openssh, p am and afs.workshop.openafs.org/afsbpw07/talks/simon2.pdf · 2007-05-10 · c om...
TRANSCRIPT
![Page 1: OpenSSH, P AM and AFS.workshop.openafs.org/afsbpw07/talks/simon2.pdf · 2007-05-10 · C om plication 1: P rivsep This model has a root owned process answering and handling all network](https://reader033.vdocuments.net/reader033/viewer/2022050111/5f490f2ede19cf3eac6febae/html5/thumbnails/1.jpg)
OpenSSH, PAM and AFS.
A N U N H O L Y T R I N I T Y ?
![Page 2: OpenSSH, P AM and AFS.workshop.openafs.org/afsbpw07/talks/simon2.pdf · 2007-05-10 · C om plication 1: P rivsep This model has a root owned process answering and handling all network](https://reader033.vdocuments.net/reader033/viewer/2022050111/5f490f2ede19cf3eac6febae/html5/thumbnails/2.jpg)
Overview
Lots of people have issues with getting AFS and OpenSSH working together
Quickly cover the causes of these
Not a general AFS & PAM talk - Russ will do that tomorrow!
![Page 3: OpenSSH, P AM and AFS.workshop.openafs.org/afsbpw07/talks/simon2.pdf · 2007-05-10 · C om plication 1: P rivsep This model has a root owned process answering and handling all network](https://reader033.vdocuments.net/reader033/viewer/2022050111/5f490f2ede19cf3eac6febae/html5/thumbnails/3.jpg)
Basic ssh Architecture
Incoming connections are answered by a process
That process forks off a shell, and forwards network connections to the shell
root user
sshd shell
![Page 4: OpenSSH, P AM and AFS.workshop.openafs.org/afsbpw07/talks/simon2.pdf · 2007-05-10 · C om plication 1: P rivsep This model has a root owned process answering and handling all network](https://reader033.vdocuments.net/reader033/viewer/2022050111/5f490f2ede19cf3eac6febae/html5/thumbnails/4.jpg)
Complication 1:Privsep
This model has a root owned process answering and handling all network traffic
Buffer overflows & other bugs in any part sshd result in machine compromise
OpenSSH’s solution is privsep
Have a minimal state machine to perform trusted acts. Everything else (especially network actions) in an untrusted process
![Page 5: OpenSSH, P AM and AFS.workshop.openafs.org/afsbpw07/talks/simon2.pdf · 2007-05-10 · C om plication 1: P rivsep This model has a root owned process answering and handling all network](https://reader033.vdocuments.net/reader033/viewer/2022050111/5f490f2ede19cf3eac6febae/html5/thumbnails/5.jpg)
PrivsepRough model for an authenticated connection is:
nobody user
root sshd monitor
sshd shell
Not quite so simple, unfortunately ...
![Page 6: OpenSSH, P AM and AFS.workshop.openafs.org/afsbpw07/talks/simon2.pdf · 2007-05-10 · C om plication 1: P rivsep This model has a root owned process answering and handling all network](https://reader033.vdocuments.net/reader033/viewer/2022050111/5f490f2ede19cf3eac6febae/html5/thumbnails/6.jpg)
Privsep Complexities
root
sshd root
rootuser
user
Unpriviledged process forked to handle incoming network trafficExisting process remains as root owned ‘monitor’, and handles user authentication
Initial incoming connection
Following authentication, unpriviledged ‘sshd’ user process exitsRoot owned ‘monitor’ forks user owned process to handle continued network accessMonitor forks process to own user’s cellChild sets up sessionShell is exec’d
sshd
monitor
monitor
shell
privsep
privsep
![Page 7: OpenSSH, P AM and AFS.workshop.openafs.org/afsbpw07/talks/simon2.pdf · 2007-05-10 · C om plication 1: P rivsep This model has a root owned process answering and handling all network](https://reader033.vdocuments.net/reader033/viewer/2022050111/5f490f2ede19cf3eac6febae/html5/thumbnails/7.jpg)
Adding Pam to The Mix
Authentication happens in one process
Credentials storage happens in another
root
sshd root
rootuser
user
sshd
monitor
monitor
shell
privsep
privsep
![Page 8: OpenSSH, P AM and AFS.workshop.openafs.org/afsbpw07/talks/simon2.pdf · 2007-05-10 · C om plication 1: P rivsep This model has a root owned process answering and handling all network](https://reader033.vdocuments.net/reader033/viewer/2022050111/5f490f2ede19cf3eac6febae/html5/thumbnails/8.jpg)
Challenge response
PAM interaction doesn’t play well with the OpenSSH monitor system.
