OpenBSD Journal

sshd random relinking at boot

Contributed by rueda on from the sshd-mk-thngs-hrdr dept.

As with library order randomisation (libc.so/libcrypto/ld.so) at boot and kernel relinking at boot, boot time relinking of sshd(8) is now implemented in -current. Theo de Raadt committed the changes:

CVSROOT:	/cvs
Module name:	src
Changes by:	deraadt@cvs.openbsd.org	2023/01/18 13:43:15

Modified files:
	usr.bin/ssh/sshd: Makefile 

Log message:
Create and install sshd random relink kit.
../Makefile.inc and Makfile are concatenated for reuse, which hopefully won't
be too fragile, we'll see if we need a different approach.
The resulting sshd binary is tested with the new sshd -V option before
installation.  As the binary layout is now semi-unknown (meaning
relative, fixed, and gadget offsets are not precisely known), change
the filesystem permissions to 511 to prevent what I call "logged in BROP".
I have ideas for improving this further but this is a first step
ok djm

and

CVSROOT:	/cvs
Module name:	src
Changes by:	deraadt@cvs.openbsd.org	2023/01/18 13:44:40

Modified files:
	etc            : rc 

Log message:
process the sshd random-relink kit if it is found.  sshd's text segment
is now garbled, and in the future xonly univirse you'll have poor success
downloading it or libc to know where gadgets are.
ok djm

Please test aggressively.

We look forward to the next steps hinted at in the first of these commit messages.

If this works out, there are indications other early-boot network daemons will get similar treatement sooner rather than later.


Latest Articles

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]