Tiger: Differences between stock and Apple OpenSSH

Adam asked me to look if my OpenSSH install also does SRV lookups when attempting to resolve hostnames.

Under Tiger (10.4.1, md5sum of the OpenSSH binary is b582a5b1da5999b6832dec6cb9477917 /usr/bin/ssh, OpenSSH_3.8.1p1, OpenSSL 0.9.7b 10 Apr 2003) it indeed behaves the same way as Adam describes.

Under Panther (10.3.9, md5sum of OpenSSH binary is 878ef654570e14c103a20b54afe3c417 /usr/bin/ssh OpenSSH_3.6.1p1+CAN-2004-0175, SSH protocols 1.5/2.0, OpenSSL 0x0090702f) I am not seeing any SRV lookups at all.

So I started investigating.

I’ve pulled own OpenSSH from Darwin 8.1 (corresponding to 10.4.1) from http://darwinsource.opendarwin.org/tarballs/other/OpenSSH-56.tar.gz, and the “correct” build from OpenSSH site

diff file was 940K in size, (vast majority of the differences were due to the fact that newer version of autoconf was run on Apple’s sources, and regenerated all the “configure” framework anew) and let me put it this way – OpenSSH as Apple ships it has a whole lot of differences compared to portable OpenSSH 3.8.1p1.

patches subdirectory of Apple tree has most of the patches, but something is telling me that possibly not all of them.

So how is SSH as shipped by Apple differs from SSH as shipped by the portable team of the OpenSSH project?

  • Support for BSM (Basic Security Module) framework, under Solaris, and under MacOS X.
    As an aside – what’s up with BSM and auditing under MacOS X? Solaris (OK, I looked at Solaris 8, maybe things changed in Sol 10) has /etc/security/* with things like audit_class, audit_event, tools to enable and disable auditing, etc. 104.1 has /var/audit that is empty (Obviously – Auditing is not enabled), and prints two lines during kernel boot-up:

    Jun 24 04:13:15 localhost kernel[0]: Security auditing service present
    Jun 24 04:13:15 localhost kernel[0]: BSM auditing present
    

    Anyone has any idea how to actually tweak what gets audited, etc? /usr/include/bsm/ exists, so technically one can attempt to build Solaris BSM tools, but what would Brian Costello^W^WApple do?

  • HEIMDAL support
  • CCAPI – Credentials Caching
  • Fix for Mindrot bug 874 – Swapped parameters of SSH_FXP_SYMLINK packet of SFTP protocol
    +/*
    + * "Blind" conversation function for password authentication.  Assumes that
    + * echo-off prompts are for the password and stores messages for later
    + * display.
    + */
    
  • PAM support for password authentication.
  • Under MacOS X uses Security/AuthSession.h AuthSession – APIs for managing login, authorization, and security Sessions.
    from sshd.c:

    +#ifdef USE_SECURITY_SESSION_API
    +        /*
    +         * Create a new security session for use by the new user login if
    +         * the current session is the root session or we are not launched
    +         * by inetd (eg: debugging mode or server mode).  We do not
    +         * necessarily need to create a session if we are launched from
    +         * inetd because Panther xinetd will create a session for us.
    +         *
    +         * The only case where this logic will fail is if there is an
    +         * inetd running in a non-root session which is not creating
    +         * new sessions for us.  Then all the users will end up in the
    +         * same session (bad).
    +         *
    +         * When the client exits, the session will be destroyed for us
    +         * automatically.
    +         *
    +         * We must create the session before any credentials are stored
    +         * (including AFS pags, which happens a few lines below).
    +         */
    
  • functional GSSAPI tie-in – tied into PAM and BSM, and HEIMDAL – part of making OpenSSH in 10.4.x kerberized. By default is turned on (refer to sshd_config man page under Tiger, applies to Protocol 2 ONLY) Supports lack of hostkey, reverts to “null” method of keying (from sshd.c)
    +#ifndef GSSAPI
    +       /* The GSSAPI key exchange can run without a host key */
            if ((options.protocol & SSH_PROTO_2) && !sensitive_data.have_ssh2_key) {
                    logit("Disabling protocol version 2. Could not load host key");
                    options.protocol &= ~SSH_PROTO_2;
            }
    +#endif
    
