
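
The re-ordering suggested in the reply, modelled as an added example (not code from the thread or from OpenSSH): the process that keeps filesystem access reads the 131-byte key file and hands it over a socketpair to the forked child, which never opens a path itself. The names `monitor_answer`, `child_get_key` and `privsep_fetch_key` are hypothetical, and the child's chroot to /var/empty and uid drop are left out so the program runs without root.

```c
/* Added example: a model of the privsep split, not OpenSSH source. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>

#define BLOB_LEN 131  /* 128-byte n + 3-byte e, the layout the posted code reads */

/* Monitor: keeps filesystem access, does the file I/O, sends status + blob. */
static void monitor_answer(int sock, const char *keyfile)
{
    unsigned char reply[1 + BLOB_LEN] = {0};
    FILE *f = fopen(keyfile, "rb");
    if (f != NULL) {
        reply[0] = (fread(reply + 1, BLOB_LEN, 1, f) == 1);
        fclose(f);
    }
    (void)send(sock, reply, sizeof reply, 0);
}

/* Child: never opens a path; it only receives what the monitor hands over. */
static int child_get_key(int sock, unsigned char *reply)
{
    ssize_t n = recv(sock, reply, 1 + BLOB_LEN, MSG_WAITALL);
    return n == 1 + BLOB_LEN && reply[0] == 1;
}

/* Returns 1 if the child got the key via the monitor, 0 if not, -1 if setup failed. */
int privsep_fetch_key(const char *keyfile)
{
    unsigned char reply[1 + BLOB_LEN];
    int sv[2], status = 0;
    pid_t pid;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    if ((pid = fork()) < 0) {
        close(sv[0]); close(sv[1]);
        return -1;
    }
    if (pid == 0) {  /* child: sshd would chroot to /var/empty and drop uid here */
        close(sv[0]);
        _exit(child_get_key(sv[1], reply) ? 0 : 1);
    }
    close(sv[1]);
    monitor_answer(sv[0], keyfile);
    close(sv[0]);
    return waitpid(pid, &status, 0) == pid && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```

In a real monitor the path would be derived from the authenticated user's passwd entry on the monitor side, never taken from the child's request.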