Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. OpenSSH>
  3. Bugs
[Bug 702] dont call userauth_finish after auth2_challenge_stop
bugzilla-daemon at mindrot
Sep 22, 2003, 8:55 AM
Post #1 of 10 (1464 views)
Permalink
http://bugzilla.mindrot.org/show_bug.cgi?id=702

Summary: dont call userauth_finish after auth2_challenge_stop
Product: Portable OpenSSH
Version: 3.7.1p1
Platform: UltraSparc
OS/Version: Solaris
Status: NEW
Severity: major
Priority: P2
Component: PAM support
AssignedTo: openssh-bugs@mindrot.org
ReportedBy: paul.a.bolton@bt.com


Very occasionally users are experiencing sessions bailing on authentication with
a "fatal: ssh_msg_send: write". After some analysis is seems that the common
factor is a Solaris account management module is printing a message via the
conversation function (e.g. Your password will expire in 7 days...).

It looks as if in auth2-chall.c in input_userauth_info_response() is the
culprit. auth2_challenge_stop() will eventually cause sshpam_free_ctx() to be
called in auth-pam.c, which will free ctxt. This contains important file
descriptors for the conversation function, which get closed before the free
(which is correct).

userauth_finish() can call do_account() if PAM is enabled. As
auth2_challenge_stop() is getting called beforehand, if the module generates
messages invalid references for FD's are found (probably because the memory has
been malloc'ed again no SEGV) and the error detailed above is activated.

It seems that it is possible to call auth2_challenge_stop() after
userauth_finish(). However there are a few comments in the code I have seen that
I don't like in relation to doing this. I will attach a patch with this bug.
Please can you advise on any possible issues in doing this, as the change would
probably need more sanity checking.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 702] dont call userauth_finish after auth2_challenge_stop [ In reply to ]
bugzilla-daemon at mindrot
Sep 22, 2003, 8:57 AM
Post #2 of 10 (1447 views)
Permalink
http://bugzilla.mindrot.org/show_bug.cgi?id=702





------- Additional Comments From paul.a.bolton@bt.com 2003-09-23 02:57 -------
Created an attachment (id=447)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=447&action=view)
call auth2_challenge_stop after userauth_finish

Biggest concern (at present) along with the comments in the original bug
submission is the comment " may set authctxt->postponed" for
auth2_challenge_start.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 702] dont call userauth_finish after auth2_challenge_stop [ In reply to ]
bugzilla-daemon at mindrot
Sep 22, 2003, 10:11 AM
Post #3 of 10 (1445 views)
Permalink
http://bugzilla.mindrot.org/show_bug.cgi?id=702

markus@openbsd.org changed:

What |Removed |Added
----------------------------------------------------------------------------
Attachment #447 is|0 |1
obsolete| |



------- Additional Comments From markus@openbsd.org 2003-09-23 04:11 -------
Created an attachment (id=448)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=448&action=view)
alternative patch.

perhaps something like this?



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 702] dont call userauth_finish after auth2_challenge_stop [ In reply to ]
bugzilla-daemon at mindrot
Sep 22, 2003, 10:18 AM
Post #4 of 10 (1457 views)
Permalink
http://bugzilla.mindrot.org/show_bug.cgi?id=702

markus@openbsd.org changed:

What |Removed |Added
----------------------------------------------------------------------------
Attachment #448 is|0 |1
obsolete| |



------- Additional Comments From markus@openbsd.org 2003-09-23 04:18 -------
Created an attachment (id=449)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=449&action=view)
call userauth_finish early

i don't see, why userauth finish cannot be called early....



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 702] dont call userauth_finish after auth2_challenge_stop [ In reply to ]
bugzilla-daemon at mindrot
Sep 22, 2003, 10:31 AM
Post #5 of 10 (1448 views)
Permalink
http://bugzilla.mindrot.org/show_bug.cgi?id=702





------- Additional Comments From paul.a.bolton@bt.com 2003-09-23 04:31 -------
That would be the way to maintain that part of the original logic. My concern is
in the form of the question "should we act upon the potentially changed value of
authctxt->postponed within the same call to input_userauth_info_response() ?"

Looking at auth2_challenge_stop() seems to suggest (on the face of it) the
original patch would be correct, as this function removes a callback from the
dispatch table and frees the kbdintctxt memory. The patch avoids adding more
(potentially unnecessary) variables into the code.

So, is it a case that it is safe to do, or was the original comment a warning
against doing what I have just described?

Obviously, if no-one can answer that, then play safe and go with the change to
the patch that you have submitted.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 702] dont call userauth_finish after auth2_challenge_stop [ In reply to ]
bugzilla-daemon at mindrot
Sep 22, 2003, 10:37 AM
Post #6 of 10 (1450 views)
Permalink
http://bugzilla.mindrot.org/show_bug.cgi?id=702





------- Additional Comments From paul.a.bolton@bt.com 2003-09-23 04:37 -------
I dont think you can call userauth_finish() early as auth2_challenge_start will
call the init_ctx. So for PAM this is sshpam_init_ctx(), which will set up PAM
including calling pam_start(). Calling any PAM function before pam_start() is bad.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 702] dont call userauth_finish after auth2_challenge_stop [ In reply to ]
bugzilla-daemon at mindrot
Sep 22, 2003, 11:38 PM
Post #7 of 10 (1447 views)
Permalink
http://bugzilla.mindrot.org/show_bug.cgi?id=702

paul.a.bolton@bt.com changed:

What |Removed |Added
----------------------------------------------------------------------------
Attachment #447 is|1 |0
obsolete| |





------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 702] dont call userauth_finish after auth2_challenge_stop [ In reply to ]
bugzilla-daemon at mindrot
Sep 22, 2003, 11:38 PM
Post #8 of 10 (1446 views)
Permalink
http://bugzilla.mindrot.org/show_bug.cgi?id=702

paul.a.bolton@bt.com changed:

What |Removed |Added
----------------------------------------------------------------------------
Attachment #448 is|1 |0
obsolete| |





------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 702] dont call userauth_finish after auth2_challenge_stop [ In reply to ]
bugzilla-daemon at mindrot
Sep 22, 2003, 11:39 PM
Post #9 of 10 (1447 views)
Permalink
http://bugzilla.mindrot.org/show_bug.cgi?id=702

paul.a.bolton@bt.com changed:

What |Removed |Added
----------------------------------------------------------------------------
Attachment #449 is|0 |1
obsolete| |





------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 702] dont call userauth_finish after auth2_challenge_stop [ In reply to ]
bugzilla-daemon at mindrot
Sep 23, 2003, 2:07 AM
Post #10 of 10 (1472 views)
Permalink
http://bugzilla.mindrot.org/show_bug.cgi?id=702





------- Additional Comments From markus@openbsd.org 2003-09-23 20:07 -------
yes, my last patch was broken.

when authentication fails and postpone is not
set, then we need to call challenge_start _before_
userauth_finish because _start will set postpone
if it sends a packet to the client. if this is the
case then userauth_finish will behave different
and send _no_ failure packet. so the patch 448
or 447 are better.

however, the comments in the code need to explain
the mess better.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal