OpenSSH, PAM and user names

FreeBSD just published a security advisory for, amongst other issues, a piece of code in OpenSSH's PAM integration which could allow an attacker to use one user's credentials to impersonate another (original patch here). I would like to clarify two things, one that is already mentioned in the advisory and one that isn't.

The first is that in order to exploit this, the attacker must not only have valid credentials but also first compromise the unprivileged pre-authentication child process through a bug in OpenSSH itself or in a PAM service module.

The second is that this behavior, which is universally referred to in advisories and the trade press as a bug or flaw, is intentional and required by the PAM spec (such as it is). There are multiple legitimate use cases for this, such as:

  • Letting PAM, rather than the application, prompt for a user name; the spec allows passing NULL instead of a user name to pam_start(3), in which case it is the service module's responsibility (in pam_sm_authenticate(3)) to prompt for a user name using pam_get_user(3). Note that OpenSSH does not support this.

  • Mapping multiple users with different identities and credentials in the authentication backend to a single “template” user when the application they need to access does not need to distinguish between them, or when this determination is made through other means (e.g. environment variable, which service modules are allowed to set).

  • Mapping Windows user names (which can contain spaces and non-ASCII characters that would trip up most Unix applications) to Unix user names.

That being said, I do not object to the patch, only to its characterization. Regarding the first issue, it is absolutely correct to consider the unprivileged child as possibly hostile; this is, after all, the entire point of privilege separation. Regarding the second issue, there are other (and probably better) ways to achieve the same result—performing the translation in the identity service, i.e. nsswitch, comes to mind—and the percentage of users affected by the change lies somewhere between zero and negligible.

One could argue that instead of silently ignoring the user name set by PAM, OpenSSH should compare it to the original user name and either emit a warning or drop the connection if it does not match, but that is a design choice which is entirely up to the OpenSSH developers.

Building ARM Packages with Poudriere (the simple way)

The current directions for building ARM packages are quite long and need to be updated. These are my work-in-progress directions until I get everything right, after which I will update the documentation.

  1. Install poudriere and qemu-user-static: pkg install poudriere qemu-user-static
  2. Enable qemu-user-static in rc.conf: qemu_user_static_enable="YES"
  3. Run the startup script to configure your system for building different architectures: /usr/local/etc/rc.d/qemu_user_static start
  4. Create a ports tree to build: poudriere ports -c -m svn+https -p svn
  5. Create an ARM build jail. Note that this will take a while: poudriere jail -c -j 11armv6 -v head -a arm.armv6 -m svn+https

Now you can test build whatever packages you want for your ARM device:
poudriere testport -j 11armv6 -p svn -o x11-wm/lxsession

PC-BSD 10.2-RELEASE Now Available

The PC-BSD team is pleased to announce the availability of 10.2-RELEASE!

A very special thanks to all the developers, QA, and documentation teams for helping to make this release possible.

PC-BSD 10.2 Notable Changes

  • FreeBSD 10.2-RELEASE base system
  • Many bugfixes and enhancements to the installer for dual-boot setups
  • New CD-sized network installation media, with Wifi Configuration via GUI
  • Switched to “iocage” for jail management backend
  • Disk Manager GUI now available via installer GUI
  • Bug-fixes and improvements to Life-Preserver replications
  • Improved localization options for login manager
  • Options to Enable / Disable SSHD or IPv6 at installation
  • New “Plugins” system for AppCafe, allowing download of pre-built jail environments
  • Improvements to look-n-feel of AppCafe for package management
  • Improved fonts and better support for 4K monitor setups
  • Enterprise package repo, which only has security updates, allowing users to run a server / desktop or jail with fairly consistent package versions.
  • Firefox 40.0_1,1
  • Chromium 44.0.2403.130
  • Thunderbird 38.1.0
  • Lumina 0.8.6
  • GNOME 3.16.2

Updating

Users currently running 10.1-RELEASE can now update their system via the updater GUI or “pc-updatemanager” utility to be upgraded to 10.2-RELEASE.

