I propose to relink sshd on every boot, before it gets started.

This is like kernel, libc.so, libcrypto, and ld.so relinking.

The sshd design self-protects itself quite well, but this kind of
address space secrecy is still a good addition.

Since the sshd binary becomes unique on every OpenBSD machine, we
can also block a logged-in user from inspecting it and then using
that information as part of a remote attack; hence mode 511.

I am surprised how this turned out.  This could easily be done with
a few other important daemons or tools.

Index: usr.bin/ssh/sshd/Makefile
===================================================================
RCS file: /cvs/src/usr.bin/ssh/sshd/Makefile,v
retrieving revision 1.106
diff -u -p -u -r1.106 Makefile
--- usr.bin/ssh/sshd/Makefile   27 May 2022 05:02:46 -0000      1.106
+++ usr.bin/ssh/sshd/Makefile   16 Jan 2023 15:29:01 -0000
@@ -14,6 +14,7 @@ SRCS+=        ${SRCS_BASE} ${SRCS_KEX} ${SRCS_K
        ${SRCS_SK_CLIENT}
 
 PROG=  sshd
+BINMODE=511
 BINDIR=        /usr/sbin
 MAN=   sshd.8 sshd_config.5
 
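Review bot: `BINMODE=511` is added without a comment, and the reason for an execute-only mode is not obvious from the Makefile alone. A line such as `# not readable by non-root: the relinked layout is unique per machine` above it would record the intent. Note that the same value is reused by the `relink` target's `install -m ${BINMODE}`, so the two stay in step only as long as both keep referring to this variable.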
@@ -46,3 +47,22 @@ DPADD+=      ${LIBUTIL}
 LDADD+=        -lz
 DPADD+=        ${LIBZ}
 .endif
+
+# The relink kit, used on OpenBSD by /etc/rc
+
+Makefile.relink: ${.CURDIR}/../Makefile.inc ${.CURDIR}/Makefile
+       # XXX assume a concatenation of these is OK
+       cat ${.CURDIR}/../Makefile.inc ${.CURDIR}/Makefile > Makefile.relink
+
+sshd.tar: ${OBJS} Makefile.relink
+       tar cf $@ ${OBJS} Makefile.relink
+
+afterinstall: sshd.tar
+       install -d -o root -g wheel -m 755 \
+           ${DESTDIR}/usr/share/relink/usr/sbin/sshd
+       install -o ${BINOWN} -g ${BINGRP} -m 640 \
+           sshd.tar ${DESTDIR}/usr/share/relink/usr/sbin/sshd/sshd.tar
+
+relink:
+       cc -o sshd `echo ${OBJS} | tr ' ' '\n' | sort -R` ${LDADD}
+       ./sshd -t && install -o root -g wheel -m ${BINMODE} sshd /usr/sbin/sshd
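Review bot: The `relink` recipe hard-codes `cc` and links with only `${LDADD}`, so whatever `${CC}` and `${LDFLAGS}` the regular build applies may not reach the binary that ends up in /usr/sbin/sshd. Consider `${CC} ${LDFLAGS} -o sshd ...` so the relinked sshd keeps the same link-time settings as the shipped one. The install is gated on `./sshd -t`, which also checks the machine's sshd_config and host keys, so a host with a broken configuration (or, presumably, no host keys yet on first boot) keeps the old binary and reports a failure; a comment stating that this is intended would help. The `# XXX` on Makefile.relink should say what could go wrong with the concatenation rather than only that it is assumed to be OK.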
Index: etc/rc
===================================================================
RCS file: /cvs/src/etc/rc,v
retrieving revision 1.568
diff -u -p -u -r1.568 rc
--- etc/rc      28 Dec 2022 09:53:33 -0000      1.568
+++ etc/rc      16 Jan 2023 07:59:15 -0000
@@ -188,7 +188,7 @@ reorder_libs() {
                fi
        done
 
-       echo 'reordering libraries:'
+       echo 'reordering:'
 
        # Remount the (read-only) filesystems in _ro_list as read-write.
        for _mp in $_ro_list; do
@@ -237,6 +237,19 @@ reorder_libs() {
                ) || { _error=true; break; }
        done
 
+       for _bin in $_relink/usr/sbin/sshd; do
+               _tmpdir=$(mktemp -dq $_relink/_rebuild.XXXXXXXXXXXX) &&
+               (
+               set -o errexit
+               cd $_tmpdir
+               _binn=${_bin##*/}
+               _bint=${_bin}/${_binn}.tar
+               echo " $_binn"
+               tar xf $_bint
+               make -f Makefile.relink relink >/dev/null
+               ) || { _error=true; break; }
+       done
+               
        rm -rf $_relink/_rebuild.*
 
        # Restore previous mount state if it was changed.
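Review bot: The new loop never checks that the kit exists before extracting it, so on a system without `$_bin/sshd.tar` the `tar xf` fails and the whole reorder step is flagged through `_error=true`. A guard such as `[[ -f $_bin/${_bin##*/}.tar ]] || continue` before the `mktemp` call would skip cleanly. This step runs `make` as root on a Makefile taken from the tarball, so a comment recording that the kit must stay writable by root only (the Makefile change installs it mode 640 under a root-owned directory) would document the trust assumption. `$_tmpdir` and `$_bint` are expanded unquoted, and the added line after `done` contains only whitespace. reorder_libs() begins and ends outside the hunk.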