  • Support for using memberd for resolving group memberships and to see if Serivce ACLs permit user to use ssh
  • Capabilities support. in sshd_config:
    +# SACL options
    +#SACLSupport yes
    
  • Extended attributes and resource fork support when copying between two 10.4.x systems – option -E for scp, implementation in copyfile.h and scp.c. Seems like metadata gets collected into an additional file, that gets transfered same way as a file would be, at gets re-applied on the other end.
  • Note: openssh/compat.c contains a list of all the “known” implementations of SSH clients, and what bugs they have. Quite an interesting read.

That’s about all I’ve noticed.

Now, regarding SRV lookups…. I’ve not noticed anything magic in the source that causes that to happen. Maybe that’s part of GSSAPI stuff – I frankly weren’t looking too closely. Maybe it’s something that libSystem.B.dylib does on behalf of ssh. Further investigation is needed, as it didn’t jump out at me. Sorry, Adam.

Update: I guess I should have been clearer. I did compile stock OpenSSH 3.8.1p1, and saw what kind of DNS queries it attempted. If the system in question is in /etc/hosts, it does no DNS quieries. If the system is not in /etc/hosts, all it looks at is

17:28:37.287350 IP 10.9.15.194.51980 > 10.9.15.1.domain:  52104+ A? www.epals.com. (31)
17:28:37.593401 IP 10.9.15.1.domain > 10.9.15.194.51980:  52104 1/2/2 A www.epals.com (128)
17:28:38.211709 IP 10.9.15.194.51981 > 10.9.15.1.domain:  55591+ PTR? 1.15.9.10.in-addr.arpa. (40)
17:28:38.212701 IP 10.9.15.1.domain > 10.9.15.194.51981:  55591 NXDomain 0/1/0 (117)
17:28:38.217308 IP 10.9.15.194.51982 > 10.9.15.1.domain:  6539+ PTR? 116.141.26.64.in-addr.arpa. (44)
17:28:38.333627 IP 10.9.15.1.domain > 10.9.15.194.51982:  6539 2/2/2 CNAME 116.96-127.141.26.64.in-addr.arpa., PTR www.epals.com. (190)

(Yes, I enjoy attempting to ssh to epals.com, as most assuredly it would not be an IP address in my /etc/hosts)

On the other hand, Apple’s implementation of OpenSSH does these regardless if the system in question is in /etc/hosts or not:

17:30:25.107046 IP 10.9.15.194.51989 > 10.9.15.1.domain:  50351+ SRV? _telnet._tcp.iskra.ottix.net. (46)
17:30:25.108158 IP 10.9.15.1.domain > 10.9.15.194.51989:  50351 NXDomain 0/1/0 (86)
17:30:25.108981 IP 10.9.15.194.51990 > 10.9.15.1.domain:  3246+ SRV? _telnet._tcp.iskra.ottix.net. (46)
17:30:25.109571 IP 10.9.15.194.51991 > 10.9.15.1.domain:  3821+ SRV? _telnet._tcp.iskra.ottix.net.bhwireless.com. (61)
17:30:25.110614 IP 10.9.15.1.domain > 10.9.15.194.51990:  3246 NXDomain 0/1/0 (86)
17:30:25.110937 IP 10.9.15.1.domain > 10.9.15.194.51991:  3821 NXDomain 0/1/0 (134)
17:30:25.111186 IP 10.9.15.194.51992 > 10.9.15.1.domain:  7928+ SRV? _telnet._tcp.iskra.ottix.net.bhwireless.com. (61)
17:30:25.112891 IP 10.9.15.1.domain > 10.9.15.194.51992:  7928 NXDomain 0/1/0 (134)
[...]
stany@gilva:~/src/ssh/openssh-3.8.1p1[05:30 PM]$ grep ottix /etc/hosts 
192.231.228.2   iskra.ottix.net www.ottix.net
stany@gilva:~/src/ssh/openssh-3.8.1p1[05:30 PM]$ uname -a
Darwin gilva.local 8.1.0 Darwin Kernel Version 8.1.0: Tue May 10 18:16:08 PDT 2005; root:xnu-792.1.5.obj~4/RELEASE_PPC Power Macintosh powerpc
stany@gilva:~/src/ssh/openssh-3.8.1p1[05:30 PM]$ 

