I'm working on integrating OpenSSH into Trusted IRIX. SGI has performed some manner of change and created their own binary distributions. Unfortunately, we have to wait until their quarterly release to get updated versions. To that end, I'd like to make the appropriate changes and feed them back into the main OpenSSH tree.

I've started work and created a very quick-n-dirty hack to show it can work. I set this up using SGI's distribution of PAM. I'm also quite certain that this is not a complete fix. To my (limited) understanding, the following changes have to take place:

1) Change the MAC (Mandatory Access Control) label of the process to the label requested by the user. This is loaded by the SGI pam_mac module into the PAM environment variable "MAC". I'm assuming this should happen sometime around permanently_set_uid in uidswap.c.

2) Change the capabilities of the process to the capabilities requested by the user. This is loaded by the SGI pam_cap module into the PAM environment variable "CAP". I'm also assuming this should happen sometime around permanently_set_uid in uidswap.c.

3) Ignore the sanity checks at the end of permanently_set_uid that ensure the user cannot change back to the prior uid. If they request, and are granted, the capabilities to do that, then it's ok.

This works with UsePrivilegeSeparation set to OFF, and UseLogin set to OFF. In the Trusted OS realm, UsePrivilegeSeparation has little meaning. We have run with UseLogin set to ON previously, but this requires authenticating to ssh and to login, as SGI login does not support -f. In addition, failure lockout password controls are not enforced on the first password authentication. Using keys to avoid the initial password prompt is not feasible in our environment.

Please let me know if this appears to hunt down the right track, and in what manner I should provide a diff when the time comes.

This is just an initial investigation at this point, and all that is tested is PasswordAuthentication and a basic user shell.

Thanks,
Jason