openssh unix dev - Aug 2006 - RFC: non-root ssh tun access

The attached patch is against openssh-4.3_p2 to allow non-root users to
vpn in over ssh.  root access is still needed on client side (or an sudo
solution).  Currently, I have it working with an sudo command to
configure a tap interface on the server side. eg to ssh into my gentoo
server:

# ssh -fw any:any user at ssh_server.box "sudo /etc/init.d/net.tap0
restart"

Then, configure the tap interface on the client side.

So far,
	1.) the patch applies cleanly to 4.3_p2
	2.) compiles cleanly on a Linux x86 system
	3.) successfully permits non-root users to login, then access the tun
		 interface (via 'ioctl(fd, TUNSETOWNER, uid)')

To be done:
	1.) propagate the change to the other platforms to clean up the 
		 "#if defined(...)'s"
	2.) verify no bugs have been introduced.
	3.) verify I'm not smoking crack.  :)

This is my first attempt at modifying openssh, so I'm sure I've screwed
up
a few conventions or security procedures.  Let me know if I did and I'll
fix it.

thx,

Jason.
-------------- next part --------------
diff -Nurd openssh-4.3p2.orig/misc.c openssh-4.3p2/misc.c
--- openssh-4.3p2.orig/misc.c	2006-01-31 05:49:28.000000000 -0500
+++ openssh-4.3p2/misc.c	2006-08-25 09:01:31.000000000 -0400
@@ -579,12 +579,15 @@
 	return -1;
 }
 
+#if defined(SSH_TUN_LINUX)
 int
-tun_open(int tun, int mode)
+tun_open(int tun, int mode, uid_t uid)
 {
-#if defined(CUSTOM_SYS_TUN_OPEN)
-	return (sys_tun_open(tun, mode));
+	return (sys_tun_open(tun, mode, uid));
 #elif defined(SSH_TUN_OPENBSD)
+int
+tun_open(int tun, int mode)
+{
 	struct ifreq ifr;
 	char name[100];
 	int fd = -1, sock;
diff -Nurd openssh-4.3p2.orig/misc.h openssh-4.3p2/misc.h
--- openssh-4.3p2.orig/misc.h	2006-01-31 05:49:28.000000000 -0500
+++ openssh-4.3p2/misc.h	2006-08-25 09:01:57.000000000 -0400
@@ -55,7 +55,11 @@
 int	 ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
 int	 read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
 
-int	 tun_open(int, int);
+#if defined(SSH_TUN_LINUX)
+int	 tun_open(int, int, uid_t);
+#else
+int    tun_open(int, int);
+#endif
 
 /* Common definitions for ssh tunnel device forwarding */
 #define SSH_TUNMODE_NO		0x00
diff -Nurd openssh-4.3p2.orig/openbsd-compat/port-tun.c
openssh-4.3p2/openbsd-compat/port-tun.c
--- openssh-4.3p2.orig/openbsd-compat/port-tun.c	2006-01-01 05:15:51.000000000
-0500
+++ openssh-4.3p2/openbsd-compat/port-tun.c	2006-08-25 09:02:36.000000000 -0400
@@ -39,7 +39,7 @@
 #include <linux/if_tun.h>
 
 int
-sys_tun_open(int tun, int mode)
+sys_tun_open(int tun, int mode, uid_t uid)
 {
 	struct ifreq ifr;
 	int fd = -1;
@@ -77,6 +77,12 @@
 		goto failed;
 	}
 
+   if (ioctl(fd, TUNSETOWNER, uid) == -1) {
+      debug("%s: failed to set tunnel owner (uid %d): %s", __func__, 
+         uid, strerror(errno));
+      goto failed;
+   }
+
 	if (tun == SSH_TUNID_ANY)
 		debug("%s: tunnel mode %d fd %d", __func__, mode, fd);
 	else
diff -Nurd openssh-4.3p2.orig/openbsd-compat/port-tun.h
openssh-4.3p2/openbsd-compat/port-tun.h
--- openssh-4.3p2.orig/openbsd-compat/port-tun.h	2006-01-01 03:47:06.000000000
-0500
+++ openssh-4.3p2/openbsd-compat/port-tun.h	2006-08-25 09:02:59.000000000 -0400
@@ -19,7 +19,10 @@
 
 #include "channels.h"
 
