Try   HackMD

Tracing sshd (hard mode)

Introduction

TODO: write about why I did this

The data we wanted from the tracing:

  • authentications
    • login of user
    • time & date
    • if it succeeded
  • ssh sessions
    • start time
    • end time
    • commands that were ran inside
      • arguments to the command
      • return value
      • duration

My first attempt

After knowing this I was really excited and eager to finally do something with eBPF (as I had only read about it).

My first step was to download OpenSSH's source code and find the functions that were of interest (which one did authentication, take care of commands, ).
Once that was done I recompiled OpenSSH on my machine in order to have debug symbols.

Next I just wrote a small bpftrace PoC that got the data we wanted.
Happy that I had finished all this quickly I went to show my work.
That is when I learned that the whole point of using eBPF was its non-obstrusctivity, we could just run the script on an already running server and get the data we needed, without modifying the environment.

Another downside to my reliance on symbols was that I was using a header with the struct definitions from sshd.h.
If the definitions were modified and sshd updated, my script would be broken by looking at the wrong data.

Second attempt

The solution to tracing sshd without its symbols is just to look at the syscalls it makes.
(maybe there is another way but I haven't found it)
I spent a day thinking about it and I was thinking that this idea was completely stupid and error prone and was going to give false data.

I had to dig much more into sshd's source and after some time I started to release it was always the same pattern, there were lots calls to fork.

At first I really didn't get it until I learned about the privsep(TODO: link to something explaining privsep?) mechanism.

Consequently I realised that each child was performing a specific action.

If I could get a good understanding of how the children were interacting, when they were being created etc I could get a good view of sshd from the outside by only looking at syscalls.

After a bit of time reading source code, monitoring sshd and lots of tinkering with bpftrace this is the diagram I came up with:

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Once I had the diagram, it was just a matter of writing eBPF probes and tracking who was making the syscalls and who were the parents of the callees.
By doing this I could easily trace sshd.
Writing the eBPF program was pretty trivial, the hardest part was understanding sshd.

You can find the source code in with_syscalls/ssh_sessions/

Last changed by 
Martin Schmidt
0
373

Read more

Plaintes Constructives 10/06/2021

Plaintes constructives pour la réunion du 10/06/2021 ARINC Arinc et son boycott. La norme ARINC est assez niche, peu de gens vont s'en servir dans leur futur metier: ce cours a-t-il vraiment sa place dans la majeure ? Le vrai probleme que j'ai avec ARINC, c'est la dose de travail pour l'apport du cours. Si je veux arriver a rendre le TP de la semaine 3 (FFT) je devrais passer au moins 3 jours (si ce n'est bcp plus) sur les 7 d'une semaine. Derriere ce travail j'ai l'impression que je n'apprends rien. Je n'ai tout simplement pas le temps de bosser autant pour un cours que je considere comme inutile dans mon parcours. Je prefere "boycotter" le cours et passer mon temps a travailler sur des projets utiles : BSP, K, PFE/Projet RDI etc. D'autant plus que ce qu'on fait n'a au final pas de relation avec la norme ARINC, c'est juste un cours de langage, qui n'est utilisé par personne Les TPs d'ARINC pourraient se résumer à de la "bidouille", autrement dit on passe plus de temps à chercher comment compiler tout ce cambouis plutôt qu'à comprendre ce que l'on fait réellement. Apres 5 cours d'ARINC, je ne sais pas ce que c'est que la norme d'ARINC. Si je devais passer un entretiens technique, je serais incapable de dire quoi que ce soit et je serais recale. WinIOT

Jun 10, 2021
Read more from Martin Schmidt
Published on HackMD