bugzilla-daemon at mindrot.org
2003-Sep-12 21:59 UTC
[Bug 637] ssh records that the user has logged out even though an sftp session is active
http://bugzilla.mindrot.org/show_bug.cgi?id=637
Summary: ssh records that the user has logged out even though an sftp session is active
Product: Portable OpenSSH
Version: 3.6.1p2
Platform: All
OS/Version: All
Status: NEW
Severity: security
Priority: P1
Component: ssh
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: micah at cs.swt.edu
problem: whenever you start up an ssh session with a graphical ssh client, fork an sftp session, and exit the ssh session, the wtmp log indicates the user has logged out even though they still have an open sftp session.
reproducibility: always
workaround: start up an sftp session first, then fork an ssh session.
I believe this bug is related to "session_destroy_all(NULL);" in "server_loop2(Authctxt *authctxt)" from "serverloop.c". it appears that the sftp session is being closed in the wtmp log whenever the parent ssh process exits.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2003-Sep-12 22:59 UTC
------- Additional Comments From mouring at eviladmin.org 2003-09-13 08:59 -------
sftp sessions never create a 'wtmp' entry. So I don't see this as really a bug.
bugzilla-daemon at mindrot.org
2003-Sep-13 00:44 UTC
------- Additional Comments From micah at cs.swt.edu 2003-09-13 10:44 -------
so if the user is actively using an sftp session they aren't logged on? all of the major ftp servers seem to disagree with your stance as they DO log to the wtmp log whenever a user begins and ends an ftp session. therefore, the sftp server needs to log user logons/logoffs to the wtmp log. if you don't, the wtmp log will not be accurate and some institutions, such as universities, need accurate logs of who is using the system at all times.
bugzilla-daemon at mindrot.org
2003-Sep-13 05:24 UTC
mouring at eviladmin.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |INVALID
------- Additional Comments From mouring at eviladmin.org 2003-09-13 15:24 -------
> [..] major ftp servers seem to disagree [..]
Who said sshd was an ftp server? Ignoring the fact this 'feature' was added about four/five years ago, against a lot of people's beliefs that it was an abuse of the wtmp file.
Besides, there is no clear way of saying "this is an sftp session". Tagging all subsystems as a 'must have wtmp' is wrong since subsystems are a generic concept. And you can always do 'sftp -1 localhost' under OpenSSH which skips the subsystem since the SSH v1 protocol does not support it.
try:
ssh localhost /bin/ksh
or
scp file localhost:/tmp
or
ssh localhost 'cat /my/file' > file
none of them create a wtmp entry. Try the rsh versions and you'll see they have the same behavior.
- Ben
bugzilla-daemon at mindrot.org
2003-Sep-13 07:04 UTC
micah at cs.swt.edu changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|INVALID |
------- Additional Comments From micah at cs.swt.edu 2003-09-13 17:04 -------
> Besides, there is no clear way of saying "this is an sftp session".
couldn't ssh just write to the wtmp log whenever sftp-server starts and exits respectively?
> Tagging all subsystems as a 'must have wtmp' is wrong since subsystems are a generic concept.
the generic nature of subsystems like shells, etc. is irrelevant, IMHO. sshd forks for every user session and doesn't exit until the command, shell, etc. has exited. so here is a typical scenario:
1.) sshd receives a connection and authenticates the user
2.) sshd forks to handle the user's session
3.) the child (sshd) writes to the wtmp log that the user has logged on
4.) the child (sshd) executes a command or subsystem (if any) and waits on the child
5.) the command or subsystem process exits
6.) the child (sshd) receives the exit status and writes to the wtmp log that the user has logged off
7.) the child (sshd) exits
apparently, you believe that logging user sessions to the wtmp log is abuse? I consider it nothing less than mandatory. consider this situation: a university student executes "ssh user@host /bin/ksh" and does something malign to the system intentionally or unintentionally. it would help tremendously if the wtmp log reflected who actually logged on during that period.
basically, openssh provides several loopholes around proper user session logging through subsystems and I find this to be a huge security risk. I've spoken with a couple of sysadmins at neighboring universities and they have the same problem/concerns. I'm just the first one to speak up about it.
don't get me wrong, I love what you guys are doing with openssh but this is a serious issue.
bugzilla-daemon at mindrot.org
2003-Sep-13 15:36 UTC
markus at openbsd.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|REOPENED |RESOLVED
Resolution| |INVALID
------- Additional Comments From markus at openbsd.org 2003-09-14 01:36 -------
wtmp is not for logins, it's for ttys.
using it for sftp is an abuse and causes portability nightmares.
we could abuse wtmp, but not now.
apart from that only rlogin causes wtmp entries, rsh does not. sshd tried to emulate this from the beginning. now every
ssh host ls
would create a wtmp entry, same about cvs over ssh.
bugzilla-daemon at mindrot.org
2003-Sep-13 15:37 UTC
markus at openbsd.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Severity|security |enhancement
bugzilla-daemon at mindrot.org
2003-Sep-13 15:39 UTC
markus at openbsd.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|INVALID |
bugzilla-daemon at mindrot.org
2003-Sep-13 15:39 UTC
markus at openbsd.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|REOPENED |RESOLVED
Resolution| |LATER
bugzilla-daemon at mindrot.org
2003-Sep-13 18:39 UTC
------- Additional Comments From micah at cs.swt.edu 2003-09-14 04:39 -------
> wtmp is not for logins, it's for ttys.
from the UTMP(5) man page: "The file <utmp.h> declares the structures used to record information about current users in the file utmp, logins and logouts in the file wtmp, and last logins in the file lastlog." furthermore: "Next, the login program opens the file wtmp, and appends the user's utmp record. The same utmp record, with an updated time stamp is later appended to the wtmp file when the user logs out (see init(8))." an empty tty can be included in the log for that user.
> using it for sftp is an abuse and causes portability nightmares.
correct me if I'm wrong, but you already have "ssh_login.c", etc. so the portable wtmp logging code has been there for a while. it's simply a matter of incorporating the existing functionality in the right place, i.e. whenever a subsystem is called. as it stands, ssh provides an insecure login method where a user can go undetected by exploiting the subsystem and thus rendering commands such as 'who' and 'last' useless...
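The audit gap argued over in this thread (an authenticated pty-less command or subsystem session leaves no wtmp record, so who(1) and last(1) never show it) can be measured rather than debated. The following is an added example, not code from the thread or from OpenSSH: it cross-checks sshd "Accepted" auth-log lines against raw wtmp records and reports authentications with no matching login() record. It assumes the glibc x86_64 struct utmp layout (384 bytes) and an RFC 3339 syslog timestamp format; all sample data is constructed.

```python
import re
import struct
from datetime import datetime
# Assumed glibc x86_64 struct utmp layout (384 bytes): ut_type, pad, ut_pid, ut_line[32],
# ut_id[4], ut_user[32], ut_host[256], ut_exit, ut_session, ut_tv (int32 sec/usec), addr, pad.
UTMP_FMT = "<h2xi32s4s32s256shhiii16s20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384
USER_PROCESS = 7                        # ut_type that login() writes for a session
# sshd "Accepted ..." line behind an RFC 3339 syslog timestamp (hypothetical logger format).
ACCEPTED = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port ")

def epoch(iso):
    return int(datetime.fromisoformat(iso).timestamp())

def make_record(ut_type, pid, line, user, host, ts):
    """Pack one raw utmp record; used here only to construct sample wtmp data."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, b"", b"")

def parse_wtmp(blob):
    """Yield (ut_type, user, host, tv_sec) for every complete record in blob."""
    for off in range(0, len(blob) - len(blob) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, blob, off)
        yield f[0], f[4].rstrip(b"\0").decode(), f[5].rstrip(b"\0").decode(), f[9]

def unlogged_sessions(auth_lines, wtmp_blob, window=10):
    """Return (user, host) of each accepted authentication with no USER_PROCESS wtmp
    record for that user/host within `window` seconds: the pty-less command or
    subsystem sessions that who(1) and last(1) never see."""
    logins = [(u, h, t) for ty, u, h, t in parse_wtmp(wtmp_blob) if ty == USER_PROCESS]
    missing = []
    for line in auth_lines:
        m = ACCEPTED.match(line)
        if not m:
            continue
        when, user, host = epoch(m.group(1)), m.group(2), m.group(3)
        if not any(u == user and h == host and 0 <= t - when <= window
                   for u, h, t in logins):
            missing.append((user, host))
    return missing

# Constructed sample: only the interactive (pty) session left a wtmp record; the sftp
# subsystem session and the remote 'ls' command did not.
AUTH_LOG = [
    "2003-09-13T10:44:01+00:00 host sshd[2041]: Accepted publickey for micah from 10.0.0.7 port 40122 ssh2",
    "2003-09-13T10:44:05+00:00 host sshd[2050]: Accepted password for micah from 10.0.0.9 port 40130 ssh2",
    "2003-09-13T10:45:30+00:00 host sshd[2077]: Accepted publickey for alice from 10.0.0.8 port 40140 ssh2",
]
WTMP = make_record(USER_PROCESS, 2043, "pts/3", "micah", "10.0.0.7", epoch("2003-09-13T10:44:02+00:00"))
print(unlogged_sessions(AUTH_LOG, WTMP))   # [('micah', '10.0.0.9'), ('alice', '10.0.0.8')]
```

On a real host the same check reads /var/log/wtmp and the sshd auth log; every reported pair is a session that authenticated but is invisible to last(1), which is exactly the inaccuracy the reporter is describing.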
bugzilla-daemon at mindrot.org
2003-Sep-14 10:56 UTC
------- Additional Comments From markus at openbsd.org 2003-09-14 20:56 -------
correct me if i'm wrong, but wtmp is about 'lines' i.e. ttys and not arbitrary remote command execution. traditionally, in rlogind/rshd/sshd, _login_ refers to login sessions involving terminals. and as i said, no it's not a bug, it's intentional in sshd for about 8 years, but, as i said before we might consider changing this. but having all remote command executions in wtmp is a huge change that should not be made without considering all kinds of side effects.
bugzilla-daemon at mindrot.org
2003-Sep-14 11:19 UTC
------- Additional Comments From markus at openbsd.org 2003-09-14 21:19 -------
utility functions
SYNOPSIS
#include <utmp.h>
#include <util.h>
void
login(struct utmp *ut);
int
logout(const char *line);
void
logwtmp(const char *line, const char *name, const char *host);
DESCRIPTION
The login(), logout(), and logwtmp() functions operate on the database of current users in /var/run/utmp and on the logfile /var/log/wtmp of logins and logouts.
The login() function updates the /var/run/utmp and /var/log/wtmp files with user information contained in ut.
The logout() function removes the entry from /var/run/utmp corresponding to the device line.
The logwtmp() function adds an entry to /var/log/wtmp. Since login() will add the appropriate entry for /var/log/wtmp during a login, logwtmp() is usually used for logouts.
RETURN VALUES
logout() returns non-zero if it was able to find and delete an entry for line, and zero if there is no entry for line in /var/run/utmp.
XXX, need unique ttyline
bugzilla-daemon at mindrot.org
2003-Sep-14 11:21 UTC
------- Additional Comments From markus at openbsd.org 2003-09-14 21:21 -------
XXX adding wtmp logging to subsystems only will lead to a false sense of so called security since sftp will not be logged for
sftp -s /usr/libexec/sftp-server server
bugzilla-daemon at mindrot.org
2003-Sep-14 11:22 UTC
markus at openbsd.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|LATER |
bugzilla-daemon at mindrot.org
2003-Sep-14 19:42 UTC
------- Additional Comments From micah at cs.swt.edu 2003-09-15 05:42 -------
I looked at creating a patch for the current version, but I ran into problems with "privilege separation" i.e. setuid(). I noticed that you fork several times to handle user logons, especially using privilege separation, which makes it a bit more confusing. the change is located in "session.c" where you have two functions to handle the user:
void do_exec_pty(Session *s, const char *command)
void do_exec_no_pty(Session *s, const char *command)
and the only difference is "do_exec_pty" calls "do_login" which calls "record_login" in "sshlogin.c" because "do_exec_pty" handles shell invocations. the logon (writing to the wtmp file) only occurs if privilege separation is not used so it's a bit confusing. so the obvious fix to the naive developer, me, is to add "do_login" to the "do_exec_no_pty" function to handle all subsystem invocations but this doesn't work if privilege separation is used because the executing process is running as the user who was authenticated and not root. any ideas?
FYI, executing "sftp -s /usr/libexec/sftp-server <host>" goes through "do_exec_no_pty" just like all subsystem commands so it would be logged too...
bugzilla-daemon at mindrot.org
2003-Sep-15 08:09 UTC
------- Additional Comments From markus at openbsd.org 2003-09-15 18:09 -------
the unprivileged process needs to tell the monitor that it executes a command. this requires a new privsep message. but as I said before: having all remote command executions in wtmp is a huge change that should not be made without considering all kinds of side effects.