-#if defined(SSH_TUN_LINUX) || defined(SSH_TUN_FREEBSD)
+#if defined(SSH_TUN_LINUX)
+# define CUSTOM_SYS_TUN_OPEN
+int	  sys_tun_open(int, int, uid_t);
+#elif defined(SSH_TUN_FREEBSD)
 # define CUSTOM_SYS_TUN_OPEN
 int	  sys_tun_open(int, int);
 #endif
diff -Nurd openssh-4.3p2.orig/serverloop.c openssh-4.3p2/serverloop.c
--- openssh-4.3p2.orig/serverloop.c	2005-12-31 00:33:37.000000000 -0500
+++ openssh-4.3p2/serverloop.c	2006-08-25 08:24:58.000000000 -0400
@@ -941,7 +941,11 @@
 			goto done;
 		tun = forced_tun_device;
 	}
-	sock = tun_open(tun, mode);
+#if defined(SSH_TUN_LINUX)
+	sock = tun_open(tun, mode, the_authctxt->pw->pw_uid);
+#else
+   sock = tun_open(tun, mode);
+#endif
 	if (sock < 0)
 		goto done;
 	c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
diff -Nurd openssh-4.3p2.orig/ssh.c openssh-4.3p2/ssh.c
--- openssh-4.3p2.orig/ssh.c	2005-12-31 00:33:37.000000000 -0500
+++ openssh-4.3p2/ssh.c	2006-08-25 08:32:57.000000000 -0400
@@ -1073,8 +1073,13 @@
 		int fd;
 
 		debug("Requesting tun.");
+#if defined(SSH_TUN_LINUX)
+		if ((fd = tun_open(options.tun_local,
+		    options.tun_open, original_real_uid)) >= 0) {
+#else
 		if ((fd = tun_open(options.tun_local,
 		    options.tun_open)) >= 0) {
+#endif
 			c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
 			    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
 			    0, "tun", 1);

A while ago we developed a series of patches we call PMVPN for Poor 
Man's VPN. Basically what we did was intercept open() calls and compare 
the tuple to a set of rules we had (using LD_PRELOAD (windows and OS X 
required more annoying proceedures that we didn't explore in any 
depth)). If the rule matched then we'd automatically open an SSH tunnel 
to the target and forward the appropriate port over it. The nice bit was 
that everything happened on a per user basis so we could actually 
forward 'privileged' ports without being root or impacting anyone else 
on the host (very useful in multiuser setups). We were able to do this 
by not actually touching the privileged ports but by mucking with the 
system calls so even though the application thought it was using port 25 
it was actually using port 27618 as its end of the ssh tunnel.

There were some advantages to this (transparency and ease of use to the 
user) but we never actually followed through on it. Mostly because we 
decided to focus on HPN and we thought one huge set of patches was 
enough to cope with :)

If you, or anyone else here, wants the code to try building on we've 
done I'll dig it up and send it over.


Jason wrote:
> The attached patch is against openssh-4.3_p2 to allow non-root users to
> vpn in over ssh.  root access is still needed on client side (or an sudo
> solution).  Currently, I have it working with an sudo command to
> configure a tap interface on the server side. eg to ssh into my gentoo
> server:
> 
> # ssh -fw any:any user at ssh_server.box "sudo /etc/init.d/net.tap0
restart"
> 
> Then, configure the tap interface on the client side.
> 
> So far,
> 	1.) the patch applies cleanly to 4.3_p2
> 	2.) compiles cleanly on a Linux x86 system
> 	3.) successfully permits non-root users to login, then access the tun
> 		 interface (via 'ioctl(fd, TUNSETOWNER, uid)')
> 
> To be done:
> 	1.) propagate the change to the other platforms to clean up the 
> 		 "#if defined(...)'s"
> 	2.) verify no bugs have been introduced.
> 	3.) verify I'm not smoking crack.  :)
> 
> This is my first attempt at modifying openssh, so I'm sure I've
screwed up
> a few conventions or security procedures.  Let me know if I did and
I'll
> fix it.

Darren Tucker wrote:
>Most DNS requests don't work over the tunnel but hacking a DNS server
to only use tcp would get around that too.

Doesn't that open you up to a mess of DOS attacks due to the handshake,
though?

Jason Burns
Wells Fargo
Information Security Technology
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
http://lists.mindrot.org/mailman/listinfo/openssh-unix-dev