Debian Bug report logs - #189425
PrivSep option doesn't work on GNU/Hurd (pending patch)

Package: openssh; Maintainer for openssh is Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>;

Reported by: Robert Millan <rmh@aybabtu.com>

Date: Thu, 17 Apr 2003 16:33:04 UTC

Severity: normal

Tags: moreinfo


Report forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>, openssh@packages.qa.debian.org:
Bug#189425; Package openssh. Full text and rfc822 format available.

Acknowledgement sent to Robert Millan <zeratul2@wanadoo.es>:
New Bug report received and forwarded. Copy sent to Matthew Vernon <matthew@debian.org>, openssh@packages.qa.debian.org. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Robert Millan <zeratul2@wanadoo.es>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Cc: debian-bsd@lists.debian.org, debian-hurd@lists.debian.org
Subject: openssh: with default config, sshd fails on kernels other than Linux > 2.0
Date: Thu, 17 Apr 2003 18:24:24 +0200

Package: openssh
Version: unavailable; reported 2003-04-17
Severity: normal

As noted in the debconf template:

  NB! If you are running a 2.0 series Linux kernel, then privilege
  separation will not work at all, and your sshd will fail to start
  unless you explicitly turn privilege separation off.

I suggest that defaults are reverted for both when sshd_config needs
to be generated in postinst and when sshd_config is taken from the
packaged file, so that any kernel other than Linux later than 2.0
gets a default config without privilege separation.

On the non-Linux ports: note that privilege separation is not supported
on GNU, and will probably never be, since it has a different concept of
user privileges. I'm not sure about the *BSD ports.

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux aragorn 2.2.22 #1 dl nov 25 21:59:43 CET 2002 i586
Locale: LANG=ca_ES.ISO-8859-1, LC_CTYPE=ca_ES@euro (ignored: LC_ALL set)



Message #10 received at 189425@bugs.debian.org (full text, mbox):

From: Colin Watson <cjwatson@debian.org>
To: Robert Millan <zeratul2@wanadoo.es>, 189425@bugs.debian.org
Cc: debian-bsd@lists.debian.org, debian-hurd@lists.debian.org
Subject: Re: Bug#189425: openssh: with default config, sshd fails on kernels other than Linux > 2.0
Date: Sun, 27 Apr 2003 16:49:53 +0100

On Thu, Apr 17, 2003 at 06:24:24PM +0200, Robert Millan wrote:
> Package: openssh
> Version: unavailable; reported 2003-04-17
> Severity: normal
> 
> As noted in the debconf template:
> 
>   NB! If you are running a 2.0 series Linux kernel, then privilege
>   separation will not work at all, and your sshd will fail to start
>   unless you explicitly turn privilege separation off.
> 
> I suggest that defaults are reverted for both when sshd_config needs
> to be generated in postinst and when sshd_config is taken from the
> packaged file, so that any kernel other than Linux later than 2.0
> gets a default config without privilege separation.

Now that we've gone to all the effort of introducing it, I do think that
the default should be to enable privilege separation; the cases where
it's a problem are exceptions (PAM is still a problem, but I think
that's going to be improved upstream soon). We could turn it off for
some specific known cases, though. If you could provide a reasonably
reliable way to identify them then that would be helpful.

However, if at all possible I'd prefer to fix privsep.

> On the non-Linux ports: note that privilege separation is not supported
> on GNU, and will probably never be, since it has a different concept of
> user privileges.

I don't understand why. Privilege separation just requires a separate
user and group which is used for processing network data, the ability
for sshd running as root to setuid(), setgid(), and setgroups() to that
user and group, and an empty chroot. I didn't think GNU was so different
that this would be unavailable; in fact, I would expect all of these
features to be available on any Debian system. The reason why privilege
separation doesn't work on Linux 2.0 was originally due to the lack of
anonymous memory mapping, and now that that has been worked around it's
due to a simple bug (#150976).

Could you please explain the problem on GNU in more detail?

> I'm not sure about the *BSD ports.

Since privilege separation was developed on BSD, it seems highly likely
that the BSD ports will support it.

Cheers,

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]
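
The requirements listed in the message above (an empty chroot, then setgroups(), setgid() and setuid() to a dedicated user and group), written out as a probe that reports which step fails on a given system. This is an added example, not OpenSSH's code and not part of the thread; the ids 65534 and the /tmp scratch directory are assumptions, and every step after the emptiness check needs root.

```c
#define _DEFAULT_SOURCE  /* chroot(), setgroups(), mkdtemp() on glibc */
#include <dirent.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

enum step { STEP_OK, STEP_EMPTY, STEP_CHROOT, STEP_SETGROUPS, STEP_SETGID,
            STEP_SETUID, STEP_VERIFY, STEP_FORK };

/* 1 if dir holds only "." and "..", 0 if it has entries, -1 on error. */
int dir_is_empty(const char *dir)
{
    DIR *d = opendir(dir);
    struct dirent *e;
    int empty = 1;
    if (d == NULL) return -1;
    while ((e = readdir(d)) != NULL)
        if (strcmp(e->d_name, ".") != 0 && strcmp(e->d_name, "..") != 0)
            empty = 0;
    closedir(d);
    return empty;
}

/* Runs in the process that will parse network data. Order matters:
 * chroot() needs root, and the group calls must come before setuid(). */
static enum step drop_privileges(const char *dir, uid_t uid, gid_t gid)
{
    gid_t only[1] = { gid };
    if (dir_is_empty(dir) != 1) return STEP_EMPTY;
    if (chroot(dir) != 0 || chdir("/") != 0) return STEP_CHROOT;
    if (setgroups(1, only) != 0) return STEP_SETGROUPS;
    if (setgid(gid) != 0) return STEP_SETGID;
    if (setuid(uid) != 0) return STEP_SETUID;
    /* The drop must be irreversible: regaining uid or gid 0 has to fail. */
    if (setuid(0) == 0 || setgid(0) == 0) return STEP_VERIFY;
    return STEP_OK;
}

/* Attempt the drop in a throwaway child; return the step that failed. */
int privsep_probe(const char *dir, uid_t uid, gid_t gid)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return STEP_FORK;
    if (pid == 0) _exit(drop_privileges(dir, uid, gid));
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return STEP_FORK;
    return WEXITSTATUS(status);
}

int main(void)
{
    char dir[] = "/tmp/privsep-XXXXXX";        /* constructed scratch dir */
    if (mkdtemp(dir) == NULL) return 1;
    int r = privsep_probe(dir, 65534, 65534);  /* assumed unprivileged ids */
    printf("privsep probe stopped at step %d (0 = every step succeeded)\n", r);
    rmdir(dir);
    return r;
}
```
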



Message #15 received at 189425@bugs.debian.org (full text, mbox):

From: neal@cs.uml.edu (Neal H. Walfield)
To: Colin Watson <cjwatson@debian.org>
Cc: Robert Millan <zeratul2@wanadoo.es>, 189425@bugs.debian.org, debian-bsd@lists.debian.org, debian-hurd@lists.debian.org
Subject: Re: Bug#189425: openssh: with default config, sshd fails on kernels other than Linux > 2.0
Date: 27 Apr 2003 12:15:25 -0400

> I don't understand why. Privilege separation just requires a separate
> user and group which is used for processing network data, the ability
> for sshd running as root to setuid(), setgid(), and setgroups() to that
> user and group, and an empty chroot. I didn't think GNU was so different
> that this would be unavailable; in fact, I would expect all of these
> features to be available on any Debian system. 

[snip]

> Could you please explain the problem on GNU in more detail?

There should be no reason (barring bugs) why privilege separation
should not work on a Hurd based system.  I believe the objection is
that there is a better method on GNU.  This method would involve an
enhanced password server and ssh dropping all privileges on startup.
Thus when it interacted with the user (e.g. negotiated the connection
and obtained the required data for authentication), it would be less
than the other user.  Once it had obtained the authentication data, it
would contact the password server to attempt to gain authorization.

Take a look at this slide [1] and the eight following it.  They
address ftp and not ssh, however, the same principle would be used.


[1] http://web.walfield.org/papers/hurd-conference-ccc-20011228/html/mgp00014.html



Message #20 received at 189425@bugs.debian.org (full text, mbox):

From: Robert Millan <zeratul2@wanadoo.es>
To: Colin Watson <cjwatson@debian.org>
Cc: 189425@bugs.debian.org, debian-hurd@lists.debian.org, debian-bsd@lists.debian.org
Subject: Re: Bug#189425: openssh: with default config, sshd fails on kernels other than Linux > 2.0
Date: Mon, 28 Apr 2003 02:10:16 +0200

On Sun, Apr 27, 2003 at 04:49:53PM +0100, Colin Watson wrote:
> > On the non-Linux ports: note that privilege separation is not supported
> > on GNU, and will probably never be, since it has a different concept of
> > user privileges.
> 
> I don't understand why. Privilege separation just requires a separate
> user and group which is used for processing network data, the ability
> for sshd running as root to setuid(), setgid(), and setgroups() to that
> user and group, and an empty chroot. I didn't think GNU was so different
> that this would be unavailable; in fact, I would expect all of these
> features to be available on any Debian system. The reason why privilege
> separation doesn't work on Linux 2.0 was originally due to the lack of
> anonymous memory mapping, and now that that has been worked around it's
> due to a simple bug (#150976).
> 
> Could you please explain the problem on GNU in more detail?

Neal just explained what I meant. Privilege handling is one of the typical
features that come out when trying to explain GNU's system core (Hurd/Glibc)
design. [*]

I assumed that Privilege Separation was some kernel-specific feature
introduced with Linux 2.1 that probably wasn't worth implementing. But as you
describe it seems simple. Maybe we could have it to keep openssh happy.

Last time I tried, sshd failed to initialise a session on GNU with PrivSep
turned on. Did you mean a PrivSep special API needs to be added, or is sshd
supposed to work on any sane (unlike this one ;)) system?

[*] I just want to add that process spawning and privilege escalation
don't necessarily correspond to the same program. A shell daemon could
just happily spawn a shell with no privileges (unidentified user) to
everyone that requests it (without authentication). Then the "login"
utility could add privileges to him/her, no matter where he/she comes
from, just as it does with the users in local terminal.

-- 
Robert Millan

make: *** No rule to make target `war'.  Stop.

Another world is possible - Just say no to genocide



Message #25 received at 189425@bugs.debian.org (full text, mbox):

From: Colin Watson <cjwatson@debian.org>
To: Robert Millan <zeratul2@wanadoo.es>
Cc: 189425@bugs.debian.org, debian-hurd@lists.debian.org
Subject: Re: Bug#189425: openssh: with default config, sshd fails on kernels other than Linux > 2.0
Date: Mon, 28 Apr 2003 01:50:26 +0100

[removing debian-bsd]

On Mon, Apr 28, 2003 at 02:10:16AM +0200, Robert Millan wrote:
> On Sun, Apr 27, 2003 at 04:49:53PM +0100, Colin Watson wrote:
> > I don't understand why. Privilege separation just requires a
> > separate user and group which is used for processing network data,
> > the ability for sshd running as root to setuid(), setgid(), and
> > setgroups() to that user and group, and an empty chroot. I didn't
> > think GNU was so different that this would be unavailable; in fact,
> > I would expect all of these features to be available on any Debian
> > system. The reason why privilege separation doesn't work on Linux
> > 2.0 was originally due to the lack of anonymous memory mapping, and
> > now that that has been worked around it's due to a simple bug
> > (#150976).
> > 
> > Could you please explain the problem on GNU in more detail?
> 
> Neal just explained what I meant. Privilege handling is one of the
> typical features that come out when trying to explain GNU's system
> core (Hurd/Glibc) design. [*]
> 
> I assumed that Privilege Separation was some kernel-specific feature
> introduced with Linux 2.1 that probably wasn't worth implementing. But as
> you describe it seems simple. Maybe we could have it to keep openssh
> happy.

It's not a kernel feature, it's an OpenSSH feature. It is not something
you need to implement. It's simply a name for the way the code in sshd
that interacts with network data during authentication runs with as
close to zero privileges as possible to isolate the potential damage
caused by any programming errors in that (substantial) part of the code.

I appreciate that there are other things made possible by GNU's
architecture, but until someone writes the code privsep is still useful.

> Last time I tried, sshd failed to initialise a session on GNU with
> PrivSep turned on. Did you mean a PrivSep special API needs to be
> added, or is sshd supposed to work on any sane (unlike this one ;))
> system?

Privsep should on the whole be fairly portable, although it occasionally
needs tweaking. It should be a perfectly normal porting task for you
guys though. Running sshd with the -ddd option (lots of debugging) may
provide some clues.

Cheers,

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]



Message #30 received at 189425@bugs.debian.org (full text, mbox):

From: Robert Millan <zeratul2@wanadoo.es>
To: Colin Watson <cjwatson@debian.org>
Cc: 189425@bugs.debian.org, debian-hurd@lists.debian.org
Subject: Re: Bug#189425: openssh: with default config, sshd fails on kernels other than Linux > 2.0
Date: Mon, 28 Apr 2003 19:14:36 +0200

retitle 189425 PrivSep option doesn't work on GNU/Hurd (pending patch)
thanks

On Mon, Apr 28, 2003 at 01:50:26AM +0100, Colin Watson wrote:
> [removing debian-bsd]
> Privsep should on the whole be fairly portable, although it occasionally
> needs tweaking. It should be a perfectly normal porting task for you
> guys though. Running sshd with the -ddd option (lots of debugging) may
> provide some clues.

OK, someone should look at that. I'm retitling the bug.

-- 
Robert Millan

make: *** No rule to make target `war'.  Stop.

Another world is possible - Just say no to genocide



Changed Bug title. Request was from Robert Millan <zeratul2@wanadoo.es> to control@bugs.debian.org. Full text and rfc822 format available.

Message #37 received at 189425@bugs.debian.org (full text, mbox):

From: Colin Watson <cjwatson@debian.org>
To: Robert Millan <zeratul2@wanadoo.es>
Cc: 189425@bugs.debian.org, debian-hurd@lists.debian.org, control@bugs.debian.org
Subject: Re: Bug#189425: openssh: with default config, sshd fails on kernels other than Linux > 2.0
Date: Wed, 3 Sep 2003 09:35:40 +0100

tags 189425 moreinfo
thanks

On Mon, Apr 28, 2003 at 07:14:36PM +0200, Robert Millan wrote:
> retitle 189425 PrivSep option doesn't work on GNU/Hurd (pending patch)
> thanks
> 
> On Mon, Apr 28, 2003 at 01:50:26AM +0100, Colin Watson wrote:
> > [removing debian-bsd]
> > Privsep should on the whole be fairly portable, although it occasionally
> > needs tweaking. It should be a perfectly normal porting task for you
> > guys though. Running sshd with the -ddd option (lots of debugging) may
> > provide some clues.
> 
> OK, someone should look at that. I'm retitling the bug.

Hi,

Is anyone looking at this? I would rather not leave this open with no
information beyond a vague "it failed last time I tried"; we have enough
bugs to deal with as it is.

The ssh package currently in the archive for hurd-i386 should be quite
adequate for somebody to install this and at least try it out.

Thanks,

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]



Tags added: moreinfo Request was from Colin Watson <cjwatson@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Message #44 received at 189425@bugs.debian.org (full text, mbox):

From: Robert Millan <zeratul2@wanadoo.es>
To: Colin Watson <cjwatson@debian.org>
Cc: 189425@bugs.debian.org, debian-hurd@lists.debian.org
Subject: Re: Bug#189425: openssh: with default config, sshd fails on kernels other than Linux > 2.0
Date: Thu, 4 Sep 2003 16:17:21 +0000

On Wed, Sep 03, 2003 at 09:35:40AM +0100, Colin Watson wrote:
> tags 189425 moreinfo
> thanks
> 
> On Mon, Apr 28, 2003 at 07:14:36PM +0200, Robert Millan wrote:
> > retitle 189425 PrivSep option doesn't work on GNU/Hurd (pending patch)
> > thanks
> 
> Hi,
> 
> Is anyone looking at this? I would rather not leave this open with no
> information beyond a vague "it failed last time I tried"; we have enough
> bugs to deal with as it is.
> 
> The ssh package currently in the archive for hurd-i386 should be quite
> adequate for somebody to install this and at least try it out.

I don't currently have a usable GNU system to try with this (blame the kid
who cracked gnuftp), please could anyone do it?

IIRC the problem is with default configuration (i.e., PrivSep enabled) sshd
doesn't accept logins.

Colin: please keep the bug open until fixed, it'd be very impractical for us
to lose all the logged information.

-- 
Robert Millan

"[..] but the delight and pride of Aule is in the deed of making, and in the
thing made, and neither in possession nor in his own mastery; wherefore he
gives and hoards not, and is free from care, passing ever on to some new work."

 -- J.R.R.T, Ainulindale (Silmarillion)



Changed Bug submitter from Robert Millan <zeratul2@wanadoo.es> to Robert Millan <rmh@debian.org>. Request was from Robert Millan <rmh@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Changed Bug submitter from Robert Millan <rmh@debian.org> to Robert Millan <rmh@aybabtu.com>. Request was from Robert Millan <rmh@aybabtu.com> to control@bugs.debian.org. Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 09:45:36 2014; Machine Name: buxtehude.debian.org