Getting Media

10.2-RELEASE media (including VMs and network installers) can be downloaded from this URL via HTTP or Torrent.

Reporting Bugs
Found a bug in 10.2? Please report it (with as much detail as possible) to our bugs database.

BSDCan 2015 Trip Report: Koop Mast

Travel
I have been to two EuroBSDCon conferences and now I can add my first BSDCan to the list. The trip to Ottawa was just as interesting as the conference itself; it was the first time I stepped aboard an airplane. Purely by chance I found out, after I booked my flight, that I shared the same flight with Ed Schouten and Massimiliano Stucchi, so they could help me with the confusing ant hill that is your average airport.

We arrived in Ottawa on the 9th and, after dropping off our stuff at the residence, we went to the Royal Oak for drinks and social activities.

During the dev summit or the actual BSDCan you can meet people you’ve only heard of before and have a conversation. In some cases, you can also find out they have heard of you before too. That happened to me during lunch on Wednesday, when I met Michael W. Lucas at Cora’s.

While I mostly work on FreeBSD ports, it was interesting to see how a company like Isilon uses at least part of the Project you work on in their product and how they’ve changed their policy over the years to keep up with all the shiny new stuff.

The hacking lounge was a mixed bag of what people were doing: talking with other people attending the conference about different subjects, discussing future projects, doing some code hacking or taking a soldering iron to “harmless” wireless routers. During one of the hacking lounges, Johannes Jost Meixner asked me to do a simple test with a few new ports to see if the skype4 port worked on HEAD. I also put the inspiration I got during a presentation into solving a segfault in PulseAudio that had been bugging me for a while.

BSDCan
On Friday June 12th, the conference kicked off with the keynote by Stephen Bourne, about Unix history and the Bourne shell. Afterwards, I attended the "Package building via QEMU" session by Sean Bruno and Stacey Son, on how we use QEMU to build arm packages on an amd64 box a “bit” faster than would be possible on a native box. I also attended “a stitch in time: jhbuild” since I was involved with this project. Jhbuild is build software that GNOME uses; it takes code straight out of git and tries to build it, so portability issues get caught in a few days instead of 6 months later, when the author of that code has moved on to shinier features. And there are some features the GNOME glib people would like to have in FreeBSD. The LLDB talk was interesting and it made me actually start using lldb when I need to debug something.

In the evening, I accidentally ended up in the Doc sprint, which turned out to be a good thing, since I learned some mandoc things and I got some help with thinking about how to write some documents that still need writing.

Saturday June 13th had some great talks, like CloudAPI, where we have a binary from a virtual Operating System that could in theory be run on any OS, and the ZFS talk by Kirk McKusick about how ZFS works “magic” in more ways than one. I'm probably not the only one who is looking forward to having the FreeBSD base system in packages.

Free Time
On Sunday the 14th, we had time to do some tourist type things before our flight back to Europe. I saw Parliament Hill and the National Gallery of Canada.

A few presentations went over my head technically (ZFS, I'm looking at you). I'm from Europe, so jet lag is supposed to be a thing if you have long plane flights across time zones. Either my sleeping habits are already beyond hope, or I'm one of those people who isn't that affected. Though personally I would bet on the former.

I'd like to thank the FreeBSD Foundation for giving me the possibility to attend, and Dan Langille and his team for making my first BSDCan a smooth experience.

Koop Mast

FreeBSD 10.2-RELEASE Now Available

The FreeBSD Release Engineering Team is pleased to announce the availability of FreeBSD 10.2-RELEASE. Installation images are available for the amd64, i386, ia64, powerpc, powerpc64, and sparc64 architectures.

FreeBSD/arm SD card images are available for the BEAGLEBONE, CUBOX-HUMMINGBOARD, GUMSTIX, RPI-B, PANDABOARD, and WANDBOARD kernels.

FreeBSD 10.2-RELEASE is also available on several third-party hosting providers.

See the 10.2-RELEASE announcement email for installation image checksums and additional information.

