Page 1 of 1

SSHD problem when rbac enabled

PostPosted: Thu Sep 13, 2007 7:27 am
by xperience
I have problem when I enable rbac system.
After initialization via gradm -E everything works correctly, but when I try to connect to the host via ssh I server closes connection and in log I have information like:
sshd: "openpty returns device for which ttyname fails"

My system is HLFS with 2.6.19.2 kernel, sshd is compiled to use privilige separation. Grsec policy is taken from gradm with no modification.
Problem persist even when I give objects to sshd subject like
/dev rwx
/proc rwx
It doesnt happen when rbac is disabled.

Any help is welcome.
xPerience

PostPosted: Tue Sep 18, 2007 1:02 pm
by xperience
As in post above, but I tried to investigate why it doesn't work.

When sshd authorizes connection allocates pty for new session via openpty glibc call. Then tries to get path name to terminal via ttyname call. In ttyname call path name is taken via readlink function of /proc/self/fd.
But when I enable rbac in grsec, there are no fd entries for new processes in /proc/self/fd, but for processes started before rbac enabled have those links already.

My configuration:
HLFS system
glibc-2.5.1
kernel-2.6.22.6 or 2.6.19.2
openssh-4.6p1 or openssh-4.7p1

My rbac policy is:

--------------------
role admin sA
subject / rvka
/ rwcdmlxi

role default G
role_transitions admin
subject /
/ r
/opt rx
/home rwxcd
/mnt rw
/dev
/dev/grsec h
/dev/urandom r
/dev/random r
/dev/zero rw
/dev/input rw
/dev/psaux rw
/dev/null rw
/dev/tty? rw
/dev/console rw
/dev/tty rw
/dev/pts rw
/dev/ptmx rw
/dev/dsp rw
/dev/mixer rw
/dev/initctl rw
/dev/fd0 r
/dev/cdrom r
/dev/mem h
/dev/kmem h
/dev/port h
/bin rx
/sbin rx
/lib rx
/usr rx
# compilation of kernel code should be done within the admin role
/usr/src h
/etc rx
/proc rwx
/proc/kcore h
/proc/sys r
/root r
/tmp rwcd
/var rwxcd
/var/tmp rwcd
/var/log r
# hide the kernel images
/boot h
/etc/grsec h
/etc/ssh h

# if sshd needs to be restarted, it can be done through the admin role
/usr/sbin/sshd

-CAP_KILL
-CAP_SYS_TTY_CONFIG
-CAP_LINUX_IMMUTABLE
-CAP_NET_RAW
-CAP_MKNOD
-CAP_SYS_ADMIN
-CAP_SYS_RAWIO
-CAP_SYS_MODULE
-CAP_SYS_PTRACE
-CAP_NET_ADMIN
-CAP_NET_BIND_SERVICE
-CAP_NET_RAW
-CAP_SYS_CHROOT
-CAP_SYS_BOOT

# RES_AS 100M 100M

# connect 192.168.1.0/24:22 stream tcp
# bind 0.0.0.0 stream dgram tcp udp

# the d flag protects /proc fd and mem entries for sshd
# all daemons should have 'p' in their subject mode to prevent
# an attacker from killing the service (and restarting it with trojaned
# config file or taking the port it reserved to run a trojaned service)

subject /usr/sbin/sshd dpo
/ h
/bin/bash x
/dev h
/dev/log rw
/dev/random r
/dev/urandom r
/dev/null rw
/dev/ptmx rw
/dev/pts rwx
/dev/tty rw
/dev/tty? rw
/etc r
/etc/grsec h
/home
/lib rx
/root
/proc r
/proc/kcore h
/proc/sys h
/proc/self
/proc/self/fd rwx
/proc/self/fd/* rwx
/usr/lib rx
/usr/share/zoneinfo r
/var/log
/var/mail
/var/log/lastlog rw
/var/log/wtmp w
/var/run/sshd
/var/run/utmp rw

