Slashdot Mirror

← Back to Stories (view on slashdot.org)

Separating OpenSSH's Privileges For Safety

Posted by timothy on from the making-a-list-checking-it-twice dept.

Niels Provos writes: "Even though I should be working on my disseration proposal right now, I got side tracked with a little project. Markus and I have been working on a 'Privilege Separated OpenSSH.' The basic idea is that OpenSSH starts two processes, one privileged and one unprivileged. The unprivileged process deals with all the network data processing, while the privileged process monitors and decides if authentication was successful. This reduces the impact that bugs in for example third party libraries can have on OpenSSH. We hope that any privilege escalation will not be possible any more in the future." This privilege separation should show up in future versions of OpenSSH, including the portable version.

1 of 16 comments (clear)

  1. what would be cool... by Polo · · Score: 3, Interesting

    I tink it would be cool to have a version of sshd that would ONLY allow secure file transfer.

    I've done some porting work with ssh 2 and the protocol supports several types of "channels". Many of them deal with login and remote execution: "shell", "pty-req" and "exec".

    However, when you run scp or sftp (included with ssh2), the daemon uses ssh to invokes a "subsystem" channel request, with the subsystem of "sftp". (At least with versionn2 of the protocol, I don't think this happens with ssh version 1). This usually starts a daemon sub-process /usr/local/bin/sftp-server and channels all the session stuff to it.

    It would be cool if this was the only function available, and that the sftp directory was chosen on the fly per-user and chroot'd or something so that only a subset of files was available somehow. This would allow you to have a bunch of secure directories for your friends, or even anonymous sftp, without having to let people log into your machine.