OpenBSD Journal

sshd(8) splitting continues

Contributed by rueda on from the puffy-does-the-splits-again dept.

The work of improving ssh security by segregating functionality into separate binaries continues, this time by introducing sshd-auth as a separate binary.

The commit message summarizes why this makes sense:

Splitting this code into a separate binary ensures that the crucial
pre-authentication attack surface has an entirely disjoint address
space from the code used for the rest of the connection. It also
yields a small runtime memory saving as the authentication code will
be unloaded after the authentication phase completes.

The code is in snapshots as we type.

Read the whole thing after the fold -

With the following commit, Damien Miller (djm@) continued the process of splitting sshd(8) into multiple binaries:

CVSROOT:	/cvs
Module name:	src
Changes by:	djm@cvs.openbsd.org	2024/10/13 19:57:50

Modified files:
	usr.bin/ssh    : Makefile Makefile.inc log.c monitor.c monitor.h 
	                 monitor_wrap.c monitor_wrap.h pathnames.h 
	                 sandbox-pledge.c sandbox-rlimit.c servconf.c 
	                 servconf.h session.c ssh-sandbox.h 
	                 sshd-session.c sshd.c 
	usr.bin/ssh/sshd-session: Makefile 
Added files:
	usr.bin/ssh    : sshd-auth.c 
	usr.bin/ssh/sshd-auth: Makefile 

Log message:
Split per-connection sshd-session binary

This splits the user authentication code from the sshd-session
binary into a separate sshd-auth binary. This will be executed by
sshd-session to complete the user authentication phase of the
protocol only.

Splitting this code into a separate binary ensures that the crucial
pre-authentication attack surface has an entirely disjoint address
space from the code used for the rest of the connection. It also
yields a small runtime memory saving as the authentication code will
be unloaded after the authentication phase completes.

Joint work with markus@ feedback deraadt@

Tested in snaps since last week

Like sshd(8), sshd-session, and ssh-agent(1), sshd-auth gets randomly relinked at boot.

(We reported earlier on the initial split.)


Comments
  1. By Jurjen Oskam (joskam) jurjen@osk.am on

    This takes me back to the qmail days, the more things change...
