Jason | 1 Dec 18:35 2006

mirroring a loop device across an ssh connection

all,

I've been looking into a secure way of accessing a remote loopback 
encrypted partition securely via openssh.

The basic idea I have currently is that a file/partition is connected to 
/dev/loop0 on a remote server, which I have an ssh connection to.  I 
hold the key (for cryptsetup via dm_crypt) on the local client.  I'd 
like to mirror the loop device of the server on the client.  Once that 
is done, I would run cryptsetup with the key on the client and mount as 
normal.

The end application would be for remote secure backup (rsync?) of a 
second encrypted volume on the client.  It is assumed that the remote 
server is untrusted, hence, not running cryptsetup/dm_crypt on the server.

So far, I've looked at Rex/sfs [1], pseudo-tty programming, and a little 
of unix domain sockets.  I'm more familiar with network socket 
programming, though.  My main holdup right now is my lack of familiarity 
with openssh internals.  If someone could point to the right section of 
the src tree, perhaps with a nudge towards how to do this securely, it 
would be greatly appreciated.

tia,

Jason.

[1] - http://pdos.csail.mit.edu/papers/sfs:rextr03/MIT-LCS-TR-884.pdf

Jason | 1 Dec 19:13 2006

Re: mirroring a loop device across an ssh connection

Jefferson Ogata wrote:
> On 2006-12-01 17:35, Jason wrote:
>> So far, I've looked at Rex/sfs [1], pseudo-tty programming, and a little 
>> of unix domain sockets.  I'm more familiar with network socket 
>> programming, though.  My main holdup right now is my lack of familiarity 
>> with openssh internals.  If someone could point to the right section of 
>> the src tree, perhaps with a nudge towards how to do this securely, it 
>> would be greatly appreciated.
> 
> Take a look at drbd.

Thanks, I hadn't stumbled across that yet.  There is only one small 
problem with it, which I failed to mention in my initial mail.  I can't 
assume I have root access to the remote machine.  I might be able to get 
a 'sudo losetup ...' approved, but most likely I'll need to mirror the 
file descriptor of the file container over the ssh connection.

Currently, for proof of concept, I have root access on the server, but I 
may not in the final implementation.

> Really, if the crypto of the underlying fs is secure, you shouldn't need
> to mirror over ssh; plain rsync (or drbd) mirroring should be secure.

I would prefer to use ssh, as that is the only incoming connection I 
allow from the internet :)  the remote server could be on the other side 
of the world, depending on my travels.

tia,

Jason.

Jefferson Ogata | 1 Dec 19:26 2006

Re: mirroring a loop device across an ssh connection

[not sure what's up with reply-to here; looks like my previous reply
went only to you]

On 2006-12-01 18:13, Jason wrote:
> Jefferson Ogata wrote:
>> On 2006-12-01 17:35, Jason wrote:
>>> So far, I've looked at Rex/sfs [1], pseudo-tty programming, and a little 
>>> of unix domain sockets.  I'm more familiar with network socket 
>>> programming, though.  My main holdup right now is my lack of familiarity 
>>> with openssh internals.  If someone could point to the right section of 
>>> the src tree, perhaps with a nudge towards how to do this securely, it 
>>> would be greatly appreciated.
>> Take a look at drbd.
> 
> Thanks, I hadn't stumbled across that yet.  There is only one small 
> problem with it, which I failed to mention in my initial mail.  I can't 
> assume I have root access to the remote machine.  I might be able to get 
> a 'sudo losetup ...' approved, but most likely I'll need to mirror the 
> file descriptor of the file container over the ssh connection.
> 
> Currently, for proof of concept, I have root access on the server, but I 
> may not in the final implementation.

In that case, fuse is another option that might help, tho I'm not
certain as I haven't used it.

-- 
Jefferson Ogata <Jefferson.Ogata <at> noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt <at> noaa.gov>
"Never try to retrieve anything from a bear."--National Park Service
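Putting the fuse suggestion together with the setup described in Jason's first mail, here is one way the client side can look when the server is untrusted and offers nothing but a shell account. This is an added example, not code from the thread or from OpenSSH: it assumes sshfs (FUSE) is installed on the client, that the client user can run losetup, cryptsetup and mount through sudo, and that the container is plain dm-crypt unlocked with a keyfile. The mount points, loop device, mapping name and DRY_RUN switch are placeholders chosen here.

```shell
#!/bin/sh
# Added example, not code from the thread. Mounts a dm-crypt container stored on an
# untrusted server without needing root there: sshfs exposes the remote directory
# locally, losetup attaches the still-encrypted file, and cryptsetup unlocks it with a
# key that never leaves the client. Assumed: sshfs and FUSE are installed on the
# client, the client user may run losetup/cryptsetup/mount via sudo, and the
# container is plain dm-crypt with a keyfile. Names below are placeholders.
set -eu

MNT_SSHFS=${MNT_SSHFS:-/tmp/remote-container}   # where the remote directory appears
LOOPDEV=${LOOPDEV:-/dev/loop0}                   # loop device to attach the file to
MAPPER=${MAPPER:-remotevol}                      # dm-crypt mapping name

# Run a command, or only print it when DRY_RUN=1 so the sequence can be reviewed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The design only works if the key stays private on the client, so refuse keyfiles
# that other local users can read. Uses ls -l so it works on GNU and BSD userlands.
check_keyfile() {
    kf=$1
    [ -f "$kf" ] || { echo "keyfile missing: $kf" >&2; return 1; }
    perms=$(ls -ld "$kf" | cut -c2-10)
    case "$perms" in
        rw-------|r--------) return 0 ;;
        *) echo "keyfile $kf has mode $perms; want 0600 or 0400" >&2; return 1 ;;
    esac
}

# mount_container user@host remote_dir container_file keyfile mountpoint
mount_container() {
    remote=$1 rdir=$2 cfile=$3 keyfile=$4 mnt=$5
    check_keyfile "$keyfile" || return 1
    run mkdir -p "$MNT_SSHFS" "$mnt"
    # 1. Only ciphertext crosses the ssh connection; the server never sees the key.
    run sshfs "$remote:$rdir" "$MNT_SSHFS"
    # 2. Attach the encrypted container file to a loop device on the client.
    run sudo losetup "$LOOPDEV" "$MNT_SSHFS/$cfile"
    # 3. Unlock locally. --cipher/--key-size must match how the container was
    #    created; plain mode has no header that records them.
    run sudo cryptsetup open --type plain --key-file "$keyfile" "$LOOPDEV" "$MAPPER"
    # 4. Mount the cleartext mapping.
    run sudo mount "/dev/mapper/$MAPPER" "$mnt"
}

# unmount_container mountpoint  (strict reverse order so nothing is left dangling)
unmount_container() {
    mnt=$1
    run sudo umount "$mnt"
    run sudo cryptsetup close "$MAPPER"
    run sudo losetup -d "$LOOPDEV"
    run fusermount -u "$MNT_SSHFS"
}

case "${1:-}" in
    mount)   shift; mount_container "$@" ;;
    unmount) shift; unmount_container "$@" ;;
esac
```

Run it as `DRY_RUN=1 sh mount-remote.sh mount backup@host /srv/backup vol.img ~/.keys/vol.key /mnt/vol` first to see the exact command sequence, then without DRY_RUN. Two caveats follow from the threat model in the first mail: plain dm-crypt gives confidentiality only, so a hostile server can corrupt or roll back ciphertext blocks without the client noticing until the filesystem complains, which argues for keeping checksums of the backup set on the client; and every block read or write is an sshfs round trip, which is fine for a sequential rsync target but slow for random I/O.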

Jason | 1 Dec 20:14 2006

Re: mirroring a loop device across an ssh connection

Jefferson Ogata wrote:
> [not sure what's up with reply-to here; looks like my previous reply
> went only to you]

My fault, I think.  I recently migrated to thunderbird from mutt, and 
when I set up all my aliases (e.g. openssh <at> lakedaemon.net), I filled in 
the Reply-To field.  Apparently mindrot's list server doesn't rewrite 
the Reply-To field.  I've since fixed it for this alias.

> 
> On 2006-12-01 18:13, Jason wrote:
>> Jefferson Ogata wrote:
>>> On 2006-12-01 17:35, Jason wrote:
>>>> So far, I've looked at Rex/sfs [1], pseudo-tty programming, and a little 
>>>> of unix domain sockets.  I'm more familiar with network socket 
>>>> programming, though.  My main holdup right now is my lack of familiarity 
>>>> with openssh internals.  If someone could point to the right section of 
>>>> the src tree, perhaps with a nudge towards how to do this securely, it 
>>>> would be greatly appreciated.
>>> Take a look at drbd.
>> Thanks, I hadn't stumbled across that yet.  There is only one small 
>> problem with it, which I failed to mention in my initial mail.  I can't 
>> assume I have root access to the remote machine.  I might be able to get 
>> a 'sudo losetup ...' approved, but most likely I'll need to mirror the 
>> file descriptor of the file container over the ssh connection.
>>
>> Currently, for proof of concept, I have root access on the server, but I 
>> may not in the final implementation.
> 
> In that case, fuse is another option that might help, tho I'm not

Martin Schröder | 1 Dec 19:18 2006

Re: mirroring a loop device across an ssh connection

2006/12/1, Jason <openssh <at> lakedaemon.net>:
> Thanks, I hadn't stumbled across that yet.  There is only one small
> problem with it, which I failed to mention in my initial mail.  I can't
> assume I have root access to the remote machine.  I might be able to get
> a 'sudo losetup ...' approved, but most likely I'll need to mirror the
> file descriptor of the file container over the ssh connection.

How about unison? Do you really have to sync a file system?

Best
   Martin
Jim Knoble | 2 Dec 02:37 2006

Re: mirroring a loop device across an ssh connection

Circa 2006-12-01 12:35 dixit Jason:

: all,
: 
: I've been looking into a secure way of accessing a remote loopback 
: encrypted partition securely via openssh.
: 
: The basic idea I have currently is that a file/partition is connected to 
: /dev/loop0 on a remote server, which I have an ssh connection to.  I 
: hold the key (for cryptsetup via dm_crypt) on the local client.  I'd 
: like to mirror the loop device of the server on the client.  Once that 
: is done, I would run cryptsetup with the key on the client and mount as 
: normal.

This sounds like you'll need unix domain sockets.  The following may be
of help:

    http://bugzilla.mindrot.org/show_bug.cgi?id=1256

: The end application would be for remote secure backup (rsync?) of a 
: second encrypted volume on the client.  It is assumed that the remote 
: server is untrusted, hence, not running cryptsetup/dm_crypt on the server.
: 
: So far, I've looked at Rex/sfs [1], pseudo-tty programming, and a little 
: of unix domain sockets.  I'm more familiar with network socket 
: programming, though.  My main holdup right now is my lack of familiarity 
: with openssh internals.  If someone could point to the right section of 
: the src tree, perhaps with a nudge towards how to do this securely, it 
: would be greatly appreciated.


Ryan Robertson | 7 Dec 00:15 2006

ssh 4.x using aix 5.3 auditing

I'm trying to identify how ssh 4.5 interacts with the audit subsystem within AIX 5.3.  I get an event when a user
logs in, but not when they exit via ssh.  I can get it to work with telnet, however.  It would seem to me that if an
event is captured from the login, that the same would be true for the logout.  I've opened a PMR w/IBM, but not
getting very much help. 

below is an example of my /etc/security/audit/config file:

start:
        binmode = off
        streammode = on

bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds
        freespace = 65536

stream:
        cmds = /etc/security/audit/streamcmds

classes:
                default = login
        init = USER_Login, USER_Logout, USER_Exit, USER_Logout

users:
              root = init,default
===========================
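Before attributing the missing logout record to sshd, it is worth confirming that the config above actually wires the expected events to the user being tested. The following is an added example, not from the thread or from IBM: a small POSIX sh/awk checker for the classes: and users: stanzas of /etc/security/audit/config. It assumes only the stanza layout shown in the post (stanza headers ending in a colon, `name = a, b, c` lines beneath them) and does not talk to the audit subsystem itself. The sample config it writes is reconstructed from the one posted above.

```shell
#!/bin/sh
# Added example, not from the thread: checks the classes: and users: stanzas of an
# AIX /etc/security/audit/config so you can tell, before chasing sshd, whether the
# event you are looking for is even wired to the user you are testing with. Only
# the stanza format shown in the post above is assumed; nothing here talks to the
# audit subsystem itself.
set -eu

# Emit "class event" pairs for every class defined in the classes: stanza.
audit_class_events() {
    awk '
        /^[A-Za-z]+:[[:space:]]*$/ { stanza = $1; sub(/:$/, "", stanza); next }
        stanza == "classes" && /^[[:space:]]*[A-Za-z_]+[[:space:]]*=/ {
            eq = index($0, "=")
            cls = substr($0, 1, eq - 1); gsub(/[[:space:]]/, "", cls)
            n = split(substr($0, eq + 1), ev, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[[:space:]]/, "", ev[i])
                if (ev[i] != "") print cls, ev[i]
            }
        }' "$1"
}

# Emit the class names assigned to one user in the users: stanza.
audit_user_classes() {
    awk -v user="$2" '
        /^[A-Za-z]+:[[:space:]]*$/ { stanza = $1; sub(/:$/, "", stanza); next }
        stanza == "users" && /^[[:space:]]*[A-Za-z_]+[[:space:]]*=/ {
            eq = index($0, "=")
            u = substr($0, 1, eq - 1); gsub(/[[:space:]]/, "", u)
            if (u != user) next
            n = split(substr($0, eq + 1), cl, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[[:space:]]/, "", cl[i])
                if (cl[i] != "") print cl[i]
            }
        }' "$1"
}

# Events listed twice in the same class (harmless, but a sign the line was hand-edited).
audit_duplicate_events() {
    audit_class_events "$1" | sort | uniq -d
}

# Classes a user refers to that the classes: stanza never defines (they audit nothing).
audit_undefined_classes() {
    defined=$(audit_class_events "$1" | cut -d' ' -f1 | sort -u)
    for cls in $(audit_user_classes "$1" "$2"); do
        printf '%s\n' "$defined" | grep -qx "$cls" || printf '%s\n' "$cls"
    done
}

# Succeeds when some class assigned to the user contains the event.
audit_user_has_event() {
    for cls in $(audit_user_classes "$1" "$2"); do
        audit_class_events "$1" | grep -qx "$cls $3" && return 0
    done
    return 1
}

# Constructed sample: the config posted above, written to the given path.
write_sample_config() {
    cat >"$1" <<'EOF'
start:
        binmode = off
        streammode = on

bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds
        freespace = 65536

stream:
        cmds = /etc/security/audit/streamcmds

classes:
                default = login
        init = USER_Login, USER_Logout, USER_Exit, USER_Logout

users:
              root = init,default
EOF
}

# Usage: sh audit_check.sh /etc/security/audit/config root USER_Exit
if [ "$#" -eq 3 ]; then
    printf 'duplicate class entries:\n%s\n' "$(audit_duplicate_events "$1")"
    printf 'undefined classes for %s:\n%s\n' "$2" "$(audit_undefined_classes "$1" "$2")"
    audit_user_has_event "$1" "$2" "$3" && echo "$2 audits $3" || echo "$2 does NOT audit $3"
fi
```

On the posted config the checker reports that `init` lists USER_Logout twice and that root does have USER_Exit and USER_Login wired up, so the absence of a logout record is not a configuration gap on the user side; that is consistent with the reply below, which places the cause in what sshd does and does not call on AIX.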


Darren Tucker | 7 Dec 09:27 2006

Re: ssh 4.x using aix 5.3 auditing

Ryan Robertson wrote:
> I'm trying to identify how ssh 4.5 interacts with the audit subsystem
> within AIX 5.3.  I get an event when a user logs in, but not when
> they exit via ssh.  I can get it to work with telnet, however.  It
> would seem to me that if an event is captured from the login, that
> the same would be true for the logout.  I've opened a PMR w/IBM, but
> not getting very much help.

There's no code in sshd to specifically support the audit interface on 
AIX, so I suspect that the records you see are generated by the 
"loginsuccess" call which sshd makes.

The API docs[1] make no mention of a corresponding logout function 
(although now I see that the audit redbook[2] makes mention of one but I 
can't find any information about it).

[1] 
http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixprggd/genprogc/ls_sec_audit_subrs.htm
[2] http://www.redbooks.ibm.com/redbooks/pdfs/sg246020.pdf

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Ryan Robertson | 8 Dec 04:11 2006

Re: ssh 4.x using aix 5.3 auditing

The only way I was able to get any sort of record of a logout was when adding "USER_Exit" to
/etc/security/audit/config.  I'm still not convinced that that is the proper field.  Even if it is, then what
does USER_Logout do?  It may be the "logout" command, which if called from any remote connection, fails
since it's not "on the login terminal."   Of course I get no response from IBM.
I did notice an entry for rlogind/telnetd in /etc/security/audit/events.  Perhaps there is some API that
can be used for ssh?  Is this something that could be added?

-Ryan

 
Darren Tucker | 8 Dec 11:24 2006

Re: ssh 4.x using aix 5.3 auditing

Ryan Robertson wrote:
> The only way I was able to get any sort of record of a logout was
> when adding "USER_Exit" to /etc/security/audit/config.  I'm still not
> convinced that that is the proper field.  Even if it is, then what does
> USER_Logout do?

No idea.  All the pdf I referenced earlier says is:

USER/SYSTEM	AUDIT EVENT	Description
logout		USER_Logout	Calls to the logout subroutine.
[and elsewhere]
rlogind/telnetd USER_Exit

> It may be the "logout" command, which if called from
> any remote connection, fails since it's not "on the login terminal."

That's interesting because it doesn't happen here ("logout" works with 
and without "UseLogin yes" in sshd_config).

> Of course I get no response from IBM. I did notice an entry for
> rlogind/telnetd in /etc/security/audit/events.

I looked briefly at the AIX audit documentation when we incorporated the 
Sun BSM audit code to see if it could be supported but could not figure 
it out at the time.

> Perhaps there is some
> API that can be used for ssh?  Is this something that could be added?

Maybe, but I'm not sure how.  I would guess that you build the 

