Contributed by rueda on from the sshd-mk-thngs-hrdr dept.
As with library order randomisation (libc.so/libcrypto/ld.so) at boot and kernel relinking at boot, boot-time relinking of sshd(8) is now implemented in -current. Theo de Raadt committed the changes:
CVSROOT:	/cvs
Module name:	src
Changes by:	deraadt@cvs.openbsd.org	2023/01/18 13:43:15

Modified files:
	usr.bin/ssh/sshd: Makefile

Log message:
Create and install sshd random relink kit.

../Makefile.inc and Makefile are concatenated for reuse, which hopefully won't be too fragile, we'll see if we need a different approach.

The resulting sshd binary is tested with the new sshd -V option before installation.

As the binary layout is now semi-unknown (meaning relative, fixed, and gadget offsets are not precisely known), change the filesystem permissions to 511 to prevent what I call "logged in BROP".

I have ideas for improving this further but this is a first step
ok djm
CVSROOT:	/cvs
Module name:	src
Changes by:	deraadt@cvs.openbsd.org	2023/01/18 13:44:40

Modified files:
	etc: rc

Log message:
process the sshd random-relink kit if it is found.
sshd's text segment is now garbled, and in the future xonly universe you'll have poor success downloading it or libc to know where gadgets are.
ok djm
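As an added illustration, not the OpenBSD rc script or the relink kit itself, the POSIX sh sketch below shows the gate the first commit message describes: run the candidate binary's -V self-test, refuse a relink that produced a byte-identical binary (nothing was randomised), and install it with mode 0511 so unprivileged logins cannot read the text segment. The helper names install_relinked and mode_is_0511 are hypothetical.

```shell
#!/bin/sh
# Illustrative gate for a boot-time relinked daemon (not OpenBSD's rc or kit code).
# Accept the candidate only if it passes a self-test, differs from the installed
# copy, and lands execute-only for everyone but root (mode 0511).

# install_relinked CANDIDATE INSTALLED
# returns: 0 installed, 1 self-test failed, 2 layout unchanged, 3 install failed
install_relinked() {
    candidate=$1
    installed=$2

    # 1. The freshly linked binary must run its version check (sshd -V in the kit)
    #    before it is allowed to replace the working one.
    if ! "$candidate" -V >/dev/null 2>&1; then
        echo "self-test failed, keeping existing $installed" >&2
        return 1
    fi

    # 2. A relink that produced a byte-identical file did not randomise anything;
    #    treat that as a failure worth noticing rather than silently installing.
    if [ -e "$installed" ] && cmp -s "$candidate" "$installed"; then
        echo "relinked binary identical to installed one; layout not randomised" >&2
        return 2
    fi

    # 3. Install with 0511: owner r-x, group/other --x. A logged-in user can
    #    still execute it but cannot read it to recover gadget offsets.
    install -m 0511 "$candidate" "$installed" || return 3
    return 0
}

# mode_is_0511 PATH: post-install check that only the owner can read the file.
# Uses the first ten characters of ls -l so it works on both BSD and GNU ls.
mode_is_0511() {
    case $(ls -l "$1" | cut -c1-10) in
        -r-x--x--x) return 0 ;;
        *)          return 1 ;;
    esac
}
```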
Please test aggressively.
We look forward to the next steps hinted at in the first of these commit messages.
If this works out, there are indications that other early-boot network daemons will get similar treatment sooner rather than later.