
complete thesis as PDF


Contents

1.

```c
    success = buffer_get_char(&m);
    if (success == 0)
        fatal("%s: MONITOR_ANS_MODULI failed", __func__);

    if ((p = BN_new()) == NULL)
        fatal("%s: BN_new failed", __func__);
    if ((g = BN_new()) == NULL)
        fatal("%s: BN_new failed", __func__);
    buffer_get_bignum2(&m, p);
    buffer_get_bignum2(&m, g);

    debug3("%s: remaining %d", __func__, buffer_len(&m));
    buffer_free(&m);

    return (dh_new_group(g, p));
}

int
mm_key_sign(Key *key, u_char **sigp, u_int *lenp, u_char *data, u_int datalen)
{
    Kex *kex = *pmonitor->m_pkex;
    Buffer m;

    debug3("%s: entering", __func__);

    buffer_init(&m);
    buffer_put_int(&m, kex->host_key_index(key));
    buffer_put_string(&m, data, datalen);

    /* MYSEA: Change m_recvfd to m_childsendfd */
    mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SIGN, &m);

    debug3("%s: waiting for MONITOR_ANS_SIGN", __func__);
    /* Change m_recvfd to m_childrecvfd */
    mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SIGN, &m);
    *sigp = buffer_get_string(&m, lenp);
    buffer_free(&m);

    return (0);
}

struct passwd *
mm_getpwnamallow(const char *login)
{
    Buffer m;
    struct passwd *pw;
    u_int pwlen;

    debug3("%s: entering", __func__);

    buffer_init(&m);
    buffer_put_cstring(&m, login);

    /* MYSEA: Change m_recvfd to m_childsendfd */
    mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PWNAM, &m);

    debug3("%s: waiting for MONITOR_ANS_PWNAM", __func__);
```
2.

```c
    snprintf(cmd, sizeof cmd, "%s -q -", options.xauth_location);
    f = popen(cmd, "w");
    if (f) {
        fprintf(f, "remove %s\n", s->auth_display);
        fprintf(f, "add %s %s %s\n",
            s->auth_display, s->auth_proto, s->auth_data);
        pclose(f);
    } else {
        fprintf(stderr, "Could not run %s\n", cmd);
    }
}

static void
do_nologin(struct passwd *pw)
{
    FILE *f = NULL;
    char buf[1024];

#ifdef HAVE_LOGIN_CAP
    if (!login_getcapbool(lc, "ignorenologin", 0) && pw->pw_uid)
        f = fopen(login_getcapstr(lc, "nologin", _PATH_NOLOGIN,
            _PATH_NOLOGIN), "r");
#else
    if (pw->pw_uid)
        f = fopen(_PATH_NOLOGIN, "r");
#endif
    if (f) {
        /* /etc/nologin exists.  Print its contents and exit. */
        logit("User %.100s not allowed because %s exists",
            pw->pw_name, _PATH_NOLOGIN);
        while (fgets(buf, sizeof(buf), f))
            fputs(buf, stderr);
        fclose(f);
        fflush(NULL);
        exit(254);
    }
}

/* Set login name, uid, gid, and groups. */
void
do_setusercontext(struct passwd *pw)
{
    /* MYSEA: Change these numbers to the UID of the user the daemon will run as */
#ifndef HAVE_CYGWIN
    if (getuid() == 3 || geteuid() == 3) {
#endif /* HAVE_CYGWIN */

#ifdef HAVE_SETPCRED
        if (setpcred(pw->pw_name, (char **)NULL) == -1)
            fatal("Failed to set process credentials");
#endif /* HAVE_SETPCRED */

#ifdef HAVE_LOGIN_CAP
# ifdef __bsdi__
        setpgid(0, 0);
# endif
        if (setusercontext(lc, pw,
```
3.

```c
/*
 * Called from the main program after receiving SIGHUP.
 * Restarts the server.
 */
static void
sighup_restart(void)
{
    logit("Received SIGHUP; restarting.");
    close_listen_socks();
    close_startup_pipes();
    execv(saved_argv[0], saved_argv);
    logit("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0],
        strerror(errno));
    exit(1);
}

/*
 * Generic signal handler for terminating signals in the master daemon.
 */
static void
sigterm_handler(int sig)
{
    received_sigterm = sig;
}

/*
 * SIGCHLD handler.  This is called whenever a child dies.  This will then
 * reap any zombies left by exited children.
 */
static void
main_sigchld_handler(int sig)
{
    int save_errno = errno;
    pid_t pid;
    int status;

    while ((pid = waitpid(-1, &status, WNOHANG)) > 0 ||
        (pid < 0 && errno == EINTR))
        ;

    signal(SIGCHLD, main_sigchld_handler);
    errno = save_errno;
}

/*
 * Signal handler for the alarm after the login grace period has expired.
 */
static void
grace_alarm_handler(int sig)
{
    /* XXX no idea how fix this signal handler */

    /* Log error and exit. */
    fatal("Timeout before authentication for %s", get_remote_ipaddr());
}

/*
 * Signal handler for the key regeneration alarm.  Note that this
 * alarm only occurs in the daemon waiting for connections, and it does not
 * do anything with the private key or random state before forking.
 * Thus there should be no concurrency control/asynchronous execution
 * problems.
 */
```
4.

```c
    /* MYSEA: Enable the Privileges */
    old_priv = enable_uid_priv();
#ifdef SAVED_IDS_WORK_WITH_SETEUID
    debug("restore_uid: %u/%u", (u_int)saved_euid, (u_int)saved_egid);
    /* Set the effective uid back to the saved privileged uid. */
    if (seteuid(saved_euid) < 0)
        fatal("seteuid %u: %.100s", (u_int)saved_euid, strerror(errno));
    if (setegid(saved_egid) < 0)
        fatal("setegid %u: %.100s", (u_int)saved_egid, strerror(errno));
#else /* SAVED_IDS_WORK_WITH_SETEUID */
    /*
     * We are unable to restore the real uid to its unprivileged value.
     * Propagate the real uid (usually more privileged) to effective uid
     * as well.
     */
    setuid(getuid());
    setgid(getgid());
#endif /* SAVED_IDS_WORK_WITH_SETEUID */

    /* MYSEA: setgroups is not implemented on the XTS-400; for now comment out */
    /*
    if (setgroups(saved_egroupslen, saved_egroups) < 0)
        fatal("setgroups: %.100s", strerror(errno));
    */
    temporarily_use_uid_effective = 0;
    /* MYSEA: Drop the Privileges */
    set_priv(old_priv);
}

/*
 * Permanently sets all uids to the given uid.  This cannot be
 * called while temporarily_use_uid is effective.
 */
void
permanently_set_uid(struct passwd *pw)
{
    /* MYSEA: Privilege code here as well */
    xts_privilege_t old_priv;
    uid_t old_uid = getuid();
    gid_t old_gid = getgid();

    if (temporarily_use_uid_effective)
        fatal("permanently_set_uid: temporarily_use_uid effective");
```
5.

```c
    /* Set the session key.  From this on all communications will be encrypted. */
    packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, cipher_type);

    /* Destroy our copy of the session key.  It is no longer needed. */
    memset(session_key, 0, sizeof(session_key));

    debug("Received session key; encryption turned on.");

    /* Send an acknowledgment packet.  Note that this packet is sent encrypted. */
    packet_start(SSH_SMSG_SUCCESS);
    packet_send();
    packet_write_wait();
}

/*
 * SSH2 key exchange: diffie-hellman-group1-sha1
 */
static void
do_ssh2_kex(void)
{
    Kex *kex;

    if (options.ciphers != NULL) {
        myproposal[PROPOSAL_ENC_ALGS_CTOS] =
        myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
    }
    myproposal[PROPOSAL_ENC_ALGS_CTOS] =
        compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
    myproposal[PROPOSAL_ENC_ALGS_STOC] =
        compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]);

    if (options.macs != NULL) {
        myproposal[PROPOSAL_MAC_ALGS_CTOS] =
        myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
    }
    if (!options.compression) {
        myproposal[PROPOSAL_COMP_ALGS_CTOS] =
        myproposal[PROPOSAL_COMP_ALGS_STOC] = "none";
    }
    myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();

    /* start key exchange */
    kex = kex_setup(myproposal);
    kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
    kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
```
6.

```c
    authenticated = buffer_get_int(&m);

    buffer_free(&m);
    debug3("%s: user %sauthenticated", __func__, authenticated ? "" : "not ");
    return (authenticated);
}
#endif /* GSSAPI */
```

APPENDIX C. SSH DAEMON CONFIGURATION FILE

The purpose of this appendix is to provide instructions on how to modify the SSH daemon configuration files that will be used by the OpenSSH daemons running on the XTS-400. Section A provides instructions on the modifications that need to be made; Section B provides a sample configuration file. The key word MYSEA is used to identify where the changes should occur.

A. SUMMARY OF REQUIRED CHANGES

There are six lines in the sshd_config file that need to be changed. The first line is the Protocol option: remove the # from the beginning of the line and remove the 1. The line should look like the line in the sshd_config file provided. The next line is the ListenAddress option: remove the # from the beginning of the line and change the 0.0.0.0 IP address to the IP address assigned to the network interface. The next option is PasswordAuthentication: remove the # from the beginning of the line and change the yes to no; refer to the sample file provided. The next line has the PrintMotd option: remove the # and change the yes to no. The next line is PrintLastLog: remove the # and change the yes to no. The next line is the UsePrivilegeSeparation option: remove the # and change t
7.

```c
    const char *original_command = NULL;

/* data */
#define MAX_SESSIONS 10
Session sessions[MAX_SESSIONS];

#ifdef HAVE_LOGIN_CAP
login_cap_t *lc;
#endif

/* Name and directory of socket for authentication agent forwarding. */
static char *auth_sock_name = NULL;
static char *auth_sock_dir = NULL;

/* removes the agent forwarding socket */

static void
auth_sock_cleanup_proc(void *_pw)
{
    struct passwd *pw = _pw;

    if (auth_sock_name != NULL) {
        temporarily_use_uid(pw);
        unlink(auth_sock_name);
        rmdir(auth_sock_dir);
        auth_sock_name = NULL;
        restore_uid();
    }
}

static int
auth_input_request_forwarding(struct passwd *pw)
{
    Channel *nc;
    int sock;
    struct sockaddr_un sunaddr;

    if (auth_sock_name != NULL) {
        error("authentication forwarding requested twice.");
        return 0;
    }

    /* Temporarily drop privileged uid for mkdir/bind. */
    temporarily_use_uid(pw);

    /* Allocate a buffer for the socket name, and format the name. */
    auth_sock_name = xmalloc(MAXPATHLEN);
    auth_sock_dir = xmalloc(MAXPATHLEN);
    strlcpy(auth_sock_dir, "/tmp/ssh-XXXXXXXX", MAXPATHLEN);

    /* Create private directory for socket */
    if (mkdtemp(auth_sock_dir) == NULL) {
        packet_send_debug("Agent forwarding disabled: "
            "mkdtemp() failed: %.100s", strerror(errno));
        restore_uid();
        xfree(auth_sock_name);
        xfree(auth_sock_dir);
        auth_sock_name = NULL;
        auth_sock_dir = NULL;
        return 0;
    }
    snprintf(
```
8.

```c
    if ((stat(_PATH_PRIVSEP_CHROOT_DIR, &st) == -1) ||
        (S_ISDIR(st.st_mode) == 0))
        fatal("Missing privilege separation directory: %s",
            _PATH_PRIVSEP_CHROOT_DIR);

#ifdef HAVE_CYGWIN
    if (check_ntsec(_PATH_PRIVSEP_CHROOT_DIR) &&
        (st.st_uid != getuid() ||
        (st.st_mode & (S_IWGRP|S_IWOTH)) != 0))
#else
    /* MYSEA: Change test to 3 for network user on XTS-400 */
    if (st.st_uid != 3 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)
#endif
        fatal("%s must be owned by root and not group or world-writable.",
            _PATH_PRIVSEP_CHROOT_DIR);

    /* Configuration looks good, so exit if in test mode. */
    if (test_flag)
        exit(0);

    /*
     * Clear out any supplemental groups we may have inherited.  This
     * prevents inadvertent creation of files with bad modes (in the
     * portable version at least, it's certainly possible for PAM
     * to create a file, and we can't control the code in every
     * module which might be used).
     */
    /* MYSEA: setgroups is not implemented */
    /*
    if (setgroups(0, NULL) < 0)
        debug("setgroups() failed: %.200s", strerror(errno));
    */

    /* Initialize the log (it is reinitialized below in case we forked). */
    if (debug_flag && !inetd_flag)
        log_stderr = 1;
    log_init(__progname, options.log_level, options.log_facility, log_stderr);

    /*
     * If not in debugging mode, and not started from inetd, disconnect
     * from the controlling terminal, and fork.  The original process
     * exits.
     */
    if (!debug_flag
```
9. NAVAL POSTGRADUATE SCHOOL, MONTEREY, CALIFORNIA

THESIS: USE OF OPENSSH SUPPORT FOR REMOTE LOGIN TO A MULTILEVEL SECURE SYSTEM
by Christopher Fred Herbig, December 2004
Thesis Advisor: Cynthia E. Irvine
Thesis Co-Advisor: Thuy D. Nguyen
Approved for public release; distribution is unlimited.

REPORT DOCUMENTATION PAGE
Report date: December 2004
Report type and dates covered: Master's Thesis
Title and subtitle: Use of OpenSSH Support for Remote Login to a Multilevel Secure System
Author: Christopher Fred Herbig
Performing organization name and address: Naval Postgraduate School, Monterey, CA 939
10.

```c
    /* Set the effective uid to the given (unprivileged) uid. */
    /* MYSEA: PRIVILEGED CODE */
    old_priv = enable_uid_priv();
    /* MYSEA: setgroups is not implemented on the XTS-400.  Comment out for now. */
    /*
    if (setgroups(user_groupslen, user_groups) < 0)
        fatal("setgroups: %.100s", strerror(errno));
    */
#ifndef SAVED_IDS_WORK_WITH_SETEUID
    /* Propagate the privileged gid to all of our gids. */
    if (setgid(getegid()) < 0)
        debug("setgid %u: %.100s", (u_int)getegid(), strerror(errno));
    /* Propagate the privileged uid to all of our uids. */
    if (setuid(geteuid()) < 0)
        debug("setuid %u: %.100s", (u_int)geteuid(), strerror(errno));
#endif /* SAVED_IDS_WORK_WITH_SETEUID */
    if (setegid(pw->pw_gid) < 0)
        fatal("setegid %u: %.100s", (u_int)pw->pw_gid,
            strerror(errno));
    if (seteuid(pw->pw_uid) == -1)
        fatal("seteuid %u: %.100s", (u_int)pw->pw_uid,
            strerror(errno));
    /* MYSEA: Release the Privileges */
    set_priv(old_priv);
}

/*
 * Restores to the original (privileged) uid.
 */
void
restore_uid(void)
{
    /* MYSEA: Need to add privileges here too in order to change the user and group ids */
    xts_privilege_t old_priv;

    /* it's a no-op unless privileged */
    if (!privileged) {
        debug("restore_uid: (unprivileged)");
        return;
    }
    if (!temporarily_use_uid_effective)
        fatal("restore_uid: temporarily_use_uid not effective");
```
11.

```c
/*
 * This key verify needs to send the key type along, because the
 * privileged parent makes the decision if the key is allowed
 * for authentication.
 */

int
mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen)
{
    Buffer m;
    u_char *blob;
    u_int len;
    int verified = 0;

    debug3("%s: entering", __func__);

    /* Convert the key to a blob and the pass it over */
    if (!key_to_blob(key, &blob, &len))
        return (0);

    buffer_init(&m);
    buffer_put_string(&m, blob, len);
    buffer_put_string(&m, sig, siglen);
    buffer_put_string(&m, data, datalen);
    xfree(blob);

    /* MYSEA: Change m_recvfd to m_childsendfd */
    mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYVERIFY, &m);

    debug3("%s: waiting for MONITOR_ANS_KEYVERIFY", __func__);
    /* Change m_recvfd to m_childrecvfd */
    mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KEYVERIFY, &m);

    verified = buffer_get_int(&m);

    buffer_free(&m);

    return (verified);
}

/* Export key state after authentication */
Newkeys *
mm_newkeys_from_blob(u_char *blob, int blen)
{
    Buffer b;
    u_int len;
    Newkeys *newkey = NULL;
    Enc *enc;
    Mac *mac;
    Comp *comp;

    debug3("%s: %p(%d)", __func__, blob, blen);
#ifdef DEBUG_PK
    dump_base64(stderr, blob, blen);
#endif
    buffer_init(&b);
    buffer_append(&b, blob, blen);

    newkey = xmalloc(sizeof(*newkey));
```
12.

```c
        for (i = 0; i < num_listen_socks; i++) {
            if (!FD_ISSET(listen_socks[i], fdset))
                continue;
            fromlen = sizeof(from);
            newsock = accept(listen_socks[i], (struct sockaddr *)&from,
                &fromlen);
            if (newsock < 0) {
                if (errno != EINTR && errno != EWOULDBLOCK)
                    error("accept: %.100s", strerror(errno));
                continue;
            }
            if (fcntl(newsock, F_SETFL, 0) < 0) {
                error("newsock del O_NONBLOCK: %s", strerror(errno));
                close(newsock);
                continue;
            }
            if (drop_connection(startups) == 1) {
                debug("drop connection #%d", startups);
                close(newsock);
                continue;
            }
            if (pipe(startup_p) == -1) {
                close(newsock);
                continue;
            }

            for (j = 0; j < options.max_startups; j++)
                if (startup_pipes[j] == -1) {
                    startup_pipes[j] = startup_p[0];
                    if (maxfd < startup_p[0])
                        maxfd = startup_p[0];
                    startups++;
                    break;
                }

            /*
             * Got connection.  Fork a child to handle it, unless
             * we are in debugging mode.
             */
            if (debug_flag) {
                /*
                 * In debugging mode.  Close the listening
                 * socket, and start processing the
                 * connection without forking.
                 */
                debug("Server will not fork when running in debugging mode.");
                close_listen_socks();
                sock_in = newsock;
                sock_out = newsock;
                startup_pipe = -1;
                pid = getpid();
                break;
            } else {
                /*
                 * Normal production daemon.  Fork, and have
                 * the child process the connection. The
                 * parent continues listening.
                 */
                if ((pid = fork()) == 0) {
                    /*
                     * Child.  Close the listening and max_startup
                     * sockets.  Start using the accepted socket.
                     * Reinitialize logging
```
13.

```c
        value = strchr(cp, '=');
        if (value == NULL) {
            fprintf(stderr, "Bad line %u in %.100s\n", lineno, filename);
            continue;
        }
        /*
         * Replace the equals sign by nul, and advance value to
         * the value string.
         */
        *value = '\0';
        value++;
        child_set_env(env, envsize, cp, value);
    }
    fclose(f);
}

#ifdef HAVE_ETC_DEFAULT_LOGIN
/*
 * Return named variable from specified environment, or NULL if not present.
 */
static char *
child_get_env(char **env, const char *name)
{
    int i;
    size_t len;

    len = strlen(name);
    for (i = 0; env[i] != NULL; i++)
        if (strncmp(name, env[i], len) == 0 && env[i][len] == '=')
            return (env[i] + len + 1);
    return NULL;
}

/*
 * Read /etc/default/login.
 * We pick up the PATH (or SUPATH for root) and UMASK.
 */
static void
read_etc_default_login(char ***env, u_int *envsize, uid_t uid)
{
    char **tmpenv = NULL, *var;
    u_int i, tmpenvsize = 0;
    mode_t mask;

    /*
     * We don't want to copy the whole file to the child's environment,
     * so we use a temporary environment and copy the variables we're
     * interested in.
     */
    read_environment_file(&tmpenv, &tmpenvsize, "/etc/default/login");

    if (tmpenv == NULL)
        return;

    if (uid == 0)
        var = child_get_env(tmpenv, "SUPATH");
    else
        var = child_get_env(tmpenv, "PATH");
    if (var != NULL)
        child_set_env(env, envsize, "PATH", var);

    if ((var = child_get_env(tmpenv, "UMASK")) != NULL) {
```
14.

```c
struct sockaddr_un {
    short   sun_family;         /* AF_UNIX */
    char    sun_path[108];      /* path name (gag) */
};
#endif /* HAVE_SYS_UN_H */

#if defined(BROKEN_SYS_TERMIO_H) && !defined(STRUCT_WINSIZE)
#define STRUCT_WINSIZE
struct winsize {
    unsigned short ws_row;      /* rows, in characters */
    unsigned short ws_col;      /* columns, in characters */
    unsigned short ws_xpixel;   /* horizontal size, pixels */
    unsigned short ws_ypixel;   /* vertical size, pixels */
};
#endif

#ifndef HAVE_SS_FAMILY_IN_SS
# define ss_family __ss_family
#endif /* !HAVE_SS_FAMILY_IN_SS */

/* *-*-nto-qnx does not define this type in the system headers */
#ifdef MISSING_FD_MASK
 typedef unsigned long int fd_mask;
#endif

/* Paths */

#ifndef _PATH_BSHELL
# define _PATH_BSHELL "/bin/sh"
#endif
#ifndef _PATH_CSHELL
# define _PATH_CSHELL "/bin/csh"
#endif
#ifndef _PATH_SHELLS
# define _PATH_SHELLS "/etc/shells"
#endif

#ifdef USER_PATH
# ifdef _PATH_STDPATH
#  undef _PATH_STDPATH
# endif
# define _PATH_STDPATH USER_PATH
#endif

#ifndef _PATH_STDPATH
# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"
#endif

#ifndef SUPERUSER_PATH
# define SUPERUSER_PATH _PATH_STDPATH
#endif

#ifndef _PATH_DEVNULL
# define _PATH_DEVNULL "/dev/null"
#endif

#ifndef MAIL_DIRECTORY
# define MAIL_DIRECTORY "/var/spool/mail"
```
15.

```c
    /* MYSEA: Change m_recvfd to m_childsendfd */
    mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PTYCLEANUP, &m);
    buffer_free(&m);

    /* closed dup'ed master */
    if (close(s->ptymaster) < 0)
        error("close(s->ptymaster): %s", strerror(errno));

    /* unlink pty from session */
    s->ttyfd = -1;
}

#ifdef USE_PAM
void
mm_start_pam(char *user)
{
    Buffer m;

    debug3("%s: entering", __func__);
    if (!options.use_pam)
        fatal("UsePAM=no, but ended up in %s anyway", __func__);

    buffer_init(&m);
    buffer_put_cstring(&m, user);

    /* MYSEA: Change m_recvfd to m_childsendfd */
    mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_START, &m);

    buffer_free(&m);
}

u_int
mm_do_pam_account(void)
{
    Buffer m;
    u_int ret;

    debug3("%s: entering", __func__);
    if (!options.use_pam)
        fatal("UsePAM=no, but ended up in %s anyway", __func__);

    buffer_init(&m);
    /* MYSEA: Change m_recvfd to m_childsendfd */
    mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_ACCOUNT, &m);

    /* Change m_recvfd to m_childrecvfd */
    mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_ACCOUNT, &m);
    ret = buffer_get_int(&m);

    buffer_free(&m);

    debug3("%s returning %d", __func__, ret);

    return (ret);
}

void *
mm_sshpam_init_ctx(Authctxt *authctxt)
{
    Buffer m;
    int success;

    debug3("%s", __func__);
    buffer_init(&m);
    buffer_put_cstring(&m, authctxt->user);
```
16. requests. It is better to start this daemon as soon as possible and leave it running continuously. Each OpenSSH daemon will require its own entropy daemon. The entropy daemons will have to have the same session levels as their corresponding OpenSSH daemon. For instance, if the OpenSSH daemon will be run at sl1 il3, then an entropy daemon will have to run with those same levels. Repeat the above process three times, starting at "daemon edit", specifying the session levels as those of the network interfaces; typically they will be sl1 il3, sl2 il3 and sl3 il3. You will also have to give each daemon a unique name, so for the daemon running at sl1 il3 the name should be egd nipr. The daemon running at sl2 il3 should have the name egd sipr. The daemon running at sl3 il3 should have the name egd jwics.

2. Zlib Compression Libraries and Tools

a. Installation Instructions

The zlib libraries should be installed by the admin user. The source can be downloaded from http://www.gzip.org/zlib. Move the file zlib.tar to the XTS-400 and save it in the /usr/src directory. Login as admin at sl0 and oss il3, all compartments. Type "tar xvf zlib.tar". This will create a directory called zlib. Change to the zlib directory. Run the following commands: "make test" and "make install". The make install will install the libz files in the /usr/local/lib directory and zlib.h in the /usr/local/include directory.

3. OpenSSL Encryption Libraries
17.

```c
        server_version_string, client_version_string);
    fatal_cleanup();
}

/* Destroy the host and server keys.  They will no longer be needed. */
void
destroy_sensitive_data(void)
{
    int i;

    if (sensitive_data.server_key) {
        key_free(sensitive_data.server_key);
        sensitive_data.server_key = NULL;
    }
    for (i = 0; i < options.num_host_key_files; i++) {
        if (sensitive_data.host_keys[i]) {
            key_free(sensitive_data.host_keys[i]);
            sensitive_data.host_keys[i] = NULL;
        }
    }
    sensitive_data.ssh1_host_key = NULL;
    memset(sensitive_data.ssh1_cookie, 0, SSH_SESSION_KEY_LENGTH);
}

/* Demote private to public keys for network child */
void
demote_sensitive_data(void)
{
    Key *tmp;
    int i;

    if (sensitive_data.server_key) {
        tmp = key_demote(sensitive_data.server_key);
        key_free(sensitive_data.server_key);
        sensitive_data.server_key = tmp;
    }

    for (i = 0; i < options.num_host_key_files; i++) {
        if (sensitive_data.host_keys[i]) {
            tmp = key_demote(sensitive_data.host_keys[i]);
            key_free(sensitive_data.host_keys[i]);
            sensitive_data.host_keys[i] = tmp;
            if (tmp->type == KEY_RSA1)
                sensitive_data.ssh1_host_key = tmp;
        }
    }

    /* We do not clear ssh1_host key and cookie.  XXX */
}

static void
privsep_preauth_child(void)
{
    u_int32_t rnd[256];
    gid_t gidset[1];
    struct passwd *pw;
    int i;

    /* Enable challenge-response authentication for privilege separation */
    privsep_challenge_enable();

    for (i = 0; i < 256; i++)
        rnd[i] = arc4random();
```
18.

```c
u_char session_id[16];

/* same for ssh2 */
u_char *session_id2 = NULL;
u_int session_id2_len = 0;

/* record remote hostname or ip */
u_int utmp_len = MAXHOSTNAMELEN;

/* options.max_startup sized array of fd ints */
int *startup_pipes = NULL;
int startup_pipe;       /* in child */

/* variables used for privilege separation */
int use_privsep;
struct monitor *pmonitor;

/* message to be displayed after login */
Buffer loginmsg;

/* Prototypes for various functions defined later in this file. */
void destroy_sensitive_data(void);
void demote_sensitive_data(void);

static void do_ssh1_kex(void);
static void do_ssh2_kex(void);

/* MYSEA: Implement daemon() function as daemonize() */
int daemonize(int nochdir, int noclose);

/*
 * Close all listening sockets
 */
static void
close_listen_socks(void)
{
    int i;

    for (i = 0; i < num_listen_socks; i++)
        close(listen_socks[i]);
    num_listen_socks = -1;
}

static void
close_startup_pipes(void)
{
    int i;

    if (startup_pipes)
        for (i = 0; i < options.max_startups; i++)
            if (startup_pipes[i] != -1)
                close(startup_pipes[i]);
}

/*
 * Signal handler for SIGHUP.  Sshd execs itself when it receives SIGHUP;
 * the effect is to reread the configuration file (and to regenerate
 * the server key).
 */
static void
sighup_handler(int sig)
{
    int save_errno = errno;

    received_sighup = 1;
    signal(SIGHUP, sighup_handler);
    errno = save_errno;
}
```
19. 2. System Functions

There are many system functions that are used by OpenSSH. The untrusted environment of the XTS-400 strongly resembles Red Hat Linux 8.0. This strong resemblance is only superficial. In fact, many of these functions were not implemented on the XTS-400 and were only APIs with functional stubs. The chroot system call was identified by the configuration file as being available on the XTS-400; however, it would exit with the error "Function not implemented". In the XTS-400 documentation, chroot is listed as an unsupported system call [DIG03c]. Support for this system call must be built into the operating system, but this is not an option. The solution used involved commenting out all references to the chroot system call in the source code. The modifications occurred in the privsep_preauth_child function in the sshd.c file. Privilege separation is not implemented and this function should never be called, but it has remained commented out to ensure that the daemon does not exit prematurely. The setgroups function is also not implemented on the XTS-400, as mentioned in the User's Manual for the XTS-400 [DIG03c]. All references to this system call were commented out. The modifications are in the main and privsep_preauth_child functions of the sshd.c file and the temporarily_use_uid and restore_uid functions in the uidswap.c file. The initgroups system call is not supported either. All references to this system
20.

```c
        MONITOR_ANS_SKEYQUERY, &m);
    success = buffer_get_int(&m);
    if (success == 0) {
        debug3("%s: no challenge", __func__);
        buffer_free(&m);
        return (-1);
    }

    /* Get the challenge, and format the response */
    challenge = buffer_get_string(&m, NULL);
    buffer_free(&m);

    debug3("%s: received challenge: %s", __func__, challenge);

    mm_chall_setup(name, infotxt, numprompts, prompts, echo_on);

    len = strlen(challenge) + strlen(SKEY_PROMPT) + 1;
    p = xmalloc(len);
    strlcpy(p, challenge, len);
    strlcat(p, SKEY_PROMPT, len);
    (*prompts)[0] = p;
    xfree(challenge);

    return (0);
}

int
mm_skey_respond(void *ctx, u_int numresponses, char **responses)
{
    Buffer m;
    int authok;

    debug3("%s: entering", __func__);
    if (numresponses != 1)
        return (-1);

    buffer_init(&m);
    buffer_put_cstring(&m, responses[0]);
    /* MYSEA: Change m_recvfd to m_childsendfd */
    mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SKEYRESPOND, &m);

    /* Change m_recvfd to m_childrecvfd */
    mm_request_receive_expect(pmonitor->m_recvfd,
        MONITOR_ANS_SKEYRESPOND, &m);

    authok = buffer_get_int(&m);
    buffer_free(&m);

    return ((authok == 0) ? -1 : 0);
}

void
mm_ssh1_session_id(u_char session_id[16])
{
    Buffer m;
    int i;

    debug3("%s: entering", __func__);

    buffer_init(&m);
    for (i = 0; i < 16; i++)
        buffer_put_char(&m, session_id[i]);

    /* MYSEA: Change m_recvfd to m_childsendfd */
    mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SESSID, &m);
```
21.

```c
    buffer_init(&m);
    buffer_put_string(&m, blob, blen);
    xfree(blob);

    /* MYSEA: Change m_recvfd to m_childsendfd */
    mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSACHALLENGE, &m);
    /* Change m_recvfd to m_childrecvfd */
    mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSACHALLENGE, &m);

    buffer_get_bignum2(&m, challenge);
    buffer_free(&m);

    return (challenge);
}

int
mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16])
{
    Buffer m;
    u_char *blob;
    u_int blen;
    int success = 0;

    debug3("%s: entering", __func__);

    key->type = KEY_RSA;    /* XXX cheat for key_to_blob */
    if (key_to_blob(key, &blob, &blen) == 0)
        fatal("%s: key_to_blob failed", __func__);
    key->type = KEY_RSA1;

    buffer_init(&m);
    buffer_put_string(&m, blob, blen);
    buffer_put_string(&m, response, 16);
    xfree(blob);

    /* MYSEA: Change m_recvfd to m_childsendfd */
    mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSARESPONSE, &m);
    /* Change m_recvfd to m_childrecvfd */
    mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSARESPONSE, &m);

    success = buffer_get_int(&m);
    buffer_free(&m);

    return (success);
}

#ifdef GSSAPI
OM_uint32
mm_ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
{
    Buffer m;
    OM_uint32 major;

    /* Client doesn't get to see the context */
    *ctx = NULL;

    buffer_init(&m);
```
22.

```c
    ret = mm_key_allowed(MM_RSAHOSTKEY, user, host, key);
    key->type = KEY_RSA1;
    return (ret);
}

static void
mm_send_debug(Buffer *m)
{
    char *msg;

    while (buffer_len(m)) {
        msg = buffer_get_string(m, NULL);
        debug3("%s: Sending debug: %s", __func__, msg);
        packet_send_debug("%s", msg);
        xfree(msg);
    }
}

int
mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key)
{
    Buffer m;
    u_char *blob;
    u_int len;
    int allowed = 0, have_forced = 0;

    debug3("%s: entering", __func__);

    /* Convert the key to a blob and the pass it over */
    if (!key_to_blob(key, &blob, &len))
        return (0);

    buffer_init(&m);
    buffer_put_int(&m, type);
    buffer_put_cstring(&m, user ? user : "");
    buffer_put_cstring(&m, host ? host : "");
    buffer_put_string(&m, blob, len);
    xfree(blob);

    /* MYSEA: Change m_recvfd to m_childsendfd */
    mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KEYALLOWED, &m);

    debug3("%s: waiting for MONITOR_ANS_KEYALLOWED", __func__);
    /* Change m_recvfd to m_childrecvfd */
    mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KEYALLOWED, &m);

    allowed = buffer_get_int(&m);

    /* fake forced command */
    auth_clear_options();
    have_forced = buffer_get_int(&m);
    forced_command = have_forced ? xstrdup("true") : NULL;

    /* Send potential debug messages */
    mm_send_debug(&m);

    buffer_free(&m);

    return (allowed);
}
```
23.

```c
     * successfully authenticates itself.  So we set up an alarm which is
     * cleared after successful authentication.  A limit of zero
     * indicates no limit. Note that we don't set the alarm in debugging
     * mode; it is just annoying to have the server exit just when you
     * are about to discover the bug.
     */
    signal(SIGALRM, grace_alarm_handler);
    if (!debug_flag)
        alarm(options.login_grace_time);

    sshd_exchange_identification(sock_in, sock_out);

    packet_set_nonblocking();

    /* prepare buffers to collect authentication messages */
    buffer_init(&loginmsg);

    if (use_privsep)
        if ((authctxt = privsep_preauth()) != NULL)
            goto authenticated;

    /* perform the key exchange */
    /* authenticate user and start session */
    if (compat20) {
        do_ssh2_kex();
        authctxt = do_authentication2();
    } else {
        do_ssh1_kex();
        authctxt = do_authentication();
    }
    /*
     * If we use privilege separation, the unprivileged child transfers
     * the current keystate and exits
     */
    if (use_privsep) {
        mm_send_keystate(pmonitor);
        exit(0);
    }

 authenticated:
    /*
     * In privilege separation, we fork another child and prepare
     * file descriptor passing.
     */
    if (use_privsep) {
        privsep_postauth(authctxt);
        /* the monitor process [priv] will not return */
        if (!compat20)
            destroy_sensitive_data();
    }

    /* Perform session preparation. */
    do_authenticated(authctxt);

    /* The connection has been terminated. */
    verbose("Closing connection to %.100s", remote_ip);

#ifdef USE_PAM
```
24. this is referred to as "read down". The property allows for write access if the integrity level of the subject is equal to or dominates the integrity level of the object [BIB77]. The discretionary access control policies are enforced by two mechanisms: access control lists (ACLs) and capability lists, referred to as subtypes in the context of the XTS-400. For a detailed discussion of these two types of access control mechanisms, refer to [LAM74].

The differences between the development and target platforms provided the greatest challenges in porting OpenSSH to the XTS-400. Software dependencies created a few minor challenges for the port. OpenSSH relies on other software packages and libraries in order to function. These extra packages were not present on the XTS-400. A discussion of these packages follows.

C. SOFTWARE DEPENDENCIES

According to [BAR01] and [SSH04], OpenSSH requires the following software in order for it to run: Zlib 1.1.4 or greater and OpenSSL 0.9.6 or greater. Further inspection revealed that OpenSSL depends on a random number generator that is normally available in Linux through the /dev/random or /dev/urandom device entries. The XTS-400 does not provide a kernelized random number generator; the above-mentioned devices are not listed anywhere in the file system. Both the OpenSSL and OpenSSH installation instructions recommended the use of either the PRNGd pseudo-random number generator daemon or
25.

```c
            get_remote_ipaddr(), len, (u_long)sizeof(session_key));
        rsafail++;
    } else {
        memset(session_key, 0, sizeof(session_key));
        BN_bn2bin(session_key_int,
            session_key + sizeof(session_key) - len);

        compute_session_id(session_id, cookie,
            sensitive_data.ssh1_host_key->rsa->n,
            sensitive_data.server_key->rsa->n);
        /*
         * Xor the first 16 bytes of the session key with the
         * session id.
         */
        for (i = 0; i < 16; i++)
            session_key[i] ^= session_id[i];
    }
    if (rsafail) {
        int bytes = BN_num_bytes(session_key_int);
        u_char *buf = xmalloc(bytes);
        MD5_CTX md;

        logit("do_connection: generating a fake encryption key");
        BN_bn2bin(session_key_int, buf);
        MD5_Init(&md);
        MD5_Update(&md, buf, bytes);
        MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
        MD5_Final(session_key, &md);
        MD5_Init(&md);
        MD5_Update(&md, session_key, 16);
        MD5_Update(&md, buf, bytes);
        MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
        MD5_Final(session_key + 16, &md);
        memset(buf, 0, bytes);
        xfree(buf);
        for (i = 0; i < 16; i++)
            session_id[i] = session_key[i] ^ session_key[i + 16];
    }
    /* Destroy the private and public keys. No longer. */
    destroy_sensitive_data();

    if (use_privsep)
        mm_ssh1_session_id(session_id);

    /* Destroy the decrypted integer.  It is no longer needed. */
    BN_clear_free(session_key_int);
```
26. For now, assume that the level of the CD-ROM is min oss. If it is not, then use sda to set the access level of the CD-ROM to the level of the current session.

1. Entropy Gathering Daemon

Source code for the entropy gathering daemon can be obtained from http://egd.sourceforge.net. The user installing the daemon should be logged in as admin at a level of min oss. It is suggested that the source be downloaded to the /usr/src directory. Untar the file by issuing the command "tar xvf egd.tar". This will create a directory called egd and a subdirectory under that directory called egd-0.9. Navigate to the egd-0.9 directory and issue the following commands: "perl Makefile.PL", "make", "make test" and "make install". This will install the egd.pl perl script in the /usr/bin directory.

As user admin, enter the trusted environment by issuing the SAK. Use sl to change your session level to min security and max integrity, administrator, all compartments. Use fsm to copy the egd.pl script to the /sys/daemon directory: type fsm; type copy for the request; enter /usr/bin/egd.pl as the input path name; enter /sys/daemon/egd.pl for the output path name; type yes for create output file. A message is displayed that states that n bytes were copied. While still in fsm, type change. Enter /sys/daemon/egd.pl for the pathname. Type no for modify access level. Enter network for the new owner. Enter network for the new group. Type yes for change discretion
27.

```c
    /* Read clients reply (cipher type and session key). */
    packet_read_expect(SSH_CMSG_SESSION_KEY);

    /* Get cipher type and check whether we accept this. */
    cipher_type = packet_get_char();

    if (!(cipher_mask_ssh1(0) & (1 << cipher_type)))
        packet_disconnect("Warning: client selects unsupported cipher.");

    /* Get check bytes from the packet.  These must match those we
       sent earlier with the public key packet. */
    for (i = 0; i < 8; i++)
        if (cookie[i] != packet_get_char())
            packet_disconnect("IP Spoofing check bytes do not match.");

    debug("Encryption type: %.200s", cipher_name(cipher_type));

    /* Get the encrypted integer. */
    if ((session_key_int = BN_new()) == NULL)
        fatal("do_ssh1_kex: BN_new failed");
    packet_get_bignum(session_key_int);

    protocol_flags = packet_get_int();
    packet_set_protocol_flags(protocol_flags);
    packet_check_eom();

    /* Decrypt session_key_int using host/server keys */
    rsafail = PRIVSEP(ssh1_session_key(session_key_int));

    /*
     * Extract session key from the decrypted integer.  The key is in the
     * least significant 256 bits of the integer; the first byte of the
     * key is in the highest bits.
     */
    if (!rsafail) {
        BN_mask_bits(session_key_int, sizeof(session_key) * 8);
        len = BN_num_bytes(session_key_int);
        if (len < 0 || (u_int)len > sizeof(session_key)) {
            error("do_connection: bad session key len from %s: "
                "session_key_int %d > sizeof(session_key) %lu",
```
28. LIST OF TABLES
Table 1 OpenBSD Features Used by OpenSSH ..... 10
Table 2 XTS-400 Implementation Differences ..... 11
Table 3 MAC Policy Enforcement Test ..... 25
Table 4 MAC Policy Test Definitions ..... 26
Table 5 DAC Policy Enforcement Test ..... 29
Table 6 TPE Viewing Capability Test for OpenSSH Created Files ..... 30
Table 7 TPE Viewing Capability Test for Files Modified by OpenSSH ..... 31
Table 8 Single Level LAN Simultaneous User Logins ..... 32
Table 9 Multiple Single Level LANs Simultaneous User Logins ..... 32
Table 10 Public Key Authentication Test ..... 33
Table 11 Miscellaneous ..... 33
Table 12 MAC Policy Enforcement Test Validation Results ..... 34
Table 13 DAC Policy Enforcement Test Validation Results ..... 35
Table 14 TPE Viewing Capability for OpenSSH Created Files Test Validation Results ..... 36
Table 15 TPE Viewing Capability with OpenSSH Modified Files Test Validation Results ..... 36
Table 16 Single Level LAN Simultaneous User Logins Test Validation Results ..... 37
Table 17 Multiple Single Level LANs Simultaneous U
29. call have been commented out. The modifications are in the temporarily_use_uid function in the uidswap.c file and the do_setusercontext function in the session.c file. The socketpair system call is not implemented; this call returns with the error "invalid argument". The XTS-400 documentation states that unsupported interprocess communication (IPC) mechanisms will return the error "Invalid Argument" [DIG03c]. OpenSSH provides compatibility for the use of UNIX domain socket pairs or pairs of pipes for IPC. A modification had to be made to force OpenSSH to use pairs of pipes instead of socket pairs: the modification was to uncomment the line "#define USE_PIPES 1" in the defines.h file. Socketpair is used extensively in the monitor code that is used when privilege separation is enabled. In an attempt to support privilege separation, pairs of pipes were created to replace the socket pair. Privilege separation appeared to work through the pre-authentication phase of a user login, but because file descriptor passing is not supported, no tests could be conducted to verify that this phase of privilege separation did work as intended. All modifications made to the monitor-specific files have been commented out. The files that were modified are monitor.c, monitor_wrap.c and monitor.h. There are many functions that can be used to set the real and effective user and group IDs of a process. These functions are listed in Table 1 and Table 2.
30. debug3 s no challenge func buffer free amp m return 1 int Get the challenge and format the response challeng buffer_get_string amp m NULL buffer free amp m mm chall setup name infotxt numprompts prompts echo on prompts 0 challenge debug3 s received challenge Ss _ func challenge return 0 mm bsdauth respond void ctx u int numresponses char responses amp M Buffer m int authok debug3 s entering X func 2 if numresponses 1 return 1 buffer init amp m buffer put cstring amp m responses 0 MYSEA Change m recvfd to m childsendfd mm request send pmonitor m recvfd MONITOR REQ BSDAUTHRESPOND 169 Change m recvfd to m childrecvfd mm request receive expect pmonitor m recvfd MONITOR ANS BSDAUTHRESPOND amp m authok buffer get int amp m buffer free amp m return authok 0 1 0 int mm skey query void ctx char name char infotxt u int numprompts char prompts u int echo on Buffer m int len u_int success char p challenge debug3 s entering X func 2 buffer init amp m MYSEA Change m recvfd to m childsendfd mm request send pmonitor m recvfd MONITOR REQ SKEYQUERY amp m Change m recvfd to m childrecvfd mm request receive expect pmonitor gt m_recvfd
31. e g due to a dropped connection 7 void session_pty_cleanup2 void session Session s session if s NULL error session pty cleanup no session return if s gt ttyfd 1 100 if we get aborted return debug session pty cleanup session d release s s gt self s gt tty Record that the user has logged out if s gt pid 0 record logout s pid s gt tty s gt pw gt pw_name Release the pseudo tty debug Going to Release PTY n if getuid 0 pty_release s gt tty debug Released the PTY n Close the server side of the socket pairs We must do this after the pty cleanup so that another process doesn t get this pty while we re still cleaning up m if close s ptymaster lt 0 error close s ptymaster d Ss S ptymaster strerror errno unlink pty from session s ttyfd 1 debug end of pty cleanup function void session_pty_cleanup void session PRIVSEP session_pty_cleanup2 session static char sig2name int sig define SSH_SIG x if sig SIG x return x SSH SIG ABRT SSH SIG ALRM SSH SIG FPE SSH SIG HUP SSH SIG ILL SSH SIG INT SSH SIG KILL SSH SIG PIPE SSH SIG QUIT SSH SIG SEGV SSH_SIG TERM SSH_SIG USR1 SSH SIG USR2 undef SSH_SIG return SIG openssh com 101 static void session
32. if options use pam finish pam endif USE PAM packet close if use privsep mm terminate close tf1 close tf2 close tf3 exit 0 135 child Decrypt session key int using our private server key and private host key key with larger modulus first Au int sshl session key BIGNUM session key int int rsafail 0 if BN_cmp sensitive_data server_key gt rsa gt n sensitive data sshl host key rsa n gt 0 Server key has bigger modulus if BN num bits sensitive data server key rsa n lt BN num bits sensitive data sshl host key rsa n SSH KEY BITS RESERVED fatal do connection s server key d host key d SSH KEY BITS RESERVED d get remote ipaddr BN num bits sensitive data server key rsa n BN num bits sensitive data sshl host key rsa 2n SSH KEY BITS RESERVED if rsa private decrypt session key int session key int sensitive data server key rsa lt 0 rsafailtt if rsa private decrypt session key int session key int sensitive data sshl host key rsa lt 0 rsafailtt else Host key has bigger modulus or they are equal if BN num bits sensitive data sshl host key rsa n lt BN num bits sensitive data server key rsa n SSH KEY BITS RESERVED fatal do connection s host key d server
33. options allow_tcp_forwarding channel permit all opens if compat20 do authenticated2 authctxt else do authenticatedl authctxt remove agent socket if auth sock name NULL auth sock cleanup proc authctxt gt pw ifdef KRB5 if options kerberos ticket cleanup krb5 cleanup proc authctxt fendif Prepares for an interactive session This is called after the user has been successfully authenticated During this message exchange pseudo terminals are allocated X11 TCP IP and authentication agent forwardings are requested TOs ay static void do authenticatedl Authctxt authctxt Session s char command int success type screen_flag int enable_compression_after_reply 0 u_int proto_len data_len dlen compression_level 0 s session_new s gt authctxt authctxt S pw authctxt pw We stay in this loop until the client requests to execute a shell or a command for success 0 70 Get a packet from the client type packet read Process the packet switch type case SSH CMSG REQUEST COMPRESSION compression level packet get int packet check eom if compression level 1 compression level gt 9 packet send debug Received illegal compression level d compression level break if options compression debug2 compre
34. options use_pam endif do_pam_set_tty s gt tty do pam setcred 1 Fork the child changed if pid fork 0 fatal remove all cleanups fe Chak Reinitialize the log because the pid has log_init __progname options log_level options log_facility log_stderr ifndef HAV Close the master side of the pseudo tty close ptyfd Make the pseudo tty our controlling tty pty make controlling tty amp ttyfd s gt tty Redirect stdin stdout stderr from the pseudo tty if dup2 ttyfd 0 lt 0 error dup2 stdin Ss strerror errno if dup2 ttyfd 1 lt 0 error dup2 stdout Ss strerror errno if dup2 ttyfd 2 0 error dup2 stderr s strerror errno Close the extra descriptor for the pseudo tty close ttyfd record login etc similar to login 1 E OSF SIA if options use login amp amp command NULL ifdef _UNICOS f cray init job s pw set up cray jid and tmpdir 76 endif UNICOS do login s command ifdef LOGIN NEEDS UTMPX else do pre login s endif endif Do common processing for the child such as execing the command do child s command NOTREACHED ifdef _UNICOS signal WJSIGNAL cray job termination handler endif UNICOS ifdef HAVE CYGWIN if is winnt cygw
35. pw uid get remote name or ip utmp len options use dns struct sockaddr amp from fromlen ifdef USE_PAM If password change is needed do it now This needs to occur before the hushlogin check Py if options use pam amp amp is pam password change required print pam messages do pam chauthtok XXX signal net parent to enable forwardings fendif if check quietlogin s command return ifdef USE_PAM 79 if options use pam amp amp is pam password change required print pam messages endif USE PAM display post login message if buffer len amp loginmsg gt 0 buffer append amp loginmsg NO 1 printf Ss n char buffer ptr amp loginmsg buffer_free amp loginmsg ifndef NO_SSH_LASTLOG if options print lastlog amp amp s last login time 0 time string ctime amp s last login time if strchr time string n strchr time string n 0 if strcmp s hostname 0 printf Last login sNrMn time string else printf Last login s from s r n time string S hostname endif NO SSH LASTLOG do motd Display the message of the day void do_motd void FILE f char buf 256 if options print motd ifdef HAVE LOGIN CAP f fopen login getcapstr lc welcome etc motd etc motd p else f f
36. tv gt tv_sec ts gt tv_nsec tv tv usec 1000 endif ifndef TIMESPEC TO TIMEVAL define TIMESPEC TO TIMEVAL tv ts tv 5tv sec ts tv sec tv tv usec ts tv nsec 1000 endif ifndef P define _ P x x endif if defined IN6_IS_ADDR_V4MAPPED define IN6_IS_ADDR_V4MAPPED a a_int32_t a 0 amp amp N 0 amp amp u int32 t a 1 u int32 t a 2 htonl Oxffff endif defined IN6 IS ADDR VAMAPPED if defined GNUC __GNUC__ lt 2 define attribute x endif defined GNUC GNUC 2 nto qnx doesn t define this macro in th ifdef MISSING HOWMANY define howmany x y CCGO CGO 71 GO endif ifndef OSSH ALIGNBYTES define OSSH ALIGNBYTES sizeof int 1 endif ifndef CMSG ALIGN 62 ari system headers define CMSG ALIGN p C u int p OSSH_ALIGNBYTES amp OSSH_ALIGNBYTES endif Length of the contents of a control message of length len ifndef CMSG_LEN define CMSG_LEN len __CMSG_ALIGN sizeof struct cmsghdr len endif Length of the space taken up by a padded control message of length len ifndef CMSG_SPACE define CMSG_SPACE len __CMSG_ALIGN sizeof struct cmsghdr __CMSG_ALIGN len endif given p
37. typing a short text message in each: test_ogarwx.txt, test_ogrwx.txt, test_orwx.txt, test_orw.txt, test_or.txt, test_none.txt, dtest_ogarwx.txt, dtest_ogrwx.txt, dtest_orwxgrw.txt, dtest_orwxgr.txt, dtest_orwx.txt, atest_grwx.txt. Issue the following commands:
chmod 777 test_ogarwx.txt
chmod 770 test_ogrwx.txt
chmod 700 test_orwx.txt
chmod 600 test_orw.txt
chmod 400 test_or.txt
chmod 000 test_none.txt
chmod 777 dtest_ogarwx.txt
chown demo dtest_ogarwx.txt
chmod 770 dtest_ogrwx.txt
chown demo dtest_ogrwx.txt
chmod 760 dtest_orwxgrw.txt
chown demo dtest_orwxgrw.txt
chmod 740 dtest_orwxgr.txt
chown demo dtest_orwxgr.txt
chmod 700 dtest_orwx.txt
chown demo dtest_orwx.txt
chmod 070 atest_grwx.txt
chgrp stop atest_grwx.txt
chown demo atest_grwx.txt
Use vi to create a C program, test.c. This program should be the typical "hello world" program. Compile the program: gcc -c test.c. Build the program: gcc -o test test.o. Issue the following commands:
cp test test_ogarwx
chmod 777 test_ogarwx
cp test test_ogrwx
chmod 770 test_ogrwx
cp test test_orwx
chmod 700 test_orwx
cp test test_orw
chmod 600 test_orw
cp test test_or
chmod 400 test_or
cp test test_none
chmod 000 test_none
cp test dtest_ogarwx
chmod 777 dtest_ogarwx
chown demo dtest_ogarwx
cp test dtest_ogrwx
chmod 770 dtest_ogrwx
chown demo dtest_ogrwx
cp test dtest_orwxgrw
chmod 740 dtest_orwxgr
chown demo dtest_orwxgr
cp tes
38. 8 typedef long long int int64 t endif endif endif ifndef HAVE U INT64 T if SIZEOF LONG INT 8 typedef unsigned long int u int64 t else if SIZEOF LONG LONG INT 8 typedef unsigned long long int u int64 t endif endif endif ifndef HAVE U CHAR typedef unsigned char u char define HAVE U CHAR endif HAVE U CHAR ifndef SIZE T MAX define SIZE T MAX ULONG MAX endif SIZE T MAX ifndef HAVE SIZE T typedef unsigned int size t define HAVE SIZE endif HAVE SIZE T ifndef HAVE SSIZE typedef int ssize t define HAVE SSIZE T endif HAVE SSIZE T ifndef HAVE CLOCK T typedef long clock t define HAVE CLOCK T endif HAVE CLOCK T Gl ifndef HAVE SA FAMILY T typedef int sa family t define HAVE SA FAMILY T endif HAVE SA FAMILY T ifndef HAVE PID T typedef int pid t 59 define HAVE PID T endif HAVE PID Te ifndef HAVE SIG ATOMIC T typedef int sig atomic t define HAVE SIG ATOMIC T endif HAVE SIG ATOMIC T I Gl ifndef HAVE_MODE_T typedef int mode_t define HAVE MODE T endif HAVE MODE T if defined HAVE SS FAMILY IN SS define ss family ss family endif LX defined HAVE SA FAMILY IN SS ifndef HAVE SYS UN H struct Sockaddr un short sun family char sun path 108
39. Fh Fh Fh Fh bu bu bu Fh Fh Fh kex Buffer m Kex kex fer put int m kex gt flags mm send keystate struct monitor pmonitor Buffer m u_char blob p u_int bloblen plen u int32 t seqnr packets u int64 t blocks buffer init amp m if compat20 u char iv 24 u char key u int ivlen keylen fer put string m kex session id kex session id len fer put int m kex we need fer put int m kex hostkey type fer put int m kex kex type fer put string m buffer ptr amp kex my fer put string m buffer ptr amp kex peer buffer len amp kex buffer len amp kex my fer put cstring m kex client version string fer put cstring m kex server version string buffer put int amp m packet get protocol flags buffer put int amp m packet get sshl cipher debug3 s Sending sshl K keyl key xmalloc keylentl EY IV add Funes n packet get encryption key NULL 1 if keylen 0 keylen packet get encryption key key buffer put string amp m key memset key 0 keylen xfree key keylen ivlen packet get keyiv len MODE OUT packet get keyiv MODE OUT iv ivlen buffer put string amp m iv ivlen ivlen packet get keyiv len MODE OUT packet get keyiv MODE IN iv ivlen buffer put string amp m iv ivlen goto skip else Ke
40. H H H H H H H H H H H H E OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE nclude includes h SID SOpenBSD sshd c v 1 276 2003 08 28 12 54 34 markus Exp nclude lt openssl dh h gt nclude lt openssl bn h gt nclude lt openssl md5 h gt nclude lt openssl rand h gt fdef HAVE_SECUREWARE nclude lt sys security h gt nclude lt prot h gt ndif nclude ssh h nclude sshl h nclude ssh2 h nclude xmalloc h nclude rsa h nclude sshpty h nclude packet h nclude mpaux h nclude log h nclude servconf h 107 DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON T INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF TH D TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF LH nclude uidswap h nclude compat h nclude buffer h nclude cipher h nclude kex h nclude key h nclude dh h nclude myproposal h nclude authfile h nclude pathnames h nclude atomicio h nclude canohost h nclude auth h nclude misc h nclude dispatch h nclude channels h nclude session h nclude monitor mm h nclude monitor h H H p pe p b H H H H p H H H p pe p He p H bp fdef LIBWRAP nclude lt tcpd h gt nclude lt syslog h gt H H 0 5 5 H H H ndif LIBWRAP ifndef O_NOCTTY define O_NOCTTY 0 endif ifdef HAVE___P
41. MAX PORTS fprintf stderr too many ports Mn a2port optarg 0 Bad port number n convtime optarg Invalid login grace time n options key regeneration time Invalid key regeneration 123 case h if options num host key files gt MAX HOSTKEYS fprintf stderr too many host keys n exit 1 E options host_key_files options num_host_key_filestt optarg break case t test flag 1 break case u utmp len atoi optarg if utmp len gt MAXHOSTNAMELEN fprintf stderr Invalid utmp length n exit 1 break case o if process server config line amp options optarg command line 0 0 exit 1 break case default usage break SSLeay add all algorithms channel set af IPv4orO0 Force logging to stderr until we have loaded the private host key unless started from inetd Ey log init progname options log level SYSLOG LEVEL NOT SET SYSLOG LEVEL INFO options log level options log facility SYSLOG FACILITY NOT SET SYSLOG FACILITY AUTH options log facility log stderr inetd flag ifdef _UNICOS endif T f Cray can define user privs drop all prives now Not needed on PRIV SU systems E drop cray privs seed rng Read server configuration options from the configuration file read se
42. Table 8 (columns: Test Number | LAN Level | User Name | Successful Logins | Expected Results)
e1 | sl1 il3 | cherbig | | Pass
| sl1 il3 | demo | | Pass
| sl1 il3 | testuser | | Pass
Table 8 Single Level LAN Simultaneous User Logins
f. Multiple Single Level LANs Simultaneous User Logins. The purpose of this test suite is to verify that users can log in from multiple networks of varying classifications. The test plan is presented in Table 9. Each user, specified by the username, logs in at each network. Success is determined by the user being presented with a shell, the command whoami returning the correct username, and the level command returning the correct session level.
Test Number | LAN Level | Username | Successful Login | Expected Result
f1 | sl1 il3 | cherbig | | Yes
| sl2 il3 | demo | | Yes
| sl3 il3 | testuser | | Yes
Table 9 Multiple Single Level LANs Simultaneous User Logins
g. Public Key Authentication Tests. The purpose of these tests is to verify that the public key authentication mechanism works properly. The test plan is presented in Table 10. In this test suite, a valid username means that the user does exist within the system; an invalid user means that a username was supplied but that user does not exist on the system. A correct private key means that the private key has a corresponding public key belonging to the user attempting to log in. A wrong private key means that the private key used does not match the public key presente
43. ai ai next if ai gt ai_family AF INET amp amp ai gt ai_family AF_INET6 continue if num_listen_socks gt MAX_LISTEN_SOCKS fatal Too many listen sockets Enlarge MAX LISTEN SOCKS if getnameinfo ai ai addr ai ai addrlen ntop sizeof ntop strport sizeof strport NI NUMERICHOST NI NUMERICSERV 0 error getnameinfo failed continue I Create socket for listening listen sock socket ai ai family ai ai socktype ai ai protocol if listen sock 0 kernel may not support ipv6 verbose socket 100s strerror errno continue if fcntl listen sock F SETFL O NONBLOCK error listen sock O NONBLOCK strerror errno close listen sock continue Set socket options Allow local port reuse in TIME WAIT if setsockopt listen sock SOL SOCKET SO amp on sizeof on 1 error setsockopt SO REUSEADDR strerror errno 128 lt 0 EUS debug Bind to port s on s strport ntop Bind the socket to the desired port if bind listen sock ai gt ai_addr ai gt ai_addrlen lt 0 if lai ai next error Bind to port s on s failed 200s strport ntop strerror errno close listen sock continue listen socks num listen socks listen sock num listen socks t Start listening
44. amp setsid 0 error setsid 100s strerror errno fendif Disable the key regeneration alarm We will not regenerate the key since we are no longer in a position to give it to anyone We will not restart on SIGHUP since it no longer makes sens X alarm 0 signal SIGALRM SIG DFL signal SIGHUP SIG DFL signal SIGTERM SIG DFL signal SIGQUIT SIG DFL signal SIGCHLD SIG DFL signal SIGINT SIG DFL Set keepalives if requested if options keepalives amp amp setsockopt sock in SOL SOCKET SO_K 133 I EPALIVE amp on sizeof on 0 error setsockopt SO_K I EPALIVE 100s strerror errno Register our connection This turns encryption off because we do not have a key packet set connection sock in sock out remote port get remote port remote ip get remote ipaddr ifdef LIBWRAP Check whether logins are denied from this host struct request_info req request init amp req RQ DAEMON __progname RQ FILE sock in fromhost amp req if hosts_access amp req debug Connection refused by tcp wrapper refuse amp req NOTREACHED fatal libwrap refuse returns endif LIBWRAP Log the connection verbose Connection from 500s port Sa remote_ip remote port We don t want to listen forever unless the other sid
45. amp m authctxt user MYSEA Change m recvfd to m childsendfd mm request send pmonitor m recvfd MONITOR REQ PAM INIT CIX debug3 s waiting for MONITOR ANS PAM INIT CIX func 2 change m recvfd to m childrecvfd mm request receive expect pmonitor m recvfd MONITOR ANS PAM INIT CTX amp m int success buffer get int amp m if success 0 debug3 s pam init ctx failed _ func buffer free amp m return NULL buffer free amp m return authctxt mm sshpam query void ctx char name char info u_int num char prompts u_int echo_on Buffer m int i ret 166 debug3 s func buffer init amp m MYSEA Change m recvfd to m childsendfd mm request send pmonitor m recvfd MONITOR REO PAM QUERY amp m debug3 s waiting for MONITOR ANS PAM QUERY _ func 2 Change m recvfd to m childrecvfd mm request receive expect pmonitor m recvfd MONITOR ANS PAM QUERY amp m ret buffer get int amp m debug3 s pam query returned d _ func ret name buffer get string amp m NULL info buffer get string amp m NULL num buffer get int amp m prompts xmalloc num 1 sizeof char echo on xmalloc num 1 sizeof u int for i 0 i lt num i prompts i buffer get string amp m NULL echo on i buff
46. auth sock name MAXPATHLEN s agent ld auth sock dir long getpid delete agent socket on fatal fatal add cleanup auth sock cleanup proc pw Create the socket sock socket AF UNIX SOCK STREAM 0 if sock 0 packet disconnect socket 100s strerror errno Bind it to the name memset amp sunaddr 0 sizeof sunaddr sunaddr sun family AF UNIX strlcpy sunaddr sun path auth sock name sizeof Sunaddr sun_path if bind sock struct sockaddr amp sunaddr sizeof sunaddr 0 packet_disconnect bind 100s strerror errno Restore the privileged uid restore_uid Start listening on the socket if listen sock 5 lt 0 packet disconnect listen 100s strerror errno Allocate a channel for the authentication agent socket nc channel new auth socket SSH CHANNEL AUTH SOCKET sock sock 1 CHAN X11 WINDOW DEFAULT CHAN X11 PACKET DEFAULT 0 auth socket 1 strlcpy nc path auth sock name sizeof nc path return 1 void do_authenticated Authctxt authctxt setproctitle s authctxt pw pw name 69 lt T Cancel the alarm we set to limit the time taken for authentication ky alarm 0 if startup pipe 1 close startup pipe startup pipe 1 setup the channel layer if no_port_forwarding_flag amp amp
47. bind child Socket sWMn strerror errno amp M 0 printf child s n unix_addr sun_path MYSEA initialize server socket but don t connect memset amp serv addr 0 sizeof serv_addr serv addr sun family AF LOCAL sprintf serv addr sun path s d path getppid debug3 s waiting for MONITOR ANS PTY X func Change m recvfd to m childrecvfd mm request receive expect pmonitor m recvfd MONITOR ANS PTY MYSEA now call connect length SUN LEN amp serv addr if connect sockfd struct sockaddr amp serv addr length lt printf Could not connect from child s n strerror errno success buffer get int amp m if success 0 debug3 s pty alloc failed X func 0 buffer free amp m return 0 p buffer_get_string amp m NULL buffer free amp m strlcpy namebuf p namebuflen Possible truncation 164 void xfree p MYSEA use the new file descriptor Change both fds to sockfd ptyfd mm receive fd pmonitor m recvfd ttyfd mm receive fd pmonitor m recvfd MYSEA destroy the sockets now close sockfd aunlink unix_addr sun_path Success return 1 mm_session_pty_cleanup2 void session Session s session Buffer m if s gt ttyfd 1 return buffer init amp m buffer put cstring amp m s tty
48. (Table 13, continued; columns: Test Number | Object Permissions | Object Name | Object Owner | Object Group | Action | Expected Results | Actual Results)
| rw------- | test_orw.txt | cherbig | other | read | Allowed | Allowed
b11 | rw------- | test_orw.txt | cherbig | other | write | Allowed | Allowed
b12 | rw------- | test_orw.txt | cherbig | other | execute | Fail | Fail
b13 | r-------- | test_or.txt | cherbig | other | read | Allowed | Allowed
b14 | r-------- | test_or.txt | cherbig | other | write | Fail | Fail
b15 | r-------- | test_or.txt | cherbig | other | execute | Fail | Fail
b16 | --------- | test_none.txt | cherbig | other | read | Fail | Fail
b17 | --------- | test_none.txt | cherbig | other | write | Fail | Fail
b18 | --------- | test_none.txt | cherbig | other | execute | Fail | Fail
b19 | rwxrwxrwx | dtest_ogarwx.txt | demo | other | read | Allowed | Allowed
b20 | rwxrwxrwx | dtest_ogarwx.txt | demo | other | write | Allowed | Allowed
b21 | rwxrwxrwx | dtest_ogarwx.txt | demo | other | execute | Allowed | Allowed
b22 | rwxrwx--- | dtest_ogrwx.txt | demo | other | read | Allowed | Allowed
b23 | rwxrwx--- | dtest_ogrwx.txt | demo | other | write | Allowed | Allowed
b24 | rwxrwx--- | dtest_ogrwx.txt | demo | other | execute | Allowed | Allowed
b25 | rwxrw---- | dtest_orwxgrw.txt | demo | other | read | Allowed | Allowed
b26 | rwxrw---- | dtest_orwxgrw.txt | demo | other | write | Allowed | Allowed
b27 | rwxrw---- | dtest_orwxgrw.txt | demo | other | execute | Fail | Fail
b28 | rwxr----- | dtest_orwxgr.txt | demo | other | read | Allowed | Allowed
b29 | rwxr----- | dtest_orwxgr.txt | demo | other | write | Fail | Fail
b30 | rwxr----- | dtest_orwxgr.txt | demo | other | execute | Fail | Fail
b31 | rwx------ | dtest_orwx.txt | demo | other | read | Fail | Fail
b32 | rwx------ | dtest_orwx.txt | demo | other | write | Fail | Fail
b33 | rwx------ | dtest_orwx.txt | demo | other | execute | Fail | Fail
b34 | ---rwx--- | atest_grwx.txt | demo | stop | read | Fail | Fail
b35 | ---rwx--- | atest_grwx.txt | demo | stop | write | Fail | Fail
b36 | ---rwx--- | atest_grwx.txt | demo | stop | execute | Fail | Fail
Table 13 DAC Policy Enforcement Test Validation Results
c. TPE Testing with Files Created by OpenSSH: Test Validation Results. This suite of tests validated the claim that files created through OpenSSH can be viewed from the MLS LAN through the TPEs.
Test Number | TPE Login Level | Object Levels | TPE Viewable Expected Results | Actual Results
c1 | sl1 il3 | s 1
49. d alloc s for SSH1 the tty modes length is not given s gt tty session d alloc failed s gt self sizeof s s gt self s tty connection gets s gt xpixel s if compat20 n bytes packet remaining tty parse modes s ttyfd amp n bytes Add a cleanup function to clear the utmp entry and record logout time in case we call fatal e g the closed X fatal add cleanup session pty cleanup void s if use privsep pty setowner s pw s tty Set window size from the packet pty change window size s ptyfd s row s col gt ypixel packet check eom session proctitle s return 1 static int session subsystem req Session s struct stat st u_int len int success 0 char cmd subsys intl packet get string amp len packet check eom logit subsystem request for 100s 97 subsys for i 0 i lt options num subsystems i if strcmp subsys options subsystem name i cmd options subsystem command i if stat cmd amp st lt 0 error subsystem cannot stat s strerror errno break debug subsystem exec s cmd S is subsystem 1 do exec s cmd success 1 break if success 9 logit Subsystem request for 100s failed found subsys xfree subsys return success static int session xl11l req Session s int success S single connectio
50. default session levels should be min il3. The mandatory access levels of their home directories should be min il3. Each user account should have a public and private key; refer to Appendix D for instructions on how to create and install keys.
1. MAC POLICY ENFORCEMENT
Login at the console as the demo user at the default session level. Create the following directories with mkdir, as specified by the Directory Name column in the table:
Directory Name | Mandatory Level
sl0il3 | sl0 il3
sl1il3 | sl1 il3
sl2il3 | sl2 il3
sl3il3 | sl3 il3
sl4il3 | sl4 il3
sl1il0 | sl1 il0
sl1il1 | sl1 il1
sl1il2 | sl1 il2
Table 25 MAC Policy Test Directories
Create the following files with vi, typing a short text message in each:
Filename | Mandatory Level | Directory
test_sl0il3.txt | sl0 il3 | sl0il3
test_sl1il3.txt | sl1 il3 | sl1il3
test_sl2il3.txt | sl2 il3 | sl2il3
test_sl3il3.txt | sl3 il3 | sl3il3
test_sl4il3.txt | sl4 il3 | sl4il3
test_sl1il0.txt | sl1 il0 | sl1il0
test_sl1il1.txt | sl1 il1 | sl1il1
test_sl1il2.txt | sl1 il2 | sl1il2
Table 26 MAC Policy Test Files
Issue the SAK. Type fsm. Use the change command in fsm to change the mandatory levels of the above files to their respective levels; use Table 26 to identify which levels to associate with the appropriate files. Make sure all permissions are turned on for all files and directories. This can be done through the change command in fsm when changing
51. exit message Session s int status Channel c if c channel lookup s chanid NULL fatal session exit message session d no channel d s gt self s chanid debug session exit message session d channel d pid ld s gt self s chanid long s gt pid if WIFEXITED status channel request start s chanid exit status 0 packet put int WEXITSTATUS status packet send else if WIFSIGNALED status channel request start s chanid exit signal 0 packet put cstring sig2name WTERMSIG status ifdef WCOREDUMP packet put char WCOREDUMP status else WCOREDUMP packet put char 0 endif WCOREDUMP GI packet_put_cstring packet_put_cstring packet_send else Some weird exit cause Just exit packet_disconnect wait returned status 04x status disconnect channel debug session exit message release channel d s gt chanid channel cancel cleanup s chanid emulate a write failure with chan write failed nobody will be interested in data we write Note that we must not call chan read failed since there could be some more data waiting in the pipe if c gt ostate CHAN OUTPUT CLOSED chan write failed c s gt chanid 1 void session_close Session s debug session close session d pid 1ld s
52. fail, and all integrity read-up and read-equal tests should pass. The property of the mandatory integrity policy does not allow a subject to modify an object if the integrity level of the subject is dominated by the integrity level of the object, so all integrity write-up tests should fail. The formal model for the mandatory integrity policy allows for a theoretical write-down from a subject to an object, but this is not allowed on the XTS-400, and all integrity write-down tests should fail. Only the integrity write-equal tests should pass. b. DAC Policy Enforcement. The purpose of this test suite is to verify that the discretionary access control policies enforced by the XTS-400 are still enforced when logged in through OpenSSH. The test plan is presented in Table 5. The username and group name used to run this test should remain constant, i.e. the same user login, cherbig, with a default group of other, is used to test all cases. The object permissions identify the permissions of the object that can be seen when the ls -l command is issued. The object name identifies how the object was named to help keep track of the permissions; the naming convention is discussed later. The object owner identifies the username of the owner of the object, and the object group identifies the group name of the owning group. The action identifies the type of access tested. For read access, the command more will be used to attempt to read the file. The vi tool will
53. file descriptors to other processes
System Functions:
chroot: creates a new root directory for a process
setgroups: sets the supplementary group IDs for a process
initgroups: initializes the supplementary group list
socketpair: creates a pair of UNIX domain sockets that are linked together
setuid, seteuid, setreuid: set the real and effective user ID of a process
setgid, setegid, setregid: set the real and effective group ID of a process
daemon: forks the process into the background and disconnects it from the controlling terminal
System Files:
passwd: provides user information such as username, user ID, default group ID, home directory and shell
shadow: provides the user's encrypted password
utmp: contains a record of users logged in to the system
wtmp: records all of the logins and logouts to the system
group: provides information about the groups in the system and which users belong in each group
Environment:
daemon environment: the init process provides an environment for all processes
Table 1 OpenBSD Features Used by OpenSSH
The next section will discuss how these features are different on the XTS-400. 2. XTS-400. The XTS-400 provides a Linux Binary Compatible Interface. This interface is not complete, because not all features of Linux are supported through it. OpenSSH has been ported to numerous Linux distributions and is compatible with the interface provided by the XTS-400. However, not all
54. flag inetd flag no daemon flag ifdef TIOCNOTTY int fd endif TIOCNOTTY MYSEA Use daemonize function instead of daemon They are the same thing if daemonize 0 0 lt 0 fatal daemon failed 200s strerror errno The original process Disconnect from the controlling tty ifdef TIOCNOTTY fd open PATH TTY O_RDWR O_NOCTTY if fd gt 0 void ioctl fd TIOCNOTTY NULL close fd fendif TIOCNOTTY Reinitialize the log because of the fork above log_init __progname options log_level options log_facility log stderr Initialize the random number generator arc4random_stir Chdir to the root directory so that the current disk can be unmounted if desired chdir ignore SIGPIPE 127 signal SIGPIPE SIG IGN Start listening for a socket unless started from inetd if inetd flag int ST sl dup 0 Make sure descriptors 0 1 in use dup sl sock_in dup 0 sock_out dup 1 startup pipe 1 By and 2 are We intentionally do not close the descriptors 0 1 and as our code for setting the descriptors won t work if ttyfd happens to be one of those uA debug inetd sockets after dupping d sd sock_in SOCk out if options protocol amp SSH PROTO 1 generate ephemeral server key else for ai options listen addrs ai ai
55. h addr list 0 sizeof struct in addr snprintf display sizeof display 50s u u inet ntoa my addr s display number s gt screen else snprintf display sizeof display 400s u u hostname s gt display_number s gt screen endif s display xstrdup display s gt auth_display xstrdup display return 1 static void do authenticated2 Authctxt authctxt server_loop2 authctxt dif defined GSSAPTI if options gss_cleanup_creds ssh_gssapi_cleanup_creds NULL endif C SSHD C Author Tatu Ylonen lt ylo cs hut fi gt Copyright c 1995 Tatu Ylonen lt ylo cs hut fi gt Espoo Finland F All rights reserved This program is the ssh daemon It listens for connections from clients and performs authentication xecutes us commands or shell and forwards information to from the application to the user client over an encrypted connection This can also handle forwarding of X11 TCP IP and authentication agent connections As far as I am concerned the code I have written for this software can be used freely for any purpose Any derived versions of this software must be clearly marked as such and if the derived work is incompatible with the protocol description in the RFC file it must F F 0X be called by a name other than ssh or Secure Shell 106 06 X X Xo X F F x F the di WARRANTIES
56. in the parent wy XXX better use close on exec markus channel close all Close any extra file descriptors Note that there may still be descriptors left by system functions They will be closed later 2 endpwent Close any extra open file descriptors so that we don t have them hanging around in clients Note that we want to do this after initgroups because at least on Solaris 2 3 it leaves file descriptors open for i 3 i lt 64 i close i Must take new environment into use so that ssh rc 92 etc ssh sshrc and xauth are run in the proper environment environ env Change current directory to the user s home directory if chdir pw pw dir lt 0 fprintf stderr Could not chdir to home directory s s n pw pw dir strerror errno ifdef HAVE_LOGIN_CAP if login_getcapbool lc requirehome 0 exit 1 T endif if options use_login do_rc_files s shell restore SIGPIPE for child signal SIGPIPE SIG DFL if options use login launch login pw hostname NEVERREACHED Get the last component of the shell name if shellO strrchr shell NULL shell0 else shellO shell If we have no command xecute the shell In this case the shell name to be passed in argv 0 is preceded by to indicate that this is a login
57. key d SSH KEY BITS RESERVED d get remote ipaddr BN num bits sensitive data sshl host key rsa 2n BN num bits sensitive data server key rsa n SSH KEY BITS RESERVED if rsa_private_decrypt session_key_int session_key_int sensitive_data sshl_host_key gt rsa lt 0 rsafailtt if rsa private decrypt session key int session key int sensitive data server key rsa lt 0 rsafailtt return rsafail SSH1 key exchange static void do sshl kex void 136 int i len int rsafail 0 BIGNUM session key int u char session key SSH SESSION KEY LENGTH u char cookie 8 u int cipher type auth mask protocol flags u int32 t rnd 0 Generate check bytes that the client must send back in the user packet in order for it to be accepted this is used to defy ip spoofing attacks Note that this only works against somebody doing IP spoofing from a remote machine any machine on the local network can still see outgoing packets and catch the random cookie This only affects rhosts authentication and this is one of the reasons why it is inherently insecure for i 0 i lt 8 itt if i 4 0 rnd arc4random cookie i rnd amp Oxff rnd gt gt 8 Send our public key We include in the packet 604 bits of random data that must be matched in the reply in order
58. ...labeling information with sensitivity levels. For the military, the standard levels are UNCLASSIFIED, CONFIDENTIAL, SECRET and TOP SECRET. In commerce the levels might be PUBLIC, PROPRIETARY and SENSITIVE. The use of these classifications is intended to prevent the unauthorized disclosure of the information requiring protection. As a military example, military plans must be kept confidential so as to defeat opposing forces. If the opposing forces discovered a secret military operational plan, they could counter that operation and our military forces would suffer great losses in the form of lives, equipment and technology. For a commercial example, consider the following: information regarding a product of a company is labeled proprietary and is not intended for public dissemination; its disclosure, perhaps to competitors, could cause the company to lose its market edge and ultimately money. Sensitive information needs sufficient protection, but access to this information needs to be granted when appropriate. What is required is a multilevel secure (MLS) architecture. One such architecture is the Monterey Security Architecture (MYSEA) project. The MYSEA project incorporates the protection mechanisms required to ensure only the authorized disclosure of information to authorized users. So far the MYSEA project has focused on the military sector, but it can also be used in the commercial sector with little modification. To facilitate
59. m buffer put string amp m oid elements oid length MYSEA Change m recvfd to m childsendfd mm request send pmonitor m recvfd MONITOR REQ GSSSETUP amp m Change m recvfd to m childrecvfd mm request receive expect pmonitor m recvfd MONITOR ANS GSSSETUP amp m major buffer get int amp m buffer free amp m return major 173 OM uint32 mm ssh gssapi accept ctx Gssctxt ctx gss buffer desc in gss buffer desc out OM uint32 flags Buffer m OM_uint32 major u_int len buffer init amp m buffer put string amp m in value in gt length MYSEA Change m recvfd to m childsendfd mm request send pmonitor m recvfd MONITOR REQ GSSSTEP amp m Change m recvfd to m childrecvfd mm request receive expect pmonitor m recvfd MONITOR ANS GSSSTEP amp m major buffer get int amp m out value buffer get string amp m amp len out length len if flags flags buffer get int amp m buffer free amp m return major int mm ssh gssapi userok char user Buffer m int authenticated 0 buffer init amp m MYSEA Change m recvfd to m childsendfd mm request send pmonitor m recvfd MONITOR REQ GSSUSEROK amp m Change m recvfd to m childrecvfd mm request receive expect pmonitor m recvfd MONITOR ANS GSSUSEROK amp m
60. ...private keys /usr/local/src/etc/ssh_host_rsa_key, /usr/local/src/etc/ssh_host_dsa_key and /usr/local/src/etc/ssh_host_key. Enter /usr/local/src/etc/(private key file). Do not modify the mandatory access levels. Type network for the owner and group. Do not modify the discretionary access. To manually start the daemons, issue SAK. Type start_daemon and enter the names of the daemons. To verify that the daemons have started, set the session level to max max and then run proc_edit. Type list, and all three daemons should be present. If ssh-rand-helper is also listed in proc_edit, then there is not enough entropy and the OpenSSH daemon is trying to generate more. Wait about 10 minutes or more before attempting to login. Because the daemon was installed using ftp_edit, the command stop_daemon will not terminate the daemon. Using the remove function of proc_edit will not stop the daemon either. The only way to terminate the daemon is with a system reboot. Edit /etc/passwd to include the proper default group with each user. The fourth field is what is used to identify the groups. By default these numbers will be 0. Change to the appropriate group ID for the user. Issue SAK. Type sl max max (the first max is the security level, the second max is the integrity level). Issue SAK. Type ua_edit. Type display. Enter the user name of the user that will be allowed to login remotely via OpenSSH. Look for the user's default group and rememb
61. sizeof newkey nc amp newkey gt enc mac amp newkey mac comp amp newkey comp Enc structure nc name buffer_get_string amp b NULL buffer get amp b amp enc cipher sizeof enc gt cipher nc enabled buffer get int amp b enc block size buffer get int amp b nc 5key buffer get string amp b amp enc 5key len nc iv buffer get string S amp b amp len if len enc block size fatal s bad ivlen expected Su Su _ func enc block size len if enc nam NULL cipher_by_name enc name l nc r fatal s bad cipher name s or pointer p X func nc name enc cipher Mac structure mac name buffer get string amp b NULL if mac gt name NULL mac init mac mac name 1 fatal s can not init mac s _ func mac name mac enabled buffer get int amp b mac key buffer get string amp b amp len if len gt mac key len fatal s bad mac key length Su gt Sd X func len mac key len mac key len len Comp structure comp type buffer get int amp b comp enabled buffer get int amp b comp name buffer get string amp b NULL len buffer len amp b if len 0 error newkeys from blob remaining bytes in blob oo c buffer_free amp b return newkey 160 int mm newkeys to blob int
62. [Figure 2: File System Structure for TPE Testing; directory tree of the sl0/sl1/sl2/sl3 il3 levels with niprnet, siprnet and jwics (unclass, secret, topsecret) subdirectories under public_html]
Figure 2. File System Structure for TPE Testing.
d. TPE Testing with Files Modified by OpenSSH. The purpose of this test suite is to verify that changes made to pre-existing files through OpenSSH are viewable from the MLS LAN through the TPEs. This test plan is very similar to the previous test. The test plan is presented in Table 7. Test objects were created at the console of the XTS-400 prior to the execution of the tests. The objects are within the three network classified directories under the public_html subdirectory. This allows a user logged in through OpenSSH to modify the files.
Test Number | TPE Login Level | Object Level | TPE Viewable (Expected Result)
d1 | sl1 il3 | sl1 il3 | Yes
d2 | sl1 il3 | sl2 il3 | No
d3 | sl1 il3 | sl3 il3 | No
d4 | sl2 il3 | sl1 il3 | Yes
d5 | sl2 il3 | sl2 il3 | Yes
d6 | sl2 il3 | sl3 il3 | No
d7 | sl3 il3 | sl1 il3 | Yes
d8 | sl3 il3 | sl2 il3 | Yes
d9 | sl3 il3 | sl3 il3 | Yes
Table 7. TPE Viewing Capability Test for Files Modified by OpenSSH.
e. Single Level LAN Simultaneous User Logins. The purpose of this test suite is to verify that multiple users on the same single level LAN can login. Success is determined by the user being presented with a shell and the command whoami returning the user's correct username. The test plan is presented in
63. ...temporarily_use_uid effective");
	debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid,
	    (u_int)pw->pw_gid);

	/* MYSEA: Enable Privileges */
	old_priv = enable_uid_priv();

#if defined(HAVE_SETRESGID)
	if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0)
		fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
#elif defined(HAVE_SETREGID) && !defined(BROKEN_SETREGID)
	if (setregid(pw->pw_gid, pw->pw_gid) < 0)
		fatal("setregid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
#else
	if (setegid(pw->pw_gid) < 0)
		fatal("setegid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
	if (setgid(pw->pw_gid) < 0)
		fatal("setgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno));
#endif

#if defined(HAVE_SETRESUID)
	if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) < 0)
		fatal("setresuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
#elif defined(HAVE_SETREUID) && !defined(BROKEN_SETREUID)
	if (setreuid(pw->pw_uid, pw->pw_uid) < 0)
		fatal("setreuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
#else
# ifndef SETEUID_BREAKS_SETUID
	if (seteuid(pw->pw_uid) < 0)
		fatal("seteuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
# endif
	if (setuid(pw->pw_
64. ...that would require privileges to access it, the solution was to disable support for these files. This was accomplished by giving the OpenSSH configuration script a few extra options that disabled support for these files. The options given to the configuration script can be seen in Appendix A. The last system file presented is the /etc/group file. This file stores information on all groups, including a list of the users associated with each group. This file would normally be used by the setgroups and initgroups system calls, but as mentioned these calls are not supported. The /etc/group file is generated by the xtsmkgroup command. This command does not produce a correct /etc/group file: after examining the file, no users were listed with their associated groups. In the event that setgroups and initgroups are implemented, this file will have to be modified manually to contain the correct information that these system calls will require. The functionality of the /etc/group file is provided by the two trusted group databases: the group access authorization database and the group access information database. These two databases are stored at the highest secrecy level and protected by the subtype DAC mechanism. To support the proper association of users to groups, access to these databases would have to be granted through privileges. The analysis required to identify where the privileged code should be added was beyond the scope of
65. ...the EGD (entropy gathering daemon). EGD was chosen for use because the PRNGd documentation referenced the EGD. Installation instructions for these three software packages are in Appendix A of this report. A discussion of these three packages follows. 1. Zlib. Zlib 1.1.4 is a compression library with utilities. OpenSSH and OpenSSL use zlib in order to compress data when communicating over a network. The compression occurs before encryption, so the delay in transmission due to encryption is reduced [BAR01]. The use of compression is also a daemon runtime configuration option, as can be seen in Appendix C, SSH daemon configuration file. However, this file is not used until the SSH daemon executes. Simply changing the option Compression Yes to Compression No will not stop the tests performed by the configuration file that look for the zlib libraries and header files. In order to bypass the configuration file tests, either false libraries and header files would have to be created or the configuration file would have to be modified to not check for zlib. After a quick analysis of the zlib documentation it was determined that the installation of zlib would not be difficult. In this case it was easier to install the required software than to provide false libraries or modify the configuration file. 2. OpenSSL. OpenSSL is a project designed to provide a robust, commercial-grade, full-featured and Open Source toolkit implementing the Secure Sockets Layer (SS
66. ...the sharing of information with appropriate and authorized users, the MYSEA project permits access from a MLS local area network (LAN) to one of several single level networks. To aid in the sharing of information, a service was required so that users on the single level networks could access resources within the multilevel network. The motivation for this study is to provide secure remote login capabilities for use over the single level networks in support of the Monterey Security Architecture (MYSEA) project. The MYSEA project uses the XTS-400 as its multilevel secure server, called the MYSEA server. The MYSEA server is connected to a number of single level networks and a MLS LAN. From the MLS LAN, users can use the Trusted Path Extension (TPE) devices to connect to the MYSEA server and view information at varying secrecy and integrity levels. From the single level networks, only information that has the same security classification as that of the network may be seen. Users on these networks do not have TPE devices to authenticate with the MYSEA server. Hence there is a need to provide a secure login mechanism for those users. The tool chosen to provide the remote interactive session is OpenSSH, a network security application that uses the SSH protocols to implement secure remote login capabilities. B. PURPOSE OF STUDY. The purpose of this study is to port OpenSSH to the XTS-400, run on a multilevel secure (MLS) server, to provide sec
67. to prevent IP spoofing x packet start SSH SMSG PUBLIC KEY for i 0 i lt 8 itt packet_put_char cookie i Store our public server RSA key packet put int BN num bits sensitive data server key rsa n packet put bignum sensitive data server key rsa e packet put bignum sensitive data server key rsa n Store our public host RSA key packet put int BN num bits sensitive data sshl host key rsa gt n packet put bignum sensitive data sshl host key rsa e packet put bignum sensitive data sshl host key rsa n Put protocol flags packet put int SSH PROTOFLAG HOST IN FWD OPEN Declare which ciphers we support packet put int cipher mask ssh1 0 Declare supported authentication types auth mask 0 if options rhosts rsa authentication 137 auth mask 1 lt lt SSH AUTH RHOSTS RSA if options rsa authentication auth mask 1 lt lt SSH AUTH RSA if options challenge response authentication 1 auth mask 1 lt lt SSH AUTH TIS if options password authentication auth mask 1 lt lt SSH AUTH PASSWORD packet put int auth mask Send the packet and wait for it to be sent packet send packet write wait debug Sent d bit server key and d bit host key BN num bits sensitive data server key rsa n BN num bits sensitive data sshl host key rsa n
68. ...with a level of sl1 il3, a directory with the same level had to be created to hold the objects.
Test Number | Test Type | Session Level | Object Level | Command | Expected Result
a1 | Secrecy read up | sl1 il3 | sl2 il3 | more | Fail
a2 | Secrecy read up | sl1 il3 | sl3 il3 | more | Fail
a3 | Secrecy read up | sl1 il3 | sl4 il3 | more | Fail
a4 | Secrecy read up | sl2 il3 | sl3 il3 | more | Fail
a5 | Secrecy read up | sl2 il3 | sl4 il3 | more | Fail
a6 | Secrecy read up | sl3 il3 | sl4 il3 | more | Fail
a7 | Secrecy read down | sl1 il3 | sl0 il3 | more | Pass
a8 | Secrecy read down | sl2 il3 | sl0 il3 | more | Pass
a9 | Secrecy read down | sl2 il3 | sl1 il3 | more | Pass
a10 | Secrecy read down | sl3 il3 | sl0 il3 | more | Pass
a11 | Secrecy read down | sl3 il3 | sl1 il3 | more | Pass
a12 | Secrecy read down | sl3 il3 | sl2 il3 | more | Pass
a13 | Secrecy read equal | sl1 il3 | sl1 il3 | more | Pass
a14 | Secrecy read equal | sl2 il3 | sl2 il3 | more | Pass
a15 | Secrecy read equal | sl3 il3 | sl3 il3 | more | Pass
a16 | Secrecy write up | sl1 il3 | sl2 il3 | vi | Fail
a17 | Secrecy write up | sl1 il3 | sl3 il3 | vi | Fail
a18 | Secrecy write up | sl1 il3 | sl4 il3 | vi | Fail
a19 | Secrecy write up | sl2 il3 | sl3 il3 | vi | Fail
a20 | Secrecy write up | sl2 il3 | sl4 il3 | vi | Fail
a21 | Secrecy write up | sl3 il3 | sl4 il3 | vi | Fail
a22 | Secrecy write down | sl1 il3 | sl0 il3 | vi | Fail
a23 | Secrecy write down | sl2 il3 | sl0 il3 | vi | Fail
a24 | Secrecy write down | sl2 il3 | sl1 il3 | vi | Fail
a25 | Secrecy write down | sl3 il3 | sl0 il3 | vi | Fail
a26 | Secrecy write down | sl3 il3 | sl1 il3 | vi | Fail
a27 | Secrecy write down | sl3 il3 | sl2 il3 | vi | Fail
a28 | Secrecy write equal | sl1 il3 | sl1 il3 | vi | Pass
a29 | Secrecy write equal | sl2 il3 | sl2 il3 | vi | Pass
a30 | Secrecy write equal | sl3 il3 | sl3 il3 | vi | Pass
a31 | Integrity read up | sl1 il3 | sl1 oss | more | Pass
a32 | Integrity read down | sl1 il3 | sl1 il0 | more | Fail
a33 | Integrity read down | sl1 il3 | sl1 il1 | more | Fail
a34 | Integrity read down | sl1 il3 | sl1 il2 | more | Fail
a35 | Integrity write up | sl1 il3 | sl1 oss | vi | Fail
a36 | Integrity write down | sl1 il3 | sl1 il0 | vi | Fail
69.
a37 | Integrity write down | sl1 il3 | sl1 il1 | vi | Fail
a38 | Integrity write down | sl1 il3 | sl1 il2 | vi | Fail
Table 3. MAC Policy Enforcement Test.
As mentioned, this suite of tests verifies that the MAC policies are enforced. Each MAC policy has two properties that must be maintained: a simple security (or simple integrity) property and a *-property. Table 4 presents definitions of the types of test used in this suite of tests. In this table the Policy Type identifies whether the definition is for the mandatory secrecy or integrity policy. The Property column identifies which property of the mandatory policies is being tested. The Access Type specifies the type of access. The Definition gives the mathematical definition of the property, where S represents the subject, O represents the object, s means the secrecy level, i means the integrity level, = means equality, > means dominates and < means is dominated by. The last column in the table states whether or not the action is allowed given the Property of the Policy Type. The models that represent the security policies allow for secrecy write up and integrity write down. However, the XTS-400 does not allow these access types, so the expected results for the XTS-400 should be no. The affected entries in the table are identified by an asterisk.
Policy Type | Property | Access Type | Definition | Allowed
Secrecy | simple security | Read equal | sl(S) = sl(O) | Yes
Secrecy | simple security | Read dow
70. 16 int listen socks MAX LISTEN SOCKS int num listen socks 0 the client s version string passed by sshd2 in compat mode if NULL sshd will skip the version number exchange char client version string NULL char server version string NULL for rekeying XXX fixme Kex xxx kex Any really sensitive data in the application is contained in this structure The idea is that this structure could be locked into memory so that the pages do not get written into swap However there ar some problems The private key contains BIGNUMs and we do not in principle have access to the internals of them and locking just the structure is not very useful Currently memory locking is not implemented 7 struct Key server key ephemeral server key Key sshl host key sshl host key Key host keys all private host keys int have sshl key 109 int have ssh2 key u char sshl cookie SSH SESSION KEY LENGTH sensitive data Flag indicating whether the RSA server key needs to be regenerated Is set in the SIGALRM handler and cleared when th key is regenerated 2 static volatile sig atomic t key do regen 0 This is set to true when a signal is received static volatile sig atomic t received sighup 0 static volatile sig atomic t received sigterm 0 session identifier used by RSA auth
71. ...sl3 il3 | sl0 il3 | vi | Fail | Fail
a26 | Secrecy write down | sl3 il3 | sl1 il3 | vi | Fail | Fail
a27 | Secrecy write down | sl3 il3 | sl2 il3 | vi | Fail | Fail
a28 | Secrecy write equal | sl1 il3 | sl1 il3 | vi | Pass | Fail
a29 | Secrecy write equal | sl2 il3 | sl2 il3 | vi | Pass | Fail
a30 | Secrecy write equal | sl3 il3 | sl3 il3 | vi | Pass | Fail
a31 | Integrity read up | sl1 il3 | sl1 oss | more | Pass | Pass
a32 | Integrity read down | sl1 il3 | sl1 il0 | more | Fail | Fail
a33 | Integrity read down | sl1 il3 | sl1 il1 | more | Fail | Fail
a34 | Integrity read down | sl1 il3 | sl1 il2 | more | Fail | Fail
a35 | Integrity write up | sl1 il3 | sl1 oss | vi | Fail | Fail
a36 | Integrity write down | sl1 il3 | sl1 il0 | vi | Fail | Fail
a37 | Integrity write down | sl1 il3 | sl1 il1 | vi | Fail | Fail
a38 | Integrity write down | sl1 il3 | sl1 il2 | vi | Fail | Fail
Table 12. MAC Policy Enforcement Test Validation Results.
b. DAC Policy Enforcement Test Validation Results. This suite of tests demonstrated that the XTS-400 DAC policies are still enforced when users are logged in through OpenSSH.
Test Number | Object Permissions | Object Owner | Object Group | Object Name | Action | Expected Results | Actual Results
b1 | rwxrwxrwx | cherbig | other | test_ogarwx.txt | read | Allowed | Allowed
b2 | rwxrwxrwx | cherbig | other | test_ogarwx.txt | write | Allowed | Allowed
b3 | rwxrwxrwx | cherbig | other | test_ogarwx.txt | execute | Allowed | Allowed
b4 | rwxrwx--- | cherbig | other | test_ogrwx.txt | read | Allowed | Allowed
b5 | rwxrwx--- | cherbig | other | test_ogrwx.txt | write | Allowed | Allowed
b6 | rwxrwx--- | cherbig | other | test_ogrwx.txt | execute | Allowed | Allowed
b7 | rwx------ | cherbig | other | test_orwx.txt | read | Allowed | Allowed
b8 | rwx------ | cherbig | other | test_orwx.txt | write | Allowed | Allowed
b9 | rwx------ | cherbig | other | test_orwx.txt | execute | Allowed | Allowed
b10 | rw
72. ...43-5000 NUMBER. 9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES): N/A. 10. SPONSORING/MONITORING AGENCY REPORT NUMBER. 11. SUPPLEMENTARY NOTES: The views expressed in this thesis are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government. 12a. DISTRIBUTION/AVAILABILITY STATEMENT: Approved for public release; distribution is unlimited. 12b. DISTRIBUTION CODE. 13. ABSTRACT (maximum 200 words): Complex multilevel secure (MLS) architectures are emerging that require user identification and authentication services not only from multilevel connections but from pre-existing single level networks. The XTS-400 can be used as a server in such environments. Trusted devices are required for user login via multilevel connections; however, single level remote login facilities do not require such client-side devices. Instead, a more lightweight mechanism is possible. Remote login capabilities do not exist on the XTS-400 for use over the single level networks, and this capability is a desired feature for use in complex multilevel architectures. OpenSSH is an application developed for OpenBSD that uses the SSH protocol to provide secure remote logins and an interactive command interface. A secure remote login application, OpenSSH, was ported to the XTS-400 in order to provide remote login capabilities. The porting process identified differences between the original development platform for Open
73. ...6         Use IPv6 only\n");
	fprintf(stderr, "  -o option  Process the option as if it was read from a configuration file.\n");
	exit(1);
}

/*
 * Main program for the daemon.
 */
int
main(int ac, char **av)
{
	extern char *optarg;
	extern int optind;
	int opt, sock_in = 0, sock_out = 0, newsock, j, i, fdsetsz, on = 1;
	pid_t pid;
	socklen_t fromlen;
	fd_set *fdset;
	struct sockaddr_storage from;
	const char *remote_ip;
	int remote_port;
	FILE *f;
	struct addrinfo *ai;
	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
	int listen_sock, maxfd;
	int startup_p[2];
	int startups = 0;
	Authctxt *authctxt;
	Key *key;
	int ret, key_used = 0;
	/* MYSEA: Need to create file descriptors so that descriptors will be numbered above 2 */
	int tf1, tf2, tf3;

#ifdef HAVE_SECUREWARE
	(void)set_auth_parameters(ac, av);
#endif
	__progname = ssh_get_progname(av[0]);
	init_rng();

	/* MYSEA: Open files so that descriptors are above 2 */
	tf1 = open(_PATH_DEVNULL, O_RDWR, 0);
	tf2 = open(_PATH_DEVNULL, O_RDWR, 0);
	tf3 = open(_PATH_DEVNULL, O_RDWR, 0);

	/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
	saved_argc = ac;
	saved_argv = xmalloc(sizeof(*saved_argv) * (ac + 1));
	for (i = 0; i < ac; i++)
		saved_argv[i] = xstrdup(av[i]);
	saved_argv[i] = NULL;

#ifndef HAVE_SETPROCTITLE
	/* Prepare for lat
74. ...All changes are from m_recvfd to either m_childsendfd or m_childrecvfd. */
#include "includes.h"
RCSID("$OpenBSD: monitor_wrap.c,v 1.31 2003/08/28 12:54:34 markus Exp $");

#include <openssl/bn.h>
#include <openssl/dh.h>

#include "ssh.h"
#include "dh.h"
#include "kex.h"
#include "auth.h"
#include "auth-options.h"
#include "buffer.h"
#include "bufaux.h"
#include "packet.h"
#include "mac.h"
#include "log.h"
#include "zlib.h"
#include "monitor.h"
#include "monitor_wrap.h"
#include "xmalloc.h"
#include "atomicio.h"
#include "monitor_fdpass.h"
#include "getput.h"
#include "servconf.h"
#include "auth.h"
#include "channels.h"
#include "session.h"

#ifdef GSSAPI
#include "ssh-gss.h"
#endif

/* Imports */
extern int compat20;
extern Newkeys *newkeys[];
extern z_stream incoming_stream;
extern z_stream outgoing_stream;
extern struct monitor *pmonitor;
extern Buffer input, output;
extern ServerOptions options;

void
mm_request_send(int socket, enum monitor_reqtype type, Buffer *m)
{
	u_int mlen = buffer_len(m);
	u_char buf[5];

	debug3("%s entering: type %d", __func__, type);

	PUT_32BIT(buf, mlen + 1);
	buf[4] = (u_char) type;		/* 1st byte of payload is mesg-type */
	if (atomicio(vwrite, socket, buf, sizeof(buf)) != sizeof(buf))
		fatal("%s: write check 1", __func__);
	if (atomicio(vwrite, socket, buffer_ptr(m), mlen) != mlen)
		fatal("%s: write check 2", __func__);
}
75. ...SSH2 implementation: Privilege Separation: Copyright (c) 2000, 2001, 2002 Markus Friedl. All rights reserved. Copyright (c) 2002 Niels Provos. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, [...]) [...] THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
76. ...DIX F. TEST PROCEDURES 191. 1. MAC POLICY ENFORCEMENT 191. 2. DAC POLICY ENFORCEMENT 193. 3. TPE TESTING WITH FILES CREATED BY OPENSSH 196. 4. TPE TESTING WITH FILES MODIFIED BY OPENSSH 197. 5. SINGLE LEVEL LAN SIMULTANEOUS USER LOGINS 197. 6. MULTIPLE SINGLE LEVEL LANS SIMULTANEOUS USER LOGINS 198. 7. PUBLIC KEY AUTHENTICATION 198. 8. MISCELLANEOUS TESTS 198. LIST OF REFERENCES 201. INITIAL DISTRIBUTION LIST 203. LIST OF FIGURES: Figure 1. Developmental Testing Network Topology. Figure 2. File System Structure for TPE Testing. Figure 3. MLS Testbed Network Topology (taken from [TRV04]). LIST OF TABLES: Table 1, Table 2, Table 3, Table 4, Table 5, Table 6, Table 7, Table 8, Table 9, Table 10, Table 11, Table 12, Table 13, Table 14, Table 15, Table 16
77. ...E XTS-400 15. A. GOALS 15. B. METHODOLOGY 15. C. PORTING RESULTS 16. D. CHALLENGES ENCOUNTERED 16. 1. System Features 16. 2. System Functions 17. 3. System Files 19. 4. Environment 22. INTEGRATION TESTING 23. A. DEVELOPMENTAL TESTING 23. 1. [title garbled in source] 23. a. MAC Policy Enforcement 24. b. DAC Policy Enforcement 27. c. TPE Testing with Files Created by OpenSSH 29. d. TPE Testing with Files Modified by OpenSSH 31. e. Single Level LAN Simultaneous User Logins 32. f. Multiple Single Level LANs Simultaneous User Logins 32. g. Public Key Authentication Tests 32. h. Miscellaneous Tests 33.
78. ...EUID */
	debug("restore_uid: %u/%u", (u_int)saved_euid, (u_int)saved_egid);
	/* Set the effective uid back to the saved privileged uid. */
	if (seteuid(saved_euid) < 0)
		fatal("seteuid %u: %.100s", (u_int)saved_euid, strerror(errno));
	if (setegid(saved_egid) < 0)
		fatal("setegid %u: %.100s", (u_int)saved_egid, strerror(errno));
#else /* SAVED_IDS_WORK_WITH_SETEUID */
	/*
	 * We are unable to restore the real uid to its unprivileged value.
	 * Propagate the real uid (usually more privileged) to effective uid
	 * as well.
	 */
	setuid(getuid());
	setgid(getgid());
#endif /* SAVED_IDS_WORK_WITH_SETEUID */

	/* MYSEA: setgroups() is not implemented on the XTS-400; for now, comment out. */
	/*
	if (setgroups(saved_egroupslen, saved_egroups) < 0)
		fatal("setgroups: %.100s", strerror(errno));
	*/
	temporarily_use_uid_effective = 0;
	/* MYSEA: Drop the Privileges */
	set_priv(old_priv);
}

/*
 * Permanently sets all uids to the given uid.  This cannot be
 * called while temporarily_use_uid is effective.
 */
void
permanently_set_uid(struct passwd *pw)
{
	/* MYSEA: Privilege Code here as well */
	xts_privilege_t old_priv;
	uid_t old_uid = getuid();
	gid_t old_gid = getgid();

	if (temporarily_use_uid_effective)
		fatal("permanently_set_uid: temporarily_use_uid effective");
	debug("permanently_set_uid: %u/%u", (u_int)pw->pw_ui
79. ...GEX_SHA1] = kexgex_server;
	kex->server = 1;
	kex->client_version_string = client_version_string;
	kex->server_version_string = server_version_string;
	kex->load_host_key = &get_hostkey_by_type;
	kex->host_key_index = &get_hostkey_index;

	xxx_kex = kex;

	dispatch_run(DISPATCH_BLOCK, &kex->done, kex);

	session_id2 = kex->session_id;
	session_id2_len = kex->session_id_len;

#ifdef DEBUG_KEXDH
	/* send 1st encrypted/maced/compressed message */
	packet_start(SSH2_MSG_IGNORE);
	packet_put_cstring("markus");
	packet_send();
	packet_write_wait();
#endif
	debug("KEX done");
}

/* MYSEA: Definition of the daemonize() function */
int
daemonize(int nochdir, int noclose)
{
	int fd;

	switch (fork()) {
	case -1:
		return (-1);
	case 0:
		break;
	default:
		_exit(0);
	}

	if (setsid() == -1)
		return (-1);

	if (!nochdir)
		(void)chdir("/");

	if (!noclose && (fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) {
		(void)dup2(fd, STDIN_FILENO);
		(void)dup2(fd, STDOUT_FILENO);
		(void)dup2(fd, STDERR_FILENO);
		if (fd > 2)
			(void)close(fd);
	}
	return (0);
}

UIDSWAP.C
/*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
 * Code for uid-swapping.
 *
 * As far as I am concerned, the code I have written for this software
 * can be
80. ...L v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength general purpose cryptography library [SSL04]. The OpenSSL libraries and header files provide the cryptographic ciphers needed by OpenSSH to perform encryption. Without the use of these libraries, OpenSSH would be reduced to the ordinary telnet and file transfer protocols. A quick glance at the XTS-400 lib directory showed that the OpenSSL shared libraries were already installed; however, the OpenSSH configuration file did not accept the libraries. Unlike zlib, this application is absolutely necessary in order for OpenSSH to work, so simple file substitution was not an option, and neither was modifying the configuration file. A quick review of the OpenSSL documentation revealed that the installation, like zlib, should not be difficult. The latest source, openssl-0.9.7d, was downloaded and installed. 3. Entropy Gathering Daemon. The entropy gathering daemon is needed to provide a software-based pseudo random number generator. It was quickly discovered that without some type of random number generator OpenSSH will not run: the application will exit with the error "prng not seeded". A quick alternative was needed. As mentioned, both the OpenSSH and OpenSSL documentation mentioned two software-based random number generators, the pseudo random number generator daemon (PRNGd) and the entropy gathering daemon (EGD). Both daemons stated compatibility with Op
81. OpenSSH, including its history, available clients, available authentication methods and its modes of operation. The second section provides information about the port of OpenSSH to the XTS-400. Within this section, features used by OpenSSH that have a different behavior on the XTS-400 are discussed. Then the way the XTS-400 handles those features is discussed, along with a brief description of security policies available on the XTS-400. The last section will cover the software dependencies of OpenSSH. A. ARCHITECTURAL BACKGROUND. 1. MYSEA Project. MYSEA provides "a trusted distributed operating environment for enforcing multilevel security policies and utilization of support for incorporation of unmodified commodity productivity applications for user activities" [IRV04]. This means that the MYSEA project uses a client-server architecture where the server, called the MYSEA server, is responsible for the enforcement of security policies. This server is one of the very few specialized hardware components required by MYSEA. The other specialized hardware components are the Trusted Path Extensions (TPE) and the Trusted Channel Modules (TCM). The TPE is a device that will provide an unforgeable communications link between the server and the client machine. The TCMs authenticate network sensitivity levels to the MYSEA server so that the information received from that network may be labeled correctly. The clients are intended to have no permanent writeable st
82. ROGNAME extern char progname else char __progname endif nclude monitor wrap h nclude monitor fdpass h t allow severity LOG INFO t deny severity LOG WARNING Server configuration options ServerOptions options Name of the server configuration file char config file name PATH SERVER CONFIG FILE Flag indicating whether IPv4 or IPv6 This can be set on the command line Default value is AF UNSPEC means both IPv4 and IPv6 p int IPv4or6 AF UNSPEC Debug mode flag This can be set on the command line If debug mode is enabled extra debugging output will be sent to the system log the daemon will not go to background and will exit after processing 108 the first connection xy int debug flag 0 TOSS Flag indicating that the daemon should only test the configuration and keys nt test flag 0 p SS Flag indicating that the daemon is being started from inetd nt inetd flag 0 p WO Flag indicating that sshd should not detach and become a daemon nt no daemon flag 0 p debug goes to stderr unless inetd flag is set int log stderr 0 Saved arguments to main char saved argv nt saved argc p The sockets that the server is listening this is used in the SIGHUP signal handler A define MAX_LISTEN_SOCKS
83. ROTO_1 if options protocol amp SSH_PROTO_2 amp amp sensitive data have ssh2 key logit Disabling protocol version 2 Could not load host key options protocol amp SSH PROTO 2 if options protocol amp SSH_PROTO_1 SSH_PROTO_2 logit sshd no hostkeys available exiting 125 exit 1 Check certain values for sanity if options protocol amp SSH PROTO 1 if options server key bits 512 options server key bits gt 32768 fprintf stderr Bad server key size n exit 1 Check that server and host key lengths differ sufficiently This is necessary to make double encryption work with rsaref Oh I hate software patents I dont know if this can go Niels g if options server key bits BN num bits sensitive data sshl host key rsa n SSH KEY BITS RESERVED amp amp options server key bits BN num bits sensitive data sshl host key rsa n d SSH KEY BITS RESERVED options server key bits BN num bits sensitive data sshl host key rsa n SSH_KEY_BITS_RESERVED debug Forcing server key to d bits to make it differ from host key options server key bits if use_privsep struct passwd pw SELUCE stat St if pw getpwnam SSH PRIVSEP USER NULL fatal Privilege separation user s does not exist SSH PRIVSEP USER
84. SSH and the XTS-400. Solutions in the form of source code modifications were made to overcome problems resulting from the compatibility differences encountered during the port. Testing was conducted to ensure that the port was successful and did not violate any security policies enforced by the XTS-400. 14. SUBJECT TERMS: OpenSSH, XTS-400, Remote Login. 15. NUMBER OF PAGES: 225. 16. PRICE CODE. 17. SECURITY CLASSIFICATION OF REPORT: Unclassified. 18. SECURITY CLASSIFICATION OF THIS PAGE: Unclassified. 19. SECURITY CLASSIFICATION OF ABSTRACT: Unclassified. 20. LIMITATION OF ABSTRACT: UL. NSN 7540-01-280-5500, Standard Form 298 (Rev. 2-89), prescribed by ANSI Std. 239-18. Approved for public release; distribution is unlimited. USE OF OPENSSH SUPPORT FOR REMOTE LOGIN TO A MULTILEVEL SECURE SYSTEM. Christopher F. Herbig, Civilian, Naval Postgraduate School; B.S., St. Edward's University, 2002. Submitted in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE IN COMPUTER SCIENCE from the NAVAL POSTGRADUATE SCHOOL, December 2004. Author: Christopher Fred Herbig. Approved by: Cynthia E. Irvine, Thesis Advisor; Thuy D. Nguyen, Co-Advisor; Peter J. Denning, Chairman, Department of Computer Science. ABSTRACT. Complex multilevel secure (MLS) architectures are emerging that require user identification and authentication service
85. TORY var spool mail endif ifndef MAILDIR define MAILDIR MAIL DIRECTORY endif if defined PATH MAILDIR amp amp defined MAILDIR define PATH MAILDIR MAILDIR endif defined PATH MAILDIR amp amp defined MAILDIR ifndef PATH NOLOGIN define PATH NOLOGIN etc nologin endif Define this to be the path of the xauth program ifdef XAUTH PATH define PATH XAUTH XAUTH PATH endif XAUTH PATH derived from XF4 xc lib dps Xlibnet h ifndef X UNIX PATH ifdef hpux define X UNIX PATH var spool sockets X11 u else define X UNIX PATH tmp X11 unix X u endif endif X UNIX PATH define PATH UNIX X X UNIX PATH ifndef PATH TTY define PATH TTY dev tty endif Macros if defined HAVE LOGIN GETCAPBOOL amp amp defined HAVE LOGIN CAP H define HAVE LOGIN CAP endif ifndef MAX define MAX a b a gt b a b define MIN a b a lt b a b endif ifndef roundup endif ifndef timersub define timersub a b result do define roundup x y CCCGO Cy 71 y y result tv sec a tv sec b tv sec N result tv usec a tv usec b tv usec if result tv usec lt 0 result tv sec result gt tv_usec 1000000 while 0 endif ifndef TIMEVAL TO TIMESPEC define TIMEVAL TO TIMESPEC tv ts ts tv sec
86. These system calls are supported by the XTS-400 but require special XTS-400 privileges to operate properly. The specific privilege that they require is set owner group on the XTS-400 [DIG03b]. Privileges can be granted to programs by installing the program with tp_edit. To follow the principle of least privilege, the privileges should be granted when necessary and then be revoked when not needed. The MYSEA libraries provide APIs to request and revoke the set owner group privilege. The modifications made to the source code were to the temporarily_use_uid, restore_uid and permanently_set_uid functions in the uidswap.c file. The header files for the MYSEA libraries had to be included in the uidswap.c file in order for the C compiler to locate and link the appropriate functions when the executable is being constructed. The OpenSSH configuration script had to be given extra arguments to specify the location of the libraries and which libraries to use. The options given to the configuration script can be seen in Appendix A. The daemon system call is not supported in the XTS-400 untrusted environment. The OpenSSH source code provides a directory called openbsd-compat under the openssh-3.7.1p2 source directory that provides certain functions that may not be implemented on the target platform. Daemon is one of the functions provided in the openbsd-compat directory. However, the OpenSSH configuration file identified the daemon API as bei
87. ad access is more. This command only requires and uses read access; modification of the file is not required. The command used for writing is vi, the visual editor. Vi is a common editor that is available on most systems. Vi needs to be able to both modify and save the modifications. The integrity levels of OSS and Admin are defined as il3 (all integrity compartments) and il7 (all integrity compartments) respectively. In this suite of tests, a result of pass means that the operation was allowed, e.g. more was able to display the file and vi was able to edit the file and save the changes. A result of fail means that the operation was not permitted. Vi can appear to make modifications, but if the modifications cannot be saved then the write access test fails. The objects are text files with the following naming convention: test_sl#il#.txt, where the two pound signs are replaced with the appropriate object level numbers, e.g. test_sl1il3.txt if the object level is sl1 il3. The permissions on the objects are read, write and execute for owner, group and world. This ensures that the discretionary policies do not interfere with the tests. Because the XTS-400 does not allow subjects to write to objects if the level of the parent directory is dominated by the level of the subject or object, directories had to be created to hold the objects at the specific sensitivity levels in order to allow tests for writing. For example, for objects
88. ad of socketpairs for communicating with the client program Socketpairs do not seem to work on all systems 64 configure ac sets problems but you may need to set it yourself TUA MYSEA Manually changed to use pipes fdefine USE PIPES 1 this for a login recorder definitions FIXME put default paths back in ifndef UTMP FILE ifdef PATH UTMP define UTMP FILE else ifdef CONF UTMP FILE define UTMP FILE CONF UTMP FILE endif endif endif ifndef WTMP FILE ifdef PATH WTMP define WTMP FILE else ifdef CONF WTMP FILE define WTMP FILE CONF WTMP FIL endif endif endif PATH UTMP PATH WTMP E few OS s which are known to pick up the user s location for lastlog if given ifndef LASTLOG FILE ifdef PATH LASTLOG define LASTLOG FIL else ifdef CONF LASTLOG FILE I PATH LASTLOG define LASTLOG FILE endif endif endif CONF LASTLOG FIL The login if defined HAVE LOGIN amp amp define USE LOGIN else Simply select your library function in libutil defined DISABL favourite login types is first choice _ LOGIN gr 65 several ik UTMPX sigh E UTMP E WTMPX Can t do if else b
89. al setuid Su 100s u int pw pw uid or errno MYSEA Drop the privileges now set priv old priv Try restoration of GID if changed test clearing of saved gid if old gid pw pw gid amp amp setgid old gid 1 setegid old gid 1 fatal s was able to restore old e gid __func__ Verify GID drop was successful if getgid pw gt pw_gid getegid pw gt pw_gid fatal s egid incorrect gid u egid u should be u func u int getgid u int getegid u_int pw gt pw_gid f HAVE CYGWIN Try restoration of UID if changed test clearing of saved uid 151 if old uid pw pw uid amp amp setuid old uid 1 seteuid old uid 1 fatal s was able to restore old e uid func 0 endif 6 F X X F X Xo ox the distribution WARRANTIES DISCLAIMED BUT USI Ry p P E OF Verify UID drop was successful if getuid pw pw uid geteuid pw pw uid fatal s euid incorrect uid u euid u should be u func u int getuid u int geteuid u int pw pw uid MONITOR WRAP C Copyright 2002 Niels Provos lt provos citi umich edu gt Copyright 2002 Markus Friedl lt markus openbsd org gt All rights reserved Redistribution and use in source and binary forms with or without modification are per
90. alation. The 12th USENIX Security Symposium. Saltzer, J. H. & Schroeder, M. D. (1975). The Protection of Information in an Information System. Fourth ACM Symposium on Operating System Principles. Stevens, W. R. (1993). Advanced Programming in the UNIX Environment. Indianapolis, IN: Addison-Wesley. Tatham, S. (2004). PuTTY: A Free Telnet/SSH Client. Available: http://www.chiark.greenend.org.uk/~sgtatham/putty/. Accessed December 15, 2004. INITIAL DISTRIBUTION LIST: Defense Technical Information Center, Ft. Belvoir, VA; Dudley Knox Library, Naval Postgraduate School, Monterey, CA; Dr. Diana Gant, National Science Foundation, Arlington, VA; Dr. Cynthia E. Irvine, Naval Postgraduate School, Monterey, CA; Thuy D. Nguyen, Naval Postgraduate School, Monterey, CA; Chris Herbig, Civilian, Naval Postgraduate School, Monterey, CA.
91. als of this project, the methodology used to accomplish those goals, the results of the research and solutions to the problems encountered. A. GOALS. The goals of this project are to port OpenSSH to the XTS-400 with as much of the functionality preserved as possible. The key functions desired are the interactive session and the use of PKI for authentication. An extra benefit of this work is the provision of a better understanding of the functions supported by the XTS-400. This may inform future porting projects on the XTS-400. B. METHODOLOGY. To port a particular application to the XTS-400, a number of steps must be completed. One step is to look at the documentation of the application that will be ported. Here it is important to identify any references to other software packages that the application requires. If these additional software packages are not available on the XTS-400, then they must be ported first. Another item to look for in the documentation is the process architecture of the application. When the process architecture is not available, a thorough examination of the source code will help to determine the process architecture. The process architecture is important because the XTS-400 enforces mandatory security policies and will not allow processes at different sensitivity levels to communicate with one another unless privileges are given to both processes. Another step is to review the documentation for the XTS-400 and look for any syste
92. and Tools. a. Installation Instructions. The source for OpenSSL can be obtained from http://www.openssl.org. The current version is 0.9.7d. Download the source code (or use the source on the CD-ROM) and load it onto the XTS-400 in the /usr/src directory. Login as admin at sl0 and oss. Unpack the file by issuing the following command: tar zxvf openssl.tar.gz. This will uncompress the files into a directory called openssl-0.9.7d. Navigate to that directory and issue the following commands: ./config zlib; make; make test; make install. The configuration option zlib will allow OpenSSL to use the zlib libraries for compression. The make command will compile the source. The make test command will test the compilation and the encryption algorithms. The make install command will install the libraries in the /usr/local directory. The man pages will not install properly, but they are not needed in order for openssl to function properly. B. OPENSSH. Create a directory called src under the /usr/local directory. This directory should have the levels min oss; this directory and its contents will be downgraded later. The MYSEA software must be installed in the /usr/local/mysea directory. Login as admin at min oss. Copy the openssh.tar.gz file into the /usr/local/src directory. Issue SAK. Type fsm. Type change. Enter /usr/local/src/openssh.tar.gz for the pathname. Type yes to modify the access level. Type min for security level. Type il3
93. and if the derived work is incompatible with the protocol description in the RFC file it must be called by a name other than ssh or Secure Shell rA include includes h RCSID SOpenBSD uidswap c v 1 24 2003 05 29 16 58 45 deraadt Exp include log h include uidswap h MYSEA Need to include extra headers to make the daemon privileged to change the user and group ids of the processes nu i i include usr local mysea include priv util h include lt usr local mysea include util h gt include lt xts types h gt Note all these functions must work in all of the following cases X 1 euid 0 ruid 0 2 euid 0 ruid 0 e 3 euid 0 ruid 0 Additionally they must work regardless of whether the system has POSIX saved uids or not XI if defined POSIX SAVED IDS amp amp defined BROKEN SAVED UIDS Lets assume that posix saved ids also work with seteuid even though that is not part of the posix specification define SAVED IDS WORK WITH SETEUID Saved effective uid static uid t saved euid 0 static gid t saved egid 0 endif Saved effective uid static int privileged 0 static int temporarily_use_uid_effective 0 static gid t saved egroups NGROUPS MAX user groups NGROUPS MAX static int saved egroupslen 1 user groupslen 1 Temporarily changes to the given uid If
94. ar to the /etc/passwd file mentioned earlier. The user access authorization database is stored at the highest secrecy and integrity levels and is protected by the subtype DAC mechanism. Without the /etc/shadow file, password authentication will not succeed. For password authentication to work, the OpenSSH daemon would have to be granted access to the user databases, and in order to accomplish this more privileges would have to be granted to the OpenSSH daemon. The specific privileges are simple security exempt and subtype exempt. It was determined that further and more detailed analysis would be needed to determine where to insert the privileged code. There was no solution for fixing the absence of the /etc/shadow file. The workaround was to disable password authentication so that the OpenSSH daemon would not attempt to access a nonexistent file. The next two files are related and are discussed together. The /var/log/wtmp file contains a record of all user logins and logouts. This file is not present on the XTS-400, as its functionality is provided by the trusted user access authorization database discussed earlier. The /var/run/utmp file contains a record of all users currently logged in to the system. This file is not present either. These files are used for account login auditing in a Linux system. Because these files are not present and the functionality of only one is provided through a trusted database
95. ary access. Type rwx for owner. Hit enter for name of specific owner. Type rwx for group. Hit enter for specific group. Type rwx for others. Type no to display the object. Type no to hex dump the object. Type yes to okay to change. Next, use daemon_edit to have egd.pl act as a daemon. Issue SAK. Type daemon_edit. Type add. Enter egd as the name of the daemon. For the command line, type egd.pl. For the arguments, use /tmp/entropy. Type enter for environment setting. Answer yes to starting the daemon at startup. Answer no to high integrity. Answer no to controls a device. The security level for the daemon should be min. The integrity level should be il3. Run the daemon as user network and group network. If seeing the current starting order for daemons is desired, type yes; otherwise say no. To add the daemon to the end of the list, press enter; otherwise enter a starting index. Press enter for the delay at startup question. Press enter for the delay at stop. Type entropy gathering daemon for the description. A message stating that the daemon was added should appear. To start the daemon, use the trusted start_daemon command. A list of available daemons will be presented. Choose egd. A message stating that the daemon has started should appear. To verify this, use the proc_edit command and type list. There should be an entry for egd.pl. It is possible that the daemon may not be able to keep up with all entropy
96. at the privileges are acquired only when needed and then revoked when no longer in use. Password authentication would be very convenient for users because they would not have to carry a key file, and the XTS-400 administrator would not have to worry about key generation and installation issues. Another project is to implement support for proper group association. The setgroups and initgroups calls are not implemented and the /etc/group file is incorrect, so improper associations of users to groups could result in inadequate access permissions for users. This project would involve assessing the trusted group databases and implementing the functionality that setgroups and initgroups would normally implement. An analysis of where to acquire and revoke the privileges required to access the trusted databases would be required. Another project would be to incorporate the remote shell capabilities of OpenSSH with the MYSEA secure session server. Currently the MYSEA server does not implement a remote shell for the MLS LAN user. The incorporation of the remote shell functionality would enable the MYSEA server to provide an interactive session to the user. The entropy gathering daemon is used to provide randomness, which is required for cryptography. Software-based pseudo-random number generators do not perform as well as hardware-based pseudo-random number generators. A future project would be to design and implement a pseudo-random numbe
97. be used to test for write access. To test for execute access, the file name will be entered at the shell prompt, i.e. the file will have to be a program. The objects for read and write access tests are text files. The objects used for execute access are simple C programs that print a message to the screen. The naming convention for the text files is test_<o or g or a><r or w or x>.txt, where o means owner, g means group and a means all, and r means read, w means write and x means execute. The "or" specified in the filename is not exclusive. For example, the file test_orwx.txt means that the object permissions are read, write and execute for the owner. The programs used for testing execute access will have the same file name without the .txt extension. The session and object levels will remain fixed in order to prevent the MAC protection mechanisms from interfering with the tests.
Test Number | Object Name | Object Permissions | Object Owner | Object Group | Action | Expected Results
b1 | test_ogarwx.txt | rwxrwxrwx | cherbig | other | read | Allowed
b2 | test_ogarwx.txt | rwxrwxrwx | cherbig | other | write | Allowed
b3 | test_ogarwx.txt | rwxrwxrwx | cherbig | other | execute | Allowed
b4 | test_ogrwx.txt | rwxrwx | cherbig | other | read | Allowed
b5 | test_ogrwx.txt | rwxrwx | cherbig | other | write | Allowed
b6 | test_ogrwx.txt | rwxrwx | cherbig | other | execute | Allowed
b7 | test_orwx.txt | rwx | cherbig | other | read | Allowed
b8 | test_orwx.txt | rwx | cherbig | other | write | Allowed
b9 | test_orwx.txt | rwx | cherbig | other | execute | All
98. bug3 s entering _ func 0 buffer init amp m buffer put cstring amp m service buffer put cstring amp m style style MYSEA Change m recvfd to m childsendfd mm request send pmonitor m recvfd MONITOR REQ AUTHSERV amp m WENS buffer_free amp m Do the password authentication int mm auth password Authctxt authctxt char password Buffer m int authenticated 0 debug3 s entering __func__ buffer init amp m buffer put cstring amp m password MYSEA Change m recvfd to m childsendfd mm request send pmonitor m recvfd MONITOR REQ AUTHPASSWORD amp M debug3 s waiting for MONITOR ANS AUTHPASSWORD _ func 2 Change m recvfd to m childrecvfd mm request receive expect pmonitor m recvfd MONITOR ANS AUTHPASSWORD amp m authenticated buffer get int amp m buffer free amp m debug3 s user sauthenticated unc authenticated 7 mot y return authenticated int mm user key allowed struct passwd pw Key key return mm key allowed MM USERKEY NULL NULL key int mm hostbased key allowed struct passwd pw char user char host Key key return mm key allowed MM HOSTKEY user host key int 157 mm auth rhosts rsa key allowed struct passwd pw char user char host Key key int ret key gt type KEY RSA XXX hack for key to blob ret
99. cket pair and make the child side the standard input x close pin 1 if dup2 pin 0 0 0 perror dup2 stdin close pin 0 Redirect stdout close pout 0 if dup2 pout 1 1 0 perror dup2 stdout close pout 1 Redirect stderr close perr 0 if dup2 perr 1 2 O perror dup2 stderr close perr 1 else USE PIPES Redirect stdin stdout and stderr Stdin and stdout will use the same socket as some programs particularly rdist as stdin dendif US ifdef UNIC endif seem to depend on it x7 close inout 1 close err 1 if dup2 inout 0 0 lt 0 stdin perror dup2 stdin if dup2 inout 0 1 lt 0 stdout Note same socket perror dup2 stdout if dup2 err 0 2 O stderr perror dup2 stderr E PIPES OS cray init job s pw set up cray jid and tmpdir 74 Do processing for the child exec command etc do child s command NOTREACHED ifdef _UNICOS signal WJSIGNAL cray job termination handler endif UNICOS ifdef HAVE CYGWIN if is winnt cygwin set impersonation token INVALID HANDLE VALUE endif if pid 0 packet disconnect fork failed 100s strerror errno S pid pid Set interactive non interactive mode packet set interactive s d
100. ctxt int chanid Session s session new debug session open channel d chanid if s NULL error no more sessions return 0 S authctxt authctxt S pw authctxt pw if s gt pw NULL fatal no user for session d s self debug session open session d link with channel d s gt self chanid s gt chanid chanid return 1 Session session_by_tty char tty intii for i 0 i lt MAX_SESSIONS i Session s amp sessions i if s gt used amp amp s gt ttyfd 1 amp amp strcmp s gt tty tty 0 debug session by tty session d tty s i tty return S debug session by tty unknown tty 100s tty session dump return NULL static Session session_by_channel int id Xn for i 0 i lt MAX SESSIONS itt Session s amp sessions i if s used amp amp s chanid id debug session by channel session d channel d i AGL s return s debug session by channel unknown channel d id session dump return NULL static Session session by pid pid t pid 95 int is debug session by pid pid 1d long pid for i 0 i lt MAX SESSIONS i Session s amp sessions i if s used amp amp s pid pid return S error session by pid unknown pid 1d long pid session dump return NULL static int session window change req Sessio
101. cure Trusted Operating Program, Trusted Channel Module, Trusted Path Extension. ACKNOWLEDGMENTS. I would like to thank Dr. Irvine, Thuy, Jean Khosalim and David Shifflett for their help and support with this project. I would also like to thank Tanya Raven and Naomi Falby for their support and encouragement during my stay at the Naval Postgraduate School. I thank my parents and sister for their love and support. This material is based upon work supported by the National Science Foundation under Grant No. DUE-0114018. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation. EXECUTIVE SUMMARY. It is general opinion that high assurance systems present challenging user interfaces. Therefore, users tend to use untrusted low assurance systems that do not provide sufficient security. The MYSEA project incorporates both high and low assurance systems with trusted and untrusted applications. The high assurance system used in the MYSEA project is the DigitalNet XTS-400. This system provides high assurance enforcement of policies to protect information from both unauthorized disclosure and unauthorized modification. Both commercial off-the-shelf and open source productivity applications are provided to gain user acceptabi
102. d u_int pw gt pw_gid MYSEA Enable Privileges old_priv enable_uid_priv if defined HAVE_SETRESGID if setresgid pw pw gid pw gt pw_gid pw gt pw_gid lt 0 fatal setresgid Su 100s u_int pw gt pw_gid strerror errno elif defined HAVE SETREGID amp amp defined BROKEN SETREGID if setregid pw pw gid pw pw gid lt 0 fatal setregid u 100s u_int pw gt pw_gid strerror errno else if setegid pw gt pw_gid lt 0 150 fatal setegid Sur 100s u int pw pw gid strerror errno if setgid pw gt pw_gid lt 0 fatal setgid Su 100s u_int pw gt pw_gid strerror errno endif fif de fined HAVE_SETRESUID if setresuid pw gt pw_uid pw gt pw_uid pw gt pw_uid lt 0 fatal setresuid Su 100s u int pw pw uid strerror errno elif defined HAVE SETREUID amp amp defined BROKEN SETREUID strerr else if setreuid pw pw uid pw pw uid lt 0 fatal setreuid Su 100s u int pw pw uid or errno ifndef SETEUID_BREAKS_SETUID strerr endi strerr endif sj ifnde f if seteuid pw pw uid lt 0 fatal Seteuid Su 100s u int pw pw uid or errno f if setuid pw pw uid lt 0 fat
103. d be 1024. Click on the Generate button in the Actions section of the window. Follow the instructions for moving the mouse to help generate some randomness. Enter a passphrase in the Key Passphrase field in the Key section of the window. Reenter the passphrase in the Confirm passphrase field. Click on the Save Public Key and Save Private Key buttons in the Actions section. Go to the Conversions menu and select Export OpenSSH Key. For the name of the file to save, enter id_dsa.pub and click on Save. This file should be moved to disk or CD and given to the Administrator of the XTS-400. The private key should be used when connecting to the XTS-400. The Administrator should use mcopy to copy the key file from the disk that the user has provided to the /usr/local/src/bin directory. Repeat steps 1, 3, 5 and 6 from section A of this Appendix. In step 3, do not attempt to copy the id_dsa file. D. OPENSSH GENERATED KEYS ON LINUX. Login to the Linux system under a normal user account, not the root user account. Open a terminal. Type the command ssh-keygen -t dsa. Enter a passphrase when prompted. Reenter the passphrase to confirm. This will create a directory called .ssh directly under the user's home directory, and there will be two files in that directory: id_dsa.pub and id_dsa. Copy the id_dsa.pub file to disk and give it to the Administrator of the XTS-400. The Administrat
104. d by the user.
Test Number | User Name | Private Key | Passphrase | Expected Results
g1 | Valid | Correct | Correct | Succeed
g2 | Valid | Correct | Wrong | Fail
g3 | Valid | Wrong | Correct | Fail
g4 | Invalid | Correct | Correct | Fail
Table 10. Public Key Authentication Test. h. Miscellaneous Tests. To test how OpenSSH reacts when the user's account is created incorrectly, a set of experiments was created. The test plan is presented in Table 11. The first case tests to see how OpenSSH reacts when a user's home directory is not present, i.e. it was never created. The second test determines what happens when either the user or the Administrator revokes all permissions on the user's home directory. The third test determines what happens when a user logs in from a network with a lower security classification than that of his home directory.
Test Number | Case | Environment | Expected Results
h1 | Home directory not present | Home directory not present | Cannot login, no key file
h2 | Permissions on home directory incorrect | permissions on $HOME | Cannot login, cannot read key file
h3 | Level on home directory incorrect | level of $HOME sl2 il3, session level sl1 il3 | Cannot login, cannot read key file
Table 11. Miscellaneous Tests. 2. Test Validation Report. This section provides the results of the above tests as conducted on the developmental system for the port. The tables from the test plan have been re
105. dsa as the output pathname. The keys that are in the /usr/local/src/bin directory may now be deleted. Type delete. Enter /usr/local/src/bin/id_dsa.pub as the input pathname. Type no to display the object. Type yes to delete it. Type delete. Enter /usr/local/src/bin/id_dsa as the input pathname. Type no to display the object. Type yes to delete the file. Use fsm's change command to change the ownership and discretionary permission of the files. Type change. Enter the path /home/<username>/.ssh/id_dsa. Type no to modify mandatory access levels (the levels should be min il3). Enter the username of the user for the owner. Enter the group name of the user's default group for the group. Type yes for change discretionary permissions. Type rw for owner. Hit enter for specific user. Type none for group. Hit enter for specific group. Type none for others. Type no to display. Type yes for okay to change. Type change. Enter the path /home/<username>/.ssh/id_dsa.pub. Type no to modify mandatory access levels (the levels should be min il3). Enter the username of the user for the owner. Enter the group name of the user's group for the group. Type yes for change discretionary permissions. Type rw for owner. Hit enter for specific user. Type r for group. Hit enter for specific group. Type r for others. Type no to display. Type yes for okay to change. 6. Use fsm to copy the id_dsa.pub file to the same directory but re
106. e login fails, a message appears stating that the connection to the host was closed. To exit, do not type exit or logout. Use the key sequence of a tilde and a period to close the connection. 2. PuTTY. Make sure the PuTTY client is installed on the Windows machine. Refer to section C in Appendix A for instructions on how to install PuTTY. Make sure that the user has a private key that corresponds to the public key installed on the XTS-400. Refer to Appendix D for instructions on how to generate keys and install the public key on the XTS-400. Double click on the PuTTY icon. This opens the PuTTY configuration window. In the Host Name field, enter the host name or IP address of the XTS-400. Click on the Auth option under the SSH category on the lower left side of the window. Click on the Browse button to select the private key file. A new Open File dialog box is presented. Locate the private key file and click on the Open button. Click on the Open button in the PuTTY configuration window. This will open a terminal. Enter a username when prompted for one. Enter the passphrase of the private key when asked. A shell is returned. To exit, close the window by clicking on the x in the top right corner of the window. B. DEVELOPMENT TOOLS. 1. Fedora Core 1 Linux. This distribution of Linux was used as a hands-on experimentation system. The experiments conducted on this system were used to provide ba
107. e times. Name each of the three files a different name, such as sshd_config.nipr, sshd_config.sipr and sshd_config.jwics. Modify each of these three files as described in Appendix C.

Invoke the Trusted Path with the SAK. Set session levels to min, max. Run the tp_edit command. Enter cd to change to the system directory. Type add to install the OpenSSH daemon in this directory. For program name, type sshd. For path, enter /usr/local/src/sbin/sshd. For maximum integrity, enter admin. For minimum integrity, enter il0. For assign privileges, type yes, and answer no to all privileges except for Set owner/group. A message will be displayed stating that the program has been installed. Exit tp_edit.

Start daemon_edit. Type add. For the daemon name, specify three different daemon names for the three levels at which the OpenSSH daemons will run. Three suggested names are sshd_nipr, sshd_sipr and sshd_jwics. For the command line, type sshd. For arguments, type -f /usr/local/src/etc/sshd_config, specifying the configuration file that corresponds to the level of the network interface and the level of the daemon. For example, if the daemon is to run at sl1, il3, then the config file is sshd_config.nipr. For the environment setting, type TERM=/dev/console. This is to allow the daemon to start from the console, but it will detach from it. Type no for start daemon at start-up. This can be changed to yes, but make su
108. ecause some systems us

#if defined(UTMPX_FILE) && !defined(DISABLE_UTMPX)
#  define USE_UTMPX
#endif
#if defined(UTMP_FILE) && !defined(DISABLE_UTMP)
#  define USE_UTMP
#endif
#if defined(WTMPX_FILE) && !defined(DISABLE_WTMPX)
#  define USE_WTMPX
#endif
#if defined(WTMP_FILE) && !defined(DISABLE_WTMP)
#  define USE_WTMP
#endif

#endif

/* I hope that the presence of LASTLOG_FILE is enough to detect this */
#if defined(LASTLOG_FILE) && !defined(DISABLE_LASTLOG)
#  define USE_LASTLOG
#endif

/* end of login recorder definitions */

#endif /* _DEFINES_H */

B. SESSION.C

/*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
 *
 * As far as I am concerned, the code I have written for this software
 * can be used freely for any purpose.  Any derived versions of this
 * software must be clearly marked as such, and if the derived work is
 * incompatible with the protocol description in the RFC file, it must be
 * called by a name other than "ssh" or "Secure Shell".
 *
 * SSH2 support by Markus Friedl.
 * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaime
109. el_cancel_cleanup(s->chanid);
	s->chanid = -1;
	session_close(s);
}

void
session_destroy_all(void (*closefunc)(Session *))
{
	int i;
	for (i = 0; i < MAX_SESSIONS; i++) {
		Session *s = &sessions[i];
		if (s->used) {
			if (closefunc != NULL)
				closefunc(s);
			else
				session_close(s);
		}
	}
}

static char *
session_tty_list(void)
{
	static char buf[1024];
	int i;
	char *cp;

	buf[0] = '\0';
	for (i = 0; i < MAX_SESSIONS; i++) {
		Session *s = &sessions[i];
		if (s->used && s->ttyfd != -1) {
			if (strncmp(s->tty, "/dev/", 5) != 0) {
				cp = strrchr(s->tty, '/');
				cp = (cp == NULL) ? s->tty : cp + 1;
			} else
				cp = s->tty + 5;
			if (buf[0] != '\0')
				strlcat(buf, ",", sizeof buf);
			strlcat(buf, cp, sizeof buf);
		}
	}
	if (buf[0] == '\0')
		strlcpy(buf, "notty", sizeof buf);
	return buf;
}

void
session_proctitle(Session *s)
{
	if (s->pw == NULL)
		error("no user for session %d", s->self);
	else
		setproctitle("%s@%s", s->pw->pw_name, session_tty_list());
}

int
session_setup_x11fwd(Session *s)
{
	struct stat st;
	char display[512], auth_display[512];
	char hostname[MAXHOSTNAMELEN];

	if (no_x11_forwarding_flag) {
		packet_send_debug("X11 forwarding disabled in user configuration file.");
		return 0;
	}
	if (!options.x11_forwarding) {
		debug("X11 forwarding disabled in server configuration file.");
		return 0;
	}
	if (!options.xauth_location ||
	    (stat(options.xauth_locatio
110. en ... 1
    B. PURPOSE OF STUDY ... 2
    C. ORGANIZATION OF PAPER ... 2
II. BACKGROUND ... 3
    A. ARCHITECTURAL BACKGROUND ... 3
        1. MYSEA Project ... 3
        2. OpenSSH ... 4
            a. Overview of OpenSSH ... 4
            b. ... 5
            c. Authentication ... 5
            d. Modes of Operation ... 7
    B. PORTING BACKGROUND ... 9
        1. BSD Discussion ... 9
        2. XTS-400 ... 10
    C. SOFTWARE DEPENDENCIES ... 12
        1. ... 13
        2. OpenSSL ... 13
        3. Entropy Gathering Daemon ... 14
        4. MYSEA Libraries ... 14
III. INTEGRATION OF OPENSSH ONTO TH
111. enSSL and OpenSSH. The PRNGd documentation also mentioned that PRNGd provides an interface compatible with the EGD. This implies that the EGD interface gives the greatest compatibility across systems. A test of each random number generator was not conducted and is beyond the scope of this report.

The EGD is a Perl script that monitors processes and provides random data based on information gathered from those processes. This data is then stirred each time a request for random data is made. It should be mentioned that the mandatory security policies prevent the EGD from viewing all possible processes, resulting in a smaller pool of processes from which to gather random data. The EGD can only view processes running at the same secrecy and integrity levels as itself. For each OpenSSH daemon running, there must be an EGD running at the same level. This is very important because, if the random number generator is exhausted, OpenSSH will stop functioning, either by waiting for random data to become available or by the daemon refusing to start. Both would result in an inability to function. It is suggested that an alternative to the EGD be found or developed.

4. MYSEA Libraries

As shown in Table 2, some of the system calls require privileges. The MYSEA libraries provide APIs for acquiring and revoking privileges. The MYSEA libraries must be installed so that OpenSSH can operate properly.

III. INTEGRATION OF OPENSSH ONTO THE XTS-400

This chapter will provide the go
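The exhaustion failure mode described above can be seen on the wire. The following C program is an added example, not code from the thesis, the EGD or OpenSSH; it implements both ends of the EGD socket protocol (command 0x00 reports the pool size in bits as a 4-byte big-endian count, 0x01 n is a non-blocking read answered with a 1-byte count and that many bytes, 0x02 n is the blocking read) over an in-process socketpair. The pool contents are constructed filler, not entropy; the blocking command is left unimplemented on purpose, because with an empty pool it would hang the caller exactly as the text says sshd does.

```c
/* egd_probe.c -- the EGD socket protocol, exercised end-to-end in one process.
 * Added example; assumes the EGD wire format described in the lead-in.
 * Pool bytes below are constructed, not real entropy. */
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

#define POOL_MAX 64
struct egd_pool { unsigned char bytes[POOL_MAX]; size_t avail; };

static int read_full(int fd, void *buf, size_t n) {
    unsigned char *p = buf;
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, p + got, n - got);
        if (r <= 0) return -1;
        got += (size_t)r;
    }
    return 0;
}

/* ---- client side: what an EGD consumer such as OpenSSL's EGD support sends ---- */
int egd_request_bits(int fd) {
    unsigned char cmd = 0x00;
    return write(fd, &cmd, 1) == 1 ? 0 : -1;
}
long egd_reply_bits(int fd) {
    unsigned char rep[4];
    if (read_full(fd, rep, 4) < 0) return -1;
    return ((long)rep[0] << 24) | ((long)rep[1] << 16) | ((long)rep[2] << 8) | (long)rep[3];
}
int egd_request_bytes(int fd, unsigned char want) {
    unsigned char cmd[2] = { 0x01, want };
    return write(fd, cmd, 2) == 2 ? 0 : -1;
}
/* Returns bytes delivered: may be fewer than requested, 0 once the pool is dry. */
int egd_reply_bytes(int fd, unsigned char *out) {
    unsigned char count;
    if (read_full(fd, &count, 1) < 0) return -1;
    if (count > 0 && read_full(fd, out, count) < 0) return -1;
    return count;
}

/* ---- server side: service exactly one request from the pool ---- */
int egd_serve_one(int fd, struct egd_pool *pool) {
    unsigned char cmd;
    if (read_full(fd, &cmd, 1) < 0) return -1;
    if (cmd == 0x00) {
        uint32_t bits = (uint32_t)pool->avail * 8;
        unsigned char rep[4] = { (unsigned char)(bits >> 24), (unsigned char)(bits >> 16),
                                 (unsigned char)(bits >> 8), (unsigned char)bits };
        return write(fd, rep, 4) == 4 ? 0 : -1;
    }
    if (cmd == 0x01) {
        unsigned char want, give;
        if (read_full(fd, &want, 1) < 0) return -1;
        give = want < pool->avail ? want : (unsigned char)pool->avail;
        if (write(fd, &give, 1) != 1) return -1;
        if (give > 0 && write(fd, pool->bytes + pool->avail - give, give) != give) return -1;
        pool->avail -= give;   /* handed-out bytes are gone; nothing refills the pool here */
        return 0;
    }
    /* 0x02 (blocking read) deliberately unsupported: with an empty pool it would block forever,
     * which is the "daemon waits for random data" failure mode described in the text. */
    return -1;
}

static void pool_init(struct egd_pool *pool, size_t n) {
    memset(pool->bytes, 0xA5, POOL_MAX);          /* constructed filler */
    pool->avail = n < POOL_MAX ? n : POOL_MAX;
}

/* Scenario: pool of pool_bytes, then `reads` non-blocking reads of `want` bytes each.
 * Returns how many bytes the last read obtained (-1 on error). */
int egd_last_read_count(size_t pool_bytes, unsigned char want, int reads) {
    int sv[2], n = -1, i;
    struct egd_pool pool;
    unsigned char buf[256];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pool_init(&pool, pool_bytes);
    for (i = 0; i < reads; i++) {
        if (egd_request_bytes(sv[0], want) < 0 || egd_serve_one(sv[1], &pool) < 0) { n = -1; break; }
        if ((n = egd_reply_bytes(sv[0], buf)) < 0) break;
    }
    close(sv[0]); close(sv[1]);
    return n;
}

/* Scenario: what the 0x00 command reports for a pool of pool_bytes. */
long egd_reported_bits(size_t pool_bytes) {
    int sv[2];
    long bits = -1;
    struct egd_pool pool;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pool_init(&pool, pool_bytes);
    if (egd_request_bits(sv[0]) == 0 && egd_serve_one(sv[1], &pool) == 0)
        bits = egd_reply_bits(sv[0]);
    close(sv[0]); close(sv[1]);
    return bits;
}
```

With a 32-byte pool, three successive 20-byte non-blocking requests return 20, 12 and then 0 bytes; a consumer that insists on a full buffer has to poll or fall back to the blocking command, and on a level where the EGD has few processes to watch that is where sshd stalls.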
112. endif
#if (SIZEOF_SHORT_INT == 2)
typedef short int int16_t;
#else
# ifdef _UNICOS
#  if (SIZEOF_SHORT_INT == 4)
typedef short int16_t;
#  else
typedef long int16_t;
#  endif
# else
#  error "16 bit int type not found."
# endif /* _UNICOS */
#endif
#if (SIZEOF_INT == 4)
typedef int int32_t;
#else
# ifdef _UNICOS
typedef long int32_t;
# else
#  error "32 bit int type not found."
# endif /* _UNICOS */
#endif
#endif

/* If sys/types.h does not supply u_intXX_t, supply them ourselves */
#ifndef HAVE_U_INTXX_T
# ifdef HAVE_UINTXX_T
typedef uint8_t u_int8_t;
typedef uint16_t u_int16_t;
typedef uint32_t u_int32_t;
#  define HAVE_U_INTXX_T 1
# else
#  if (SIZEOF_CHAR == 1)
typedef unsigned char u_int8_t;
#  else
#   error "8 bit int type not found."
#  endif
#  if (SIZEOF_SHORT_INT == 2)
typedef unsigned short int u_int16_t;
#  else
#   ifdef _UNICOS
#    if (SIZEOF_SHORT_INT == 4)
typedef unsigned short u_int16_t;
#    else
typedef unsigned long u_int16_t;
#    endif
#   else
#    error "16 bit int type not found."
#   endif
#  endif
#  if (SIZEOF_INT == 4)
typedef unsigned int u_int32_t;
#  else
#   ifdef _UNICOS
typedef unsigned long u_int32_t;
#   else
#    error "32 bit int type not found."
#   endif
#  endif
# endif
#define __BIT_TYPES_DEFINED__
#endif

/* 64-bit types */
#ifndef HAVE_INT64_T
# if (SIZEOF_LONG_INT == 8)
typedef long int int64_t;
# else
#  if (SIZEOF_LONG_LONG_INT
113. ent gets confused and exits. In the main function of the sshd.c file, the developers of OpenSSH placed comments stating that the file descriptors 0, 1 and 2 should be reserved and never closed. To solve this problem, the /dev/null file was opened three times so that the first three entries in the file descriptor table would be in use. This causes file descriptor numbering for later opens to begin after 2. The modifications were made in the main function of the sshd.c file.

IV. INTEGRATION TESTING

After porting an application to a different platform, testing is required to ensure that the application still functions as specified. The functionality of the ported application may have been altered by the modifications to the source code. In order to detect any difference in functionality, comprehensive testing is required. Developmental testing tests the functionality of the ported application in a simple environment. To ensure that the ported application can function in a more realistic environment, a larger and more realistic testing environment is needed; the testing in this environment is called testbed testing. Due to time constraints, only the developmental testing was performed for the OpenSSH port to the XTS-400. Both testing methods will be discussed in this chapter; however, only the results for the developmental testing will be provided.

A. DEVELOPMENTAL TESTING

1. Test Plan

The developmental test plan describes the results u
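The descriptor-reservation idea described above, as an added example in C that is not the thesis's sshd.c modification: it opens /dev/null only onto whichever of descriptors 0, 1 and 2 is actually closed (so an already-open stdin is left alone), and then checks that the kernel's next open() lands at 3 or above. The function names are the example's own.

```c
/* reserve_stdfd.c -- keep descriptors 0, 1 and 2 occupied so later open() calls start at 3.
 * Added example; mirrors the idea in the text (/dev/null on the standard descriptors),
 * not the thesis's actual sshd.c change. */
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

/* Fill each closed descriptor among 0..2 with /dev/null.
 * Returns how many were filled, or -1 on failure. */
int reserve_std_fds(void) {
    int fd, filled = 0;
    for (fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1 || errno != EBADF)
            continue;                        /* already open: leave it alone */
        int nullfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nullfd < 0)
            return -1;
        if (nullfd != fd) {                  /* open() returns the lowest free fd; this is defensive */
            if (dup2(nullfd, fd) < 0) { close(nullfd); return -1; }
            close(nullfd);
        }
        filled++;
    }
    return filled;
}

/* 1 if the next descriptor the kernel hands out is >= 3,
 * 0 if it would reuse a standard descriptor, -1 on error. */
int next_fd_is_past_stdio(void) {
    int fd = open("/dev/null", O_RDONLY), ok;
    if (fd < 0)
        return -1;
    ok = fd >= 3;
    close(fd);
    return ok;
}

/* Reproduce the problem, then apply the fix: close stdin, observe that a fresh open()
 * would now be numbered 0 (the confusion described in the text), reserve, and re-check.
 * Returns 1 when the reservation restored the expected numbering. */
int demo_closed_stdin(void) {
    close(0);
    if (next_fd_is_past_stdio() != 0)        /* without the fix, open() reuses fd 0 */
        return 0;
    if (reserve_std_fds() < 1)
        return 0;
    return next_fd_is_past_stdio() == 1;
}
```

A daemon started from the XTS-400 daemon database without an attached terminal is exactly the situation in which some of 0, 1 and 2 arrive closed; calling the reservation once at the top of main, before any socket or file is opened, is what keeps later descriptor arithmetic honest.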
114. er_get_int(&m);
	buffer_free(&m);
	return (ret);
}

int
mm_sshpam_respond(void *ctx, u_int num, char **resp)
{
	Buffer m;
	int i, ret;

	debug3("%s", __func__);
	buffer_init(&m);
	buffer_put_int(&m, num);
	for (i = 0; i < num; ++i)
		buffer_put_cstring(&m, resp[i]);
	/* MYSEA: Change m_recvfd to m_childsendfd */
	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_RESPOND, &m);
	debug3("%s: waiting for MONITOR_ANS_PAM_RESPOND", __func__);
	/* MYSEA: Change m_recvfd to m_childrecvfd */
	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_RESPOND, &m);
	ret = buffer_get_int(&m);
	debug3("%s: pam_respond returned %d", __func__, ret);
	buffer_free(&m);
	return (ret);
}

void
mm_sshpam_free_ctx(void *ctxtp)
{
	Buffer m;

	debug3("%s", __func__);
	buffer_init(&m);
	/* MYSEA: Change m_recvfd to m_childsendfd */
	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_FREE_CTX, &m);
	debug3("%s: waiting for MONITOR_ANS_PAM_FREE_CTX", __func__);
	/* MYSEA: Change m_recvfd to m_childrecvfd */
	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_FREE_CTX, &m);
	buffer_free(&m);
}
#endif /* USE_PAM */

/* Request process termination */

void
mm_terminate(void)
{
	Buffer m;

	buffer_init(&m);
	/* MYSEA: Change m_recvfd to m_childsend */
	mm_request_send(p
115. er it or write it down. Type exit. Issue the SAK. Type sl; min is the security level and oss is the integrity level. Issue the SAK and type run. Change directories to the /etc directory. Type vi group. Look for the user's default group and record the group ID number. Exit vi. Type vi passwd. Look for the user's entry and change the fourth field from 0 to the group ID of the user's default group. Each time a user is added, the /etc/passwd file will have to be updated. The xtsmkpasswd command does not create a correct passwd file.

C. PUTTY INSTALLATION

This is the Windows SSH client. Do not attempt to install this on a Linux system or the XTS-400. Login to the Windows machine as Administrator. Copy the installer from the CD. Double-click on the installer and follow the on-screen instructions.

APPENDIX B. SOURCE CODE LISTING

The following files are the source code files that were modified in order to port OpenSSH to the XTS-400. All modifications are preceded with comments and the keyword MYSEA.

A. DEFINES.H

/*
 * Copyright (c) 1999-2003 Damien Miller.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary for
116. er setproctitle emulation */
	compat_init_setproctitle(ac, av);
	av = saved_argv;
#endif

	/* Initialize configuration options to their default values. */
	initialize_server_options(&options);

	/* Parse command-line arguments. */
	while ((opt = getopt(ac, av, "f:p:b:k:h:g:u:o:dDeiqtQ46")) != -1) {
		switch (opt) {
		case '4':
			IPv4or6 = AF_INET;
			break;
		case '6':
			IPv4or6 = AF_INET6;
			break;
		case 'f':
			config_file_name = optarg;
			break;
		case 'd':
			if (debug_flag == 0) {
				debug_flag = 1;
				options.log_level = SYSLOG_LEVEL_DEBUG1;
			} else if (options.log_level < SYSLOG_LEVEL_DEBUG3)
				options.log_level++;
			break;
		case 'D':
			no_daemon_flag = 1;
			break;
		case 'e':
			log_stderr = 1;
			break;
		case 'i':
			inetd_flag = 1;
			break;
		case 'Q':
			/* ignored */
			break;
		case 'q':
			options.log_level = SYSLOG_LEVEL_QUIET;
			break;
		case 'b':
			options.server_key_bits = atoi(optarg);
			break;
		case 'p':
			options.ports_from_cmdline = 1;
			if (options.num_ports >= MAX_PORTS) {
				fprintf(stderr, "too many ports.\n");
				exit(1);
			}
			options.ports[options.num_ports++] = a2port(optarg);
			if (options.ports[options.num_ports-1] == 0) {
				fprintf(stderr, "Bad port number.\n");
				exit(1);
			}
			break;
		case 'g':
			if ((options.login_grace_time = convtime(optarg)) == -1) {
				fprintf(stderr, "Invalid login grace time.\n");
				exit(1);
			}
			break;
		case 'k':
			if ((options.key_regeneration_time = convtime(optarg)) == -1) {
				fprintf(stderr, "Invalid key regeneration interval.\n");
				exit(1);
			}
			break;
117. erforms user ID checks to verify that the daemon is running as the root user. If these checks fail, the daemon assumes that it is not running with root user privileges and will not function properly. On the XTS-400, the OpenSSH daemon must run as the network user so that port 22 can be opened. Port 22 is the default port for the SSH protocol. To account for the non-existence of the root user, the user ID checks were altered to check for the user ID of the network user. The modifications were made to the temporarily_use_uid and permanently_set_uid functions in the uidswap.c file and the do_setusercontext function in the session.c file.

File descriptor passing is required for SSH privilege separation. The system feature of file descriptor passing through UNIX domain sockets is not supported by the XTS-400 [DIG03a]. The only solution would be to build support for this feature into the operating system. The operating system for the XTS-400 is called the Secure Trusted Operating Program (STOP). STOP is proprietary and cannot be modified without invalidating the evaluated assurance level assigned by the National Institute of Standards and Technology and the National Security Agency. Because there is no feasible solution for this problem, privilege separation has been disabled. These problems were the only ones encountered for this category of challenges. The next category to be discussed is the system functions provided by the XTS-400
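The missing primitive is worth probing explicitly before a port is attempted. The following C program is an added example, not thesis or OpenSSH code: it performs descriptor passing over a UNIX domain socketpair with SCM_RIGHTS, the same mechanism OpenSSH's monitor uses to hand sockets and ptys to its unprivileged child, and reports whether the passed descriptor really works. On Linux and the BSDs the probe returns 1; on a platform without the feature (the text says the XTS-400 is one) it returns 0. The payload string is constructed and the function names are the example's own.

```c
/* fdpass_probe.c -- descriptor passing over a UNIX domain socket with SCM_RIGHTS,
 * the primitive OpenSSH's privilege-separated monitor relies on. Added example. */
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/uio.h>

union cmsg_buf { struct cmsghdr hdr; unsigned char buf[CMSG_SPACE(sizeof(int))]; };

/* Send `fd` across `sock` as ancillary data alongside one payload byte. */
int send_fd(int sock, int fd) {
    char payload = 'F';
    struct iovec iov = { &payload, 1 };
    union cmsg_buf cm;
    struct msghdr msg;
    struct cmsghdr *c;

    memset(&msg, 0, sizeof msg);
    memset(&cm, 0, sizeof cm);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cm.buf;
    msg.msg_controllen = sizeof cm.buf;
    c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor; returns the new local fd number, or -1 if none arrived. */
int recv_fd(int sock) {
    char payload;
    struct iovec iov = { &payload, 1 };
    union cmsg_buf cm;
    struct msghdr msg;
    struct cmsghdr *c;
    int fd;

    memset(&msg, 0, sizeof msg);
    memset(&cm, 0, sizeof cm);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cm.buf;
    msg.msg_controllen = sizeof cm.buf;
    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    c = CMSG_FIRSTHDR(&msg);
    if (c == NULL || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS ||
        c->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;                                  /* no descriptor came with the message */
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Probe: pass the read end of a pipe across a socketpair, close the original, and check
 * that data written into the pipe is still readable through the passed copy.
 * 1 = works, 0 = socketpair or passing unsupported, -1 = unrelated failure. */
int fd_passing_works(void) {
    static const char probe[] = "monitor->child";   /* constructed payload */
    char buf[sizeof probe];
    int sv[2], p[2], passed, ok = 0;
    ssize_t n;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return 0;                                    /* no socketpair: privsep has no transport at all */
    if (pipe(p) < 0) {
        close(sv[0]); close(sv[1]);
        return -1;
    }
    if (send_fd(sv[0], p[0]) == 0 && (passed = recv_fd(sv[1])) >= 0) {
        close(p[0]);                                 /* only the passed duplicate remains */
        if (write(p[1], probe, sizeof probe - 1) == (ssize_t)(sizeof probe - 1)) {
            close(p[1]);
            p[1] = -1;
            n = read(passed, buf, sizeof buf);
            ok = n == (ssize_t)(sizeof probe - 1) && memcmp(buf, probe, (size_t)n) == 0;
        }
        close(passed);
    } else {
        close(p[0]);
    }
    if (p[1] != -1)
        close(p[1]);
    close(sv[0]); close(sv[1]);
    return ok;
}
```

Because the probe closes its own copy of the pipe's read end before reading through the received descriptor, a platform that accepts sendmsg() but silently drops the ancillary data still fails the check, which is the distinction that matters when deciding whether privilege separation can stay enabled.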
118. erman [BAR01]. The default keys used for OpenSSH running under Version 2 of the SSH protocol are DSA keys.

RhostsRSA is similar to public key authentication, but it only provides host authentication, not user authentication. Each host generates a pair of RSA keys. The server sends a numerical challenge to the client host, and the client host must sign the challenge and send it back to the server. This method differs from the previous method because the user does not have to specify the key or its passphrase.

Rhosts is a very insecure method of authentication; it involves creating a file that will allow any host listed in that file to establish a connection without any further authentication checks. This is the method used by the rlogin, rsh and rcp commands. In this method, when the server receives a connection, it checks the IP address and the hostname of the remote host against the /etc/rhosts file. If the IP address and hostname are located in the file, the host is authenticated and the user is granted access to the server, assuming that a valid username was supplied. Rhosts is very insecure because it assumes that the client machine can protect itself from compromise. If the client machine is compromised, then the server could be compromised as well, because this authentication method does not require the user to prove their identity with a password or private key.

The use of passwords has always been popular because users can remember passwords easil
119. erver. Developmental tests were conducted and the results of those tests were provided. These tests ensure that the security policies cannot be violated by users when they are logged in through OpenSSH. A plan for validation of the results on the MLS testbed was developed but, due to time constraints, was not executed. The latter test plan is provided for future projects.

B. LESSONS LEARNED

Software porting with the XTS-400 as the target platform is difficult and time consuming; however, it can be achieved in most cases. For this study, more time should have been allocated to discovering the differences between the XTS-400 and Linux systems. This would have reduced the time spent tracking down errors. A greater knowledge of the C programming language would have reduced the time spent analyzing the OpenSSH source code and provided a greater understanding of that code. The porting process involved more time than anticipated.

C. FUTURE WORK

The port of OpenSSH to the XTS-400 was successful, but the port resulted in a minor loss of functionality in OpenSSH. This section suggests future projects that could restore the lost functionality to the OpenSSH port. One project is to implement password authentication with the XTS-400. To do this, more privileges will have to be granted to the OpenSSH daemon. The MYSEA libraries will help with this project, but the specific modifications to the OpenSSH source code will have to be investigated to ensure th
120. es between the XTS-400 and other operating systems. The XTS-400 differs from most popular operating systems because, unlike Linux, which only enforces discretionary access control policies, the XTS-400 also enforces mandatory access control policies. The XTS-400 enforces a total of three policies: a mandatory secrecy policy, a mandatory integrity policy and a discretionary policy.

The mandatory secrecy policy is represented by the Bell and La Padula secrecy formal model. This model prevents the unauthorized disclosure of sensitive information by maintaining two properties: the simple security property and the *-property [BEL76]. The simple security property prevents a subject from accessing an object if the secrecy level of the subject is dominated by the secrecy level of the object [BEL76]; the access it prohibits is referred to as "read up". The *-property only allows write access if the secrecy level of the object is equal to or dominates the secrecy level of the subject [BEL76].

The mandatory integrity policy is represented by the Biba integrity formal model. This model prevents the unauthorized modification of information. Like the previous model, this model also has two properties that must be maintained: the simple integrity property and the *-property [BIB77]. The simple integrity property does not allow a subject to have observe access to an object if the integrity level of the subject dominates the integrity level of the object [BIB77]
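The two models are easiest to compare when their four properties are written down as dominance checks on the same pair of labels. The following C code is an added example, not thesis or XTS-400 code: a label is a hierarchical level plus a category set (represented as a bitmask), a subject or object carries one secrecy label and one integrity label, and an access is granted only when both policies allow it, which is how the text describes the XTS-400 combining them. The sl<n>/il<n> numbers in the helper are constructed in the spirit of the appendices and carry no categories.

```c
/* mac_check.c -- Bell-LaPadula and Biba access decisions on combined secrecy/integrity labels.
 * Added example; the type and function names are the example's own. */
#include <stdint.h>

typedef struct { int level; uint32_t cats; } Label;              /* hierarchical level + category set */
typedef struct { Label secrecy; Label integrity; } AccessClass;   /* one label per policy */

/* a dominates b: a's level is at least b's and b's categories are a subset of a's. */
int dominates(Label a, Label b) {
    return a.level >= b.level && (b.cats & ~a.cats) == 0;
}

/* Bell-LaPadula simple security property: no read up. */
int blp_simple_security(AccessClass subj, AccessClass obj) {
    return dominates(subj.secrecy, obj.secrecy);
}
/* Bell-LaPadula *-property: no write down (object must dominate subject). */
int blp_star_property(AccessClass subj, AccessClass obj) {
    return dominates(obj.secrecy, subj.secrecy);
}
/* Biba simple integrity property: no read down (object integrity must dominate subject's). */
int biba_simple_integrity(AccessClass subj, AccessClass obj) {
    return dominates(obj.integrity, subj.integrity);
}
/* Biba *-property: no write up (subject integrity must dominate object's). */
int biba_star_property(AccessClass subj, AccessClass obj) {
    return dominates(subj.integrity, obj.integrity);
}

/* Both mandatory policies are enforced together: every applicable property must allow the access. */
int mac_can_read(AccessClass subj, AccessClass obj) {
    return blp_simple_security(subj, obj) && biba_simple_integrity(subj, obj);
}
int mac_can_write(AccessClass subj, AccessClass obj) {
    return blp_star_property(subj, obj) && biba_star_property(subj, obj);
}

/* Constructed sl<n>/il<n> classes with empty category sets. */
AccessClass make_class(int sl, int il) {
    AccessClass c = { { sl, 0 }, { il, 0 } };
    return c;
}
```

Worked through with the classes the appendices use: a session at sl1/il3 may read an sl0/il3 object but not write it (that would be a write down in secrecy), may write an sl2/il3 object but not read it (read up), and may write an sl1/il0 object but not read it (read down in integrity); an sl1/il0 session may not write an sl1/il3 object at all. The last two rows are why an sshd running at il3 cannot consume files created by a lower-integrity process, and why the configuration files in the appendices must be created at the daemon's own level.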
121. evel login: Login sl1 il3

Table 19. Miscellaneous Test Validation Results

B. MLS TEST BED TESTING

1. Test Plan

The purpose of testing the OpenSSH port in the MLS testbed is to verify OpenSSH functionality in a more realistic environment. The only tests that need to be performed are the OpenSSH login and TPE tests, because the XTS-400 in the testbed should enforce the same policies as the XTS-400 used in the developmental testing, so it is redundant to repeat the MAC and DAC tests. The network topology for the MLS testbed is taken from [IRV04] and is presented in Figure 3. The clients used to connect to the XTS-400 are the web servers for each single-level LAN. The XTS-400 is the MYSEA MLS server in the diagram.

[Figure 3. MLS Testbed Network Topology, taken from [IRV04]. Diagram labels: Controlled Environment; Web Enablement; Mail Server; Portal Server; Application Server; MYSEA MLS Servers; SMTP, IMAP, HTTP; MYSEA Architecture Overview.]

a. TPE Testing with Files Created by OpenSSH

The same test performed for the developmental testing is repeated in the testbed environment. See the developmental test plan for more details on these tests. The test plan is presented in Table 20.

Table 20 columns: Test Number | TPE Login Level | Object Levels | TPE Viewable | Expected Results
Ba
122. exec_no_pty(Session *s, const char *command)
{
	pid_t pid;

#ifdef USE_PIPES
	int pin[2], pout[2], perr[2];
	/* Allocate pipes for communicating with the program. */
	if (pipe(pin) < 0 || pipe(pout) < 0 || pipe(perr) < 0)
		packet_disconnect("Could not create pipes: %.100s",
		    strerror(errno));
#else /* USE_PIPES */
	int inout[2], err[2];
	/* Uses socket pairs to communicate with the program. */
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, inout) < 0 ||
	    socketpair(AF_UNIX, SOCK_STREAM, 0, err) < 0)
		packet_disconnect("Could not create socket pairs: %.100s",
		    strerror(errno));
#endif /* USE_PIPES */
	if (s == NULL)
		fatal("do_exec_no_pty: no session");

	session_proctitle(s);

#if defined(USE_PAM)
	if (options.use_pam) {
		do_pam_setcred(1);
		if (is_pam_password_change_required())
			packet_disconnect("Password change required but no "
			    "TTY available");
	}
#endif /* USE_PAM */

	/* Fork the child. */
	if ((pid = fork()) == 0) {
		fatal_remove_all_cleanups();

		/* Child.  Reinitialize the log since the pid has changed. */
		log_init(__progname, options.log_level, options.log_facility, log_stderr);

		/*
		 * Create a new session and process group since the 4.4BSD
		 * setlogin() affects the entire process group.
		 */
		if (setsid() < 0)
			error("setsid failed: %.100s", strerror(errno));

#ifdef USE_PIPES
		/*
		 * Redirect stdin.  We close the parent side of the so
123. f (sscanf(var, "%5lo", &mask) == 1)
			umask((mode_t)mask);
		for (i = 0; tmpenv[i] != NULL; i++)
			xfree(tmpenv[i]);
		xfree(tmpenv);
	}
#endif /* HAVE_ETC_DEFAULT_LOGIN */

void
copy_environment(char **source, char ***env, u_int *envsize)
{
	char *var_name, *var_val;
	int i;

	if (source == NULL)
		return;

	for (i = 0; source[i] != NULL; i++) {
		var_name = xstrdup(source[i]);
		if ((var_val = strstr(var_name, "=")) == NULL) {
			xfree(var_name);
			continue;
		}
		*var_val++ = '\0';

		debug3("Copy environment: %s=%s", var_name, var_val);
		child_set_env(env, envsize, var_name, var_val);

		xfree(var_name);
	}
}

static char **
do_setup_env(Session *s, const char *shell)
{
	char buf[256];
	u_int i, envsize;
	char **env, *laddr, *path = NULL;
	struct passwd *pw = s->pw;

	/* Initialize the environment. */
	envsize = 100;
	env = xmalloc(envsize * sizeof(char *));
	env[0] = NULL;

#ifdef HAVE_CYGWIN
	/*
	 * The Windows environment contains some setting which are
	 * important for a running system. They must not be dropped.
	 */
	copy_environment(environ, &env, &envsize);
#endif

#ifdef GSSAPI
	/* Allow any GSSAPI methods that we've used to alter
	 * the childs environment as they see fit
	 */
	ssh_gssapi_do_child(&env, &envsize);
#endif

	if (!options.use_login) {
		/* Set basic environment. */
		child_set_env(&env, &envsize, "USER", pw->pw_name);
		child_set_e
124. fatal("fork of unprivileged child failed");
	else if (pid != 0) {
		fatal_remove_cleanup((void (*) (void *)) packet_close, NULL);

		debug2("Network child is on pid %ld", (long)pid);

		/* MYSEA: Need to close both of the child's file descriptors */
		close(pmonitor->m_recvfd);
		close(pmonitor->m_childrecvfd);
		close(pmonitor->m_childsendfd);
		authctxt = monitor_child_preauth(pmonitor);
		/* MYSEA: now close both of the parent's file descriptors */
		close(pmonitor->m_sendfd);
		close(pmonitor->m_parentrecvfd);
		close(pmonitor->m_parentsendfd);

		/* Sync memory */
		monitor_sync(pmonitor);

		/* Wait for the child's exit status */
		while (waitpid(pid, &status, 0) < 0)
			if (errno != EINTR)
				break;

		/* Reinstall, since the child has finished */
		fatal_add_cleanup((void (*) (void *)) packet_close, NULL);

		return (authctxt);
	} else {
		/* child */

		/* MYSEA: close the parent side of the file descriptors */
		close(pmonitor->m_sendfd);
		close(pmonitor->m_parentrecvfd);
		close(pmonitor->m_parentsendfd);

		/* Demote the child */
		/* MYSEA: no root user; 3 is the network user */
		if (getuid() == 3 || geteuid() == 3)
			privsep_preauth_child();
		setproctitle("%s", "[net]");
	}
	return (NULL);
}

static void
privsep_postauth(Authctxt *authctxt)
{
	extern Authctxt *x_authctxt;

	/* XXX - Remote port forwarding */
	x_authctxt = authctxt;

#ifdef DISABLE_FD_PASSING
	if (1) {
#else
	/* MYSEA: network user i
125. fatal_cleanup();
	}
	debug("Client protocol version %d.%d; client software version %.100s",
	    remote_major, remote_minor, remote_version);

	compat_datafellows(remote_version);

	if (datafellows & SSH_BUG_PROBE) {
		logit("probed from %s with %s.  Don't panic.",
		    get_remote_ipaddr(), client_version_string);
		fatal_cleanup();
	}

	if (datafellows & SSH_BUG_SCANNER) {
		logit("scanned from %s with %s.  Don't panic.",
		    get_remote_ipaddr(), client_version_string);
		fatal_cleanup();
	}

	mismatch = 0;
	switch (remote_major) {
	case 1:
		if (remote_minor == 99) {
			if (options.protocol & SSH_PROTO_2)
				enable_compat20();
			else
				mismatch = 1;
			break;
		}
		if (!(options.protocol & SSH_PROTO_1)) {
			mismatch = 1;
			break;
		}
		if (remote_minor < 3) {
			packet_disconnect("Your ssh version is too old and "
			    "is no longer supported.  Please install a newer version.");
		} else if (remote_minor == 3) {
			/* note that this disables agent-forwarding */
			enable_compat13();
		}
		break;
	case 2:
		if (options.protocol & SSH_PROTO_2) {
			enable_compat20();
			break;
		}
		/* FALLTHROUGH */
	default:
		mismatch = 1;
		break;
	}
	chop(server_version_string);
	debug("Local version string %.200s", server_version_string);

	if (mismatch) {
		s = "Protocol major versions differ.\n";
		(void) atomicio(vwrite, sock_out, s, strlen(s));
		close(sock_in);
		close(sock_out);
		logit("Protocol major versions differ for %s: %.200s vs. %.200s",
		    get_remote_ipaddr
126. features required by OpenSSH as presented in Table 1 behave in the same way on the XTS-400 as they do in Linux or OpenBSD. The differences in the features are listed in Table 2.

Category          Name                         XTS-400 Implementation Difference
System Features   the root user                there is no root user on the XTS-400
                  file descriptor passing      this feature is not implemented
System Functions  chroot                       there is an API, but there is no underlying system support
                  setgroups                    there is an API, but there is no underlying system support
                  initgroups                   there is an API, but there is no underl ying system support
                  socketpair                   there is an API, but there is no underlying system support
                  setuid, seteuid, setreuid    these system calls require the privilege set_owner_group
                  setgid, setegid, setregid    these system calls require the privilege set_owner_group
                  daemon                       there is an API, but there is no underlying system support
System Files      passwd                       stub file provided for Linux compatibility; not used for XTS-400 authentication
                  shadow                       does not exist on the system
                  utmp                         does not exist on the system
                  wtmp                         does not exist on the system
                  group                        stub file provided for Linux compatibility
Environment       daemon environment           no init process for daemons; daemons are started from the daemon database

Table 2. XTS-400 Implementation Differences

The features presented in Table 1 are not the only differenc
127. for integrity level. Type yes for the question "is the level correct". Hit enter for new owner name. Hit enter for new group name. Type no for modify discretionary access. Type no for display the object. Type yes for okay to change.

While still in fsm, type change. Enter /usr/local/src for the pathname. Type yes to modify the access level. Enter min for security level. Enter il3 for the integrity level. Hit enter for new owner name. Hit enter for new group name. Type no for modify discretionary access. Type no for display the object. Type yes for okay to change.

Uncompress and unpack the files by issuing the following command:

    tar zxvf openssh.tar.gz

This will create a directory called openssh-3.7.1p2. Navigate to that directory and type the following commands:

    ./configure --prefix=/usr/local/src --with-prngd-socket=/tmp/entropy --with-default-path=/xts/untrusted/bin:/bin:/usr/bin:/usr/X11R6/bin --disable-lastlog --disable-utmp --disable-utmpx --disable-wtmp --disable-wtmpx --with-ldflags=-L/usr/local/mysea/lib --with-libs="-lut_oss -lut_xts -loss"
    make
    make install

The make install command will create directories within the /usr/local/src directory. The directories are bin, etc, libexec, sbin, share and man. Verify that the file sshd is in the /usr/local/src/sbin directory. Navigate to the /usr/local/src/etc directory and copy the sshd_config file thre
128. gh OpenSSH at each network and modify the file for the corresponding network. Login through the TPE at each network level and try to view the files through the web browser.

5. SINGLE-LEVEL LAN SIMULTANEOUS USER LOGINS

Ensure that there is a .ssh directory under each user's home directory on the XTS-400 and that within that directory there is a file named authorized_keys2 that holds the user's public key. Refer to Appendix D for instructions on key generation and installation. Connect three clients to the switch or network. Make sure they are on the proper subnet. Use each client as a different user to connect to the same daemon on the same network.

6. MULTIPLE SINGLE-LEVEL LANS SIMULTANEOUS USER LOGINS

Repeat the above procedure, but make sure that each client machine is on a different LAN and connects to a different daemon.

7. PUBLIC KEY AUTHENTICATION

Connect one client to the network. Any user may be used for this test. Attempt to login with a valid username and a valid private key with a valid passphrase. Attempt to login with a valid username, a valid private key and the wrong passphrase. Attempt to login with a valid username and the wrong private key file. This can be done in PuTTY by selecting the Auth category on the left-hand side of the configuration window. Next, specify a private key file by using the Browse button. Make sure that the private key does not correspond to the user's public ke
129. ging since our pid has changed.  We break out of the loop
				 * to handle the connection.
				 */
				startup_pipe = startup_p[1];
				close_startup_pipes();
				close_listen_socks();
				sock_in = newsock;
				sock_out = newsock;
				log_init(__progname, options.log_level, options.log_facility, log_stderr);
				break;
			}

			/* Parent.  Stay in the loop. */
			if (pid < 0)
				error("fork: %.100s", strerror(errno));
			else
				debug("Forked child %ld.", (long)pid);

			close(startup_p[1]);

			/* Mark that the key has been used (it was "given" to the child). */
			if ((options.protocol & SSH_PROTO_1) &&
			    key_used == 0) {
				/* Schedule server key regeneration alarm. */
				signal(SIGALRM, key_regeneration_alarm);
				alarm(options.key_regeneration_time);
				key_used = 1;
			}

			arc4random_stir();

			/* Close the new socket (the child is now taking care of it). */
			close(newsock);
		}
		/* child process check (or debug mode) */
		if (num_listen_socks < 0)
			break;
	}

	/* This is the child processing a new connection. */

	/*
	 * Create a new session and process group since the 4.4BSD
	 * setlogin() affects the entire process group.  We don't
	 * want the child to be able to affect the parent.
	 */
#if !defined(SSHD_ACQUIRES_CTTY)
	/*
	 * If setsid is called, on some platforms sshd will later acquire a
	 * controlling terminal which will result in "could not set
	 * controlling tty" errors.
	 */
	if (!debug_flag && !inetd_flag &&
130. he benefit of confining an intruder who manages to compromise the child to the child's address space, and it prevents the inheritance of privileges. The work done in [PRO03] proposed a framework for implementing privilege separation, and OpenSSH was chosen as the test application to demonstrate it. Privilege separation has since been fully integrated into OpenSSH and is enabled by default. If privilege separation is disabled, the OpenSSH daemon follows the standard client-server model, i.e. the daemon handles all user transactions.

B. PORTING BACKGROUND

In porting an application from one platform to another, it is useful to know the differences between the original development platform and the target platform. This section will discuss how the features required by OpenSSH differ between OpenBSD and the XTS-400.

1. BSD Discussion

OpenSSH uses many features available on its development platform, OpenBSD. Many of these features are also available on many of the other platforms to which OpenSSH has been ported, such as the various distributions of Linux. Table 1 provides a description of the features used by OpenSSH that do not have the same behavior on the XTS-400 as they do on OpenBSD.

Category          Name                       Description
System Features   root user                  a user with unlimited access to the system; all privileges are given to this user
                  file descriptor passing    ability for processes to pass
131. he yes to no. Refer to the sample configuration file below.

B. SAMPLE CONFIGURATION FILE

#	$OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/home/cherbig/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

# MYSEA: uncomment the option for Protocol and use only 2, as shown.
# MYSEA: uncomment the ListenAddress option and change the 0.0.0.0 to the
# IP address of the network interface that this daemon will listen to.

#Port 22
Protocol 2
ListenAddress 192.168.100.22
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /home/cherbig/etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /home/cherbig/etc/ssh_host_rsa_key
#HostKey /home/cherbig/etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys

# For this to work you will also need host key
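Each of the three per-level daemons described in the installation appendix depends on its own copy of this file binding to exactly one interface and speaking only protocol 2; a config that silently falls back to the defaults listens on every interface at once. The following C program is an added example, not thesis or OpenSSH code: a small sshd_config line scanner that checks one level's file for those two settings and returns a bitmask of problems. The sample configuration strings inside it are constructed fragments, not the thesis's full file, and the hostname:port form of ListenAddress is not handled.

```c
/* level_config_check.c -- sanity-check one per-level sshd_config for the settings the
 * MYSEA notes above require. Added example; names and sample inputs are the example's own. */
#include <ctype.h>
#include <string.h>
#include <strings.h>

enum {
    CFG_OK = 0,
    CFG_BAD_PROTOCOL = 1,      /* Protocol missing (older sshd then defaults to "2,1") or not exactly "2" */
    CFG_NO_LISTEN = 2,         /* no uncommented ListenAddress: sshd binds every interface */
    CFG_WILDCARD_LISTEN = 4,   /* ListenAddress 0.0.0.0 or :: uncommented */
    CFG_WRONG_LISTEN = 8       /* ListenAddress is not this level's interface */
};

/* Split "Keyword value" (or "Keyword=value"); returns 0 for blank and comment lines. */
static int parse_line(const char *line, size_t len, char *kw, size_t kwsz, char *val, size_t valsz) {
    size_t i = 0, k = 0, v = 0;
    while (i < len && isspace((unsigned char)line[i])) i++;
    if (i == len || line[i] == '#') return 0;
    while (i < len && !isspace((unsigned char)line[i]) && line[i] != '=' && k + 1 < kwsz)
        kw[k++] = line[i++];
    kw[k] = '\0';
    while (i < len && (isspace((unsigned char)line[i]) || line[i] == '=')) i++;
    while (i < len && v + 1 < valsz) val[v++] = line[i++];
    while (v > 0 && isspace((unsigned char)val[v - 1])) v--;   /* trailing whitespace / CR */
    val[v] = '\0';
    return k > 0;
}

/* Check the configuration text for one daemon that must listen on expected_listen. */
int check_level_config(const char *cfg, const char *expected_listen) {
    int flags = 0, saw_protocol = 0, saw_listen = 0;
    const char *p = cfg;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char kw[64], val[256];
        if (parse_line(p, len, kw, sizeof kw, val, sizeof val)) {
            if (strcasecmp(kw, "Protocol") == 0) {      /* keywords are case-insensitive in sshd_config */
                saw_protocol = 1;
                if (strcmp(val, "2") != 0) flags |= CFG_BAD_PROTOCOL;
            } else if (strcasecmp(kw, "ListenAddress") == 0) {
                saw_listen = 1;
                if (strcmp(val, "0.0.0.0") == 0 || strcmp(val, "::") == 0)
                    flags |= CFG_WILDCARD_LISTEN;
                else if (strcmp(val, expected_listen) != 0)
                    flags |= CFG_WRONG_LISTEN;
            }
        }
        if (!nl) break;
        p = nl + 1;
    }
    if (!saw_protocol) flags |= CFG_BAD_PROTOCOL;
    if (!saw_listen) flags |= CFG_NO_LISTEN;
    return flags;
}

/* Constructed fragments: one edited for the sl1/il3 interface, one left at the shipped defaults. */
const char NIPR_CONFIG[] =
    "# sshd_config.nipr -- daemon for the sl1/il3 interface\n"
    "#Port 22\n"
    "Protocol 2\n"
    "ListenAddress 192.168.100.22\n"
    "#ListenAddress ::\n"
    "PubkeyAuthentication yes\n";

const char DEFAULT_CONFIG[] =
    "#Protocol 2,1\n"
    "#ListenAddress 0.0.0.0\n"
    "PubkeyAuthentication yes\n";
```

Run against the three files before registering the daemons in daemon_edit; a nonzero result for the sipr or jwics copy usually means the file was copied but the ListenAddress line was never changed, so that daemon would answer on the nipr interface as well.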
static int saved_egroupslen = -1, user_groupslen = -1;

/*
 * Temporarily changes to the given uid.  If the effective user
 * id is not root, this does nothing.  This call cannot be nested.
 */
void
temporarily_use_uid(struct passwd *pw)
{
	/* MYSEA: variable needed for privileged code */
	xts_privilege_t old_priv;

	/* Save the current euid, and egroups. */
#ifdef SAVED_IDS_WORK_WITH_SETEUID
	saved_euid = geteuid();
	saved_egid = getegid();
	debug("temporarily_use_uid: %u/%u (e=%u/%u)",
	    (u_int)pw->pw_uid, (u_int)pw->pw_gid,
	    (u_int)saved_euid, (u_int)saved_egid);
	/* MYSEA: Change this to be the user the program will run as */
	if (saved_euid != 3) {
		privileged = 0;
		return;
	}
#else
	if (geteuid() != 3) {
		privileged = 0;
		return;
	}
#endif /* SAVED_IDS_WORK_WITH_SETEUID */

	privileged = 1;
	temporarily_use_uid_effective = 1;
	saved_egroupslen = getgroups(NGROUPS_MAX, saved_egroups);
	if (saved_egroupslen < 0)
		fatal("getgroups: %.100s", strerror(errno));

	/* set and save the user's groups */
	if (user_groupslen == -1) {
		/* MYSEA: initgroups is not implemented on the XTS-400. Comment out for now. */
		/*
		if (initgroups(pw->pw_name, pw->pw_gid) < 0)
			fatal("initgroups: %s: %.100s", pw->pw_name,
			    strerror(errno));
		*/

		user_groupslen = getgroups(NGROUPS_MAX, user_groups);
		if (user_groupslen < 0)
			fatal("getgroups: %.100s", strerror(errno));
	/* Permanently switch to the desired uid. */
	permanently_set_uid(pw);
#endif

#ifdef HAVE_CYGWIN
	if (is_winnt)
#endif
	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
		fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
}

static void
launch_login(struct passwd *pw, const char *hostname)
{
	/* Launch login(1). */

	execl(LOGIN_PROGRAM, "login", "-h", hostname,
#ifdef xxxLOGIN_NEEDS_TERM
		    (s->term ? s->term : "unknown"),
#endif /* LOGIN_NEEDS_TERM */
#ifdef LOGIN_NO_ENDOPT
	    "-p", "-f", pw->pw_name, (char *)NULL);
#else
	    "-p", "-f", "--", pw->pw_name, (char *)NULL);
#endif

	/* Login couldn't be executed, die. */

	perror("login");
	exit(1);
}

/*
 * Performs common processing for the child, such as setting up the
 * environment, closing extra file descriptors, setting the user and group
 * ids, and executing the command or shell.
 */
void
do_child(Session *s, const char *command)
{
	extern char **environ;
	char **env;
	char *argv[10];
	const char *shell, *shell0, *hostname = NULL;
	struct passwd *pw = s->pw;
	u_int i;

	/* remove hostkey from the child's memory */
	destroy_sensitive_data();

	/* login(1) is only called if we execute the login shell */
	if (options.use_login && command != NULL)
		options.use_login = 0;

#ifdef _UNICOS
	cray_setup(pw->pw_uid, pw->pw_name, command);
#endif /* _UNICOS */

	/*
	 * Login(1) does this as well, and it needs uid 0 for the "-h"
	 * switch, s...
Test Number | TPE Login Level | Object Level | TPE Viewable (Expected) | Actual Results
c1 | sl1:il3 | sl1:il3 | Yes | Yes
c2 |         | sl2:il3 | No  | No
c3 |         | sl3:il3 | No  | No
c4 | sl2:il3 | sl1:il3 | Yes | Yes
c5 |         | sl2:il3 | Yes | Yes
c6 |         | sl3:il3 | No  | No
c7 | sl3:il3 | sl1:il3 | Yes | Yes
c8 |         | sl2:il3 | Yes | Yes
c9 |         | sl3:il3 | Yes | Yes
Table 14. TPE Viewing Capability for OpenSSH Created Files Test Validation Results

d. TPE Testing with Files Modified by OpenSSH Test Validation Results

This suite of tests validated that files created at the console of the XTS-400 and modified by a user logged in through OpenSSH can be viewed from the MLS LAN through the TPEs.

Test Number | TPE Login Level | Object Level | TPE Viewable (Expected) | Actual Results
d1 | sl1:il3 | sl1:il3 | Yes | Yes
d2 |         | sl2:il3 | No  | No
d3 |         | sl3:il3 | No  | No
d4 | sl2:il3 | sl1:il3 | Yes | Yes
d5 |         | sl2:il3 | Yes | Yes
d6 |         | sl3:il3 | No  | No
d7 | sl3:il3 | sl1:il3 | Yes | Yes
d8 |         | sl2:il3 | Yes | Yes
d9 |         | sl3:il3 | Yes | Yes
Table 15. TPE Viewing Capability with OpenSSH Modified Files Test Validation Results

e. Single Level LAN Simultaneous User Logins Test Validation Results

This test demonstrated that a single level OpenSSH daemon could handle multiple simultaneous user logins.

Test Number | LAN Level | User Name | Successful Logins (Expected) | Actual Results
e1 | sl1:il3 | cherbig  | Pass | Pass
   |         | demo     | Pass | Pass
   |         | testuser | Pass | Pass
Table 16. Single Level LAN Simultaneous User Logins Test Validation Results

f. Multiple Single Leve
		cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
#endif
	if (pid < 0)
		packet_disconnect("fork failed: %.100s", strerror(errno));
	s->pid = pid;

	/* Parent.  Close the slave side of the pseudo tty. */
	close(ttyfd);

	/*
	 * Create another descriptor of the pty master side for use as the
	 * standard input.  We could use the original descriptor, but this
	 * simplifies code in server_loop.  The descriptor is bidirectional.
	 */
	fdout = dup(ptyfd);
	if (fdout < 0)
		packet_disconnect("dup #1 failed: %.100s", strerror(errno));

	/* we keep a reference to the pty master */
	ptymaster = dup(ptyfd);
	if (ptymaster < 0)
		packet_disconnect("dup #2 failed: %.100s", strerror(errno));
	s->ptymaster = ptymaster;

	/* Enter interactive session. */
	packet_set_interactive(1);
	if (compat20) {
		session_set_fds(s, ptyfd, fdout, -1);
	} else {
		server_loop(pid, ptyfd, fdout, -1);
		/* server_loop _has_ closed ptyfd and fdout. */
	}
}

#ifdef LOGIN_NEEDS_UTMPX
static void
do_pre_login(Session *s)
{
	socklen_t fromlen;
	struct sockaddr_storage from;
	pid_t pid = getpid();

	/*
	 * Get IP address of client. If the connection is not a socket, let
	 * the address be 0.0.0.0.
	 */
	memset(&from, 0, sizeof(from));
	fromlen = sizeof(from);
	if (packet_connection_is_on_socket()) {
		if (getpeername(packet_get_connection_in(),
		    (struct sockaddr *) & from, &fromlen) < 0) {
			debug("getpeername: %.100s", strerror(errno));
			fa...
	p  = 100 - options.max_startups_rate;
	p *= startups - options.max_startups_begin;
	p /= (double) (options.max_startups - options.max_startups_begin);
	p += options.max_startups_rate;
	p /= 100.0;
	r = (double)arc4random() / UINT_MAX;

	debug("drop_connection: p %g r %g", p, r);
	return (r < p) ? 1 : 0;
}

static void
usage(void)
{
	fprintf(stderr, "sshd version %s\n", SSH_VERSION);
	fprintf(stderr, "Usage: %s [options]\n", __progname);
	fprintf(stderr, "Options:\n");
	fprintf(stderr, "  -f file    Configuration file (default %s)\n", _PATH_SERVER_CONFIG_FILE);
	fprintf(stderr, "  -d         Debugging mode (multiple -d means more debugging)\n");
	fprintf(stderr, "  -i         Started from inetd\n");
	fprintf(stderr, "  -D         Do not fork into daemon mode\n");
	fprintf(stderr, "  -t         Only test configuration file and keys\n");
	fprintf(stderr, "  -q         Quiet (no logging)\n");
	fprintf(stderr, "  -p port    Listen on the specified port (default: 22)\n");
	fprintf(stderr, "  -k seconds Regenerate server key every this many seconds (default: 3600)\n");
	fprintf(stderr, "  -g seconds Grace period for authentication (default: 600)\n");
	fprintf(stderr, "  -b bits    Size of server RSA key (default: 768 bits)\n");
	fprintf(stderr, "  -h file    File from which to read host key (default: %s)\n", _PATH_HOST_KEY_FILE);
	fprintf(stderr, "  -u len     Maximum hostname length for utmp recording\n");
	fprintf(stderr, "  -4         Use IPv4 only\n");
	fprintf(stderr, "...
	/* Set interactive/non-interactive mode. */
	packet_set_interactive(s->display != NULL);
#ifdef USE_PIPES
	/* We are the parent.  Close the child sides of the pipes. */
	close(pin[0]);
	close(pout[1]);
	close(perr[1]);

	if (compat20) {
		session_set_fds(s, pin[1], pout[0], s->is_subsystem ? -1 : perr[0]);
	} else {
		/* Enter the interactive session. */
		server_loop(pid, pin[1], pout[0], perr[0]);
		/* server_loop has closed pin[1], pout[0], and perr[0]. */
	}
#else /* USE_PIPES */
	/* We are the parent.  Close the child sides of the socket pairs. */
	close(inout[0]);
	close(err[0]);

	/*
	 * Enter the interactive session.  Note: server_loop must be able to
	 * handle the case that fdin and fdout are the same.
	 */
	if (compat20) {
		session_set_fds(s, inout[1], inout[1], s->is_subsystem ? -1 : err[1]);
	} else {
		server_loop(pid, inout[1], inout[1], err[1]);
		/* server_loop has closed inout[1] and err[1]. */
	}
#endif /* USE_PIPES */
}

/*
 * This is called to fork and execute a command when we have a tty.  This
 * will call do_child from the child, and server_loop from the parent after
 * setting up file descriptors, controlling tty, updating wtmp, utmp,
 * lastlog, and other such operations.
 */
void
do_exec_pty(Session *s, const char *command)
{
	int fdout, ptyfd, ttyfd, ptymaster;
	pid_t pid;

	if (s == NULL)
		fatal("do_exec_pty: no session");
	ptyfd = s->ptyfd;
	ttyfd = s->ttyfd;

#if defined(USE_PAM)
	if ...
...with certain servers. OpenSSH is an application that incorporates both protocol versions; OpenSSH clients and servers can negotiate with other clients and servers as to which protocol version to use. OpenSSH is the preferred implementation of SSH because it recognizes both versions of the protocol and it is highly portable, although the server must run on a Linux- or BSD-like system. OpenSSH clients have been developed for many popular operating systems, such as Microsoft Windows and the various Linux distributions. A discussion of the PuTTY SSH client follows.

b. SSH Clients

There are numerous clients for OpenSSH, as can be seen on http://www.freessh.org. Under the Windows section of the website, 27 different listings can be found for clients that run on the Windows operating system. Some of these clients are freeware and others are shareware. One popular Windows-based client is PuTTY. PuTTY is very modular: there are separate executables for about every function available to the OpenSSH client, such as an SSH client, a telnet client, a secure copy and secure FTP client, a secure tunneling client, and a key generation client. PuTTY is compatible with OpenSSH because, like OpenSSH, it supports both versions of the SSH protocol. PuTTY was developed and is maintained by a small team led by Simon Tatham in Cambridge, England [TAT04]. PuTTY was selected as the Windows SSH client for use in this study.

c. Authentication

One impor...
	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_VERSION);
	server_version_string = xstrdup(buf);

	/* Send our protocol version identification. */
	if (atomicio(vwrite, sock_out, server_version_string,
	    strlen(server_version_string))
	    != strlen(server_version_string)) {
		logit("Could not write ident string to %s", get_remote_ipaddr());
		fatal_cleanup();
	}

	/* Read other sides version identification. */
	memset(buf, 0, sizeof(buf));
	for (i = 0; i < sizeof(buf) - 1; i++) {
		if (atomicio(read, sock_in, &buf[i], 1) != 1) {
			logit("Did not receive identification string from %s",
			    get_remote_ipaddr());
			fatal_cleanup();
		}
		if (buf[i] == '\r') {
			buf[i] = 0;
			/* Kludge for F-Secure Macintosh < 1.0.2 */
			if (i == 12 &&
			    strncmp(buf, "SSH-1.5-W1.0", 12) == 0)
				break;
			continue;
		}
		if (buf[i] == '\n') {
			buf[i] = 0;
			break;
		}
	}
	buf[sizeof(buf) - 1] = 0;
	client_version_string = xstrdup(buf);

	/*
	 * Check that the versions match.  In future this might accept
	 * several versions and set appropriate flags to handle them.
	 */
	if (sscanf(client_version_string, "SSH-%d.%d-%[^\n]\n",
	    &remote_major, &remote_minor, remote_version) != 3) {
		s = "Protocol mismatch.\n";
		(void) atomicio(vwrite, sock_out, s, strlen(s));
		close(sock_in);
		close(sock_out);
		logit("Bad protocol version identification '%.100s' from %s",
		    client_version_string, get_remote_ipaddr());
		fa...
	2. Test Validation Results  33
		a. MAC Policy Enforcement Test Validation Results  33
		b. DAC Policy Enforcement Test Validation Results  35
		c. TPE Testing with Files Created by OpenSSH Test Validation Results  36
		d. TPE Testing with Files Modified by OpenSSH Test Validation Results  36
		e. Single Level LAN Simultaneous User Logins Test Validation Results  36
		f. Multiple Single Level LANs Simultaneous User Logins Test Validation Results  37
		g. Public Key Authentication Test Validation Results  37
		h. Miscellaneous Test Validation Results  37
B. MLS TEST BED TESTING  38
	1. Test Plan  38
		a. TPE Testing with Files Created by OpenSSH  39
		b. TPE Testing with Files Modified by OpenSSH  39
		c. Single Level LAN Simultaneous User Logins  39
		d. Multiple Single Level LANs Simultaneous User Logins  40
		e. Public Key Authentication Tests  40
V. CONCLUSION
...LANs Simultaneous User Logins Test Validation Results

This test demonstrated that multiple users are able to log in from multiple single level LANs simultaneously.

Test Number | LAN Level | Username | Successful Login (Expected) | Actual Results
f1 | sl1:il3 | cherbig  | Yes | Yes
   | sl2:il3 | demo     | Yes | Yes
   | sl3:il3 | testuser | Yes | Yes
Table 17. Multiple Single Level LANs Simultaneous User Logins Test Validation Results

g. Public Key Authentication Test Validation Results

This suite of tests demonstrated that the public key authentication method works properly.

Test Number | User Name | Private Key | Passphrase | Expected Results | Actual Results
g1 | Valid   | Correct | Correct | Succeed | Succeed
g2 | Valid   | Correct | Wrong   | Fail    | Fail
g3 | Valid   | Wrong   | Correct | Fail    | Fail
g4 | Invalid | Correct | Correct | Fail    | Fail
Table 18. Public Key Authentication Test Validation Results

h. Miscellaneous Test Validation Results

This suite of tests demonstrated that OpenSSH reacts as expected when user accounts are not configured properly.

Test Number | Case | Environment | Expected Results | Actual Results
h1 | Home directory not present | home directory not present | Cannot login | Cannot login
h2 | Permissions on home directory incorrect | $HOME | Cannot login | Cannot login
h3 | Level on home directory incorrect | level($HOME) = sl2:il3, session l...
Test Number | TPE Login Level | Object Level | TPE Viewable (Expected)
Ba1 | sl1:il3 | sl1:il3 | Yes
Ba2 |         | sl2:il3 | No
Ba3 |         | sl3:il3 | No
Ba4 | sl2:il3 | sl1:il3 | Yes
Ba5 |         | sl2:il3 | Yes
Ba6 |         | sl3:il3 | No
Ba7 | sl3:il3 | sl1:il3 | Yes
Ba8 |         | sl2:il3 | Yes
Ba9 |         | sl3:il3 | Yes
Table 20. MLS Testbed TPE Testing with Files Created Through OpenSSH

b. TPE Testing with Files Modified by OpenSSH

The same test performed for the developmental testing is repeated in the testbed environment. See the developmental test plan for more details on these tests. The test plan is presented in Table 21.

Test Number | TPE Login Level | Object Level | TPE Viewable (Expected)
Bb1 | sl1:il3 | sl1:il3 | Yes
Bb2 |         | sl2:il3 | No
Bb3 |         | sl3:il3 | No
Bb4 | sl2:il3 | sl1:il3 | Yes
Bb5 |         | sl2:il3 | Yes
Bb6 |         | sl3:il3 | No
Bb7 | sl3:il3 | sl1:il3 | Yes
Bb8 |         | sl2:il3 | Yes
Bb9 |         | sl3:il3 | Yes
Table 21. MLS Testbed TPE Testing with Files Modified Through OpenSSH

c. Single Level LAN Simultaneous User Logins

The same test performed for the developmental testing is repeated in the testbed environment. See the developmental test plan for more details on these tests. The test plan is presented in Table 22.

Test Number | LAN Level | User Name | Successful Logins (Expected)
Bc1 | sl1:il3 | cherbig  | Pass
    |         | demo     | Pass
    |         | testuser | Pass
Table 22. MLS Testbed Single Level LAN Simultaneous User Logins

d. Multiple Single Level LANs Simultaneous User Logins

The same test performed for the deve...
...lity. The MYSEA project currently provides logon services for users in a multilevel secure LAN. These services require trusted devices at the client systems that are not available to the users on the single level networks. The motivation for porting OpenSSH is to provide users with remote access to the XTS-400 from a single level network.

The methodology used for this research involved platform analysis, source code analysis, source code modifications, debugging, and integration testing. The XTS-400 provides a Linux binary compatible interface; in most cases applications developed on Linux run on the XTS-400 with no modifications. OpenSSH is a special case: its source code had to be modified, and the modified source code had to be tested to ensure there was no major loss in functionality. Although some functionality was lost in the porting process, the goal of providing a secure remote interactive session to the user across the single level LAN was achieved. Users are constrained by the security policies enforced on the XTS-400 when they are logged in through OpenSSH, as verified by the developmental testing results. The conclusion of this study offers suggestions for future projects to extend this work.

I. INTRODUCTION

A. MOTIVATION OF STUDY

In military and commercial contexts, information may be classified according to its criticality to its owners. The classification process involves...
...lopmental testing is repeated in the testbed environment. See the developmental test plan for more details on these tests. The test plan is presented in Table 23.

Test Number | LAN Level | Username | Successful Login (Expected)
Bd1 | sl1:il3 | cherbig  | Yes
    | sl2:il3 | demo     | Yes
    | sl3:il3 | testuser | Yes
Table 23. MLS Testbed Multiple Single Level LANs Simultaneous User Logins

e. Public Key Authentication Tests

The same test performed for the developmental testing is repeated in the testbed environment. See the developmental test plan for more details on these tests. The test plan is presented in Table 24.

Test Number | User Name | Private Key | Passphrase | Expected Results
Be1 | Valid   | Correct | Correct | Succeed
Be2 | Valid   | Correct | Wrong   | Fail
Be3 | Valid   | Wrong   | Correct | Fail
Be4 | Invalid | Correct | Correct | Fail
Table 24. MLS Testbed Public Key Authentication Tests

V. CONCLUSION

A. SUMMARY

This study successfully ported OpenSSH, without privilege separation enabled, to the XTS-400. Challenges caused by the functional differences between the XTS-400 and the Linux and OpenBSD platforms were encountered, and solutions that did not require modification of the STOP source code were implemented. Remote login capabilities are now supported on the XTS-400 through OpenSSH and can be provided to single level LAN users through the MYSEA project's use of the XTS-400 as the MLS MYSEA S...
...m calls not supported by the operating system that are required by the application. Each of these items (software dependencies, the process architecture, and system compatibility) can either produce a delay in the port or a complete roadblock.

For this research the above steps were followed, but the process was cyclic rather than sequential. First the OpenSSH documentation was reviewed, then the source code, then the XTS-400 documentation. When a challenge, usually in the form of an unsupported system call, was discovered, all three sources of information were consulted.

A helpful tool used to review the source code deserves mention: the Linux Cross Reference (LXR). This tool allows source code to be browsed through a web browser. Like a compiler, LXR generates a table of symbols, and those symbols are treated as links in the source code. This feature allows quick lookup of variable and function declarations, definitions, and references. The source code for this tool can be downloaded from http://sourceforge.net/projects/lxr.

The documentation for the XTS-400 was a little vague or incomplete at times. In order to verify that a normal feature on Linux or UNIX was not supported on the XTS-400, the XTS-400 manuals were consulted and then test programs were used. These test programs were written for a Fedora Core 1 Linux platform and first tested on that platform. The test programs were then transferred to the XTS-400 fo...
 *    must reproduce the above copyright notice, this list of conditions
 *    and the following disclaimer in the documentation and/or other
 *    materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#ifndef _DEFINES_H
#define _DEFINES_H

/* $Id: defines.h,v 1.103 2003/09/16 01:52:19 dtucker Exp $ */

/* Constants */

#ifndef SHUT_RDWR
enum
{
  SHUT_RD = 0,		/* No more receptions.  */
  SHUT_WR,		/* No more transmissions.  */
 * permitted provided that the following conditions are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * MYSEA: This file provides functions that the unprivileged child of the
 * monitor process can use to communicate with the monitor.
 */
int
mm_newkeys_to_blob(int mode, u_char **blobp, u_int *lenp)
{
	Buffer b;
	int len;
	Enc *enc;
	Mac *mac;
	Comp *comp;
	Newkeys *newkey = newkeys[mode];

	debug3("%s: converting %p", __func__, newkey);

	if (newkey == NULL) {
		error("%s: newkey == NULL", __func__);
		return 0;
	}
	enc = &newkey->enc;
	mac = &newkey->mac;
	comp = &newkey->comp;

	buffer_init(&b);
	/* Enc structure */
	buffer_put_cstring(&b, enc->name);
	/* The cipher struct is constant and shared, you export pointer */
	buffer_append(&b, &enc->cipher, sizeof(enc->cipher));
	buffer_put_int(&b, enc->enabled);
	buffer_put_int(&b, enc->block_size);
	buffer_put_string(&b, enc->key, enc->key_len);
	packet_get_keyiv(mode, enc->iv, enc->block_size);
	buffer_put_string(&b, enc->iv, enc->block_size);

	/* Mac structure */
	buffer_put_cstring(&b, mac->name);
	buffer_put_int(&b, mac->enabled);
	buffer_put_string(&b, mac->key, mac->key_len);

	/* Comp structure */
	buffer_put_int(&b, comp->type);
	buffer_put_int(&b, comp->enabled);
	buffer_put_cstring(&b, comp->name);

	len = buffer_len(&b);
	if (lenp != NULL)
		*lenp = len;
	if (blobp != NULL) {
		*blobp = xmalloc(len);
		memcpy(*blobp, buffer_ptr(&b), len);
	}
	memset(buffer_ptr(&b), 0, len);
	buffer_free(&b);
	return len;
}

static void
mm_send_kex(Buffer *m, Kex *kex)
{
	bu...
	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_TERM, &m);
	buffer_free(&m);
}

int
mm_ssh1_session_key(BIGNUM *num)
{
	int rsafail;
	Buffer m;

	buffer_init(&m);
	buffer_put_bignum2(&m, num);
	/* MYSEA: Change m_recvfd to m_childsendfd */
	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SESSKEY, &m);

	/* MYSEA: Change m_recvfd to m_childrecvfd */
	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_SESSKEY, &m);

	rsafail = buffer_get_int(&m);
	buffer_get_bignum2(&m, num);

	buffer_free(&m);

	return (rsafail);
}

static void
mm_chall_setup(char **name, char **infotxt, u_int *numprompts,
    char ***prompts, u_int **echo_on)
{
	*name = xstrdup("");
	*infotxt = xstrdup("");
	*numprompts = 1;
	*prompts = xmalloc(*numprompts * sizeof(char *));
	*echo_on = xmalloc(*numprompts * sizeof(u_int));
	(*echo_on)[0] = 0;
}

int
mm_bsdauth_query(void *ctx, char **name, char **infotxt,
   u_int *numprompts, char ***prompts, u_int **echo_on)
{
	Buffer m;
	u_int success;
	char *challenge;

	debug3("%s: entering", __func__);

	buffer_init(&m);
	/* MYSEA: Change m_recvfd to m_childsendfd */
	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_BSDAUTHQUERY, &m);

	/* MYSEA: Change m_recvfd to m_childrecvfd */
	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_BSDAUTHQUERY, &m);
	success = buffer_get_int(&m);
	if (success == 0) {
	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_SESSID, &m);
	buffer_free(&m);
}

int
mm_auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
{
	Buffer m;
	Key *key;
	u_char *blob;
	u_int blen;
	int allowed = 0, have_forced = 0;

	debug3("%s entering", __func__);

	buffer_init(&m);
	buffer_put_bignum2(&m, client_n);

	/* MYSEA: Change m_recvfd to m_childsendfd */
	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_RSAKEYALLOWED, &m);
	/* MYSEA: Change m_recvfd to m_childrecvfd */
	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_RSAKEYALLOWED, &m);

	allowed = buffer_get_int(&m);

	/* fake forced command */
	auth_clear_options();
	have_forced = buffer_get_int(&m);
	forced_command = have_forced ? xstrdup("true") : NULL;

	if (allowed && rkey != NULL) {
		blob = buffer_get_string(&m, &blen);
		if ((key = key_from_blob(blob, blen)) == NULL)
			fatal("%s: key_from_blob failed", __func__);
		*rkey = key;
		xfree(blob);
	}
	mm_send_debug(&m);
	buffer_free(&m);

	return (allowed);
}

BIGNUM *
mm_auth_rsa_generate_challenge(Key *key)
{
	Buffer m;
	BIGNUM *challenge;
	u_char *blob;
	u_int blen;

	debug3("%s entering", __func__);

	if ((challenge = BN_new()) == NULL)
		fatal("%s: BN_new failed", __func__);

	key->type = KEY_RSA;	/* XXX cheat for key_to_blob */
	if (key_to_blob(key, &blob, &blen) == 0)
		fatal("%s: key_to_blob failed", __func__);
	key->type = KEY_RSA1;
  SHUT_RDWR		/* No more receptions or transmissions.  */
};
# define SHUT_RD   SHUT_RD
# define SHUT_WR   SHUT_WR
# define SHUT_RDWR SHUT_RDWR
#endif

#ifndef IPTOS_LOWDELAY
# define IPTOS_LOWDELAY          0x10
# define IPTOS_THROUGHPUT        0x08
# define IPTOS_RELIABILITY       0x04
# define IPTOS_LOWCOST           0x02
# define IPTOS_MINCOST           IPTOS_LOWCOST
#endif /* IPTOS_LOWDELAY */

#ifndef MAXPATHLEN
# ifdef PATH_MAX
#  define MAXPATHLEN PATH_MAX
# else /* PATH_MAX */
#  define MAXPATHLEN 64 /* Should be safe */
# endif /* PATH_MAX */
#endif /* MAXPATHLEN */

#ifndef STDIN_FILENO
# define STDIN_FILENO    0
#endif
#ifndef STDOUT_FILENO
# define STDOUT_FILENO   1
#endif
#ifndef STDERR_FILENO
# define STDERR_FILENO   2
#endif

#ifndef NGROUPS_MAX	/* Disable groupaccess if NGROUP_MAX is not set */
#ifdef NGROUPS
#define NGROUPS_MAX NGROUPS
#else
#define NGROUPS_MAX 0
#endif
#endif

#ifndef O_NONBLOCK	/* Non Blocking Open */
# define O_NONBLOCK      00004
#endif

#ifndef S_ISDIR
# define S_ISDIR(mode)	(((mode) & (_S_IFMT)) == (_S_IFDIR))
#endif /* S_ISDIR */

#ifndef S_ISREG
# define S_ISREG(mode)	(((mode) & (_S_IFMT)) == (_S_IFREG))
#endif /* S_ISREG */

#ifndef S_ISLNK
# define S_ISLNK(mode)	(((mode) & S_IFMT) == S_IFLNK)
#endif /* S_ISLNK */

#ifndef S_IXUSR
# define S_IXUSR			0000100	/* execute/search permissi...
		if (strncmp(env[i], name, namelen) == 0 && env[i][namelen] == '=')
			break;
	if (env[i]) {
		/* Reuse the slot. */
		xfree(env[i]);
	} else {
		/* New variable.  Expand if necessary. */
		envsize = *envsizep;
		if (i >= envsize - 1) {
			if (envsize >= 1000)
				fatal("child_set_env: too many env vars");
			envsize += 50;
			env = (*envp) = xrealloc(env, envsize * sizeof(char *));
			*envsizep = envsize;
		}
		/* Need to set the NULL pointer at end of array beyond the new slot. */
		env[i + 1] = NULL;
	}

	/* Allocate space and format the variable in the appropriate slot. */
	env[i] = xmalloc(strlen(name) + 1 + strlen(value) + 1);
	snprintf(env[i], strlen(name) + 1 + strlen(value) + 1, "%s=%s", name, value);
}

/*
 * Reads environment variables from the given file and adds/overrides them
 * into the environment.  If the file does not exist, this does nothing.
 * Otherwise, it must consist of empty lines, comments (line starts with '#')
 * and assignments of the form name=value.  No other forms are allowed.
 */
static void
read_environment_file(char ***env, u_int *envsize,
    const char *filename)
{
	FILE *f;
	char buf[4096];
	char *cp, *value;
	u_int lineno = 0;

	f = fopen(filename, "r");
	if (!f)
		return;

	while (fgets(buf, sizeof(buf), f)) {
		if (++lineno > 1000)
			fatal("Too many lines in environment file %s", filename);
		for (cp = buf; *cp == ' ' || *cp == '\t'; cp++)
			;
		if (!*cp || *cp == '#' || *cp == '\n')
			continue;
		if (strchr(cp, '\n'))
			*strchr(cp, ...
	    (stat(options.xauth_location, &st) == -1)) {
		packet_send_debug("No xauth program; cannot forward with spoofing.");
		return 0;
	}
	if (options.use_login) {
		packet_send_debug("X11 forwarding disabled; "
		    "not compatible with UseLogin=yes.");
		return 0;
	}
	if (s->display != NULL) {
		debug("X11 display already set.");
		return 0;
	}
	if (x11_create_display_inet(options.x11_display_offset,
	    options.x11_use_localhost, s->single_connection,
	    &s->display_number) == -1) {
		debug("x11_create_display_inet failed.");
		return 0;
	}

	/* Set up a suitable value for the DISPLAY variable. */
	if (gethostname(hostname, sizeof(hostname)) < 0)
		fatal("gethostname: %.100s", strerror(errno));
	/*
	 * auth_display must be used as the displayname when the
	 * authorization entry is added with xauth(1).  This will be
	 * different than the DISPLAY string for localhost displays.
	 */
	if (options.x11_use_localhost) {
		snprintf(display, sizeof display, "localhost:%u.%u",
		    s->display_number, s->screen);
		snprintf(auth_display, sizeof auth_display, "unix:%u.%u",
		    s->display_number, s->screen);
		s->display = xstrdup(display);
		s->auth_display = xstrdup(auth_display);
	} else {
#ifdef IPADDR_IN_DISPLAY
		struct hostent *he;
		struct in_addr my_addr;

		he = gethostbyname(hostname);
		if (he == NULL) {
			error("Can't get IP address for X11 DISPLAY.");
			packet_send_debug("Can't get IP address for X11 DISPLAY.");
			return 0;
		}
		memcpy(&my_addr, he...
	s->single_connection = packet_get_char();
	s->auth_proto = packet_get_string(NULL);
	s->auth_data = packet_get_string(NULL);
	s->screen = packet_get_int();
	packet_check_eom();

	success = session_setup_x11fwd(s);
	if (!success) {
		xfree(s->auth_proto);
		xfree(s->auth_data);
		s->auth_proto = NULL;
		s->auth_data = NULL;
	}
	return success;
}

static int
session_shell_req(Session *s)
{
	packet_check_eom();
	do_exec(s, NULL);
	return 1;
}

static int
session_exec_req(Session *s)
{
	u_int len;
	char *command = packet_get_string(&len);
	packet_check_eom();
	do_exec(s, command);
	xfree(command);
	return 1;
}

static int
session_break_req(Session *s)
{
	u_int break_length;

	break_length = packet_get_int();	/* ignored */
	packet_check_eom();

	if (s->ttyfd == -1 ||
	    tcsendbreak(s->ttyfd, 0) < 0)
		return 0;
	return 1;
}

static int
session_auth_agent_req(Session *s)
{
	static int called = 0;
	packet_check_eom();
	if (no_agent_forwarding_flag) {
		debug("session_auth_agent_req: no_agent_forwarding_flag");
		return 0;
	}
	if (called) {
		return 0;
	} else {
		called = 1;
		return auth_input_request_forwarding(s->pw);
	}
}

int
session_input_channel_req(Channel *c, const char *rtype)
{
	int success = 0;
	Session *s;

	if ((s = session_by_channel(c->self)) == NULL) {
		logit("session_input_channel_req: no session %d req %.100s",
		    c->self, rtype);
		return 0;
	}
	debug("session_input_channel_req: ...
	s->col = packet_get_int();
	s->row = packet_get_int();
	s->xpixel = packet_get_int();
	s->ypixel = packet_get_int();
	packet_check_eom();
	pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
	return 1;
}

static int
session_pty_req(Session *s)
{
	u_int len;
	int n_bytes;

	if (no_pty_flag) {
		debug("Allocating a pty not permitted for this authentication.");
		return 0;
	}
	if (s->ttyfd != -1) {
		packet_disconnect("Protocol error: you already have a pty.");
		return 0;
	}
	/* Get the time and hostname when the user last logged in. */
	if (options.print_lastlog) {
		s->hostname[0] = '\0';
		s->last_login_time = get_last_login_time(s->pw->pw_uid,
		    s->pw->pw_name, s->hostname, sizeof(s->hostname));
	}

	s->term = packet_get_string(&len);

	if (compat20) {
		s->col = packet_get_int();
		s->row = packet_get_int();
	} else {
		s->row = packet_get_int();
		s->col = packet_get_int();
	}
	s->xpixel = packet_get_int();
	s->ypixel = packet_get_int();

	if (strcmp(s->term, "") == 0) {
		xfree(s->term);
		s->term = NULL;
	}

	/* Allocate a pty and open it. */
	debug("Allocating pty.");
	if (!PRIVSEP(pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)))) {
		if (s->term)
			xfree(s->term);
		s->term = NULL;
		s->ptyfd = -1;
		s->ttyfd = -1;
		error("session_pty_req: session %d alloc failed", s->self);
		return 0;
	}
	debug("session_pty_req: session ...
Policy | Property | Test | Relation | Allowed
Secrecy | simple security property | Read down | sl(S) > sl(O) | Yes
Secrecy | simple security property | Read up | sl(S) < sl(O) | No
Secrecy | *-property | Write equal | sl(S) = sl(O) | Yes
Secrecy | *-property | Write down | sl(S) > sl(O) | No
Secrecy | *-property | Write up | sl(S) < sl(O) | Yes
Integrity | simple integrity property | Read equal | il(S) = il(O) | Yes
Integrity | simple integrity property | Read down | il(S) > il(O) | No
Integrity | simple integrity property | Read up | il(S) < il(O) | Yes
Integrity | *-property | Write equal | il(S) = il(O) | Yes
Integrity | *-property | Write down | il(S) > il(O) | Yes
Integrity | *-property | Write up | il(S) < il(O) | No
Table 4. MAC Policy Test Definitions

In the mandatory secrecy policy, the simple security property does not allow a subject to read an object unless the secrecy level of the subject dominates the secrecy level of the object. Therefore all secrecy read-up tests should fail, and all secrecy read-down and read-equal tests should pass. The *-property of the secrecy policy does not allow a subject to modify an object if the secrecy level of the subject strictly dominates the secrecy level of the object, so all secrecy write-down tests should fail. In theory a subject may modify an object whose secrecy level dominates the subject's; however, the XTS-400 does not allow this action, so all secrecy write-up tests should fail as well. Only the secrecy write-equal tests should pass.

The simple integrity property of the mandatory integrity policy does not allow a subject to read an object if the integrity level of the subject dominates the integrity level of the object. All integrity read-down tests should...
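To make the table concrete, here is an added example (not from the thesis) that encodes the read and write decisions exactly as the paragraph above describes the XTS-400 enforcing them: Bell-LaPadula simple security plus Biba simple integrity for reads, and for writes the secrecy *-property with write-up also refused, plus the Biba *-property. Labels use the sl<n>:il<n> notation of the test tables; the label parser, the tpe_can_view() and ssh_user_can_modify() helpers and the subject/object pairs chosen for each Table 4 row are assumptions of the example.

```c
#include <stdio.h>

/* A label in the test tables' notation "sl<secrecy>:il<integrity>". */
typedef struct { int sl, il; } label_t;

/* Parse "slN:ilM" (single digits, as in the tables). 0 on success, -1 if malformed. */
int parse_label(const char *text, label_t *out)
{
	int sl, il;
	char tail;
	if (sscanf(text, "sl%1d:il%1d%c", &sl, &il, &tail) != 2 || sl < 1 || il < 1) return -1;
	out->sl = sl; out->il = il;
	return 0;
}

/* Read: simple security property, sl(S) >= sl(O), and simple integrity
 * property, il(S) <= il(O), must both hold. */
int mac_read_allowed(label_t s, label_t o) { return s.sl >= o.sl && s.il <= o.il; }

/* Write: the secrecy *-property forbids write-down and the XTS-400 also
 * refuses write-up, so sl(S) == sl(O); the integrity *-property allows
 * write-down but not write-up, so il(S) >= il(O). */
int mac_write_allowed(label_t s, label_t o) { return s.sl == o.sl && s.il >= o.il; }

/* The TPE viewing question of Tables 14, 15, 20 and 21: can a viewer logged
 * in at tpe_level read an object at obj_level?  1 yes, 0 no, -1 bad label. */
int tpe_can_view(const char *tpe_level, const char *obj_level)
{
	label_t s, o;
	if (parse_label(tpe_level, &s) < 0 || parse_label(obj_level, &o) < 0) return -1;
	return mac_read_allowed(s, o);
}

/* Can an OpenSSH session at session_level modify a file at obj_level? */
int ssh_user_can_modify(const char *session_level, const char *obj_level)
{
	label_t s, o;
	if (parse_label(session_level, &s) < 0 || parse_label(obj_level, &o) < 0) return -1;
	return mac_write_allowed(s, o);
}

/* Table 4 re-expressed as subject/object pairs with the outcome the text
 * says the XTS-400 tests should produce (secrecy write-up is "No" here even
 * though the abstract policy would permit it).  Returns how many of the 12
 * rows the decision functions above reproduce. */
int table4_rows_reproduced(void)
{
	static const struct { const char *name; int write; label_t s, o; int expect; } rows[] = {
		{ "secrecy read equal",    0, {2,2}, {2,2}, 1 },
		{ "secrecy read down",     0, {2,2}, {1,2}, 1 },
		{ "secrecy read up",       0, {2,2}, {3,2}, 0 },
		{ "secrecy write equal",   1, {2,2}, {2,2}, 1 },
		{ "secrecy write down",    1, {2,2}, {1,2}, 0 },
		{ "secrecy write up",      1, {2,2}, {3,2}, 0 },
		{ "integrity read equal",  0, {2,2}, {2,2}, 1 },
		{ "integrity read down",   0, {2,2}, {2,1}, 0 },
		{ "integrity read up",     0, {2,2}, {2,3}, 1 },
		{ "integrity write equal", 1, {2,2}, {2,2}, 1 },
		{ "integrity write down",  1, {2,2}, {2,1}, 1 },
		{ "integrity write up",    1, {2,2}, {2,3}, 0 },
	};
	int ok = 0;
	for (size_t i = 0; i < sizeof rows / sizeof rows[0]; i++) {
		int got = rows[i].write ? mac_write_allowed(rows[i].s, rows[i].o)
		                        : mac_read_allowed(rows[i].s, rows[i].o);
		if (got == rows[i].expect) ok++;
		else printf("mismatch: %s\n", rows[i].name);
	}
	return ok;
}
```

The same two functions also reproduce the TPE tables: tpe_can_view("sl2:il3", "sl1:il3") is 1 and tpe_can_view("sl1:il3", "sl2:il3") is 0, matching rows Ba4 and Ba2. A malformed label yields -1 rather than a default of "allowed", so a label the parser does not understand can never be mistaken for a permission.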
...name it authorized_keys2. After the file has been created, change the ownership and permissions to match those of the id_dsa.pub file. Repeat step 5, substituting authorized_keys2 for id_dsa.pub.

B. PUTTY CONVERSION OF KEYS FROM XTS-400

For users who do not want to generate their own keys, the keys generated on the XTS-400 must be converted before use.

1. Take the id_dsa file provided by the administrator.
2. Double click on puttygen.
3. From the Conversions menu, select Import Key.
4. Choose the file provided by the administrator; the file name should be id_dsa.
5. The user will be asked to enter the passphrase for the key. The administrator should have given them the passphrase.
6. The key should be imported successfully.
7. Click on Save private key.
8. Enter a file name of any kind and save the key to a secure location (a network drive or a USB drive). Click Save.
9. When connecting using PuTTY, specify this new key and not the old one. The old key that the system administrator gave to the user may be deleted. Safeguard the new private key; the passphrase will be required whenever the key is used.

C. PUTTY GENERATED KEYS

Users who want to generate their own keys can use PuTTY's puttygen to do so. On a Windows machine that has PuTTY installed:

1. Double click on the puttygen icon. This will open a window.
2. Select the SSH-2 DSA radio button in the Parameters section of the window.
3. The number of bits shoul...
#endif /* _UNICOS */

#ifdef AIX
	{
		char *cp;

		if ((cp = getenv("AUTHSTATE")) != NULL)
			child_set_env(&env, &envsize, "AUTHSTATE", cp);
		if ((cp = getenv("KRB5CCNAME")) != NULL)
			child_set_env(&env, &envsize, "KRB5CCNAME", cp);
		read_environment_file(&env, &envsize, "/etc/environment");
	}
#endif
#ifdef KRB5
	if (s->authctxt->krb5_ticket_file)
		child_set_env(&env, &envsize, "KRB5CCNAME",
		    s->authctxt->krb5_ticket_file);
#endif
#ifdef USE_PAM
	/*
	 * Pull in any environment variables that may have
	 * been set by PAM.
	 */
	if (options.use_pam) {
		char **p;

		p = fetch_pam_environment();
		copy_environment(p, &env, &envsize);
		free_pam_environment(p);
	}
#endif /* USE_PAM */

	if (auth_sock_name != NULL)
		child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,
		    auth_sock_name);

	/* read $HOME/.ssh/environment. */
	if (options.permit_user_env && !options.use_login) {
		snprintf(buf, sizeof buf, "%.200s/.ssh/environment",
		    strcmp(pw->pw_dir, "/") ? pw->pw_dir : "");
		read_environment_file(&env, &envsize, buf);
	}
	if (debug_flag) {
		/* dump the environment */
		fprintf(stderr, "Environment:\n");
		for (i = 0; env[i]; i++)
			fprintf(stderr, "  %.200s\n", env[i]);
	}
	return env;
}

/*
 * Run $HOME/.ssh/rc, /etc/ssh/sshrc, or xauth (whichever is found
 * first in this order).
 */
159. ...ng supported by the XTS-400, but this is incorrect because the daemon API is only a functional stub. The linking order when the executable is being built will not permit the daemon function in openbsd-compat to be used instead of the daemon system call provided by the XTS-400. The solution for this was to copy the daemon code from the openbsd-compat daemon.c file into the sshd.c file. A new function prototype was added to the sshd.c file, and the function definition was added to the end of the sshd.c file. The new daemon function is called daemonize, to prevent the linker from calling the daemon system call provided by the XTS-400. These are the solutions for the system calls that were either not supported or that required privileges. The next set of challenges involved system files that OpenSSH expects to be present on the system.

3. System Files

There are four system files that OpenSSH assumes to be present on the system: /etc/passwd, /etc/shadow, /var/run/utmp, /var/log/wtmp and /etc/group. The passwd file is present on the XTS-400 system, while the remaining three files are not. The /etc/passwd file is used by the untrusted environment to assign each user a user ID, a home directory and a default shell. The /etc/passwd file is generated by the xtsmkpasswd command. This command does not produce a correct passwd file because the default group listed in the file assigns all users to the sys...
160. ntrol asynchronous execution problems uA static void generate ephemeral server key void u_int32_t rnd 0 int i verbose Generating s d bit RSA key sensitive_data server_key new n T options server key bits if sensitive data server key NULL key free sensitive data server key sensitive data server key key generate KEY RSAI options server key bits verbose RSA key generation complete for i 0 i lt SSH SESSION KEY LENGTH i 112 if i oe 4 0 rnd arc random sensitive_data sshl_cookie i rnd gt gt 8 rnd amp Oxff arc4random_stir static void key_regeneration_alarm int sig int save_errno errno signal SIGALRM SIG_DFL rrno save_errno key_do_regen 1 static void sshd_exchange_identification int sock_in int sock_out int i mismatch int remote_major remote_minor int major minor char s char buf 256 Must not be larger than remote version char remote version 256 Must be at least as big as buf Xj if options protocol amp SSH_PROTO_1 amp amp options protocol amp SSH PROTO 2 major PROTOCOL MAJOR 1 minor 99 else if options protocol amp SSH PROTO 2 major PROTOCOL MAJOR 2 minor PROTOCOL MINOR 2 else major PROTOCOL MAJOR 1 minor PROTOCOL MINOR 1 snprintf buf s
161. nv amp env amp envsize SHELL shell amp envsize TZ getenv TZ Set custom environment options from RSA authentication if options use login while custom environment 85 struct envstring ce custom environment char str ce gt s for i 0 str i s amp amp str ri g i i if str i str i 0 child_set_env amp env amp envsize str str i custom environment ce gt next xfree ce gt s xfree ce SSH_CLIENT deprecated snprintf buf sizeof buf 50s d d get remote ipaddr get remote port get local port child set env amp env amp envsize SSH CLIENT buf laddr get local ipaddr packet get connection in snprintf buf sizeof buf 50s d 50s d get remote ipaddr get remote port laddr get local port xfree laddr child set env amp env amp envsize SSH CONNECTION buf if s gt ttyfd 1 child set env amp env amp envsize SSH TTY s tty if s gt term child set env amp env amp envsize TERM s term if s display child set env amp env amp envsize DISPLAY s display if original command child set env amp env amp envsize SSH ORIGINAL COMMAND original command ifdef UNICOS if cray tmpdir 0 0 child set env amp env amp envsize TMPDIR cray tmpdir e
162. nv amp env ifdef AIX amp envsize LOGNAME pw pw name child set env amp env endif amp envsize LOGIN pw gt pw_name child set env amp env ifdef HAVE LOGIN CAP amp envsize HOME pw pw dir if setusercontext lc pw pw pw uid LOGIN SETPATH lt 0 child set env amp env amp envsize PATH PATH STDPATH else child set env amp env amp envsize PATH getenv PATH else HAVE LOGIN CAP ifndef HAVE CYGWIN There s no standard path on Windows The path contains important components pointing to the system directories needed for loading shared libraries So the path better remains intact here x ifdef HAVE_ETC_DEFAULT_LOGIN read etc default login amp env amp envsize pw gt pw_uid path child get env env PATH endif HAVE ETC DEFAULT LOGIN if path NULL path 0 child set env amp env amp envsize PATH S pw pw uid 0 SUPERUSER PATH PATH STDPATH endif HAVE CYGWIN endif HAVE LOGIN CAP snprintf buf PATH MAII child set env amp env sizeof buf 200s 50s LDIR pw gt pw_name amp envsize MAIL buf Normal systems set SHELL by default if getenv TZ child set env amp env child set e
163. ... 41
A. SUMMARY 41
B. LESSONS LEARNED 41
C. FUTURE WORK 41
APPENDIX A. SOFTWARE INSTALLATION 43
A. SUPPORT SOFTWARE 43
1. Entropy Gathering Daemon 43
2. Zlib Compression Libraries and Tools 46
a. Installation Instructions 46
3. OpenSSL Encryption Libraries and Tools 46
a. Installation Instructions 46
B. OPENSSH 47
C. PUTTY INSTALLATION 53
APPENDIX B. SOURCE CODE LISTING 55
A. DEFINES 55
B. HSS LOINC 66
C. eL EIU O 106
D. DDS WV APC 141
E. MONITOR 147
F. MONITOR WRAP.C ...
164. o we let login 1 to this for us if options use login ifdef HAVE OSF SIA session setup sia pw s ttyfd 1 NULL s gt tty if check quietlogin s command do motd delse HAVE OSF SIA do nologin pw do setusercontext pw endif HAVE OSF SIA Get the shell from the password data An empty shell field is legal and means bin sh ae shell pw pw shell 0 0O PATH BSHELL pw gt pw_shell Make sure SSHELL points to the shell from the password file 91 even if shell is overridden from login conf nv do setup env s shell ifdef HAVE LOGIN CAP shell login getcapstr lc shell char shell char shell fendif we have to stash the hostname before we close our socket if options use login hostname get remote name or ip utmp len options use dns Close the connection descriptors note that this is the child and the server will still have the socket open and it is important that we do not shutdown it Note that the descriptors cannot be closed before building the environment as we call get remote ipaddr there x if packet get connection in packet get connection out close packet get connection in else close packet get connection in close packet get connection out Close all descriptors related to channels They will still remain open
165. of buf mlen mlen void mm request receive int socket Buffer m u_char buf 4 u_int msg_len ssize_t res debug3 s entering __func__ res atomicio read socket buf sizeof buf if res sizeof buf if res 0 fatal cleanup fatal s read 1d func long res msg_len GET_32BIT buf if msg_len gt 256 1024 fatal s read bad msg len d func msg len buffer clear m buffer append space m msg len res atomicio read socket buffer ptr m msg len if res msg len fatal s read Sld msg len func long res void mm request receive expect int socket enum monitor reqtype type Buffer m u_char rtype debug3 s entering type Sd func type mm request receive socket m rtype buffer get char m if rtype type fatal s read rtype Sd type d __func__ rtype type DH mm_choose_dh int min int nbits int max BIGNUM p g int success 0 Buffer m buffer init amp m buffer put int amp m min buffer put int amp m nbits buffer put int amp m max MYSEA Change m recvfd to childsendfd mm request send pmonitor m recvfd MONITOR REQ MODULI amp m debug3 s waiting for MONITOR ANS MODULI func 0 Change m recvfd to m childrecvfd 154 mm request receive expect pmonitor m recvfd MONITOR ANS MODULI
166. ointer to struct cmsghdr return pointer to data ifndef CMSG_DATA define CMSG DATA cmsg u char cmsg __CMSG_ALIGN sizeof struct cmsghdr endif CMSG_DATA RFC 2292 requires to check msg controllen in case that the kernel returns an empty list for some reasons EJ ifndef CMSG_FIRSTHDR define CMSG_FIRSTHDR mhdr mhdr msg controllen gt sizeof struct cmsghdr struct cmsghdr mhdr msg control struct cmsghdr NULL fendif CMSG FIRSTHDR Function replacement compatibility hacks if defined HAVE GETADDRINFO amp amp defined HAVE OGETADDRINFO defined HAVE_NGETADDRINFO define HAVE_GETADDRINFO endif nde nde nde nde nde HAVE_GETOPT_OPTRESET getopt opterr optind optopt ndef optreset ndef optarg define getopt ac av o BSDgetopt ac av 0 define opterr BSDopterr define optind BSDoptind define optopt BSDoptopt define optreset BSDoptreset define optarg BSDoptarg endif h Fh Fh Fh Fh Fh Fh caaGa a G Hh 63 In older versio ns of libpam pam s
167. on E define S IXGRP 0000010 execute search permission x define S IXOTH 0000001 execute search permission aA define _S_IWUSR 0000200 write permission define S_IWUSR _S_IWUSR write permission owner define S_IWGRP 0000020 write permission group define S_IWOTH 0000002 write permission other define S_IRUSR 0000400 read permission owner define S IRGRP 0000040 read permission group define S IROTH 0000004 read permission other define S IRWXU 0000700 read write execute define S IRWXG 0000070 read write execute define S IRWXO 0000007 read write execute endif S IXUSR if defined MAP ANON amp amp defined MAP ANONYMOUS define MAP ANON MAP ANONYMOUS endif ifndef MAP FAIL define MAP FAIL endif Lr D ED void 1 nto qnx doesn t define this constant in the system headers ifdef MISSING NFDBITS define NFDBITS 8 sizeof unsigned long endif SCO Open Server 3 has INADDR_LOOPBACK defined in rpc rpc h but including rpc rpc h breaks Solaris 6 ar ifndef INADDR LOOPBACK define INADDR LOOPBACK u long 0x7f000001 fendif Types If sys types h does not supply intXX t supply them ourselves or die trying ifndef HAVE U INT typedef unsigned int u int endif ifndef HAVE INTXX T if SIZEOF CHAR 1 typedef char int8 t else error 8 bit int type not found
168. ...on, Bedford, MA.

Biba, K. J. (1977). Integrity Considerations for Secure Computer Systems. ESD-TR-76-372, Mitre Corporation, Bedford, MA.

DigitalNet Government Solutions, LLC. (2004). Security Target Version 1.7 for XTS-400 Version 6.0.E. Available: http://niap.nist.gov/cc-scheme/st/ST_VID3012-ST.pdf. Accessed 12 December 2004.

DigitalNet Government Solutions, LLC. (2003). XTS-400 Programmer's Guide. XTDOC0006-02, Herndon, VA.

DigitalNet Government Solutions, LLC. (2003). XTS-400 Trusted Facility Manual. XTDOC0004-02, Herndon, VA.

DigitalNet Government Solutions, LLC. (2002). XTS-400 User's Manual. XTDOC0005-02, Herndon, VA.

Irvine, C. E., Levin, T. E., Nguyen, T. D., Shifflett, D., Khosalim, J., Clark, P. C., Wong, A., Afinidad, F., Bibighaus, D., & Sears, J. (2004). Overview of a High Assurance Architecture for Distributed Multilevel Security. Proceedings of the 5th IEEE Systems, Man and Cybernetics Information Assurance Workshop, 38-45.

Lampson, B. W. (1974). Protection. Proc. Fifth Symposium on Information Sciences and Systems. Reprinted in Operating Systems Review 8(1), January 1974, pp. 18-24.

OpenSSH. (2004, September). Available: http://www.openssh.org. Accessed December 15, 2004.

OpenSSL. (2004, November). Available: http://www.openssl.org. Accessed December 15, 2004.

PRO03 SAL75 STE93 TAT04

Provos, N., Friedl, M., & Honeyman, P. (2003). Preventing Privilege Esc...
169. on the port logit Server listening on s port s ntop strport if listen listen sock 5 lt 0 fatal listen 100s strerror errno freeaddrinfo options listen addrs if num listen socks fatal Cannot bind any address if options protocol amp SSH PROTO 1 generate ephemeral server key Arrange to restart on SIGHUP The handler needs listen sock tof signal SIGHUP sighup handler signal SIGTERM sigterm handler signal SIGQUIT sigterm handler Arrange SIGCHLD to be caught signal SIGCHLD main sigchld handler Write out the pid fil after th sigterm handler is setup if debug flag Record our pid in var run sshd pid to make it easier to kill the correct sshd We don t want to do this before the bind abov becaus th bind will fail if there already is a daemon and this will overwrite any old pid in the file f fopen options pid file wb if f NULL error Couldn t create pid file s s 129 options pid file strerror errno else fprintf f Sld n long getpid fclose f setup fd set for listen fdset NULL maxfd 0 for i 0 i lt num listen socks i if listen_socks i gt maxfd maxfd listen socks i pipes connected to unauthenticated childs startup_pipes xmalloc options max startups m sizeof int for i 0 i lt
170. open etc motd r fendif if f while fgets buf sizeof buf f fputs buf stdout fclose f Check for quiet login either hushlogin or command given int check quietlogin Session s const char command 80 char buf 256 struct passwd pw s pw struct stat st Return 1 if hushlogin exists or a command given if command NULL return 1 snprintf buf sizeof buf 200s hushlogin pw pw dir ifdef HAVE_LOGIN_CAP if login getcapbool l1c hushlogin 0 stat buf amp st gt 0 return 1 else if stat buf amp st gt 0 return 1 endif return 0 Sets the value of the given variable in the environment If the variable already exists its value is overriden xy void child set env char envp u int envsizep const char name const char value char env u_int envsize u_int i namelen If we re passed an uninitialized list allocate a single null entry before continuing if envp NULL amp amp envsizep 0 envp xmalloc sizeof char envp 0 NULL envsizep 1 Find the slot where the value should be stored If the variable already exists we reuse the slot otherwise we append a new slot at the end of the array expanding if necessary Tu env envp namelen strlen name for i 0 env i itt if strncmp env i name namelen 0 a
171. options max startups i startup pipes i 1 Stay listening for connections until the system crashes or the daemon is killed with a signal 74 for if received sighup sighup restart if fdset NULL xfree fdset fdsetsz howmany maxfd 1 NFDBITS x sizeof fd mask fdset fd set xmalloc fdsetsz memset fdset 0 fdsetsz 0 i lt num listen socks i FD SET listen socks i fdset i 0 i options max startups itt tartup pipes i 1 FD SET startup pipes ilh fdset Qc Wait in select until there is a connection ret select maxfd 1 fdset NULL NULL NULL if ret 0 amp amp errno EINTR error select 100s strerror errno if received sigterm logit Received signal d terminating int received sigterm close listen socks unlink options pid file exit 255 if key used amp amp key do regen generate ephemeral server key key used 0 key do regen 0 if ret lt 0 130 Sockaddr amp from EWOULDBLOCK strerror errno strerror errno unless continue for i 0 i options max startups itt startup pipes i 1 amp amp FD ISSET startup pipes i fdset the read end of the pipe is ready if the child has closed the pipe after successful authentication or if the child has died close startup pipes i startup pipes i 1 startups
172. ...or should use mcopy to copy the key file from the disk that the user has provided to the /usr/local/src/bin directory. Repeat steps 1, 3, 5 and 6 from section A of this Appendix. In step 3, do not attempt to copy the id_dsa file; it should not be on the disk.

E. LINUX INSTALLATION OF KEYS FROM XTS-400

Take the private key file from the administrator. Copy the file over to the user's .ssh directory under their home directory. If the floppy drive is mounted as /mnt/floppy, then use the following command: cp /mnt/floppy/id_dsa $HOME/.ssh/id_dsa

APPENDIX E. TOOLS

This appendix provides instructions on how to use the SSH clients and information on the other tools used in this project. Section A describes how to use the two types of OpenSSH clients used for testing to connect to the XTS-400. Section B describes the tools used for development.

A. TESTING TOOLS

1. OpenSSH Client on Linux

The OpenSSH client on Linux and UNIX systems can be used to connect to the ported OpenSSH on the XTS-400. Make sure that each user has generated a DSA key pair. Refer to section D in Appendix D for instructions on how to generate DSA key pairs. The public key must be installed on the XTS-400 prior to login attempts. To connect, use the command ssh username@<host name or IP address>. When prompted, enter the passphrase for the private key. If the login succeeds, a shell prompt is returned. If th...
173. ...orage. A Knoppix client as well as a specialized version of Microsoft Windows XP Embedded called stateless professional are part of the design. The use of a popular operating system such as Microsoft Windows supports user acceptance because users may continue to use their favorite and familiar office productivity applications. The MYSEA server uses an XTS-400 as its base; it will be discussed in a future section. The XTS-400 provides an unforgeable communications link, called a trusted path, between the target of evaluation (TOE) security functions (TSF) and the user. The TSF is a set consisting of all hardware, software and firmware of the TOE that must be relied upon for the correct enforcement of the TOE security policy [DIG04]. The TOE in this context refers to the XTS-400. The trusted path can be invoked by the user with a secure attention key (SAK). The trusted path ensures to the user that he is communicating with the TSF and ensures to the TSF that it is communicating with the user. Outside the context of the MYSEA project, the XTS-400 only allows users at the console or serial terminals to invoke the SAK to use the trusted path. Within the context of the MYSEA project, the TPEs are high assurance components that allow users to login to the MYSEA server from a multilevel secure (MLS) LAN. The TPEs are not available for use on single-level LANs such as the NIPRNET, SIPRNET and JWICS. There is a need to provide remote login ca...
174. ...ory and user path, is normally readable by anyone on the system. However, it is only writeable by the root user. The shadow file contains the user ID and password pairs for each user in an encrypted text format that is only readable by the root user. In order for the OpenSSH child to authenticate the user using password authentication, it would have to access both the passwd and shadow files. Thus the OpenSSH child would have to run as the root user. There are some vulnerabilities [PRO03] that can result in privilege escalation to the root user. If root user status can be acquired maliciously, then the system is compromised and the confidentiality, integrity and availability of the information on that system can no longer be guaranteed. A solution to combat this threat was needed. Among the many proposed solutions that will mitigate the privilege escalation threat, one solution is the concept of privilege separation. Privilege separation is a generic concept with the objective of reducing the amount of code that runs with special privilege without affecting or limiting the functionality of the service [PRO03]. The implementation of privilege separation requires the use of two processes: a parent with privileges and a child without privileges. The child handles all user transactions, and when a user transaction requires privileges, the child must ask the parent to process the transaction for the child [PRO03]. Privilege separation has t...
175. ...owed

| Test | Permissions | Owner | Group | File | Operation | Result |
| b10 | rw | cherbig | other | test_orw.txt | read | Allowed |
| b11 | | | | | write | Allowed |
| b12 | | | | | execute | Fail |
| b13 | r | cherbig | other | test_or.txt | read | Allowed |
| b14 | | | | | write | Fail |
| b15 | | | | | execute | Fail |
| b16 | | cherbig | other | test_none.txt | read | Fail |
| b17 | | | | | write | Fail |
| b18 | | | | | execute | Fail |
| b19 | rwxrwxrwx | demo | other | dtest_ogarwx.txt | read | Allowed |
| b20 | | | | | write | Allowed |
| b21 | | | | | execute | Allowed |
| b22 | rwxrwx | demo | other | dtest_ogrwx.txt | read | Allowed |
| b23 | | | | | write | Allowed |
| b24 | | | | | execute | Allowed |
| b25 | rwxrw | demo | other | dtest_orwxgrw.txt | read | Allowed |
| b26 | | | | | write | Allowed |
| b27 | | | | | execute | Fail |
| b28 | rwxr | demo | other | dtest_orwxgr.txt | read | Allowed |
| b29 | | | | | write | Fail |
| b30 | | | | | execute | Fail |
| b31 | rwx | demo | other | dtest_orwx.txt | read | Fail |
| b32 | | | | | write | Fail |
| b33 | | | | | execute | Fail |
| b34 | rwx | demo | stop | atest_grwx.txt | read | Fail |
| b35 | | | | | write | Fail |
| b36 | | | | | execute | Fail |

Table 5. DAC Policy Enforcement Test

c. TPE Testing with Files Created by OpenSSH

The purpose of these tests is to verify that when users login from the MLS LAN through the TPEs, they can view the files created under OpenSSH. The test plan is presented in Table 6. The TPE Login Level specifies the session level of the current test. The TPE allows users to negotiate and renegotiate their session level. This test will also test for MAC policy enforcement through the TPE. The Object Levels are the secrecy and integrity levels of the object. A result of yes means that the file was vie...
176. ...pabilities with strong authentication over the single-level LANs. The remote login utility chosen is OpenSSH, which will be described in the next section.

2. OpenSSH

a. Overview of OpenSSH

OpenSSH is the OpenBSD version of SSH, the secure shell. It is available under the OpenBSD license [SSH04]. SSH, pronounced "s-s-h", is a protocol that specifies a secure way to login to a remote host [BAR01]. The creator of the SSH protocol is Tatu Ylonen, a researcher at the Helsinki University of Technology in Finland [BAR01]. There are two versions of the protocol, SSH-1 and SSH-2. SSH-1 was developed rather quickly and has numerous flaws [BAR01]. SSH-2 was developed to fix these flaws and add more functionality to the protocol [BAR01]. There is no backwards compatibility from SSH-1 to SSH-2 [BAR01]. SSH-1 is also monolithic and tries to provide for confidentiality, integrity, authentication and communication of user commands and data within one single protocol. According to Saltzer and Schroeder, a secure system should be very modular, based on the principle of economy of mechanism [SAL75]. SSH-2 follows this recommendation and divides the protocol into three main components: SSH-TRANS, SSH-USERAUTH and SSH-CONNECT. In essence, SSH is a protocol and not an application; OpenSSH is an application that supports the SSH protocols. Applications based on SSH usually only support one protocol, either SSH-1 or SSH-2. Thus certain clients may not be compatible w...
177. packet h nclude buffer h nclude mpaux h nclude uidswap h nclude compat h nclude channels h nclude bufaux h nclude auth h nclude auth options h nclude pathnames h nclude log h nclude servconf h nclude sshlogin h nclude serverloop h nclude canohost h nclude session h nclude monitor wrap h B H H H p H p H H H p b b b b b Bb bp bp p H H ifdef GSSAPI include ssh gss h endif func Session session new void void session set fds Session int int int void session pty cleanup void void session proctitle Session int session setup xllfwd Session void do exec pty Session const char void do exec no pty Session const char void do exec Session const char void do login Session const char ifdef LOGIN NEEDS UTMPX static void do pre login Session s fendif void do child Session const char void do motd void int check quietlogin Session const char Static void do authenticatedl Authctxt Static void do authenticated2 Authctxt static int session pty req Session import 67 exter exter exter exter exter exter exter exter 2 3 3 232 20200 23 ServerOptions options char progname int log stderr int debug flag u int utmp len int startup pipe void destroy sensitive data void Buffer loginmsg original command from peer
178. ...plicated, and a column with the test results has been added to each.

a. MAC Policy Enforcement Test Validation Results

For this suite of tests, the test results matched the expected results, and it can be concluded that the MAC policies remain enforced when users are logged in through OpenSSH.

| Test Number | Test Type | Session Level | Object Level | Command | Expected Result | Actual Result |
| a1 | Secrecy read up | sl1 il3 | sl2 il3 | more | Fail | Fail |
| a2 | | | sl3 il3 | more | Fail | Fail |
| a3 | | | sl4 il3 | more | Fail | Fail |
| a4 | | sl2 il3 | sl3 il3 | more | Fail | Fail |
| a5 | | | sl4 il3 | more | Fail | Fail |
| a6 | | sl3 il3 | sl4 il3 | more | Fail | Fail |
| a7 | Secrecy read down | sl1 il3 | sl0 il3 | more | Pass | Pass |
| a8 | | sl2 il3 | sl0 il3 | more | Pass | Pass |
| a9 | | | sl1 il3 | more | Pass | Pass |
| a10 | | sl3 il3 | sl0 il3 | more | Pass | Pass |
| a11 | | | sl1 il3 | more | Pass | Pass |
| a12 | | | sl2 il3 | more | Pass | Pass |
| a13 | Secrecy read equal | sl1 il3 | sl1 il3 | more | Pass | Pass |
| a14 | | sl2 il3 | sl2 il3 | more | Pass | Pass |
| a15 | | sl3 il3 | sl3 il3 | more | Pass | Pass |
| a16 | Secrecy write up | sl1 il3 | sl2 il3 | vi | Fail | Fail |
| a17 | | | sl3 il3 | vi | Fail | Fail |
| a18 | | | sl4 il3 | vi | Fail | Fail |
| a19 | | sl2 il3 | sl3 il3 | vi | Fail | Fail |
| a20 | | | sl4 il3 | vi | Fail | Fail |
| a21 | | sl3 il3 | sl4 il3 | vi | Fail | Fail |
| a22 | Secrecy write down | sl1 il3 | sl0 il3 | vi | Fail | Fail |
| a23 | | sl2 il3 | sl0 il3 | vi | Fail | Fail |
| a24 | | | sl1 il3 | vi | Fail | Fail |
| a25 | | s... | | | | |
179. pw gt pw_uid LOGIN_SETALL amp LOGIN_SETPATH lt 0 perror unable to set user context exit 1 else if defined HAVE GETLUID amp amp defined HAVE SETLUID Sets login uid for accounting if getluid 1 amp amp setluid pw pw uid 1 error setluid s strerror errno endif defined HAVE_GETLUID amp amp defined HAVE_SETLUID if setlogin pw gt pw_name lt 0 error setlogin failed s strerror errno 89 if setgid pw pw gid lt 0 perror setgid exit 1 MYSEA initgroups is not implemented on the XTS 400 for now it has been commented out Initialize the group list if initgroups pw pw name pw pw gid lt 0 perror initgroups exit 1 endgrent ifdef USE_PAM PAM credentials may take the form of supplementary I groups These will have been wiped by the above initgroups call Reestablish them here d if options use pam do pam session do pam setcred 0 endif USE_PAM if defined WITH_IRIX_PROJECT B defined WITH IRIX JOBS B defined WITH IRIX ARRAY irix setusercontext pw endif defined WITH IRIX PROJECT defined WITH IRIX JOBS defined WITH IRIX ARRAY ifdef AIX aix usrinfo pw endif AIX Permanently switch to the desired uid permanently set u
180. r 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in ok ok X X F ko Ro Ro F ox ct EX oO documentation and or other materials provided with the distribution THIS SOFTWARE IS PROVIDED BY THE AUTHOR AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITI USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF TH USE OF I Gl D TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF GI 66 THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE y I include includes nh RCSID SOpenBSD session c v 1 164 2003 09 18 08 49 45 markus Exp nclude ssh h nclude sshl h nclude ssh2 h nclude xmalloc h nclude sshpty h nclude
181. ...r. Type none for group. Hit enter for specific group. Type none for others. Type no for display object. Type yes for okay to change. Type exit.

2. This step is used to generate the keys for the users. Only one pair of keys can be generated for one user at a time. Before generating a new pair of keys for another user, complete step 6, then start from step 1. Issue SAK. Change levels to min il3. Issue SAK. Type run. cd to the /usr/local/src/bin directory. Type ssh-keygen -t dsa -f id_dsa. Enter a passphrase. Reenter to confirm the passphrase. Write this down to give to the user. Two files have been created: id_dsa and id_dsa.pub. Move the id_dsa file to disk by using mcopy: mcopy id_dsa a:id_dsa. Verify that the file has been copied to disk with the mdir command.

3. Issue SAK. Set levels to min max. Issue SAK. Use fsm to copy the two files /usr/local/src/bin/id_dsa and /usr/local/src/bin/id_dsa.pub over to the user's .ssh directory created earlier. Issue SAK. Type sl. Type min for the security level. Type max for the integrity level. Type yes for "is the level correct". Issue SAK. Type fsm. Type copy. Enter /usr/local/src/bin/id_dsa.pub as the input pathname. Enter <path to user's home directory>/.ssh/id_dsa.pub as the output pathname. Type yes for create output file. Type copy. Enter /usr/local/src/bin/id_dsa as the input pathname. Enter <path to user's home directory>/.ssh/id_...
182. ...r generator that produces sufficient randomness in terms of both quality and quantity. A detailed vulnerability analysis should be performed for the ported OpenSSH. The XTS-400 documentation warns against network connectivity and explains the threats associated with networks [DIG03b].

APPENDIX A. SOFTWARE INSTALLATION

The purpose of this appendix is to describe the installation instructions for all of the software packages on the XTS-400 used in this project. The user should be familiar with the XTS-400 and the STOP operating system. This appendix has two main sections: support software and OpenSSH. The support software consists of the Entropy Gathering Daemon, the Zlib compression libraries and the OpenSSL encryption libraries. The Secure Attention Key (SAK) on the XTS-400 console is the Alt and Print Screen keys pressed simultaneously.

A. SUPPORT SOFTWARE

For the Entropy Gathering Daemon, Zlib and OpenSSL installations, create a directory src in the /usr directory. The src directory must have the following mandatory levels: min oss. Create another directory under /usr called local. This directory should also be at min oss. The MYSEA libraries will be needed in order to install OpenSSH. Installation of the MYSEA libraries should occur before any of these packages are installed. When using the cdtool to copy files from the CD-ROM drive, the levels of the files may have to be downgraded or upgraded...
183. ...r testing, and the results from each platform were compared. This was done to verify that support for the given feature was not implemented if proper documentation could not be found, so that a blind assumption would not be made.

C. PORTING RESULTS

OpenSSH was successfully ported to the XTS-400 with some limited functionality. Privilege separation could not be implemented because file descriptor passing is not supported by the XTS-400. To simplify the port, the only authentication method available is public key authentication. Each single-level LAN requires an OpenSSH daemon, and there is no communication between any of the daemons as a consequence of the mandatory access control policies.

D. CHALLENGES ENCOUNTERED

The challenges encountered are the features listed in Tables 1 and 2. A discussion of the solutions used to circumvent these limitations is presented in the order they are presented in Tables 1 and 2. All source code modifications can be found in Appendix B, Source Code Listing. All modified files are in the openssh-3.7.1p2 source code directory.

1. System Features

The two system features listed in Table 1 are the root user and file descriptor passing. As mentioned in Table 2, the root user does not exist. The XTS-400 does not give a single user all system privileges; rather, the integrity policy is used to mediate access to privileged operations. In an OpenBSD system, the OpenSSH daemon runs as the root user. The OpenSSH code p...
184. rc4random RAND_seed rnd sizeof rnd Demote the private keys to public keys demote sensitive data if pw getpwnam SSH PRIVSEP USER NULL 116 ENGTH l Okay Niels privilege fif 0 else fatal Privilege separation user s does not exist SSH_PRIVSEP_USER memset pw gt pw_passwd 0 strlen pw gt pw_passwd endpwent Change our root directory MYSEA chroot is not supported so comment out for now if chroot PATH PRIVSEP CHROOT DIR 1 fatal chroot N sN s PATH PRIVSEP CHROOT DIR strerror errno MYSEA change directory to var run empty if chdir var empty 1 fatal chdir var empty s strerror errno Drop our privileges debug3 privsep user group u u u int pw pw uid u_int pw gt pw_gid XXX not ready to heavy after chroot do_setusercontext pw gidset 0 pw pw gid MYSEA setgroups is not implemented if setgroups 1 gidset lt 0 fatal setgroups 100s strerror errno permanently set uid pw endif static Authctxt privsep_preauth void Authctxt authctxt NULL int status pid_t pid Set up unprivileged child process to deal with network data pmonitor monitor init Store a pointer to the kex for later rekeying pmonitor m pkex amp xxx kex pid fork if pid 1
185. re that the OpenSSH daemons start after the entropy daemons. Enter yes for "high integrity program". Answer no for "the daemon will control a device". Enter the security level, either sl1, sl2 or sl3. Type il3 for the integrity level for all three daemons. For user and group names, type network. Type no for "display start index". Hit enter for end of list. Enter 0 for delay in starting the daemon if you answered no to "start daemon at startup". If the question "start daemon at startup" was answered with yes, then enter a delay of 60 seconds; the entropy daemons need time to generate entropy. Enter 0 for delay in stopping the daemon. For the daemon description, type the classification of the daemon followed by "SSH Daemon". Issue SAK. Set levels to min max. Type fsm. Change the owner and group of the sshd and the configuration and host key files to the network user. Type change. Enter /system/sshd for the path. Do not modify the levels. Enter network for the owner. Enter network for the group. Do not modify the discretionary access. Type no for display. Type yes for "Okay to change". Type change. Repeat this process for all of the configuration files. Enter /usr/local/src/etc/<config file>. Do not modify the mandatory access levels. Enter network for owner and group. Do not modify the discretionary access. Type no to display. Type yes for "Okay to change". Type change. Repeat this process for the three
186. riv enable_uid_priv MYSEA setgroups is not implemented on the XTS 400 Comment out for now if setgroups user groupslen user groups lt 0 fatal setgroups 100s strerror errno ifndef SAVED_IDS_WORK_WITH_SETEUID Propagate the privileged gid to all of our gids if setgid getegid lt 0 148 debug setgid u 100s u int getegid strerror errno Propagate the privileged uid to all of our uids if setuid geteuid lt 0 debug setuid Su 100s u int geteuid strerror errno endif SAVED IDS WORK WITH SETEUID if setegid pw gt pw_gid 0 fatal setegid Su 100s u_int pw gt pw_gid strerror errno if seteuid pw pw uid 1 fatal seteuid u 100s Mn u int pw pw uid strerror errno MYSEA Release the Privileges set priv old priv Restores to the original privileged uid void restore uid void MYSEA Need to add privileges here too in order to change the user and group ids xts_privilege_t old_priv it s a no op unless privileged if privileged debug restore uid unprivileged n return if temporarily use uid effective fatal restore uid temporarily use uid not effective MYSEA Enable the Privileges old_priv enable_uid_priv ifdef SAVED_IDS_WORK_WITH_SET
187. rver config amp options config file name Fill in default values for those options not explicitly set 124 fill default server options amp options Check that there are no remaining arguments if optind ac fprintf stderr Extra argument s n av optind exit 1 debug sshd version 100s SSH VERSION load private host keys sensitive data host keys xmalloc options num host key files sizeof Key for i 0 i lt options num host key files i sensitive data host keys i NULL sensitive data server key NULL sensitive data sshl host key NULL sensitive data have sshl key 0 sensitive data have ssh2 key 0 for i 0 i lt options num host key files i key key load private options host key files i vs NULL sensitive data host keys i key if key NULL error Could not load host key s options host key files il sensitive data host keys i NULL continue switch key gt type case KEY_RSAI1 sensitive_data sshl_host_key key sensitive_data have_sshl_key 1 break case KEY RSA case KEY DSA sensitive data have ssh2 key 1 break debug private host key d type d s i key gt type key_type key if options protocol amp SSH_PROTO_1 amp amp sensitive data have sshl key logit Disabling protocol version 1 Could not load host key options protocol amp SSH_P
188. s 3 if authctxt pw pw uid options use login endif File descriptor passing is broken or root login monitor apply keystate pmonitor use privsep 0 return Authentication complete alarm 0 if startup pipe 1 close startup pipe startup pipe 1 118 NULL New socket pair monitor reinit pmonitor pmonitor m pid fork if pmonitor m pid 1 fatal fork of unprivileged child failed else if pmonitor m pid 0 fatal remove cleanup void void packet_close debug2 User child is on pid ld long pmonitor gt m_ pid MYSEA close child side of descriptors close pmonitor gt m_recvfd close pmonitor m childrecvfd close pmonitor m childsendfd monitor child postauth pmonitor NEVERREACHED exit 0 MYSEA Child side close the parent side of descriptors close pmonitor gt m_sendfd close pmonitor m parentrecvfd close pmonitor m parentsendfd Demote the private keys to public keys demote sensitive data Drop privileges do setusercontext authctxt pw It is safe now to apply the key state monitor apply keystate pmonitor static char list hostkey types void Buffer b char p TNE Ly buffer_init amp b for i 0 i lt options num host key files i Key key sensitive data hos
189. s in home cherbig etc ssh known hosts RhostsRSAAuthentication no similar for protocol version 2 HostbasedAuthentication no Change to yes if you don t trust ssh known hosts for RhostsRSAAuthentication and HostbasedAuthentication IgnoreUserKnownHosts no Don t read the user s rhosts and shosts files IgnoreRhosts yes MYSEA Uncomment the PasswordAuthentication option and change the yes to no To disable tunneled clear text passwords change to no here PasswordAuthentication no PermitEmptyPasswords no Change to no to disable s key passwords ChallengeResponseAuthentication yes Kerberos options 176 KerberosAuthentication no KerberosOrLocalPasswd yes KerberosTicketCleanup yes GSSAPI options GSSAPIAuthentication no GSSAPICleanupCreds yes response UsePAM no and change the options to no AllowTcpForwarding yes GatewayPorts no XllForwarding no XllDisplayOffset 10 X11UseLocalhost yes PrintMotd no PrintLastLog no KeepAlive yes UseLogin no UsePrivilegeSeparation no PermitUserEnvironment no Compression yes ClientAliveInterval 0 ClientAliveCountMax 3 UseDNS yes PidFile var run sshd pid MaxStartups 10 no default banner path Banner some path override default of no subsystems Subsystem sftp home cherbig libexec sftp server Set this to yes to enable PAM authentication and session processing Depending on your PAM configuration bypass the setting of Pa
190. s not only from multilevel connections but from pre-existing single-level networks. The XTS-400 can be used as a server in such environments. Trusted devices are required for user login via multilevel connections; however, single-level remote login facilities do not require such client-side devices. Instead, a more lightweight mechanism is possible. Remote login capabilities do not exist on the XTS-400 for use over the single-level networks, and this capability is a desired feature for use in complex multilevel architectures. OpenSSH is an application developed for OpenBSD that uses the SSH protocol to provide secure remote logins and an interactive command interface. A secure remote login application, OpenSSH, was ported to the XTS-400 in order to provide remote login capabilities. The porting process identified differences between the original development platform for OpenSSH and the XTS-400. Solutions in the form of source code modifications were made to overcome problems resulting from the compatibility differences encountered during the port. Testing was conducted to ensure that the port was successful and did not violate any security policies enforced by the XTS-400. TABLE OF CONTENTS: I. INTRODUCTION, 1; A. MOTIVATION OF STUDY
191. ... 152; APPENDIX C. SSH DAEMON CONFIGURATION FILE, 175; A. SUMMARY OF REQUIRED CHANGES, 175; B. SAMPLE CONFIGURATION FILE, 175; APPENDIX D. KEY GENERATION, CONVERSION AND STORAGE, 179; A. XTS-400 GENERATED KEYS, 179; B. PUTTY CONVERSION OF KEYS FROM XTS-400, 183; C. PUTTY GENERATED KEYS, 184; D. OPENSSH GENERATED KEYS ON LINUX, 185; E. LINUX INSTALLATION OF KEYS FROM XTS-400, 185; APPENDIX E. TOOLS, 187; A. TESTING TOOLS, 187; 1. OpenSSH Client on Linux, 187; 2. PuTTY, 187; B. DEVELOPMENT TOOLS, 188; 1. Fedora Core 1 Linux, 188; 2. Linux Cross Reference, 188; APPEN
192. sed to validate that the port of OpenSSH to the XTS-400 is successful. A small network was created with three laptops: one is a Fedora Core 1 Linux system and the other two are Windows XP systems. The three clients are connected to the XTS-400 machine (Holmes) through a switch. Holmes has a network interface card that has four interfaces. One interface is used to simulate the MLS LAN with one client and one TPE. The other three interfaces are used to simulate the multiple single-level LANs. The IP addresses of the three single-level clients were to be configured to allow those clients to communicate with the corresponding network as required by the specific tests. A diagram of the test network is presented in Figure 1. [Figure 1. Developmental Testing Network Topology: MYSEA Server (Holmes); NIPRNET 192.168.1.22, SIPRNET 192.168.2.22, JWICS 192.168.3.22; Switch; Windows Client; Untrusted Client on MLS LAN; Windows Client.] a. MAC Policy Enforcement. The purpose of this test suite is to verify that the mandatory policies enforced by the XTS-400 are still enforced when a user is logged in through OpenSSH. The test plan is presented in Table 3. The Test Type identifies the kind of test being performed. The Session Level identifies the secrecy and integrity levels of the remote user. The Object Level identifies the secrecy and integrity levels of the object. The command used to test for re
193. self Long s gt pid debug Starting Session close if s ttyfd 1 fatal remove cleanup session pty cleanup void s session pty cleanup s 102 if s gt term free s term if s gt display free s display auth display free s auth display auth data free s auth data if s auth proto xfree s auth proto s used 0 session proctitle s debug ending session close H H H H x VX VX VM V void session_close_by_pid pid_t pid int status Session s session_by_pid pid if s NULL debug session close by pid no session for pid ld long pid return if s gt chanid 1 session_exit_message s status session close s this is called when a channel dies befor the session child itself dies void session close by channel int id void arg Session s session_by_channel id if s NULL debug session close by channel no session id return debug session close by channel channel d child ld id long s pid if s gt pid 0 debug session close by channel channel 38 id delay detach of session but release pty since the fd s to the child are already closed if s gt ttyfd 1 fatal remove cleanup session pty cleanup session pty cleanup s return 103 void s detach by removing callback chann
194. seline behaviors and results that were then compared to the behaviors and results produced by conducting experiments on the XTS-400. Fedora Linux can be downloaded from http://fedora.redhat.com. 2. Linux Cross Reference. This tool works with a web server to display C program files as web pages. All identifiers are treated as links. This makes source code navigation easier by allowing the user to treat the source code directory as a website. All variables and functions are treated as links, allowing users to quickly navigate to the specific line in the specific file where the variable or function is defined. This tool may be downloaded from http://sourceforge.net/projects/lxr. This tool was installed in the Fedora Core 1 Linux system mentioned earlier. This tool requires that a web server be installed on the system as well; Apache 2.0 was also installed on the Fedora Linux system. Apache can be downloaded from http://www.apache.org. APPENDIX F. TEST PROCEDURES. The purpose of this appendix is to provide the testing procedures used in the tests as described in Chapter IV. The Secure Attention Key (SAK) on the XTS-400 console is the alt and Print Screen keys pressed together. Three user accounts must be created for these tests: demo, cherbig and testuser. The username cherbig may be changed to testuser2; in this case all references to cherbig should be changed to testuser2. Their
195. ser Logins Test Validation ..., 37; Public Key Authentication Test Validation Results, 37; Miscellaneous Test Validation Results, 38; MLS Testbed: TPE Testing with Files Created Through OpenSSH, 39; MLS Testbed: TPE Testing with Files Modified Through OpenSSH, 39; MLS Testbed: Single-Level LAN Simultaneous User Logins, 40; MLS Testbed: Multiple Single-Level LANs Simultaneous User Logins, 40; MLS Testbed: Public Key Authentication Test, 40; MAC Policy Test Directories, 191; MAC Policy Test Files, 192. ACRONYMS AND ABBREVIATIONS: ACL, Access Control List; API, Application Programmer's Interface; DAC, Discretionary Access Control; DSA, Digital Signature Algorithm; IP, Internet Protocol; JWICS, Joint Worldwide Intelligence Communications System; LAN, Local Area Network; MAC, Mandatory Access Controls; MLS, Multilevel Secure; MYSEA, Monterey Security Architecture; NIPRNET, Non-secure Internet Protocol Router Network; OS, Operating System; PGP, Pretty Good Privacy; PKI, Public Key Infrastructure; RSA, Rivest Shamir Adleman; SIPRNET, Secret Internet Protocol Router Network; SSH, Secure Shell; STOP, Se; TCM; TPE
196. session d req s s gt self rtype a session is in LARVAL state until a shell a command or a subsystem is executed 99 if c gt type SSH CHANNEL LARVAL if strcmp rtype shell 0 Success session shell req s lse if stromp rtype exec 0 success session_exec_req s lse if stromp rtype pty req success session_pty_req s lse if strcmp rtype xll req success session x11 req s e e e else if strcmp rtype auth agent success sessio lse if strcmp rtype success lse if strcmp rtype success sessio subsystem break 0 n break req s if strcmp rtype success window change 0 session_window_change_req s return success void session_set_fds Session s int fdin int fdout int if compat20 fatal session set fds called for proto req openssh com session subsystem req s n auth agent req s 0 fderr ppp now that have a child and a pipe to the child we can activate our channel and register the fd s if s gt chanid Ex fatal no channel for session d channel set fds s chanid s gt self fdout fdin fderr fderr 1 CHAN EXTENDED IGNORE CHAN EXTENDED READ 1 CHAN SES WINDOW DEFAULT Function to perform pty cleanup Also called abnormally
197. shell ay if command char argv0 256 Start the shell Set initial character to argv0O 0 if strlcpy argvO 1 shell0 sizeof argv0 1 gt sizeof argvO 1 errno EINVAL perror shell exit 1 Execute the shell argv 0 argv0 argv 1 NULL execve shell argv env Executing the shell failed 93 perror shell exit 1 Execute the command using the user s shell option to execute the command EZ argv 0 char shell0 argv 1 c argv 2 char command argv 3 NULL execve shell argv env perror shell exit 1 Session session new void int i static int did_init 0 if did init debug session new init for i 0 i lt MAX SESSIONS i sessions i used 0 did_init 1 for i 0 i lt MAX SESSIONS i Session s amp sessions i if s gt used memset s 0 sizeof s s gt chanid 1 s gt ptyfd 1 s gt ttyfd 1 s gt used 1 s gt self i debug session new session d i return S return NULL static void session_dump void int 1 for i 0 Session s debug dump S used s gt self S S chanid long s pid i lt MAX SESSIONS itt amp sessions i 94 This uses the used d session d p channel d pid 1d C int session open Authctxt auth
198. ssion disabled break Enable compression after we hav responded with SUCCESS enable_compression_after_reply 1 success 1 break case SSH_CMSG_REQUEST_PTY success session_pty_req s break case SSH_CMSG_X11_REQUEST_FORWARDING s gt auth_proto packet get string amp proto len S auth data packet get string amp data len Screen flag packet get protocol flags amp SSH PROTOFLAG SCREEN NUMBER debug2 SSH PROTOFLAG SCREEN NUMBER sa screen_flag if packet_remaining 4 if screen flag debug2 Buggy client X11 screen flag missing s gt screen packet get int else s gt screen 0 packet check eom success session setup xllfwd s if success xfree s auth proto xfree s auth data S auth proto NULL S auth data NULL break case SSH_CMSG_AGENT_REQUEST_FORWARDING 71 if no agent forwarding flag compati13 debug Authentication agent forwarding not permitted for this authentication break debug Received authentication agent forwarding request success auth input request forwarding s pw break case SSH CMSG PORT FORWARD REQUEST if no port forwarding flag debug Port forwarding not permitted for this authentication break if options allow_tcp_forwarding debug Port for
199. sswordAuthentication via challenge-response, this may ... MYSEA: uncomment PrintMotd, PrintLastLog and UsePrivilegeSeparation. APPENDIX D. KEY GENERATION, CONVERSION AND STORAGE. This appendix provides instructions on key generation and conversion for use with the public key authentication mechanism in OpenSSH. Keys may be generated on the XTS-400 by the system administrator or by the users on their personal Windows or Linux machines. The Secure Attention Key (SAK) on the XTS-400 console is the alt and Print Screen keys pressed together. A. XTS-400 GENERATED KEYS. This procedure assumes that all user home directories are at the min il3 level (HOME sl1 il3). Only perform these steps for users that will be granted remote access to the system. On the XTS-400, login as admin with a session level of min max. 1. Create a directory called .ssh directly under the user's home directory. Issue SAK. Type fsm. Type mkdir. For path, enter /home/<username>/.ssh. Type no for deflection directory. Type change. For path, enter /home/<username>/.ssh. Type yes to modify mandatory access levels. Enter min for security level and il3 for integrity level. Change the name of the owner from admin to the username of the user's directory. Change the name of the group to the user's default group. Answer yes to change discretionary access. Enter rwx for owner. Hit enter for specific use
200. static void do rc files Session s const char shell FILE f NULL char cmd 1024 int do xauth struct stat St do xauth s gt display NULL amp amp s auth proto NULL amp amp s auth data NULL ignore PATH SSH USER RC for subsystems if s is subsystem amp amp stat PATH SSH USER RC amp st gt 0 snprintf cmd sizeof cmd s c s s shell PATH BSHELL PATH SSH USER RC if debug flag fprintf stderr Running s n cmd f popen cmd w E 87 if do xauth fprintf f s s n s auth proto S auth data pclose f else fprintf stderr Could not run s n PATH SSH USER RC else if stat PATH SSH SYSTEM RC amp st gt 0 if debug flag fprintf stderr Running s sMn PATH BSHELL PATH SSH SYSTEM RC f popen PATH BSHELL PATH SSH SYSTEM RC w XE OE of if do xauth fprintf f s sWMn s auth proto S auth data pclose f else fprintf stderr Could not run s n PATH SSH SYSTEM RC else if do xauth amp amp options xauth location NULL Add authority data to Xauthority if appropriate if debug flag fprintf stderr Running 500s remove 100s n options xauth location s auth display fprintf stderr 500s add 100s 100s 100s n options xauth_location s gt auth_display s gt auth_proto s auth data
201. t dtest_orwxgrw; chmod 760 dtest_orwxgrw; chown demo dtest_orwxgrw; cp test dtest_orwx; chmod 700 dtest_orwx; chown demo dtest_orwx; cp test atest_grwx; chmod 070 atest_grwx; chgrp stop atest_grwx; chown demo atest_grwx. Refer to Table 5 in Chapter IV for the tests to be performed. Login as the cherbig user at the sl1 il3 network interface. For read operations use more followed by the filename. For write operations use vi followed by the filename; when trying to save do a normal :wq, do not override with an !. For execute tests type <executable filename>. 3. TPE TESTING WITH FILES CREATED BY OPENSSH. Login at the console at default level as the demo user. Create a directory called public_html (mkdir public_html). Change permissions by chmod 755 public_html. Change to that directory (cd public_html). Create the following directories: mkdir unclass; mkdir secret; mkdir topsecret. Issue SAK. Use fsm to change the mandatory levels of the following directories: unclass sl1 il3, secret sl2 il3, topsecret sl3 il3. Login through OpenSSH at each network and try to create a file in each directory. Login through the TPE at each level and try to view the files created through the web browser. 4. TPE TESTING WITH FILES MODIFIED BY OPENSSH. Login at the console as the demo user at each network level (sl1 il3, sl2 il3, sl3 il3) and create a file in the respective directory under the public_html directory. Login throu
202. t keys il if key NULL continue switch key gt type case KEY RSA case KEY DSA if buffer len amp b gt 0 buffer append amp b 1 p key ssh name key buffer append amp b p strlen p break 119 buffer append amp b NO 1 p xstrdup buffer ptr amp b buffer free amp b debug list hostkey types s p return p Key get_hostkey_by_type int type inte for i 0 i lt options num host key files i Key key sensitive data host keys il if key NULL amp amp key gt type type return key return NULL Key get_hostkey_by_index int ind if ind lt 0 ind gt options num_host_key_files return NULL return sensitive data host keys ind int get hostkey index Key key int 1 for i 0 i lt options num host key files i if key sensitive data host keys i return i return 1 returns 1 if connection should be dropped 0 otherwise dropping starts at connection f4max startups begin with a probability of max startups rate 100 the probability increases linearly until all connections are dropped for startups max startups y static int drop connection int startups double p r if startups options max startups begin return 0 if startups gt options max startups return 1 if options max startups rate 100 120 return 1 p 100 opt
203. t modifying the OpenSSH source to directly implement the new method. All that OpenSSH has to provide is support for PAM. d. Modes of Operation. OpenSSH can run in one of two modes: with privilege separation and without privilege separation. Privilege separation will be discussed in a later section, but first the need for it will be discussed. When OpenSSH first appeared, it only provided secure remote login capabilities by encrypting the network traffic and providing numerous authentication methods. OpenSSH followed a standard client-server architecture: the server, known as a daemon, would listen for connections on a specific Internet Protocol (IP) address and port, and when a connection is received it would spawn a child to handle the requests of the client. Every client-server application is different, and each server may run as a specific user or a special user without login capabilities. In a few special cases the server needs to run as the root user because the server needs to execute some privileged commands. OpenSSH falls into this last category. The OpenSSH daemon and its child need to possess privileges so that all client requests, such as password authentication, can be serviced. In a Linux or UNIX environment, user identities and passwords are stored in two different files, passwd and shadow, in the /etc directory. The passwd file, which stores information such as user name, user id, real name, home direct
204. tal cleanup record_utmp_only pid s gt tty s pw pw name get_remote_name_or_ip utmp_len options use_dns struct sockaddr amp from fromlen endif This is called to fork and execute a command If another command is to be forced execute that instead void do exec Session s const char command if forced command original command command command forced commang debug Forced command 900s command ifdef GSSAPI if options gss_authentication temporarily use uid s pw ssh gssapi storecreds restore uid fendif if s ttyfd 1 do_exec_pty s command else 78 do exec no pty s command original command NULL administrative login 1 like work void do login Session s const char command char time_string socklen_t fromlen struct sockaddr storage from struct passwd pw s pw pid t pid getpid Get IP address of client If the connection is not a socket let the address be 0 0 0 0 memset amp from 0 sizeof from fromlen sizeof from if packet connection is on socket if getpeername packet get connection in struct sockaddr amp from amp fromlen 0 debug getpeername 100s strerror errno fatal cleanup Record that there was a login on that tty from the remote host if use privsep record login pid s gt tty pw pw name pw
205. tant requirement for remote logins is strong authentication. OpenSSH provides eight authentication mechanisms: none, public key, RhostsRSA, Rhosts, password, s/key, Kerberos and PAM. The first authentication method, none, does not perform any authentication. It allows a user to login assuming the user supplies a valid username. This method is built into OpenSSH and is part of the default mode of operation for OpenSSH. This method can be disabled by altering the OpenSSH daemon configuration to deny empty passwords. The public key authentication method works in the following way: the server issues a numerical challenge to the client. The client, acting on behalf of a user, must sign the challenge and send it back to the server. The server then uses the user's public key to verify the signature. If the signature can be verified, the user is authenticated. There are three types of keys used in OpenSSH: RSA, DSA and OpenPGP. RSA keys are used by the RSA cryptosystem, which was developed by Rivest, Shamir and Adleman [BAR01]. DSA, which stands for Digital Signature Algorithm, has keys similar to RSA keys, but this cryptosystem was developed by the U.S. National Security Agency and distributed by the U.S. National Institute of Standards and Technology through the Digital Signature Standard because of patent restrictions on the RSA cryptosystem [BAR01]. OpenPGP is the free version of PGP. PGP is the Pretty Good Privacy cryptosystem developed by Phil Zimm
206. tem group. The system group is reserved for the STOP kernel, and no user should ever have this group assigned as their default group. OpenSSH uses the /etc/passwd file to associate the supplied username with the appropriate user ID and the default group ID of the user when the user attempts to login. The user's default group is assigned by the system administrator when the user's account is created. The /etc/passwd file had to be modified to reflect the proper default group association for the users of the system. The modifications made were to the fourth field of every line in the /etc/passwd file. In order to make the modifications, the trusted command ua_edit was used to look up the default group for every user in the XTS-400. The /etc/shadow file is not present on the XTS-400. The functionality supported by the /etc/shadow file is replaced by two trusted databases on the XTS-400: the user access authorization database and the user access information database. The user access authorization database contains the following information: a password history list, a change password flag, a default group identifier, maximum mandatory session levels, default mandatory session levels, last login time, number of failed login attempts, time of last password change, and a list of user capabilities. The user access information database contains the username, the user's home directory and a default shell. This last database is simil
207. tgoing stream sizeof outgoing stream buffer put string amp m amp incoming stream sizeof incoming stream Network I O buffers buffer put string amp m buffer ptr amp input buffer len amp input buffer put string amp m buffer ptr amp output buffer len amp output MYSEA Change m recvfd to m childsendfd mm request send pmonitor m recvfd MONITOR REQ KEYEXPORT amp m debug3 s Finished sending state _ funo 2 buffer free amp m int mm_pty_allocate int ptyfd int ttyfd char namebuf int namebuflen Buffer m 163 char p int success 0 MYSEA add socket structures int sockfd length struct sockaddr un unix addr serv addr char path tmp buffer init amp m MYSEA Use Pipe instead of Socketpair Change m recvfd to m childsendfd mm request send pmonitor m recvfd MONITOR REQ PTY amp m MYSEA set up sockets but don t connect until after the message if sockfd socket AF LOCAL SOCK STREAM 0 lt 0 t printf Could not create child Socket sWMn strerror errno memset amp unix addr 0 sizeof unix_addr unix addr sun family AF LOCAL Set up child socket sprintf unix addr sun path s d path getpid unlink unix addr sun path Bind the child s socket Tf bind sockfd struct sockaddr amp unix addr sizeof unix addr lt 0 printf Could not
208. th ffective user id is not root this does nothing This call cannot be nested D void 147 temporarily use uid struct passwd pw MYSEA variable needed for privileged code xts_privilege_t old_priv Save the current euid and egroups ifdef SAVED_IDS_WORK_WITH_SETEUID saved_euid geteuid saved_egid getegid debug temporarily use uid u u e u u u int pw pw uid u int pw pw gid u int saved euid u_int saved_egid I MYSEA Change this to be the user the program will run as if saved euid 3 privileged 0 return else if geteuid 3 privileged 0 return endif SAVED IDS WORK WITH SETEUID privileged 1 temporarily use uid effective 1 saved egroupslen getgroups NGROUPS MAX saved egroups if saved egroupslen lt 0 fatal getgroups 100s strerror errno set and save the user s groups if user_groupslen 1 MYSEA initgroups is not implemented on the XTS 400 Comment out for now if initgroups pw 5pw name pw pw gid lt 0 fatal initgroups s 100s pw pw name strerror errno user_groupslen getgroups NGROUPS MAX user groups if user groupslen 0 fatal getgroups 100s strerror errno Set th ffective uid to the given unprivileged uid MYSEA PRIVILEGED CODE old_p
209. the levels. Use the change command in fsm to change the mandatory levels of the directories. Use the above tables to specify the correct mandatory level for each directory. Reattach to the default session level. For tests a25 and a29: Create a directory called slloss. Create a file with vi called test_slloss.txt in the slloss directory. Issue SAK. Type fsm. Use the change command in fsm to upgrade the level of the home directory to min oss. Now upgrade the slloss directory and the test_slloss.txt file to min oss. Only run tests a25 and a29 after the other MAC tests have been completed. Refer to Table 3 in Chapter IV to see what session level to login at through OpenSSH and what command to use on the file with the appropriate levels. For read operations use more followed by the filename. For write operations use vi followed by the filename; when trying to save do a normal :wq, do not override with an !. When this suite of tests is concluded, use fsm to change the levels of the slloss.txt file, the user's home directory and the slloss directory back to the default levels. This step must be followed before proceeding onto any other tests. 2. DAC POLICY ENFORCEMENT. Login at regular session level as the cherbig user. Create a directory called dactests. Issue SAK. Use fsm to change the mandatory levels of the dactests directory to sl1 il3. Login at sl1 il3 at the console. Create the following files with vi
210. this thesis. These were the only problems encountered regarding protected system files on the XTS-400 required by OpenSSH. The next problem presented is the daemon startup environment. 4. Environment. In an OpenBSD system, daemons are started by the init process, and this process creates all other processes in the system [STE93]. When a daemon is started, either by the init process or through a shell, an environment is created that includes the allocation of three file streams: STDIN, STDOUT and STDERR. These three streams are associated with the following file descriptors: 0, 1 and 2 respectively. OpenSSH expects these three streams and corresponding file descriptors. On the XTS-400, daemon processes are started from the start daemon command. This command does not allocate the three file streams expected by OpenSSH, so when OpenSSH starts to allocate files the file descriptor numbering starts at 0. When a user logs in through the OpenSSH daemon, a pseudo-terminal is requested and it is referenced by a file descriptor. If the file descriptor used to reference the pseudo-terminal is one of the three reserved file descriptors that OpenSSH assumes to be provided, then all I/O will be sent to the pseudo-terminal across the network connection. During the authentication and session setup sequence of a user login, specifically structured messages are sent between the client and the server. If all of the pseudo-terminal I/O is sent to the client, then the cli
211. ...trerror takes a single argument */
#ifdef HAVE_OLD_PAM
# define PAM_STRERROR(a,b) pam_strerror((b))
#else
# define PAM_STRERROR(a,b) pam_strerror((a),(b))
#endif

#ifdef PAM_SUN_CODEBASE
# define PAM_MSG_MEMBER(msg, n, member) ((*(msg))[(n)].member)
#else
# define PAM_MSG_MEMBER(msg, n, member) ((msg)[(n)]->member)
#endif

#if defined(BROKEN_GETADDRINFO) && defined(HAVE_GETADDRINFO)
# undef HAVE_GETADDRINFO
#endif
#if defined(BROKEN_GETADDRINFO) && defined(HAVE_FREEADDRINFO)
# undef HAVE_FREEADDRINFO
#endif
#if defined(BROKEN_GETADDRINFO) && defined(HAVE_GAI_STRERROR)
# undef HAVE_GAI_STRERROR
#endif

#if !defined(HAVE_MEMMOVE) && defined(HAVE_BCOPY)
# define memmove(s1, s2, n) bcopy((s2), (s1), (n))
#endif /* !defined(HAVE_MEMMOVE) && defined(HAVE_BCOPY) */

#if defined(HAVE_VHANGUP) && !defined(HAVE_DEV_PTMX)
# define USE_VHANGUP
#endif /* defined(HAVE_VHANGUP) && !defined(HAVE_DEV_PTMX) */

#ifndef GETPGRP_VOID
# define getpgrp() getpgrp(0)
#endif

/* OPENSSL_free() is Free() in versions before OpenSSL 0.9.6 */
#if !defined(OPENSSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x0090600f)
# define OPENSSL_free(x) Free(x)
#endif

#if !defined(HAVE___func__) && defined(HAVE___FUNCTION__)
#  define __func__ __FUNCTION__
#elif !defined(HAVE___func__)
#  define __func__ ""
#endif

#if defined(KRB5) && !defined(HEIMDAL)
#  define krb5_get_err_text(context,code) error_message(code)
#endif

/* Define this to use pipes inste
212. ...uid) < 0)
		fatal("setuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
#endif

	/* MYSEA: Drop the privileges now */
	set_priv(old_priv);

	/* Try restoration of GID if changed (test clearing of saved gid) */
	if (old_gid != pw->pw_gid &&
	    (setgid(old_gid) != -1 || setegid(old_gid) != -1))
		fatal("%s: was able to restore old [e]gid", __func__);

	/* Verify GID drop was successful */
	if (getgid() != pw->pw_gid || getegid() != pw->pw_gid) {
		fatal("%s: egid incorrect gid:%u egid:%u (should be %u)",
		    __func__, (u_int)getgid(), (u_int)getegid(),
		    (u_int)pw->pw_gid);
	}

#ifndef HAVE_CYGWIN
	/* Try restoration of UID if changed (test clearing of saved uid) */
	if (old_uid != pw->pw_uid &&
	    (setuid(old_uid) != -1 || seteuid(old_uid) != -1))
		fatal("%s: was able to restore old [e]uid", __func__);
#endif

	/* Verify UID drop was successful */
	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) {
		fatal("%s: euid incorrect uid:%u euid:%u (should be %u)",
		    __func__, (u_int)getuid(), (u_int)geteuid(),
		    (u_int)pw->pw_uid);
	}
}

E. MONITOR.C

/*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
 * Code for uid-swapping.
 *
 * As far as I am concerned, the code I have written for this software
 * can be used freely for any purpose.  Any derived versions of this
 * software must be clearly marked as such
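The self-check at the end of permanently_set_uid() above is the security-relevant part of the privilege drop: after the ids have been changed, the process tries to get the old ids back, and if any of those calls succeeds the saved ids were not cleared and the drop is not permanent. The following is an added example, not the thesis's or OpenSSH's code, that reimplements that check as a standalone routine on a plain POSIX system (no MYSEA priv_util calls, so there is no set_priv() step). The enum names, verify_privilege_drop and drop_privileges are this example's own; the uid/gid 65534 in main() is an assumed unprivileged account.

```c
/*
 * Added example: permanent privilege drop with the same restore-and-verify
 * tests that permanently_set_uid() performs.  Not thesis or OpenSSH code.
 */
#define _GNU_SOURCE
#include <sys/types.h>
#include <unistd.h>
#include <grp.h>

enum drop_result {
	DROP_OK = 0,
	DROP_CALL_FAILED,       /* setgroups/setgid/setuid refused; ids unchanged */
	DROP_GID_RESTORABLE,    /* old gid came back: saved gid was not cleared */
	DROP_GID_MISMATCH,      /* real or effective gid is not the target */
	DROP_UID_RESTORABLE,    /* old uid came back: saved uid was not cleared */
	DROP_UID_MISMATCH       /* real or effective uid is not the target */
};

/*
 * Verify that a drop from (old_uid, old_gid) to (uid, gid) cannot be undone.
 * Mirrors permanently_set_uid(): there, a successful restore is fatal().
 */
enum drop_result
verify_privilege_drop(uid_t old_uid, gid_t old_gid, uid_t uid, gid_t gid)
{
	if (old_gid != gid &&
	    (setgid(old_gid) != -1 || setegid(old_gid) != -1))
		return DROP_GID_RESTORABLE;
	if (getgid() != gid || getegid() != gid)
		return DROP_GID_MISMATCH;
	if (old_uid != uid &&
	    (setuid(old_uid) != -1 || seteuid(old_uid) != -1))
		return DROP_UID_RESTORABLE;
	if (getuid() != uid || geteuid() != uid)
		return DROP_UID_MISMATCH;
	return DROP_OK;
}

/* Drop to (uid, gid) for good, then run the verification. */
enum drop_result
drop_privileges(uid_t uid, gid_t gid)
{
	uid_t old_uid = getuid();
	gid_t old_gid = getgid();

	if (geteuid() == 0) {
		/* Groups, then gid, then uid: once uid is unprivileged the
		 * first two calls would be refused. */
		if (setgroups(1, &gid) == -1 || setgid(gid) == -1 ||
		    setuid(uid) == -1)
			return DROP_CALL_FAILED;
	}
	return verify_privilege_drop(old_uid, old_gid, uid, gid);
}

int main(void)
{
	/* As root, really drop to 65534 (assumed to be an unprivileged
	 * account); as an ordinary user, only the verification runs. */
	uid_t target = geteuid() == 0 ? (uid_t)65534 : getuid();
	gid_t tgroup = geteuid() == 0 ? (gid_t)65534 : getgid();
	return drop_privileges(target, tgroup) == DROP_OK ? 0 : 1;
}
```

Run as root, a result of DROP_UID_RESTORABLE is the case the thesis's test guards against: setuid() changed the effective id but left a saved id of 0 behind, which a later seteuid(0) could reclaim.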
213. ...__func__);
	/* MYSEA: Change m_recvfd to m_childrecvfd */
	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PWNAM, &m);

	if (buffer_get_char(&m) == 0) {
		buffer_free(&m);
		return (NULL);
	}
	pw = buffer_get_string(&m, &pwlen);
	if (pwlen != sizeof(struct passwd))
		fatal("%s: struct passwd size mismatch", __func__);
	pw->pw_name = buffer_get_string(&m, NULL);
	pw->pw_passwd = buffer_get_string(&m, NULL);
	pw->pw_gecos = buffer_get_string(&m, NULL);
#ifdef HAVE_PW_CLASS_IN_PASSWD
	pw->pw_class = buffer_get_string(&m, NULL);
#endif
	pw->pw_dir = buffer_get_string(&m, NULL);
	pw->pw_shell = buffer_get_string(&m, NULL);
	buffer_free(&m);

	return (pw);
}

char *
mm_auth2_read_banner(void)
{
	Buffer m;
	char *banner;

	debug3("%s entering", __func__);

	buffer_init(&m);
	/* MYSEA: Change m_recvfd to m_childsendfd */
	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTH2_READ_BANNER, &m);
	buffer_clear(&m);

	/* MYSEA: Change m_recvfd to m_childrecvfd */
	mm_request_receive_expect(pmonitor->m_recvfd,
	    MONITOR_ANS_AUTH2_READ_BANNER, &m);
	banner = buffer_get_string(&m, NULL);
	buffer_free(&m);

	return (banner);
}

/* Inform the privileged process about service and style */

void
mm_inform_authserv(char *service, char *style)
{
	Buffer m;
214. ...ure remote logins for users from different single-level networks. The XTS-400 does not provide such a capability. The XTS-400 provides a Linux Binary Compatible Interface that allows Linux programs to run on the XTS-400 with little or no modification [DIG03b]. This study includes source code modifications and a series of developmental tests used to demonstrate that OpenSSH provides a remote shell to the user and that the security policies enforced on the XTS-400 are still enforced through OpenSSH. The organization of this study will now be discussed.

C. ORGANIZATION OF PAPER
This paper is organized as follows. Chapter I provides the purpose, motivation and organization of this study. Chapter II provides background information on the MYSEA project, OpenSSH, the differences between OpenBSD and the XTS-400, and the software packages required by OpenSSH to function properly. Chapter III covers the goals of this study, the methodology used to port OpenSSH, and the modifications made to the source code of OpenSSH. Chapter IV describes the types of testing required for a software port and provides the test plans and the results for each type of test in the context of this study. Chapter V provides a summary of this study, the lessons learned from it, and future work that can extend it.

II. BACKGROUND
This chapter provides background information relating to this project. The first section discusses the MYSEA project and provides an overview of
215. ...used freely for any purpose.  Any derived versions of this
 * software must be clearly marked as such, and if the derived work is
 * incompatible with the protocol description in the RFC file, it must be
 * called by a name other than "ssh" or "Secure Shell".
 */

#include "includes.h"
RCSID("$OpenBSD: uidswap.c,v 1.24 2003/05/29 16:58:45 deraadt Exp $");

#include "log.h"
#include "uidswap.h"

/*
 * MYSEA: Need to include extra headers to make the daemon privileged to
 * change the user and group ids of the processes.
 */
#include </usr/local/mysea/include/priv_util.h>
#include </usr/local/mysea/include/util.h>
#include <xts/types.h>

/*
 * Note: all these functions must work in all of the following cases:
 *    1. euid=0, ruid=0
 *    2. euid=0, ruid!=0
 *    3. euid!=0, ruid!=0
 * Additionally, they must work regardless of whether the system has
 * POSIX saved uids or not.
 */

#if defined(_POSIX_SAVED_IDS) && !defined(BROKEN_SAVED_UIDS)
/* Lets assume that posix saved ids also work with seteuid, even though
   that is not part of the posix specification. */
#define SAVED_IDS_WORK_WITH_SETEUID
/* Saved effective uid. */
static uid_t	saved_euid = 0;
static gid_t	saved_egid = 0;
#endif

/* Saved effective uid. */
static int	privileged = 0;
static int	temporarily_use_uid_effective = 0;
static gid_t	saved_egroups[NGROUPS_MAX], user_groups[NGROUPS_MAX];
static
216. ...wable through the web browser, and a result of No means that the file could not be displayed. This test suite uses the MYSEA web server's ability to navigate and display pages from the user's home directory. In order to do this a special directory, public_html, had to be created under the user's home directory. This directory must have the same levels as the user's home directory, and the permissions must be read, write and execute for the owner and read and execute for the group and world. Within the public_html directory there must be three more directories, one for each network classification. The levels of these three directories must be set appropriately using fsm. This will allow OpenSSH to create and modify files as long as the files are within these directories. A diagram of the proposed file system structure is presented in Figure 2; in the diagram the levels of the required directories are also listed. The objects used in this test are text files which can be viewed through a web browser.

Table 6. TPE Viewing Capability Test for OpenSSH Created Files

Test   TPE Login Level   Object Level   Viewable (Expected Result)
c1     sl1 il3           sl1 il3        Yes
c2     sl1 il3           sl2 il3        No
c3     sl1 il3           sl3 il3        No
c4     sl2 il3           sl1 il3        Yes
c5     sl2 il3           sl2 il3        Yes
c6     sl2 il3           sl3 il3        No
c7     sl3 il3           sl1 il3        Yes
c8     sl3 il3           sl2 il3        Yes
c9     sl3 il3           sl3 il3        Yes

[Figure 2: proposed file system structure; the directories shown include /bin, /etc, /dev, /home, /usr, /xts and the cherbig user's home directory]
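The Yes/No column of Table 6 is not arbitrary: it follows from the mandatory read rule once the login level and the object level are compared. The following is an added example, not part of the thesis, that derives the expected results from the rule and checks them against the transcribed table. It assumes the standard rule that a subject may read an object when the subject's secrecy level dominates the object's (Bell-LaPadula simple security) and the object's integrity level dominates the subject's (Biba); the XTS-400's own rule table is in the thesis's Chapter IV, Table 3, which this excerpt does not contain. The struct and function names are this example's own.

```c
/*
 * Added example: derive the "viewable" column of Table 6 from the
 * mandatory read rule.  Not part of the thesis.  Rule is an assumption
 * (see text): read iff subject.sl >= object.sl and object.il >= subject.il.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* A mandatory level as the thesis writes it: secrecy slN, integrity ilN. */
struct mac_level {
	int sl;		/* secrecy level, 1 for sl1 */
	int il;		/* integrity level, 3 for il3 */
};

/* Both comparisons are needed; Table 6 only exercises secrecy because
 * every row is at il3, but a lower-integrity object is still unreadable. */
bool mac_can_read(struct mac_level subject, struct mac_level object)
{
	return subject.sl >= object.sl && object.il >= subject.il;
}

struct tpe_case {
	const char *id;
	struct mac_level login;		/* TPE login level */
	struct mac_level object;	/* level of the file created over OpenSSH */
	bool viewable;			/* expected result from Table 6 */
};

/* Rows of Table 6 as transcribed from the thesis. */
static const struct tpe_case table6[] = {
	{ "c1", { 1, 3 }, { 1, 3 }, true  },
	{ "c2", { 1, 3 }, { 2, 3 }, false },
	{ "c3", { 1, 3 }, { 3, 3 }, false },
	{ "c4", { 2, 3 }, { 1, 3 }, true  },
	{ "c5", { 2, 3 }, { 2, 3 }, true  },
	{ "c6", { 2, 3 }, { 3, 3 }, false },
	{ "c7", { 3, 3 }, { 1, 3 }, true  },
	{ "c8", { 3, 3 }, { 2, 3 }, true  },
	{ "c9", { 3, 3 }, { 3, 3 }, true  },
};

/* Number of Table 6 rows whose expected result the rule fails to reproduce. */
int table6_mismatches(void)
{
	int bad = 0;

	for (size_t i = 0; i < sizeof(table6) / sizeof(table6[0]); i++) {
		bool derived = mac_can_read(table6[i].login, table6[i].object);
		if (derived != table6[i].viewable) {
			printf("%s: rule says %s, table says %s\n", table6[i].id,
			    derived ? "Yes" : "No",
			    table6[i].viewable ? "Yes" : "No");
			bad++;
		}
	}
	return bad;
}

int main(void)
{
	int bad = table6_mismatches();
	printf("Table 6 rows not explained by the read rule: %d\n", bad);
	return bad == 0 ? 0 : 1;
}
```

A test run that produced a Yes where mac_can_read() returns false (for instance a file at sl3 displayed at an sl2 login) would mean the web server, not OpenSSH, had bypassed the mandatory policy, which is exactly what this suite is designed to surface.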
217. ...warding not permitted.");
				break;
			}
			debug("Received TCP/IP port forwarding request.");
			channel_input_port_forward_request(s->pw->pw_uid == 0,
			    options.gateway_ports);
			success = 1;
			break;

		case SSH_CMSG_MAX_PACKET_SIZE:
			if (packet_set_maxsize(packet_get_int()) > 0)
				success = 1;
			break;

		case SSH_CMSG_EXEC_SHELL:
		case SSH_CMSG_EXEC_CMD:
			if (type == SSH_CMSG_EXEC_CMD) {
				command = packet_get_string(&dlen);
				debug("Exec command '%.500s'", command);
				do_exec(s, command);
				xfree(command);
			} else {
				do_exec(s, NULL);
			}
			packet_check_eom();
			debug("Calling Session Close");
			session_close(s);
			debug("Returned from Session Close, called from do_authenticated1");
			return;

		default:
			/*
			 * Any unknown messages in this phase are ignored,
			 * and a failure message is returned.
			 */
			logit("Unknown packet type received after authentication: %d", type);
		}
		packet_start(success ? SSH_SMSG_SUCCESS : SSH_SMSG_FAILURE);
		packet_send();
		packet_write_wait();

		/* Enable compression now that we have replied if appropriate. */
		if (enable_compression_after_reply) {
			enable_compression_after_reply = 0;
			packet_start_compression(compression_level);
		}
	}
}

/*
 * This is called to fork and execute a command when we have no tty.  This
 * will call do_child from the child, and server_loop from the parent after
 * setting up file descriptors and such.
 */
void
do
218. ...x for rekeying */
	mm_send_kex(&m, *pmonitor->m_pkex);

	debug3("%s: Sending new keys: %p %p",
	    __func__, newkeys[MODE_OUT], newkeys[MODE_IN]);

	/* Keys from Kex */
	if (!mm_newkeys_to_blob(MODE_OUT, &blob, &bloblen))
		fatal("%s: conversion of newkeys failed", __func__);

	buffer_put_string(&m, blob, bloblen);
	xfree(blob);

	if (!mm_newkeys_to_blob(MODE_IN, &blob, &bloblen))
		fatal("%s: conversion of newkeys failed", __func__);

	buffer_put_string(&m, blob, bloblen);
	xfree(blob);

	packet_get_state(MODE_OUT, &seqnr, &blocks, &packets);
	buffer_put_int(&m, seqnr);
	buffer_put_int64(&m, blocks);
	buffer_put_int(&m, packets);
	packet_get_state(MODE_IN, &seqnr, &blocks, &packets);
	buffer_put_int(&m, seqnr);
	buffer_put_int64(&m, blocks);
	buffer_put_int(&m, packets);

	debug3("%s: New keys have been sent", __func__);

	/* More key context */
	plen = packet_get_keycontext(MODE_OUT, NULL);
	p = xmalloc(plen+1);
	packet_get_keycontext(MODE_OUT, p);
	buffer_put_string(&m, p, plen);
	xfree(p);

	plen = packet_get_keycontext(MODE_IN, NULL);
	p = xmalloc(plen+1);
	packet_get_keycontext(MODE_IN, p);
	buffer_put_string(&m, p, plen);
	xfree(p);

	/* Compression state */
	debug3("%s: Sending compression state", __func__);
	buffer_put_string(&m, &ou
219. ...y if they create them, and there is no need to carry around a file holding keys. The drawback to passwords is usually that if people generate their own, they are often easy to guess. In the case that the user is not allowed to generate their own password, the user may not remember it as easily and will write it down, which could lead to the compromise of their account. S/Key is a form of one-time password, challenge-response authentication. The server issues a challenge in the form of a string of characters, and the user either enters the string into a device that provides the response, which the user then enters on the command line and sends to the server, or the user carries a list of pre-calculated passwords and provides the appropriate response to the server from the list. Use of this authentication mechanism requires extra technology and devices. Kerberos is an authentication method where the user authenticates to a server and receives a ticket that grants access to other servers, as long as those servers have been configured to use and accept Kerberos tickets. This mechanism requires the installation and maintenance of a Kerberos server. OpenSSH also provides compatibility with the Pluggable Authentication Modules (PAM) developed by Sun Microsystems. According to [BAR01], PAM is an infrastructure for supporting multiple authentication methods. This allows other authentication methods to be developed and used withou
220. ...y stored in the authorized_keys2 file. Attempt to login with an invalid username. Choose any key file, but make sure that the user does not exist on the system.

8. MISCELLANEOUS TESTS
Login at the console as admin. Set levels to max:max. Type ua edit. Add a user to the system. Edit the /etc/passwd file to include the user's username, user ID, group ID, home directory and shell. Before creating a home directory, try logging in through OpenSSH. This attempt should fail. After creating the directory and installing the authorized_keys2 file, use fsm to revoke all permissions on the home directory. Try logging in through OpenSSH. This attempt should fail. Use fsm to restore the permissions on the home directory. Use the change command in fsm to set the secrecy level of the home directory to sl2. Change the levels of the following files and directories in the following order: authorized_keys2, id_dsa, id_dsa.pub, .ssh, then the home directory. Try logging in through OpenSSH. This attempt should fail.

LIST OF REFERENCES
[BAR01] Barrett, D. J., & Silverman, R. E. (2001). SSH, The Secure Shell. Sebastopol, CA: O'Reilly.
[BEL76] Bell, D. E., & La Padula, L. J. (1976). Secure Computer System: Unified Exposition and Multics Interpretation. ESD-TR-75-306, Mitre Corporati
[BIB77] [DIG04] [DIG03a] [DIG03b] [DIG03c] [IRV04] [LAM74] [SSH04] [SSL04]