-CAP_ALL
+CAP_CHOWN
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_CHROOT
+CAP_SYS_RESOURCE
+CAP_SYS_TTY_CONFIG

subject /usr/X11R6/bin/XFree86
/dev/mem rw

+CAP_SYS_ADMIN
+CAP_SYS_TTY_CONFIG
+CAP_SYS_RAWIO

-PAX_SEGMEXEC
-PAX_PAGEEXEC
-PAX_MPROTECT

subject /usr/bin/ssh
/etc/ssh/ssh_config r

subject /sbin/klogd
+CAP_SYS_ADMIN

subject /sbin/syslog-ng
+CAP_SYS_ADMIN

subject /usr/sbin/fcron
/dev/log rw

subject /bin/login
/dev/log rw
/var/log/wtmp w
/var/log/faillog rwcd
/var/log/lastlog rw

subject /sbin/agetty
/var/log/wtmp w

subject /sbin/init
/var/log/wtmp w
/etc/rc.d/init.d/sysklogd x
/bin/bash x
/bin/login

subject /etc/rc.d/init.d/bin/dd
+CAP_SYS_ADMIN

subject /sbin/init:/bin/bash
+CAP_SYS_TTY_CONFIG

PostPosted: Thu Sep 20, 2007 5:50 am
by xperience
It started to work when I removed "o" option from sshd subject. But I don't know it is right or not.

same problem, detailed report

PostPosted: Thu Sep 27, 2007 4:26 am
by Einon
Hi!

I run into the same problem. Here is a bit more detailed report:

Code: Select all
einon@misato:~$ ssh -vvv root@X.Y.Z.V
OpenSSH_4.6p1 Debian-5, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to X.Y.Z.V [X.Y.Z.V] port 22.
debug1: Connection established.
[...]
debug1: Authentication succeeded (publickey).
debug2: fd 6 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
[...]
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i0/0 o0/0 fd 4/5 cfd -1)

debug3: channel 0: close_fds r 4 w 5 e 6 c -1
debug1: fd 2 clearing O_NONBLOCK
Connection to X.Y.Z.V closed by remote host.
Connection to X.Y.Z.V closed.
debug1: Transferred: stdin 0, stdout 0, stderr 85 bytes in 0.1 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 1198.8
debug1: Exit status -1
einon@misato:~$


output of sshd on server in debug mode:

Code: Select all
server:~# /usr/sbin/sshd -D -ddd
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 652
debug2: parse_server_config: config /etc/ssh/sshd_config len 652
debug3: /etc/ssh/sshd_config:5 setting Port 22
debug3: /etc/ssh/sshd_config:9 setting Protocol 2
debug3: /etc/ssh/sshd_config:11 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: /etc/ssh/sshd_config:12 setting HostKey /etc/ssh/ssh_host_dsa_key
debug3: /etc/ssh/sshd_config:14 setting UsePrivilegeSeparation yes
debug3: /etc/ssh/sshd_config:17 setting KeyRegenerationInterval 3600
debug3: /etc/ssh/sshd_config:18 setting ServerKeyBits 768
debug3: /etc/ssh/sshd_config:21 setting SyslogFacility AUTH
debug3: /etc/ssh/sshd_config:22 setting LogLevel INFO
debug3: /etc/ssh/sshd_config:25 setting LoginGraceTime 120
debug3: /etc/ssh/sshd_config:26 setting PermitRootLogin yes
debug3: /etc/ssh/sshd_config:27 setting StrictModes yes
debug3: /etc/ssh/sshd_config:29 setting RSAAuthentication yes
debug3: /etc/ssh/sshd_config:30 setting PubkeyAuthentication yes
debug3: /etc/ssh/sshd_config:34 setting IgnoreRhosts yes
debug3: /etc/ssh/sshd_config:36 setting RhostsRSAAuthentication no
debug3: /etc/ssh/sshd_config:38 setting HostbasedAuthentication no
debug3: /etc/ssh/sshd_config:43 setting PermitEmptyPasswords no
debug3: /etc/ssh/sshd_config:47 setting ChallengeResponseAuthentication no
debug3: /etc/ssh/sshd_config:50 setting PasswordAuthentication yes
debug3: /etc/ssh/sshd_config:62 setting X11Forwarding no
debug3: /etc/ssh/sshd_config:63 setting X11DisplayOffset 10
debug3: /etc/ssh/sshd_config:64 setting PrintMotd no
debug3: /etc/ssh/sshd_config:65 setting PrintLastLog no
debug3: /etc/ssh/sshd_config:66 setting TCPKeepAlive yes
debug3: /etc/ssh/sshd_config:73 setting AcceptEnv LANG LC_*
debug3: /etc/ssh/sshd_config:75 setting Subsystem sftp /usr/lib/openssh/sftp-server
debug1: sshd version OpenSSH_4.6p1 Debian-5
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-D'
debug1: rexec_argv[2]='-ddd'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
socket: Address family not supported by protocol
debug3: fd 4 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 7 config len 652
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug1: inetd sockets after dupping: 3, 3
Connection from V.Z.Y.X port 63714
debug1: Client protocol version 2.0; client software version OpenSSH_4.6p1 Debian-2
debug1: match: OpenSSH_4.6p1 Debian-2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.6p1 Debian-5
[...]
Accepted publickey for root from V.Z.Y.X port 63714 ssh2
[...]
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request pty-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
openpty returns device for which ttyname fails.
debug1: do_cleanup
debug1: session_pty_cleanup: session 0 release
chown  0 0 failed: No such file or directory
chmod  0666 failed: No such file or directory
server:~#


