Recent discoveries in illumos demonstrate cases where Address Space Layout Randomization (ASLR) can or should be used. Making the SSH daemon use ASLR will make its child processes also use ASLR. It's a good idea for hygiene.
Dan McDonald commented on 2025-06-17T13:02:43.496-0400:
Initial build testing demonstrates efficacy:
smartos-build-2(~)[0]% cd smartos-live-DEBUG/projects/illumos-extra
smartos-build-2(projects/illumos-extra)[0]% git show --stat -1
commit 77e489bc47077d265368c5be555d7784ed2e4041 (HEAD -> OS-8669, origin/OS-8669, origin/HEAD)
Author: Dan McDonald <danmcd@mnx.io>
Date: Tue Jun 17 10:45:11 2025 -0400
OS-8669 Build SSH with ASLR enabled
Makefile.defs | 6 ++++++
openssh/Makefile | 1 +
2 files changed, 7 insertions(+)
smartos-build-2(projects/illumos-extra)[0]% cd ../..
smartos-build-2(~/smartos-live-DEBUG)[0]% foreach a ( /usr/bin/ssh* /usr/lib/ssh/ssh* )
foreach? echo $a ; pfexec elfdump $a | grep -i aslr
foreach? echo proto/$a ; elfdump proto/$a | grep -i aslr
foreach? end
/usr/bin/ssh
proto//usr/bin/ssh
[33] SUNW_ASLR 0x1
/usr/bin/ssh-add
proto//usr/bin/ssh-add
[32] SUNW_ASLR 0x1
/usr/bin/ssh-agent
proto//usr/bin/ssh-agent
[32] SUNW_ASLR 0x1
/usr/bin/ssh-keygen
proto//usr/bin/ssh-keygen
[32] SUNW_ASLR 0x1
/usr/bin/ssh-keyscan
proto//usr/bin/ssh-keyscan
[32] SUNW_ASLR 0x1
/usr/lib/ssh/ssh-keysign
proto//usr/lib/ssh/ssh-keysign
[32] SUNW_ASLR 0x1
/usr/lib/ssh/ssh-pkcs11-helper
proto//usr/lib/ssh/ssh-pkcs11-helper
[32] SUNW_ASLR 0x1
/usr/lib/ssh/sshd
proto//usr/lib/ssh/sshd
[37] SUNW_ASLR 0x1
/usr/lib/ssh/sshd-auth
proto//usr/lib/ssh/sshd-auth
[39] SUNW_ASLR 0x1
/usr/lib/ssh/sshd-session
proto//usr/lib/ssh/sshd-session
[39] SUNW_ASLR 0x1
smartos-build-2(~/smartos-live-DEBUG)[0]%
Dan McDonald commented on 2025-06-18T15:02:43.963-0400:
Deployment on Triton head node shows nothing obviously wrong with day-to-day operations, and the ssh-in shell is ASLR’ed:
[root@moe (kebecloud) ~]# ptree $$
6796 /usr/lib/ssh/sshd
50032 /usr/lib/ssh/sshd-session -R
50044 /usr/lib/ssh/sshd-session -R
50045 -bash
50152 ptree 50045
[root@moe (kebecloud) ~]# psecflags $$
50045: -bash
E: aslr
I: aslr
L: none
U: aslr,forbidnullmap,noexecstack
[root@moe (kebecloud) ~]# psecflags 6796
6796: /usr/lib/ssh/sshd
E: aslr
I: aslr
L: none
U: aslr,forbidnullmap,noexecstack
[root@moe (kebecloud) ~]# psecflags 50032
50032: /usr/lib/ssh/sshd-session -R
E: aslr
I: aslr
L: none
U: aslr,forbidnullmap,noexecstack
[root@moe (kebecloud) ~]# psecflags 50044
50044: /usr/lib/ssh/sshd-session -R
E: aslr
I: aslr
L: none
U: aslr,forbidnullmap,noexecstack
[root@moe (kebecloud) ~]#
[root@moe (kebecloud) ~]# sleep 10 &
[1] 50185
[root@moe (kebecloud) ~]# psecflags 50185
50185: sleep 10
E: aslr
I: aslr
L: none
U: aslr,forbidnullmap,noexecstack
[root@moe (kebecloud) ~]# wait
[1]+ Done sleep 10
[root@moe (kebecloud) ~]#
Dan McDonald commented on 2025-06-18T15:04:31.218-0400:
We had to add <method_context security_flags='aslr' /> to the xml file for the ssh service. Thanks to OmniOS for making that clear in their commit history.
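A small audit script for the two checks used in these comments (the SUNW_ASLR dynamic tag from elfdump, and the psecflags sets of a running process), added here as an example and not part of the ticket or the illumos-extra build. Only audit_binary assumes illumos's elfdump, psecflags and pgrep; the parsers run anywhere with sh and awk on the constructed SAMPLE_* strings.

```shell
# Added audit helper for the OS-8669 change above (not the ticket's or the
# illumos-extra build's code). It parses the two outputs the ticket relies on:
# elfdump's dynamic section (SUNW_ASLR tag) and psecflags' per-process sets.
# The SAMPLE_* strings are constructed from the ticket transcript.

# Return 0 when elfdump -d output on stdin shows SUNW_ASLR set to 0x1.
elf_has_aslr() {
    grep -Eq 'SUNW_ASLR[[:space:]]+0x1([[:space:]]|$)'
}

# Print the flag set for one psecflags category (E, I, L or U) read from
# stdin; psecflags prints "none" for an empty set.
psecflags_set() {
    awk -v want="$1:" '$1 == want { print $2; exit }'
}

# Return 0 when the comma-separated flag set $2 contains flag $1.
set_has() {
    case ",$2," in *",$1,"*) return 0 ;; esac
    return 1
}

# Return 0 only if psecflags output on stdin has aslr both effective (E) and
# inheritable (I): E covers this process, I is what makes sshd's children
# (sshd-session, the login shell, its commands) get it too.
proc_aslr_ok() {
    out=$(cat)
    e=$(printf '%s\n' "$out" | psecflags_set E)
    i=$(printf '%s\n' "$out" | psecflags_set I)
    set_has aslr "$e" && set_has aslr "$i"
}

# On an illumos host: check a binary's ELF tag and every running instance.
audit_binary() {
    elfdump -d "$1" | elf_has_aslr || { echo "$1: no SUNW_ASLR tag"; return 1; }
    for pid in $(pgrep -f "^$1"); do
        psecflags "$pid" | proc_aslr_ok ||
            { echo "$1 pid $pid: aslr not effective+inheritable"; return 1; }
    done
}
# Constructed samples: the ticket's sshd output, plus a pre-change case.
SAMPLE_ELF_ASLR='[37] SUNW_ASLR 0x1'
SAMPLE_PSECFLAGS_OK='6796: /usr/lib/ssh/sshd
E: aslr
I: aslr
L: none
U: aslr,forbidnullmap,noexecstack'
SAMPLE_PSECFLAGS_OFF='E: none
I: none'
```

Run audit_binary /usr/lib/ssh/sshd on a host after the change; a non-zero exit names the first binary or process that is missing the tag or the inheritable flag.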