FreeBSD 10.2-RELEASE Available

FreeBSD 10.2-RELEASE is now available. Please be sure to check the Release Notes and Release Errata before installation for any late-breaking news and/or issues with 10.2. More information about FreeBSD releases can be found on the Release Information page.

FreeBSD 10.2-RC3 Now Available

The third RC build of the 10.2-RELEASE cycle is now available. This is expected to be the final RC build of this release cycle.

Installation images are available for the amd64, i386, ia64, powerpc, powerpc64, and sparc64 architectures.

FreeBSD/arm SD card images are available for the BEAGLEBONE, CUBOX-HUMMINGBOARD, GUMSTIX, RPI-B, PANDABOARD, and WANDBOARD kernels.

FreeBSD 10.2-RC3 is also available on several third-party hosting providers.

See the PGP-signed announcement email for installation image checksums and more information.

Official Vagrant FreeBSD Images

I am very proud to announce that FreeBSD Vagrant images are now available.

Usage:
For VMWare, create a Vagrantfile like so:

Vagrant.configure("2") do |config|
  config.vm.synced_folder ".", "/vagrant", id: "vagrant-root", disabled: true
  config.vm.box = "freebsd/FreeBSD-11.0-CURRENT"
  config.ssh.shell = "sh"
end

For VirtualBox, create a Vagrantfile like:

Vagrant.configure("2") do |config|
  config.vm.synced_folder ".", "/vagrant", id: "vagrant-root", disabled: true
  config.vm.box = "freebsd/FreeBSD-11.0-CURRENT"
  config.ssh.shell = "sh"
  config.vm.base_mac = "080027D14C66"
end

Then run:
vagrant up

On first boot the machine will come up and install missing pkgs and run freebsd-update if needed. Note that this can take a few minutes. If it fails to boot try using: vagrant up --no-destroy-on-error. On my 2004 iMac with a spinning disk it takes just over 3 minutes. On my mid 2014 MBP with a SSD it takes about 1 minute and 45 seconds. In the future we will reevaluate installing the missing packages on boot vs when the VM is built.

Note that you can replace `FreeBSD-11.0-CURRENT` with `FreeBSD-10.0-RC2` or others. To see a full list of versions available, check the Hashicorp Atlas website here: https://atlas.hashicorp.com/FreeBSD/

Going forward:

  • All snapshots will include Vagrant images, so weekly updates of the FreeBSD -STABLE branches and -CURRENT.
  • All future releases will include Vagrant images.

FreeBSD 10.2-RC3 Available

The third RC build for the FreeBSD 10.2 release cycle is now available. ISO images for the amd64, armv6, i386, ia64, powerpc, powerpc64 and sparc64 architectures are available on most of our FreeBSD mirror sites.

PC-BSD 10.2-RC1 Now Available

The PC-BSD team is pleased to announce the availability of RC1 images for the upcoming 10.2 release. Please test these images out and report any issues found on our bug tracker: https://bugs.pcbsd.org

PC-BSD 10.2 Notable Changes

  • FreeBSD 10.2 base system
  • Many bugfixes and enhancements to the installer for dual-boot setups
  • New CD-sized network installation media, with Wifi Configuration via GUI
  • Switched to “iocage” for jail management backend
  • Disk Manager GUI now available via installer GUI
  • Bug-fixes and improvements to Life-Preserver replications
  • Improved localization options for login manager
  • Options to Enable / Disable SSHD or IPv6 at installation
  • New “Plugins” system for AppCafe, allowing download of pre-built jail environments
  • Improvements to look-n-feel of AppCafe for package management
  • Improved fonts and better support for 4K monitor setups
  • Enterprise package repo, which only has security updates, allowing users to run a server / desktop or jail with fairly consistent package versions.
  • FireFox 39.0
  • Chromium 43.0.2357.134
  • Thunderbird 38.1.0
  • Lumina 0.8.6

Updating

Users currently running the EDGE package repo can now update their packages via the updater GUI or “pc-updatemanager” utility to be brought up to date with RC1. Updates for users on the 10.1.2 / PRODUCTION repo will be available once 10.2-RELEASE is announced.

