Re: SSH breaks RBAC

From: Richard E. Silverman (slade@shore.net)
Date: 05/17/02


    From: slade@shore.net (Richard E. Silverman)
    Date: 17 May 2002 17:01:36 -0400
    
    

    First of all -- details? What SSH? What OS? What is "RBAC?"

    I'm going to guess the answers are perhaps OpenSSH, Solaris 8, and
    Role-Based Access Control, but this is not obvious. There are "3.1"
    versions of both OpenSSH and the ssh.com product. Assuming these are
    correct...

        SM> "SSH breaks RBAC"

    No, SSH didn't "break" anything. You broke your own system by installing
    a non-RBAC-aware program in a security-sensitive position and then
    expecting it to follow RBAC rules. Perhaps you misunderstand how RBAC
    works. It does not directly enforce restrictions on who can make system
    calls, like e.g. the VMS mandatory access controls (different privilege
    bits for "mount volume," "read all files," etc.). It establishes a system
    for defining roles, "transactions" which those roles are authorized to
    execute, and a method for users to assume those roles. Role authorization
    must be checked by each program granting a right; that is, privileged
    programs must be made RBAC-aware. OpenSSH is not. I don't know of an SSH
    implementation that is. Perhaps Sun has plans to integrate RBAC into its
    OpenSSH port at some point?

    You might be able to get the effect you want by causing sshd to use an
    RBAC-aware program at some critical point. For instance, if you set
    "UseLogin yes" to have it use the host's login program, and login enforces
    the RBAC restrictions, then maybe you'll get what you want. However, you
    should check carefully. A particular sshd might use login only for
    interactive logins; an SSH connection which only executes a remote
    command might bypass that, as might a connection which creates no session
    channel but exists only to allow port forwarding.

    -- 
      Richard Silverman
      slade@shore.net
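
The check suggested in the message above, as an added example that is not part of the original post: a Python model of which SSH connection types pass through login(1) for a given sshd_config. It assumes OpenSSH's documented behaviour that UseLogin applies to interactive sessions only; the function names and the sample configuration are constructed for illustration.

```python
import re

# Added example (not from the original post). Models which SSH connection
# types pass through login(1) for a given sshd_config. Assumes OpenSSH's
# documented behaviour: UseLogin affects interactive sessions only.

SAMPLE_CONFIG = """\
# constructed sample, not a real host's configuration
Protocol 2
UseLogin yes
uselogin no
AllowTcpForwarding yes
"""

def effective_options(config_text):
    """Parse global sshd_config options; the first value for a keyword wins."""
    opts = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        if parts[0].lower() == "match":   # conditional blocks are not modelled
            break
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip().strip('"').lower())
    return opts

def login_coverage(config_text):
    """Return {connection type: True/False/None}; None means type disabled."""
    opts = effective_options(config_text)
    use_login = opts.get("uselogin", "no") == "yes"               # default no
    forwarding = opts.get("allowtcpforwarding", "yes") != "no"    # default yes
    return {
        "interactive shell": use_login,
        "remote command": False,   # exec requests never invoke login(1)
        "forwarding only": False if forwarding else None,  # no session channel
    }

def unmediated_paths(config_text):
    """Connection types that reach the host without login's RBAC checks."""
    return [k for k, v in login_coverage(config_text).items() if v is False]

if __name__ == "__main__":
    for kind, covered in login_coverage(SAMPLE_CONFIG).items():
        print(f"{kind:18} via login(1): {covered}")
```

Any entry reported as unmediated is a path where restrictions enforced by login do not apply, so it needs its own control or has to be disabled.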
    


