authordjm@openbsd.org <djm@openbsd.org>2024-10-14 03:57:50 +0200
committerDamien Miller <djm@mindrot.org>2024-10-14 05:01:37 +0200
commit6072e4c9385713e9c166f32cfca6a7e603d4f0b8 (patch)
treeea07b20ea04f48014ec2b958b432e3b6fc0b3b18 /sandbox-capsicum.c
parentupstream: don't start the ObscureKeystrokeTiming mitigations if (diff)
downloadopenssh-6072e4c9385713e9c166f32cfca6a7e603d4f0b8.tar.xz
openssh-6072e4c9385713e9c166f32cfca6a7e603d4f0b8.zip
upstream: Split per-connection sshd-session binary
This splits the user authentication code from the sshd-session binary into a separate sshd-auth binary. This will be executed by sshd-session to complete the user authentication phase of the protocol only. Splitting this code into a separate binary ensures that the crucial pre-authentication attack surface has an entirely disjoint address space from the code used for the rest of the connection. It also yields a small runtime memory saving as the authentication code will be unloaded after the authentication phase completes. Joint work with markus@ feedback deraadt@ Tested in snaps since last week OpenBSD-Commit-ID: 9c3b2087ae08626ec31b4177b023db600e986d9c
Diffstat (limited to 'sandbox-capsicum.c')
-rw-r--r--sandbox-capsicum.c26
1 files changed, 4 insertions, 22 deletions
diff --git a/sandbox-capsicum.c b/sandbox-capsicum.c
index 11045251c..7ebebf011 100644
--- a/sandbox-capsicum.c
+++ b/sandbox-capsicum.c
@@ -45,8 +45,8 @@
*/
struct ssh_sandbox {
- struct monitor *monitor;
- pid_t child_pid;
+ int m_recvfd;
+ int m_log_sendfd;
};
struct ssh_sandbox *
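Review bot: The new `m_recvfd` and `m_log_sendfd` members of `struct ssh_sandbox` are undocumented, and the same commit deletes the comment in `ssh_sandbox_init()` that used to explain what state the box holds. A short comment on each member would help, for example `int m_recvfd; /* copy of monitor->m_recvfd taken in ssh_sandbox_init() */`. It should also say whether `m_log_sendfd` may be -1 and whether the box is expected to close either descriptor. How `ssh_sandbox_child()` uses the two values is outside this hunk.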
@@ -54,15 +54,10 @@ ssh_sandbox_init(struct monitor *monitor)
{
struct ssh_sandbox *box;
- /*
- * Strictly, we don't need to maintain any state here but we need
- * to return non-NULL to satisfy the API.
- */
debug3("%s: preparing capsicum sandbox", __func__);
box = xcalloc(1, sizeof(*box));
- box->monitor = monitor;
- box->child_pid = 0;
-
+ box->m_recvfd = monitor->m_recvfd;
+ box->m_log_sendfd = monitor->m_log_sendfd;
return box;
}
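Review bot: `ssh_sandbox_init()` now dereferences `monitor` on the two added assignment lines, where the old code only stored the pointer, so a NULL argument that used to be harmless would now crash before the sandbox is set up. Whether any caller can pass NULL is not visible in this hunk; if one can, a guard such as `if (monitor == NULL) fatal("%s: no monitor", __func__);` before the `xcalloc` makes the failure explicit. The descriptors are also copied by value at init time, so if the monitor's descriptors are closed or replaced before `ssh_sandbox_child()` runs, the box would presumably act on stale descriptor numbers. A one-line comment stating that they must stay open and unchanged until then would record that assumption.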
@@ -112,17 +107,4 @@ ssh_sandbox_child(struct ssh_sandbox *box)
}
-void
-ssh_sandbox_parent_finish(struct ssh_sandbox *box)
-{
- free(box);
- debug3("%s: finished", __func__);
-}
-
-void
-ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid)
-{
- box->child_pid = child_pid;
-}
-
#endif /* SANDBOX_CAPSICUM */