On Mon, 6 Oct 2008, Nicolas Williams wrote:
>sshd does fork() once after first beginning to use PKCS#11 (through
>OpenSSL) to create the monitor process (immediate child of the sshd
>master listener, but parent in this fork()) and the daemon that actually
>does most of the SSHv2 work (the child in this case). The child runs
>as the logged-in user, and with little privilege. So as long as PKCS#11
>drops access to open devices then all should be fine.
>
>Now, PKCS#11 is not fork-safe, and libpkcs11 does do the equivalent of
>C_Finalize() on the child side of any fork(), so technically sshd should
>definitely lose access to devices that are not accessible to the
>logged-in user.
>
>BUT, Jan changed recently how this works. Specifically, now the child is
>fork()ed sooner and runs with privilege longer, then drops privilege.
>So we may actually have a problem.
Nico, I'm not sure I follow here. Are we talking about a possible situation where sshd uses the smartcard? It doesn't make too much sense to me to have its server side private key there, and the server doesn't need any user's private key.

J.

-- 
Jan Pechanec
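The fork-safety behaviour Nico describes above, as an added example that is not part of this thread and is not OpenSSH or libpkcs11 code: a mock token provider registers a child-side pthread_atfork() handler that does the equivalent of C_Finalize(), so the process that will later drop privilege no longer holds the device open. The names mock_C_Initialize, mock_C_Finalize, token_usable and child_token_usable_after_fork are hypothetical, and a pipe end stands in for the device descriptor (a constructed stand-in, not a real device). The child-hook flag exists only so the example can show both outcomes; a real provider would finalize unconditionally. On glibc older than 2.34, link with -lpthread.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mock token state. In a real PKCS#11 provider this would be the open
 * device descriptor(s) and session table; here one end of a pipe stands
 * in for the device (constructed stand-in, not a real device node). */
static int token_fd = -1;
static int token_initialized = 0;

/* Hypothetical analogue of C_Initialize(): "opens the device". */
static int mock_C_Initialize(void)
{
    int fds[2];
    if (token_initialized)
        return 0;
    if (pipe(fds) != 0)
        return -1;
    close(fds[1]);
    token_fd = fds[0];
    token_initialized = 1;
    return 0;
}

/* Hypothetical analogue of C_Finalize(): closes the device. */
static void mock_C_Finalize(void)
{
    if (!token_initialized)
        return;
    close(token_fd);
    token_fd = -1;
    token_initialized = 0;
}

/* Whether the calling process can still reach the token. */
int token_usable(void)
{
    return token_initialized && token_fd >= 0;
}

/* Child-side fork handler. The flag only lets the example show both
 * behaviours; a real provider would finalize unconditionally. */
static int child_hook_enabled = 0;

static void child_after_fork(void)
{
    if (child_hook_enabled)
        mock_C_Finalize();
}

static int install_fork_hook(void)
{
    static int installed = 0;
    if (installed)
        return 0;
    if (pthread_atfork(NULL, NULL, child_after_fork) != 0)
        return -1;
    installed = 1;
    return 0;
}

/* Initialize the token, fork, and report whether the child (the process
 * that will later drop privilege) still has the token open.
 * Returns 1 if the child could use it, 0 if not, -1 on error. */
int child_token_usable_after_fork(int finalize_in_child)
{
    int result_pipe[2];
    unsigned char usable = 2;
    ssize_t n;
    pid_t pid;
    int status;

    if (install_fork_hook() != 0 || mock_C_Initialize() != 0)
        return -1;
    if (pipe(result_pipe) != 0)
        return -1;

    child_hook_enabled = finalize_in_child;
    pid = fork();
    if (pid < 0) {
        close(result_pipe[0]);
        close(result_pipe[1]);
        return -1;
    }
    if (pid == 0) {
        /* Child: the atfork child handler has already run here. */
        usable = (unsigned char)token_usable();
        (void)write(result_pipe[1], &usable, 1);
        _exit(0);
    }
    close(result_pipe[1]);
    n = read(result_pipe[0], &usable, 1);
    close(result_pipe[0]);
    waitpid(pid, &status, 0);
    mock_C_Finalize();   /* parent keeps nothing open between runs */
    return n == 1 ? (int)usable : -1;
}

int main(void)
{
    printf("finalize in child: usable=%d\n", child_token_usable_after_fork(1));
    printf("no finalize:       usable=%d\n", child_token_usable_after_fork(0));
    return 0;
}
```

The check a reviewer would apply to the reordered sshd is the second case: if the child is forked before the provider finalizes, or keeps using the provider while still privileged and only then drops privilege, the unprivileged process still reports the token as usable.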