Mathias Koerber
2002-May-28 03:55 UTC
Problems with UsePrivilegeSeparation (was: port fwd as user != root?
I just upgraded to OpenSSH3.2.3p1 as it seemed that
UsePrivilegeSeparation yes
might help with my problem (connections forwarded
are owned by root instead of the user I logged in as
on the server), but instead, sshd barfs on receiving
a connection. Without UsePrivilegeSeparation
the server works fine.

# strace -o /tmp/sshd.str sshd -d
debug1: sshd version OpenSSH_3.2.3p1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 202.42.176.138 port 2483
debug1: Client protocol version 2.0; client software version 3.3.1 SecureCRT
debug1: no match: 3.3.1 SecureCRT
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.2.3p1
mmap(65536)
debug1: Calling cleanup 0x806a470(0x0)
root at matjes:/usr/local/etc

Here is the tail of the strace:

write(2, "debug1: Client protocol version "..., 78) = 78
write(2, "debug1: no match: 3.3.1 SecureCR"..., 35) = 35
write(2, "Enabling compatibility mode for "..., 46) = 46
write(2, "debug1: Local version string SSH"..., 55) = 55
fcntl(5, F_SETFL, O_RDONLY|O_NONBLOCK) = 0
socketpair(PF_UNIX, SOCK_STREAM, , 0, [4, 8]) = 0
fcntl(4, F_SETFD, FD_CLOEXEC) = 0
fcntl(8, F_SETFD, FD_CLOEXEC) = 0
mmap(0, 65536, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, -1, 0) = -1 EINVAL (Invalid argument)
write(2, "mmap(65536)\r\n", 13) = 13
write(2, "debug1: Calling cleanup 0x806a47"..., 40) = 40
shutdown(5, 2 /* send and receive */) = 0
close(5) = 0
_exit(255) = ?

The kernel is a somewhat older Linux 2.2.13.

regards
Ben Lindstrom
2002-May-28 16:05 UTC
Problems with UsePrivilegeSeparation (was: port fwd as user != root?
You do have a user called 'sshd' in your /etc/passwd right?

- Ben

On Tue, 28 May 2002, Mathias Koerber wrote:

> I just upgraded to OpenSSH3.2.3p1 as it seemed that
> UsePrivilegeSeparation yes
> might help with my problem (connections forwarded
> are owned by root instead of the user I logged in as
> on the server), but instead, sshd barfs on receiving
> a connection. Without UsePrivilegeSeparation
> the server works fine.
>
> # strace -o /tmp/sshd.str sshd -d
> debug1: sshd version OpenSSH_3.2.3p1
> debug1: private host key: #0 type 0 RSA1
> debug1: read PEM private key done: type RSA
> debug1: private host key: #1 type 1 RSA
> debug1: read PEM private key done: type DSA
> debug1: private host key: #2 type 2 DSA
> debug1: Bind to port 22 on 0.0.0.0.
> Server listening on 0.0.0.0 port 22.
> Generating 768 bit RSA key.
> RSA key generation complete.
> debug1: Server will not fork when running in debugging mode.
> Connection from 202.42.176.138 port 2483
> debug1: Client protocol version 2.0; client software version 3.3.1 SecureCRT
> debug1: no match: 3.3.1 SecureCRT
> Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-1.99-OpenSSH_3.2.3p1
> mmap(65536)
> debug1: Calling cleanup 0x806a470(0x0)
> root at matjes:/usr/local/etc
>
> Here is the tail of the strace:
>
> write(2, "debug1: Client protocol version "..., 78) = 78
> write(2, "debug1: no match: 3.3.1 SecureCR"..., 35) = 35
> write(2, "Enabling compatibility mode for "..., 46) = 46
> write(2, "debug1: Local version string SSH"..., 55) = 55
> fcntl(5, F_SETFL, O_RDONLY|O_NONBLOCK) = 0
> socketpair(PF_UNIX, SOCK_STREAM, , 0, [4, 8]) = 0
> fcntl(4, F_SETFD, FD_CLOEXEC) = 0
> fcntl(8, F_SETFD, FD_CLOEXEC) = 0
> mmap(0, 65536, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, -1, 0) = -1
> EINVAL (Invalid argument)
> write(2, "mmap(65536)\r\n", 13) = 13
> write(2, "debug1: Calling cleanup 0x806a47"..., 40) = 40
> shutdown(5, 2 /* send and receive */) = 0
> close(5) = 0
> _exit(255) = ?
>
> The kernel is a somewhat older Linux 2.2.13.
>
> regards
>
Kevin Steves
2002-May-28 16:40 UTC
Problems with UsePrivilegeSeparation (was: port fwd as user != root?
On Tue, May 28, 2002 at 11:55:26AM +0800, Mathias Koerber wrote:
> mmap(0, 65536, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, -1, 0) = -1
> EINVAL (Invalid argument)
>
> The kernel is a somewhat older Linux 2.2.13.

i don't know. what can cause EINVAL from that mmap() call?
Joshua Hill
2002-May-28 17:49 UTC
Problems with UsePrivilegeSeparation (was: port fwd as user != root?
On Tue, May 28, 2002 at 11:55:26AM +0800, Mathias Koerber wrote:
> I just upgraded to OpenSSH3.2.3p1
[snip]
> Without UsePrivilegeSeparation
> the server works fine.
[snip]
> mmap(65536)
[snip]
> mmap(0, 65536, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, -1, 0) = -1
> EINVAL (Invalid argument)
> write(2, "mmap(65536)\r\n", 13) = 13
[snip]
> The kernel is a somewhat older Linux 2.2.13.
[snip]

Herein lies your problem. The flag combination
(MAP_SHARED|MAP_ANONYMOUS) is not supported in the linux 2.2 kernels.
Searching the linux-mm list archives reveals that this can't be
trivially added due to the linux-2.2 VM's assumption that all swap cache
pages are read-only; see the linux-mm thread that starts at
http://mail.nl.linux.org/linux-mm/1999-01/msg00034.html for some
proposals for adding shared anonymous mappings to the linux 2.2 VM that
didn't quite work out.

The linux-2.4 VM supports shared anonymous mappings.

I'm not prepared to move my production boxes to a 2.4 kernel, and it
would seem that adding shared anonymous mappings to the v2.2 VM is not a
trivial matter.

All this being said, I'm really interested in using the Privilege
Separation feature of OpenSSH. As such, I'm going to try to add SYSV IPC
SHM support to openssh... Unless someone else beats me to it, of
course. :-)

Josh
Tim Rice
2002-May-28 20:39 UTC
Problems with UsePrivilegeSeparation (was: port fwd as user != root?
Please try the attached patch. It tests for a working mmap that supports MAP_ANONYMOUS. You'll need autoconf 2.52 installed Run autoreconf after applying the patch. If you don't have autoconf 2.52 installed, grab the new configure from http://www.multitalents.net/openssh/configure-map-anon.gz or ftp://ftp.multitalents.net/pub/openssh/configure-map-anon.gz and add the following line to config.h.in #undef HAVE_MMAP On Tue, 28 May 2002, Mathias Koerber wrote:> I just upgraded to OpenSSH3.2.3p1 as it seemed that > UsePrivilegeSeparation yes > might help with my problem (connections forwarded > are owned by root instead of the user I logged in as > on the server), but instead, sshd barfs on receiving > a connection. Without UsePrivilegeSeparation > the server works fine.[snip]> mmap(0, 65536, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, -1, 0) = -1 > EINVAL (Invalid argument) > write(2, "mmap(65536)\r\n", 13) = 13 > write(2, "debug1: Calling cleanup 0x806a47"..., 40) = 40 > shutdown(5, 2 /* send and receive */) = 0 > close(5) = 0 > _exit(255) = ? > > > The kernel is a somewhat older Linux 2.2.13. > > regards-- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net -------------- next part -------------- --- openssh/acconfig.h.old Sun May 12 20:25:01 2002 +++ openssh/acconfig.h Tue May 28 12:36:48 2002 @@ -355,6 +355,9 @@ /* Path that unprivileged child will chroot() to in privep mode */ #undef PRIVSEP_PATH +/* Define if you have the `mmap' function. with working MAP_ANONYMOUS */ +#undef HAVE_MMAP + @BOTTOM@ /* ******************* Shouldn't need to edit below this line ************** */ --- openssh/configure.ac.old Mon May 27 17:37:33 2002 +++ openssh/configure.ac Tue May 28 12:26:38 2002 
@@ -569,12 +569,34 @@ getaddrinfo getcwd getgrouplist getnameinfo getopt \ getrlimit getrusage getttyent glob inet_aton inet_ntoa \ inet_ntop innetgr login_getcapbool md5_crypt memmove \ - mkdtemp mmap ngetaddrinfo openpty ogetaddrinfo readpassphrase \ + mkdtemp ngetaddrinfo openpty ogetaddrinfo readpassphrase \ realpath recvmsg rresvport_af sendmsg setdtablesize setegid \ setenv seteuid setlogin setproctitle setresgid setreuid setrlimit \ setsid setvbuf sigaction sigvec snprintf socketpair strerror \ strlcat strlcpy strmode strsep sysconf tcgetpgrp truncate utimes \ vhangup vsnprintf waitpid __b64_ntop _getpty) + +AC_MSG_CHECKING([for mmap with working MAP_ANONYMOUS]) +AC_TRY_RUN( + [ +#include <stdio.h> +#include <sys/mman.h> +#if !defined(MAP_ANON) && defined(MAP_ANONYMOUS) +#define MAP_ANON MAP_ANONYMOUS +#endif +main() { void *address; +address = mmap(NULL, 10, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED, -1, 0); +if (address == MAP_FAILED) + exit(1); +exit(0); +} + ], + [ + AC_MSG_RESULT(yes) + AC_DEFINE(HAVE_MMAP) + ], + [ AC_MSG_RESULT(no) ] +) dnl IRIX and Solaris 2.5.1 have dirname() in libgen AC_CHECK_FUNCS(dirname, [AC_CHECK_HEADERS(libgen.h)] ,[
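Review bot: In the acconfig.h hunk the new macro is called HAVE_MMAP, but its own comment says it stands for mmap "with working MAP_ANONYMOUS", so the name promises less than the test checks. That is the name AC_CHECK_FUNCS would define for the mere presence of mmap, which is why the configure.ac hunk has to take mmap out of that list; a distinct name (for example HAVE_MMAP_ANON_SHARED) would keep both facts available and make the #ifdef sites self-explanatory. The comment also has a stray full stop in "function. with".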
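Review bot: The AC_TRY_RUN call in the configure.ac hunk has no fourth (cross-compiling) argument, so configure has no answer for this check when it cannot run the test program; give it a conservative default there that leaves HAVE_MMAP undefined. The test program also calls exit() without including <stdlib.h> and declares main() with no return type; include the header and write int main(void). Because the result comes from running on the build machine's kernel, a binary configured on one kernel and run on another can still get the EINVAL reported in this thread, so the mmap() call site should handle failure at run time as well.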
This was talked about a few posts ago. Go to where the mmap() call is
for the alternation version and change MAP_PRIVATE to MAP_SHARED

- Ben

On Thu, 30 May 2002, Mathias Koerber wrote:

> Tim,
>
> thanks, it gets further, but now I get a problem with
> buffer_uncompress: inflate returned -3
> This only happens when I use privsep.
>
> regards
>
> # sshd -d
> debug1: sshd version OpenSSH_3.2.3p1
> debug1: private host key: #0 type 0 RSA1
> debug1: read PEM private key done: type RSA
> debug1: private host key: #1 type 1 RSA
> debug1: read PEM private key done: type DSA
> debug1: private host key: #2 type 2 DSA
> debug1: Bind to port 22 on 0.0.0.0.
> Server listening on 0.0.0.0 port 22.
> Generating 768 bit RSA key.
> RSA key generation complete.
> debug1: Server will not fork when running in debugging mode.
> Connection from 202.42.176.138 port 4718
> debug1: Client protocol version 2.0; client software version 3.3.1 SecureCRT
> debug1: no match: 3.3.1 SecureCRT
> Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-1.99-OpenSSH_3.2.3p1
> debug1: list_hostkey_types: ssh-rsa,ssh-dss
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: client->server aes128-cbc hmac-md5 zlib
> debug1: kex: server->client aes128-cbc hmac-md5 zlib
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received
> debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
> debug1: dh_gen_key: priv key bits set: 127/256
> debug1: bits set: 548/1024
> debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
> debug1: bits set: 510/1024
> debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
> debug1: kex_derive_keys
> debug1: newkeys: mode 1
> debug1: Enabling compression at level 6.
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: waiting for SSH2_MSG_NEWKEYS
> debug1: newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: KEX done
> debug1: userauth-request for user mathias service ssh-connection method none
> debug1: attempt 0 failures 0
> Failed none for mathias from 202.42.176.138 port 4718 ssh2
> Failed none for mathias from 202.42.176.138 port 4718 ssh2
> debug1: userauth-request for user mathias service ssh-connection method
> password
> debug1: attempt 1 failures 1
> Accepted password for mathias from 202.42.176.138 port 4718 ssh2
> debug1: monitor_child_preauth: mathias has been authenticated by privileged
> process
> Accepted password for mathias from 202.42.176.138 port 4718 ssh2
> debug1: newkeys: mode 0
> debug1: newkeys: mode 1
> debug1: Entering interactive session for SSH2.
> debug1: fd 11 setting O_NONBLOCK
> debug1: fd 12 setting O_NONBLOCK
> debug1: server_init_dispatch_20
> buffer_uncompress: inflate returned -3
> debug1: Calling cleanup 0x806a490(0x0)
> debug1: Calling cleanup 0x806a490(0x0)
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>
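An added example, not code from OpenSSH or from anyone in this thread: it requests the mapping seen in the strace, falls back to SysV shared memory (the approach Josh proposes) when that fails, and shows across a fork() why a MAP_PRIVATE region is no substitute, which is the point of Ben's MAP_PRIVATE to MAP_SHARED remark. The names shared_alloc, survives_fork and VIA_* are hypothetical.

```c
#define _DEFAULT_SOURCE /* expose MAP_ANONYMOUS under strict -std= modes */
#include <stdio.h>
#include <sys/ipc.h>
#include <sys/mman.h>
#include <sys/shm.h>
#include <sys/wait.h>
#include <unistd.h>

enum { VIA_NONE, VIA_MMAP, VIA_SYSV };

/* Hypothetical helper: return len bytes that stay shared across fork().
 * Tries the mapping from the strace first, then SysV shared memory. */
void *shared_alloc(size_t len, int *via)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_SHARED, -1, 0);
    if (p != MAP_FAILED) { *via = VIA_MMAP; return p; }

    *via = VIA_NONE;
    int id = shmget(IPC_PRIVATE, len, IPC_CREAT | 0600); /* owner-only segment */
    if (id == -1) return NULL;
    p = shmat(id, NULL, 0);
    shmctl(id, IPC_RMID, NULL); /* no stale segment: freed on last detach */
    if (p == (void *)-1) return NULL;
    *via = VIA_SYSV;
    return p;
}

/* Fork, let the child write one byte, and report whether the parent sees it:
 * 1 = visible (truly shared), 0 = not visible, -1 = fork failed. */
int survives_fork(volatile unsigned char *p)
{
    *p = 0;
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) { *p = 0x5a; _exit(0); }
    waitpid(pid, NULL, 0);
    return *p == 0x5a;
}

int main(void)
{
    int via;
    void *shared = shared_alloc(65536, &via);
    void *priv = mmap(NULL, 65536, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
    printf("shared: via=%d visible=%d\n", via, shared ? survives_fork(shared) : -1);
    printf("private: visible=%d\n", priv != MAP_FAILED ? survives_fork(priv) : -1);
    return 0;
}
```

The SysV segment is created with mode 0600 and marked for removal immediately after attach, so it is not left behind for other local users if the process dies.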