Template Version: @(#)onepager.txt 1.35 07/11/07 SMI Copyright 2007 Sun Microsystems
1. Introduction
    1.1. Project/Component Working Name:
        Extension of SSHD to allow public keys to be provided by
        executables
    1.2. Name of Document Author/Supplier:
        Erik Trauschke
    1.3. Date of This Document:
        11/06/2009
        1.3.1. Date this project was conceived:
            04/2009
    1.4. Name of Major Document Customer(s)/Consumer(s):
        1.4.1. The PAC or CPT you expect to review your project:
            Solaris PAC
        1.4.2. The ARC(s) you expect to review your project:
            PSARC
        1.4.3. The Director/VP who is "Sponsoring" this project:
            Vincent.Murphy at sun.com
        1.4.4. The name of your business unit:
            OpenSolaris
    1.5. Email Aliases:
        1.5.1. Responsible Manager: Bonnie.Corwin at sun.com
        1.5.2. Responsible Engineer: Erik.Trauschke at sun.com
        1.5.3. Marketing Manager: N/A
        1.5.4. Interest List: Alan.Burlison at sun.com

2. Project Summary
    2.1. Project Description:
        This extension to the Secure Shell Daemon (SSHD) allows it to
        run a configuration-defined executable before user
        authentication. This can be used to retrieve user-related data
        that is required for authentication (e.g. SSH keys) from
        arbitrary systems such as databases and remote authentication
        facilities.

    2.2. Risks and Assumptions:
        The proposed change to SSHD adds a new configuration option to
        sshd that will be specific to the Sun version of SSHD. However,
        the modified SSHD will still be fully compatible with the
        configuration files used by the current version of SSHD. The
        change will therefore not require any changes to existing
        customized configuration files.

        The use of an executable run before authentication could
        potentially introduce security issues if the executable is not
        written correctly. However, only the superuser can activate
        this functionality, and there are already multiple ways an
        administrator could compromise security by misconfiguration of
        SSHD, so the incremental risk introduced by this modification
        is small.

3. Business Summary
    3.1. Problem Area:
        The OpenSolaris.org infrastructure needs to be able to
        authenticate SSH sessions against an external XML-RPC service.
        After discussion with the Sun SSH maintainers, it was agreed
        that this was a generally useful feature, and it should
        therefore be added to the Solaris SSHD.

    3.2. Market/Requester:
        OpenSolaris

4. Technical Description:
    4.1. Details:
        The changes involve the addition of a new configuration
        directive to the SSHD configuration file (/etc/ssh/sshd_config)
        named PreUserauthHook. Its only parameter is the path to an
        executable which is run before each authentication method.

        The executable is invoked with two arguments. The first
        argument specifies the name of the authentication method
        currently being processed, the second specifies the username of
        the user trying to log in. Furthermore, SSHD passes an
        environment variable named SSH_CONNECTION to the executable,
        which is equivalent to the SSH_CONNECTION variable set for the
        SSH shell after successful login.

        The exit code of the executable determines whether the current
        authentication method will be continued or aborted. If the
        executable exits with an exit code of zero, the authentication
        method will be processed as normal. If the exit status is 1,
        the current authentication is aborted and authentication
        continues with the next method, if any.

        The executable is furthermore required to have defined
        permissions, namely owned by the user running SSHD (normally
        root) and with only read and execute permissions for that user
        (0500).

    4.2. Bug/RFE Number(s):
        6850175 Extension of SSHD to run an executable prior to user
                authentication

    4.5. Interfaces:
        The modified SSHD will accept a new option in its configuration
        file (/etc/ssh/sshd_config) named PreUserauthHook. The
        parameter for this option is the path to the executable.

        Example:

            PreUserauthHook /opt/oso/bin/synckeys

        Calls the executable "synckeys".

        Stability level: Committed
        Release binding: patch

    4.6. Doc Impact:
        Suggested manpage addition:

        PreUserauthHook
            Specifies an executable which will be run prior to any of
            the processed authentication methods. The executable can be
            used to synchronize user information with a remote
            user-management facility using an arbitrary communication
            protocol. The executable is run before any user validation
            is conducted by SSHD, so the user is not required to exist
            before she tries to log in.

            The executable is invoked with two arguments in the
            following order: the name of the current authentication
            method and the username. Furthermore, the environment
            variable SSH_CONNECTION (see sshd(1M)) is passed to the
            executable. If the executable returns a zero exit status,
            the current authentication method is processed as normal.
            If the exit status is 1, the current authentication method
            is ignored and cannot be used to validate the user.

            The executable must be owned by root and have permissions
            of 0500, otherwise it will be treated as if it had exited
            with status 1.

            There is no default value for this property.

    4.7. Admin/Config Impact:
        A new option will be available in the configuration file for
        SSHD which specifies the executable to be run to retrieve
        public keys. See 4.5.

    4.10. Packaging & Delivery:
        All affected components are in the SUNWssh package
        (OpenSolaris) or in the SUNWsshdu package (Nevada),
        respectively.

    4.11. Security Impact:
        If SSHD is configured to use the PreUserauthHook, the system
        administrator needs to be aware of the security implications of
        having an executable retrieve keys. SSHD will require the
        executable to be owned by the user running the SSHD process,
        and will verify that the executable is only user readable and
        user executable (0500).

    4.12. Dependencies:
        none

6. Resources and Schedule:
    6.1. Projected Availability:
        08/2009
    6.2. Cost of Effort:
        1 man/month
    6.3. Cost of Capital Resources:
        0
    6.4. Product Approval Committee requested information:
        6.4.1. Consolidation or Component Name:
            ON
        6.4.3. Type of CPT Review and Approval expected:
            FastTrack
        6.4.7. Target RTI Date/Release:
            08/2009
        6.4.8. Target Code Design Review Date:
            14/08/2009
    6.5. ARC review type:
        FastTrack
    6.6. ARC Exposure:
        open

--
Darren J Moffat
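
The hook contract from sections 4.1 and 4.11 (two arguments, SSH_CONNECTION in the environment, exit status 0 or 1, file owned by the SSHD user with mode 0500), as an added sh example that is not part of the proposal or of Sun's code. The KEYSTORE directory, the username pattern and the per-method policy are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not Sun's code): decision logic for a PreUserauthHook script.
# KEYSTORE, the username policy and the per-method policy are assumptions.
LC_ALL=C; export LC_ALL                  # make a-z mean ASCII only
KEYSTORE=${KEYSTORE:-/var/db/hook-keys}  # hypothetical cache of synced keys

# The username arrives before authentication, so treat it as hostile input:
# reject empty names, leading dashes, path characters, anything over 32 chars.
valid_user() {
    case $1 in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# SSH_CONNECTION is "client_ip client_port server_ip server_port".
client_ip() { printf '%s\n' "${SSH_CONNECTION%% *}"; }

# Return value is the hook's exit status: 0 = process method, 1 = skip it.
hook_decide() {         # usage: hook_decide METHOD USERNAME
    [ $# -eq 2 ] || return 1
    if ! valid_user "$2"; then
        # Do not echo the raw name into logs.
        echo "hook: rejected username from $(client_ip)" >&2
        return 1
    fi
    case $1 in
        publickey) [ -s "$KEYSTORE/$2.pub" ] ;;  # need a synced key
        *)         return 0 ;;                   # leave other methods alone
    esac
}

# The file rule sshd applies to the hook: owned by the sshd user, mode 0500.
check_hook_perms() {    # usage: check_hook_perms PATH EXPECTED_UID
    set -- "$2" $(ls -ln -- "$1" 2>/dev/null)
    [ "$(printf '%.10s' "$2")" = "-r-x------" ] && [ "$4" = "$1" ]
}
# Installed as the hook, the script would end with: hook_decide "$@"; exit $?
```

Running check_hook_perms against the configured path with UID 0 before enabling the directive catches the case where SSHD would silently treat the hook as having exited with status 1.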