openssh unix dev - May 2004 - Debian / SE/Linux - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=193664

dear openssh developers,

i was wondering if you were aware of some patches for security
enhancements to openssh - to support SE/Linux.

www.nsa.gov/selinux.

i am at present compiling a status report for debian/selinux.

could someone be kind enough to provide me with some information
that i can put on my report?

sincerely,

l.

Luke Kenneth Casson Leighton wrote:
> dear openssh developers,
> 
> i was wondering if you were aware of some patches for security
> enhancements to openssh - to support SE/Linux.
I eventually found a patch at:

http://www.nsa.gov/selinux/patches/openssh-selinux.patch.gz
(from http://www.nsa.gov/selinux/code/download5.cfm)

but it doesn't seem to do much at all - the only code change is the
marking of a ssh-agent fd to be close-on-exec.

Is this the patch that you are referring to?

-d

Luke Kenneth Casson Leighton wrote:
> On Sun, May 30, 2004 at 07:43:52PM +1000, Damien Miller wrote:
>>but it doesn't seem to do much at all - the only code change is the
>>marking of a ssh-agent fd to be close-on-exec.
>  
>  that, and the inclusion of  pam_selinux.so as a required session
>  plugin, and the setting of a security context on the DSA and
>  RSA keys in sshd initialisation (a redhat rpm thing?)
I think we should leave these changes for the vendors of SELinux
enabled distributions. We want the current files to work for everyone.

The files in contrib/redhat get synced from time to time. so they will
pick up changes in their distribution (eventually).
>>Is this the patch that you are referring to?
>  
>   yes it is.
> 
>   the ssh-agent fd close-on-exec is actually a really important
>   security bug because otherwise you end up with an open file
>   descriptor being passed over to a process that should have no
>   rights or use for it.
The FD in question is to /dev/null and closed anyway if it isn't
dup'd to one of std{in.out,err} so I can't see how this achieves
anything.
>   SE/Linux is really cool in that respect: the audit process
>   logged that this file handle was being passed over to a child
>   process, and the policy for ssh-agent said that that wasn't
>   allowed.
> 
>   cool, huh? :)
Not in this case, no :)
>   [apparently, PAM has a similar bug in /sbin/unix_verify:
> 
> 	   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=248310
> 
>    but the debian maintainer for pam is being a bit of idiot
>    and won't look at it.  sorry, mr hartmans, but it's bypass time,
>    and your comments _are_ a matter of public record, after all]
Please don't drag SELinux fights onto our list, we have enough of
our own.

-d