https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231172
Bug ID: 231172
Summary: ssh login fails if server is set sysctl kern.trap_enotcap=1
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: b...@freebsd.org
Reporter: naito.yuich...@gmail.com

Created attachment 196883
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=196883&action=edit
sshd.patch

Problem
-------
While I was debugging my program, which runs in capability mode on a remote machine, I set sysctl kern.trap_enotcap=1 to make my kernel trigger SIGTRAP when a capability violation occurs. If I quit the ssh session by accident, I can never ssh login again.

Reason
------
Sshd uses login_getpwclass(3) for authentication, but it is not allowed in capability mode because it accesses '/etc/login.conf' and '${HOME}/.login.conf'. The authentication failure causes the ssh session to close. Please note that this is not a security problem.

Sshd calls login_getpwclass(3) several times. One of these calls is sandboxed and fails in capability mode. And sshd calls auth_timeok(3) after login_getpwclass(3). In auth_timeok(3), localtime(3) is called and it opens '/etc/localtime'. This is not allowed either.

Reproduce
---------
1. stop sshd
   # service sshd stop
2. set kern.trap_enotcap=1
   # sysctl kern.trap_enotcap=1
3. truss sshd
   # truss -f -o /tmp/sshd.log /usr/sbin/sshd -D
4. ssh login
   $ ssh localhost
5. check the logfile
   $ grep 'capability' /tmp/sshd.log
   6637: lstat("/etc/login.conf",0x7fffffffd850) ERR#94 'Not permitted in capability mode'

Workaround
----------
Apply the attached `sshd.patch` and rebuild sshd. This patch adds a wrapper function for login_getpwclass(3), and fixes the sandboxed process to call this function.

Question
--------
I know sshd is contributed software from the OpenSSH project. And it seems the FreeBSD project applies specific patches to sshd. Is my code part of the FreeBSD-specific patches? If so, please review my code.
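The report finds the offending file access by grepping the truss(1) log for ERR#94 ('Not permitted in capability mode'). The following is an added example, not code from the report or from FreeBSD/OpenSSH: a small parser for that truss -f line format that collects every ENOTCAPABLE failure per pid and lists the paths a sandboxed process tried to reach, which is what a developer needs to know to pre-fetch or pre-open them before cap_enter(). The sample log is constructed; only its first line is the one quoted in the report, the others are made up in the same format.

```python
import re
from collections import defaultdict

# truss(1) -f prefixes each line with the pid; a failing syscall ends in
# ERR#<errno> '<strerror text>'. ERR#94 is ENOTCAPABLE on FreeBSD, the error
# a process in capability mode gets for a call the sandbox does not permit.
ENOTCAPABLE = 94

LINE_RE = re.compile(
    r"^(?P<pid>\d+):\s+(?P<syscall>\w+)\((?P<args>.*)\)\s+"
    r"ERR#(?P<errno>\d+)\s+'(?P<msg>[^']*)'\s*$"
)
PATH_RE = re.compile(r'"([^"]*)"')  # first quoted argument is the path, if any

def parse_capability_violations(log_text):
    """Return {pid: [(syscall, path_or_None), ...]} for every ENOTCAPABLE failure."""
    violations = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m.group("errno")) != ENOTCAPABLE:
            continue  # successful call, or a failure unrelated to capability mode
        paths = PATH_RE.findall(m.group("args"))
        violations[int(m.group("pid"))].append(
            (m.group("syscall"), paths[0] if paths else None))
    return dict(violations)

def files_needed_before_sandbox(log_text):
    """Sorted, de-duplicated paths the sandboxed process tried to reach."""
    return sorted({path for entries in parse_capability_violations(log_text).values()
                   for _, path in entries if path})

# Constructed sample log (hypothetical pids): line 1 is the one from the report;
# line 2 mimics what auth_timeok(3)/localtime(3) opening /etc/localtime would
# look like; the rest are a successful call and a non-capability error.
SAMPLE_LOG = """\
6637: lstat("/etc/login.conf",0x7fffffffd850) ERR#94 'Not permitted in capability mode'
6637: open("/etc/localtime",O_RDONLY,00) ERR#94 'Not permitted in capability mode'
6637: getpid() = 6637 (0x19ed)
6636: open("/var/run/sshd.pid",O_WRONLY|O_CREAT|O_TRUNC,0644) = 4 (0x4)
6637: open("/nonexistent",O_RDONLY,00) ERR#2 'No such file or directory'
"""

if __name__ == "__main__":
    for pid, entries in parse_capability_violations(SAMPLE_LOG).items():
        for syscall, path in entries:
            print(f"pid {pid}: {syscall} on {path or '?'} not permitted in capability mode")
    print("fetch or open before cap_enter():", files_needed_before_sandbox(SAMPLE_LOG))
```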
freebsd-bugs@freebsd.org mailing list: https://lists.freebsd.org/mailman/listinfo/freebsd-bugs