Getting media

10.2-RC1 DVD/USB media can be downloaded from the following URL via HTTP or Torrent. http://download.pcbsd.org/iso/10.2-RELEASE/edge/amd64/

Reporting Bugs

Found a bug in 10.2? Please report it (with as much detail as possible) to our bugs database. https://bugs.pcbsd.org

Lumina Desktop 0.8.6 Released!

Just in time for PC-BSD & FreeBSD 10.2 (coming soon), the Lumina desktop has been updated to version 0.8.6! This version contains a number of updates for non-English users (following up on all the new translations which are now available), as well as a number of important bug-fixes and support for an additional FreeDesktop specification. The PC-BSD “Edge” packages have already been updated to this version and the FreeBSD ports tree will be getting this update very soon as well.

In addition, the Lumina desktop now has its own website! While we are still working on cleaning up some of the visuals, all the information about Lumina (how to download/install it on various OSes, a summary of the features, a description of the project, screenshots, etc.) is there and up-to-date. We are also working on a full handbook for Lumina (similar to the PC-BSD/FreeBSD handbooks) which can also be viewed directly from the website. Please check it out and let us know what you think!

Changes Since 0.8.5:

  1. Localizations
    • Add the ability to set system-locale overrides (used on login), allowing the user to “mix” locale settings for the various outputs.
    • Add the ability for the user to switch the locale of the current session on the fly (all locale settings changed for the current session only), and these settings will be used when launching any applications later.
    • Fix up the translation mechanisms of the Lumina interface, so everything will instantly get re-translated to the new locale.
    • More languages are now fully translated! Make sure to install the x11/lumina-i18n port or pkg to install the localizations and enable all these new features!
  2. Add support for the “Actions” extension to the XDG Desktop specifications.
    • This allows applications to set a number of various “actions” (alternate startup routines) within their XDG desktop registration file.
    • These actions are shown within Lumina as new sub-menus within the Applications menu as well as in the User button (look for the down arrow next to the application icon).
  3. Change the Lumina OSD to a different widget – allowing it to be shown much faster.
  4. Add new “_ifexists” functionality to any session options in luminaDesktop.conf. This allows the distributor to more easily set up default applications (browser, email, etc.) through an intelligent tree of options (which may or may not be installed).
  5. Bug Fixes
    • Apply a work-around for new users which fixes a bug in Fluxbox where the virtual desktop windows could still be changed/closed by various Fluxbox keyboard shortcuts. If an existing user wants to apply this fix, you need to replace your ~/.lumina/fluxbox-keys file with the new Lumina default (/usr/local/share/Lumina-DE/fluxbox-keys), which will overwrite any custom keyboard shortcuts you had previously set up.
    • Fix some bugs in the new window detection/adjustment routines – fixing up issues with full-screen apps that change around the X session settings to suit their own temporary needs.
    • Fix a couple bugs with the automatic detection/load routines for the new QtQuick plugins.
    • Add in the “Ctrl-X” keyboard shortcut for cutting items in the Insight file manager.
    • Fix up the active re-loading of icons when the user changes the icon theme.

FreeBSD 10.2-RC2 Now Available

The second RC build of the 10.2-RELEASE cycle is now available.

Installation images are available for the amd64, i386, ia64, powerpc, powerpc64, and sparc64 architectures.

FreeBSD/arm SD card images are available for the BEAGLEBONE, CUBOX-HUMMINGBOARD, GUMSTIX, RPI-B, PANDABOARD, and WANDBOARD kernels.

FreeBSD 10.2-RC2 is also available on several third-party hosting providers.

See the PGP-signed announcement email for installation image checksums and more information.

FreeBSD 10.2-RC2 Available

The second RC build for the FreeBSD 10.2 release cycle is now available. ISO images for the amd64, armv6, i386, ia64, powerpc, powerpc64 and sparc64 architectures are available on most of our FreeBSD mirror sites.