Use of OpenSSH Support for Remote Login to a Multilevel Secure System

Calhoun: The NPS Institutional Archive, Theses and Dissertations, Thesis Collection, 2004-12.
Herbig, Christopher Fred. Use of OpenSSH support for remote login to a multilevel secure system. Monterey, California: Naval Postgraduate School. http://hdl.handle.net/10945/1258

NAVAL POSTGRADUATE SCHOOL, MONTEREY, CALIFORNIA

THESIS

USE OF OPENSSH SUPPORT FOR REMOTE LOGIN TO A MULTILEVEL SECURE SYSTEM
by Christopher Fred Herbig, December 2004
Thesis Advisor: Cynthia E. Irvine
Thesis Co-Advisor: Thuy D. Nguyen
Approved for public release; distribution is unlimited.

REPORT DOCUMENTATION PAGE (Standard Form 298, Rev. 2-89, prescribed by ANSI Std. 239-18; Form Approved OMB No. 0704-0188; NSN 7540-01-280-5500)

Report date: December 2004
Report type and dates covered: Master's Thesis
Title and subtitle: Use of OpenSSH Support for Remote Login to a Multilevel Secure System
Author: Christopher Fred Herbig
Performing organization: Naval Postgraduate School, Monterey, CA 93943-5000
Sponsoring/monitoring agency: N/A
Supplementary notes: The views expressed in this thesis are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.
Distribution/availability statement: Approved for public release; distribution is unlimited.
Subject terms: OpenSSH, XTS-400, Remote Login
Number of pages: 225
Security classification of report, of this page and of abstract: Unclassified
Limitation of abstract: UL

USE OF OPENSSH SUPPORT FOR REMOTE LOGIN TO A MULTILEVEL SECURE SYSTEM

Christopher F. Herbig
Civilian, Naval Postgraduate School
B.S., St. Edward's University, 2002

Submitted in partial fulfillment of the requirements for the degree of Master of Science in Computer Science from the Naval Postgraduate School, December 2004

Author: Christopher Fred Herbig
Approved by: Cynthia E. Irvine, Thesis Advisor; Thuy D. Nguyen, Co-Advisor; Peter J. Denning, Chairman, Department of Computer Science

ABSTRACT

Complex multilevel secure (MLS) architectures are emerging that require user identification and authentication services not only over multilevel connections but also from pre-existing single-level networks. The XTS-400 can be used as a server in such environments. Trusted devices are required for user login over multilevel connections; single-level remote login facilities, however, do not require such client-side devices, so a more lightweight mechanism is possible. The XTS-400 has no remote login capability for use over single-level networks, and that capability is a desired feature in complex multilevel architectures. OpenSSH is an application, developed for OpenBSD, that uses the SSH protocol to provide secure remote logins and an interactive command interface. OpenSSH was ported to the XTS-400 in order to provide this remote login capability. The porting process identified differences between the original development platform for OpenSSH and the XTS-400; solutions, in the form of source code modifications, were made to overcome the compatibility problems encountered during the port. Testing was conducted to ensure that the port was successful and did not violate any security policy enforced by the XTS-400.

TABLE OF CONTENTS

I. INTRODUCTION  1
   A. MOTIVATION OF STUDY  1
   B. PURPOSE OF STUDY  2
   C. ORGANIZATION OF PAPER  2
II. BACKGROUND  3
   A. ARCHITECTURAL BACKGROUND  3
      1. MYSEA Project  3
      2. OpenSSH  4
         a. Overview of OpenSSH  4
         b. SSH Clients  5
         c. Authentication  5
         d. Modes of Operation  7
   B. PORTING BACKGROUND  9
      1. BSD Discussion  9
      2. XTS-400  10
   C. SOFTWARE DEPENDENCIES  12
      1. Zlib  13
      2. OpenSSL  13
      3. Entropy Gathering Daemon  14
      4. MYSEA Libraries  14
III. INTEGRATION OF OPENSSH ONTO THE XTS-400  15
   A. GOALS  15
   B. METHODOLOGY  15
   C. PORTING RESULTS  16
   D. CHALLENGES ENCOUNTERED  16
      1. System Features  16
      2. System Functions  17
      3. System Files  19
      4. Environment  22
IV. INTEGRATION TESTING  23
   A. DEVELOPMENTAL TESTING  23
      1. Test Plan  23
         a. MAC Policy Enforcement  24
         b. DAC Policy Enforcement  27
         c. TPE Testing with Files Created by OpenSSH  29
         d. TPE Testing with Files Modified by OpenSSH  31
         e.

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    226 pages