ChallengeResponse means that another process appears in the mix
This process isn’t related in anyway to the login process.
![Page 9: OpenSSH, P AM and AFS.workshop.openafs.org/afsbpw07/talks/simon2.pdf · 2007-05-10 · C om plication 1: P rivsep This model has a root owned process answering and handling all network](https://reader033.vdocuments.net/reader033/viewer/2022050111/5f490f2ede19cf3eac6febae/html5/thumbnails/9.jpg)
Now With PAM
root
sshd root
rootuser
user
sshd
monitor
monitor
shell
privsep
privsep
rootpam
![Page 10: OpenSSH, P AM and AFS.workshop.openafs.org/afsbpw07/talks/simon2.pdf · 2007-05-10 · C om plication 1: P rivsep This model has a root owned process answering and handling all network](https://reader033.vdocuments.net/reader033/viewer/2022050111/5f490f2ede19cf3eac6febae/html5/thumbnails/10.jpg)
ChallengeResponse and Threads
OpenSSH does support using threads instead of forking a process for ChallengeResponse
Not well tested, or documented!
![Page 11: OpenSSH, P AM and AFS.workshop.openafs.org/afsbpw07/talks/simon2.pdf · 2007-05-10 · C om plication 1: P rivsep This model has a root owned process answering and handling all network](https://reader033.vdocuments.net/reader033/viewer/2022050111/5f490f2ede19cf3eac6febae/html5/thumbnails/11.jpg)
Overview
ChallengeResponse won’t work with PAM modules that expect authentication and credentials storage to happen in the same process
Solution is to use threads, or a pam_krb5 module that is clever
![Page 12: OpenSSH, P AM and AFS.workshop.openafs.org/afsbpw07/talks/simon2.pdf · 2007-05-10 · C om plication 1: P rivsep This model has a root owned process answering and handling all network](https://reader033.vdocuments.net/reader033/viewer/2022050111/5f490f2ede19cf3eac6febae/html5/thumbnails/12.jpg)
Cascading Credential
Renewal
![Page 13: OpenSSH, P AM and AFS.workshop.openafs.org/afsbpw07/talks/simon2.pdf · 2007-05-10 · C om plication 1: P rivsep This model has a root owned process answering and handling all network](https://reader033.vdocuments.net/reader033/viewer/2022050111/5f490f2ede19cf3eac6febae/html5/thumbnails/13.jpg)
Motivation
Credentials expire
Renew on workstation
Then, have to individually renew everywhere else
Must be an easier way!
![Page 14: OpenSSH, P AM and AFS.workshop.openafs.org/afsbpw07/talks/simon2.pdf · 2007-05-10 · C om plication 1: P rivsep This model has a root owned process answering and handling all network](https://reader033.vdocuments.net/reader033/viewer/2022050111/5f490f2ede19cf3eac6febae/html5/thumbnails/14.jpg)
Implementation
GSSAPI Key exchange lets us delegate credentials as a by-product of keying a connection
SSH supports (and encourages) regular connection rekeying
![Page 15: OpenSSH, P AM and AFS.workshop.openafs.org/afsbpw07/talks/simon2.pdf · 2007-05-10 · C om plication 1: P rivsep This model has a root owned process answering and handling all network](https://reader033.vdocuments.net/reader033/viewer/2022050111/5f490f2ede19cf3eac6febae/html5/thumbnails/15.jpg)
Implementation II
Client watches the credentials cache for renewed credentials
When credentials have been renewed, and following sanity checks, it initiates a rekey with the server
Server modified to accept delegated credentials following rekey and, after snatiy checks, store them to disk
![Page 16: OpenSSH, P AM and AFS.workshop.openafs.org/afsbpw07/talks/simon2.pdf · 2007-05-10 · C om plication 1: P rivsep This model has a root owned process answering and handling all network](https://reader033.vdocuments.net/reader033/viewer/2022050111/5f490f2ede19cf3eac6febae/html5/thumbnails/16.jpg)
Code Availability
Patch available now
Two configuration options:
GSSAPIRenewalForcesRekey
GSSAPIStoreCredentialsOnRekey