Info: Version 1.8.x is available.

Japanese Page

Last modified: $Date: 2015-08-31 22:19:51 +0900 (Mon, 31 Aug 2015) $

Restricting administrative operations in SSH service.

About this page

This page explains you how to restrict administrative operations by selecting roles before starting SSH login shell.


Step 1: Compiling the program

Decide what roles you want to define. In this page, we use 3 roles ("Web server administrator", "Mail server administrator", "Security administrator").

Compile the below program. In this page, we assume the location of compiled program as /bin/sshd_login . We assume the location of SSH server program as /usr/sbin/sshd .

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <syslog.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

#define SSHD_EXECUTABLE_PATH "/usr/sbin/sshd"

int main(int raw_argc, char *raw_argv[])
{
	int i;
	int argc;
	int envc;
	char *filename;
	char **argv;
	char **envp;
	{ /* Check that I'm an execute handler process.  */
		int fd = open("/proc/ccs/.execute_handler", O_RDONLY);
		close(fd);
		if (fd == EOF) {
			fprintf(stderr, "FATAL: I'm not execute_handler.\n");
			return 1;
		}
	}
	if (raw_argc < 7)
		return 1;
	filename = raw_argv[4];
	argc = atoi(raw_argv[5]);
	envc = atoi(raw_argv[6]);
	if (raw_argc != argc + envc + 7)
		return 1;
	for (i = 5; i < argc + 5; i++)
		raw_argv[i] = raw_argv[i + 2];
	raw_argv[argc + 5] = NULL;
	for (i = argc + 6; i < argc + envc + 6; i++)
		raw_argv[i] = raw_argv[i + 1];
	raw_argv[argc + envc + 6] = NULL;
	argv = raw_argv + 5;
	envp = raw_argv + argc + 6;
	/* "/usr/sbin/sshd" executes "/usr/sbin/sshd" with "-R" option. */
	if (argc == 2 && !strcmp(argv[1], "-R") &&
	    !strcmp(raw_argv[2], SSHD_EXECUTABLE_PATH) &&
	    !strcmp(filename, SSHD_EXECUTABLE_PATH)) {
		execve(filename, argv, envp);
		return 1;
	}
	/* Don't allow 'shell -c "command"' request. */
	if (argc == 3 && !strcmp(argv[1], "-c")) {
		fprintf(stderr, "You are not permitted to run %s\n", argv[2]);
		return 1;
	}
	printf("Select your role.\n\n");
	printf("1: Web administrator\n");
	printf("2: Mail administrator\n");
	printf("3: Security administrator\n\n");
	while (1) {
		int c = getchar();
		if (c == EOF)
			break;
		if (c == '1') {
			execve("/bin/webadmin-auth", argv, envp);
			break;
		}
		if (c == '2') {
			execve("/bin/mailadmin-auth", argv, envp);
			break;
		}
		if (c == '3') {
			execve("/bin/securityadmin-auth", argv, envp);
			break;
		}
	}
	return 1;
}

Save the program listed below as /bin/webadmin-auth and set executable bit.

#! /bin/sh
echo "Enter password for web administrator."
stty -echo
read
stty echo
[ "$REPLY" == "webadmin" ] && exec /bin/bash
echo "Authentication failure"
sleep 5
exit 1

Save the program listed below as /bin/mailadmin-auth and set executable bit.

#! /bin/sh
echo "Enter password for mail administrator."
stty -echo
read
stty echo
[ "$REPLY" == "mailadmin" ] && exec /bin/bash
echo "Authentication failure"
sleep 5
exit 1

Save the program listed below as /bin/securityadmin-auth and set executable bit.

#! /bin/sh
echo "Enter password for security administrator."
stty -echo
read
stty echo
[ "$REPLY" == "securityadmin" ] && exec /bin/bash
echo "Authentication failure"
sleep 5
exit 1

Step 2: Install and initialize TOMOYO Linux

Install TOMOYO Linux and run below commandline in order to initialize TOMOYO Linux.

/usr/lib/ccs/init_policy

Then, please do below operations before you reboot using TOMOYO Linux kernel.

Append below line to /etc/ccs/exception_policy.conf in order to initialize domain transition when /usr/sbin/sshd is executed.

initialize_domain /usr/sbin/sshd

Append below lines to /etc/ccs/domain_policy.conf so that program execution requests from /usr/sbin/sshd are passed to /bin/sshd_login .

<kernel> /usr/sbin/sshd
execute_handler /bin/sshd_login

Step 3: Learning and operation

Now, you are ready to start operation. Please reboot using TOMOYO Linux kernel.