Another interesting side effect: Usually Apple’s sshd (enabled in control panels -> sharing -> Remote Login) registers itself with Rendez-Vous/ZeroConf. I have a piece of software called Rawr-Endezvous (0.6.b3, with my modifications to Growl framework 0.7. Newer versions of it just keep on dieing for me whenever I change location or enable/disable service,so I keep on waiting when Jereme Knope will fix it), that throws up a pop-up on my screen whenever new service is discovered. If one is to disable Remote Login in Sharing control panel, and start Apple’s ssh by hand, it registers the service as ZeroConf. If one starts up a stock OpenSSHD compiled from source, it doesn’t. I wonder if part of the problem is Apple’s patch to enable zeroconf in OpenSSH.

stany@gilva:~/src/ssh/openssh-3.8.1p1[05:38 PM]$ sudo ./sshd -f /etc/sshd_config -h /etc/ssh_host_key -h /etc/ssh_host_rsa_key -h /etc/ssh_host_dsa_key -d
debug1: sshd version OpenSSH_3.8.1p1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.

(Remove -d if you want sshd to run in daemon mode).

3 thoughts to “Tiger: Differences between stock and Apple OpenSSH”

  1. The same DNS behavior that you describe is about to get me and my Mac (10.4.2) banned / disconnected by my ISP (Rogers.com), who say that my box is abusing their DNS to the tune of dozens of queries per second!

    When they say the abuse was happening I was running 10.4.2, I’ve just now updated to Security Update 2005-007 (v1.1) – but have no way to tell if the issue is fixed or not until after they ban me (again) – their 2nd level tech support (“EULA enforcement team”) was no real help.

    So far this page, and the other blog linked from here are my only sources of real information, but as a Java guy (not a network guy) I’m way out of my depth trying to understand what’s going on.

    I seem to have the same ssh binary as you do – 10.4.2 w/ Sec-Updt 2005-007(1.1):
    b582a5b1da5999b6832dec6cb9477917 /usr/bin/ssh
    a928873e32134ef8b21ed3082b744b5c /usr/sbin/sshd

    My next step is to try building OpenSSH_p and run the resulting sshd instead of /usr/sbin/sshd (thanks for the tip!)

    In the meantime I’ve disabled the sshd on both the Mac and the GentooLinux box just to be safe. (Don’t know how I’ll manage without being able to ssh back home from work, but hopefully I can continue like this until I get a replacement sshd

    FYI, their auto-generated nasty-gram included the following log snippet:

    Date Time, Src, Query, Query type
    2005-08-24 10:03:02.87574, 24.157.68.55, telnet.tcp.quickbeam.rogers.com., Internet Unknow
    2005-08-24 10:03:02.89364, 24.157.68.55, quickbeam.slnt.phub.net.cable.rogers.com., Internet Addr ?
    2005-08-24 10:03:02.91165, 24.157.68.55, quickbeam.slnt.phub.net.cable.rogers.com., Internet Addr ?
    2005-08-24 10:03:02.92965, 24.157.68.55, quickbeam.phub.net.cable.rogers.com., Internet Addr ?
    2005-08-24 10:03:02.94782, 24.157.68.55, quickbeam.phub.net.cable.rogers.com., Internet Addr ?

    Date Time,Dst,Query,Response
    2005-08-24 10:03:2.87637,24.157.68.55,Error:,3(Name Error)
    2005-08-24 10:03:2.89392,24.157.68.55,Error:,3(Name Error)
    2005-08-24 10:03:2.91205,24.157.68.55,Error:,3(Name Error)
    2005-08-24 10:03:2.93289,24.157.68.55,Error:,3(Name Error)
    2005-08-24 10:03:2.94814,24.157.68.55,Error:,3(Name Error)

    …where “quickbeam” is the host name of my Mac (behind a Cable/DSL Router)

    Many thanks for the info,
    ./ddd

    PS – appologies for the (mis-?)formatting but a quick look turned up no post-syntax guide.

Comments are closed.