The relevant part with strace:

Code: Select all
write(2, "debug1: Allocating pty.\r\n", 25 ) = 25
open("/dev/ptmx", O_RDWR)               = 6
statfs("/dev/pts", {f_type="DEVPTS_SUPER_MAGIC", f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0
ioctl(6, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(6, TIOCGPTN, [4])                 = 0
stat64("/dev/pts/4", {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 4), ...}) = 0
statfs("/dev/pts/4", {f_type="DEVPTS_SUPER_MAGIC", f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0
ioctl(6, TIOCSPTLCK, [0])               = 0
ioctl(6, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(6, TIOCGPTN, [4])                 = 0
stat64("/dev/pts/4", {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 4), ...}) = 0
open("/dev/pts/4", O_RDWR|O_NOCTTY)     = 7
ioctl(7, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
readlink("/proc/self/fd/7", 0x80073210, 4095) = -1 ENOENT (No such file or directory)
write(2, "openpty returns device for which"..., 49 ) = 49
write(2, "debug1: do_cleanup\r\n", 20 )  = 20
write(2, "debug1: session_pty_cleanup: ses"..., 49 ) = 49
getuid32()                              = 0
chown32("", 0, 0)                       = -1 ENOENT (No such file or directory)
write(2, "chown  0 0 failed: No such file "..., 46 ) = 46
chmod("", 0666)                         = -1 ENOENT (No such file or directory)
write(2, "chmod  0666 failed: No such file"..., 47 ) = 47
close(0)                                = 0
exit_group(255)                         = ?
Process 7334 detached


sshd acl is:

Code: Select all
subject /usr/sbin/sshd dpko {
        /                       h
        /bin/bash               x

        /dev
        /dev/log*               rw
        /dev/ptmx               rw
        /dev/pts                rw
        /dev/tty                rw
        /dev/tty?               rw
        /dev/null               rwa
        /dev/urandom            r
        /dev/random             r

        /etc                    r
        /etc/ssh                r
        /etc/grsec              h
        /etc/nsswitch.conf              r
        /etc/nss-mysql.conf             r
        /etc/resolv.conf                r
        /etc/hosts                      r
        /etc/host.conf                  r
        /etc/ld.so.cache                r
       
        /home                   r
        /root

        /proc                   r
        /proc/kcore             h
        /proc/sys               h

        /lib                    rx
        /usr/lib                rx

        /usr/share              r
        /var/mail
        /var/run/utmp           rw
        /var/run/sshd
        /var/run/sshd.pid       rw
        /var/run/motd           r
        /var/run/.nscd_socket           rw
       
        /var/log               
        /var/log/lastlog        rwa
        /var/log/wtmp           rwa
       
        /root/.ssh/authorized_keys      r
        /proc/sys/kernel/version        s

        include </etc/grsec2/local/ssh>

        -CAP_ALL
        +CAP_CHOWN
        +CAP_SETGID
        +CAP_SETUID
        +CAP_SYS_CHROOT
        +CAP_SYS_RESOURCE
        +CAP_SYS_TTY_CONFIG
        +CAP_DAC_OVERRIDE
        +CAP_NET_ADMIN

        RES_CRASH 1 10m

        connect 0.0.0.0:0 ip                               
        connect 0.0.0.0:22              stream dgram tcp udp
        connect 0.0.0.0/0:53            stream dgram ip tcp udp
        connect 127.0.0.1:3307          stream tcp
        connect 81.2.253.201:3307       stream tcp

        bind    0.0.0.0/0:22            stream tcp
}


sshd: 4.3p2-9
libc6: 2.6.1-1+b1
kernel: 2.6.22.6
grsec+gradm: 2.1.11

removing o from subject line does not help.

There is no grsec error in the syslog. So I'm out of ideas now.
Without RBAC it works

PostPosted: Sun Oct 07, 2007 4:01 pm
by xperience
I left only p option. Works fine. But I supose there might be some security impact.