Access the SSH server. Confirm that a prompt is shown by /bin/sshd_login after passing existing SSH authentication. Logout the SSH session by pressing Ctrl-C. Now, the domain for /bin/sshd_login was created as "<kernel> /usr/sbin/sshd /bin/sshd_login".

Change access control mode to learning mode by assigning profile 1 so that we can restrict operations from /bin/sshd_login .

/usr/sbin/ccs-setprofile -r 1 '<kernel> /usr/sbin/sshd /bin/sshd_login'

Access the SSH server. Please select 1 for the prompt shown by /bin/sshd_login and enter "webadmin" to the prompt shown by /bin/webadmin-auth . Now, the domain for "Web server administrator" was created as "<kernel> /usr/sbin/sshd /bin/sshd_login /bin/webadmin-auth /bin/bash".

Then, please do operations you want to allow for "Web server administrator". In the above movie, below operations are done.

service httpd restart
cd /var/www/html/
tar -zxf ~/htdocs.tar.gz --strip 1
less /var/log/httpd/access_log

Logout from the SSH session after you finished doing all operations you want to allow.

Access the SSH server. Please select 2 for the prompt shown by /bin/sshd_login and enter "mailadmin" for the prompt shown by /bin/mailadmin-auth . Now, the domain for "Mail server administrator" was created as "<kernel> /usr/sbin/sshd /bin/sshd_login /bin/mailadmin-auth /bin/bash".

Then, please do operations you want to allow for "Mail server administrator". In the above movie, below operations are done.

service sendmail restart
mailq
less /var/log/maillog

Logout from the SSH session after you finished doing all operations you want to allow.

Access the SSH server. Please select 3 for the prompt shown by /bin/sshd_login and enter "securityadmin" for the prompt shown by /bin/securityadmin-auth . Now, the domain for "Security administrator" was created as "<kernel> /usr/sbin/sshd /bin/sshd_login /bin/securityadmin-auth /bin/bash".

Then, please do operations you want to allow for "Security administrator". In the above movie, below operations are done.

less /var/log/tomoyo/reject_log.conf

Logout from the SSH session after you finished doing all operations you want to allow.

Change access control mode to permissive mode by assigning profile 2 and verify that you can do operations you want to allow.

/usr/sbin/ccs-setprofile -r 2 '<kernel> /usr/sbin/sshd /bin/sshd_login'

Change access control mode to enforcing mode by assigning profile 3. Now, the operations are restricted.

/usr/sbin/ccs-setprofile -r 3 '<kernel> /usr/sbin/sshd /bin/sshd_login'

Explanation

We divide roles in the following way. We insert 3 programs ( /bin/webadmin-auth /bin/mailadmin-auth /bin/securityadmin-auth ) between /usr/sbin/sshd and login shell for SSH session. As a result, we get 3 domains with different parent domain ("<kernel> /usr/sbin/sshd /bin/sshd_login /bin/webadmin-auth /bin/bash", "<kernel> /usr/sbin/sshd /bin/sshd_login /bin/mailadmin-auth /bin/bash", "<kernel> /usr/sbin/sshd /bin/sshd_login /bin/securityadmin-auth /bin/bash" ). We assign these 3 domains to 3 roles ("Web server administrator", "Mail server administrator", "Security administrator") by granting only necessary operations for each domain. Since these programs are just for example, we used simple shell scripts. When you use at real systems, please use appropriate programs with appropriate authentication functionality.

TOMOYO Linux's execute_handler functionality intercepts program execution requests from /usr/sbin/sshd and passes the program execution requests to /bin/sshd_login . Then, /bin/sshd_login shows a prompt for selecting role and receives response from the user.

The role selection is applied after SSH authentication. Thus, operations without shell execution (e.g. TCP port forwarding) are permitted. If you want to restrict operations without shell execution, you need to develop policy for SSH server process and apply enforcing mode to the SSH server processes.

Regarding within each domain, domain transition occurs whenever a program is executed. If you want to suppress domain transition within each domain, you can append "keep_domain" lines (like shown below) to /etc/ccs/exception_policy.conf .

keep_domain <kernel> /usr/sbin/sshd /bin/sshd_login /bin/webadmin-auth /bin/bash
keep_domain <kernel> /usr/sbin/sshd /bin/sshd_login /bin/mailadmin-auth /bin/bash
keep_domain <kernel> /usr/sbin/sshd /bin/sshd_login /bin/securityadmin-auth /bin/bash

Return to index page.

sflogo.php