
Bugreport: OpenSSH-1.2.2 Server for Linux (glibc 2.1.2)
Hi,

I would like to report a bug in OpenSSH-1.2.2 (release) under Linux.

Under certain conditions the sshd client process segfaults while doing
the password authentication. I have observed the behaviour with
glibc 2.0.7 (non-PAM), glibc 2.1.1 (PAM) and glibc 2.1.2 (PAM), when
'RhostsRSAAuthentication yes' is chosen in sshd_config. It appears to
happen regardless whether PAM is used or not (but under slightly
different conditions). With glibc 2.0.7/2.1.1 it happens at the first
password authentication attempt, while with glibc 2.1.2 things are a
bit more complicated:

With PAM enabled the segfault happens at the second or third password
authentication attempt regardless whether this attempt would have
succeeded (i.e. when I entered the right password) or not. With PAM
disabled (--without-pam) I was only able to observe it at a password
authentication attempt > 1 when this attempt would have succeeded.

Here is a debugger session on a glibc 2.1.2 (SuSE 6.3) system, where
sshd was compiled with PAM enabled, the sshd_config file was the
example file from openssh-1.2.2.tar.gz where

RhostsRSAAuthentication yes

has been set:

(gdb) run
Starting program: /home/bernd/download/openssh-1.2.2/sshd -d -f sshd_config
debug: sshd version OpenSSH-1.2.2
debug: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from 127.0.0.1 port 890
debug: Client protocol version 1.5; client software version OpenSSH-1.2.2
debug: Sent 768 bit public key and 1023 bit host key.
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
debug: Starting up PAM with username "bernd"
debug: Attempting authentication for bernd.
debug: Trying rhosts with RSA host authentication for bernd
Failed rhosts-rsa for bernd from 127.0.0.1 port 890 ruser bernd
debug: PAM Password authentication for "bernd" failed: Authentication failure
Failed password for bernd from 127.0.0.1 port 890

Program received signal SIGSEGV, Segmentation fault.
0x400b0ef2 in chunk_alloc (ar_ptr=0x40149ba0, nb=16) at malloc.c:2707
2707 malloc.c: No such file or directory.
(gdb) where
#0 0x400b0ef2 in chunk_alloc (ar_ptr=0x40149ba0, nb=16) at malloc.c:2707
#1 0x400b0e14 in __libc_malloc (bytes=8) at malloc.c:2651
#2 0x804ec58 in pamconv (num_msg=1, msg=0xbfffeca0, resp=0xbfffeca4,
appdata_ptr=0x0) at auth-pam.c:43
#3 0x40019911 in __get_authtok () from /lib/security/pam_unix.so
#4 0x40017a5d in pam_sm_authenticate () from /lib/security/pam_unix.so
#5 0x4004f648 in pam_fail_delay () from /lib/libpam.so.0
#6 0x4004f9ce in _pam_dispatch () from /lib/libpam.so.0
#7 0x400512cc in pam_authenticate () from /lib/libpam.so.0
#8 0x804ef47 in auth_pam_password (pw=0xbffff24c, password=0x80826c0 "asdf")
at auth-pam.c:136
#9 0x804c75d in do_authloop (pw=0xbffff24c) at sshd.c:1445
#10 0x804c329 in do_authentication () at sshd.c:1248
#11 0x804bb58 in main (ac=4, av=0xbffff8a4) at sshd.c:873


I hope this report helps in finding the bug. If you would like me to
perform further tests, please let me know.

Best regards,

Stefan
and Bernd (who originally found this behavior)

-------------------------------------------------------------------
Email: Stefan.Heinrichs@uni-konstanz.de
Address: Fakulaet fuer Physik, Universitaet Konstanz,
Universitaetsstr.10, 78457 Konstanz, Germany
Phone: +49 7531 88 3814
Re: Bugreport: OpenSSH-1.2.2 Server for Linux (glibc 2.1.2)
On Wed, 2 Feb 2000, Stefan Heinrichs wrote:

> Hi,
>
> I would like to report a bug in OpenSSH-1.2.2 (release) under Linux.
>
> Under certain conditions the sshd client process segfaults while doing
> the password authentication. I have observed the behaviour with

This has been fixed:

Index: sshd.c
===================================================================
RCS file: /var/cvs/openssh/sshd.c,v
retrieving revision 1.55
retrieving revision 1.56
diff -u -r1.55 -r1.56
--- sshd.c 2000/01/26 00:07:22 1.55
+++ sshd.c 2000/02/02 14:07:08 1.56
@@ -1524,8 +1524,10 @@
return;
}

- if (client_user != NULL)
+ if (client_user != NULL) {
xfree(client_user);
+ client_user = NULL;
+ }

if (attempt > AUTH_FAIL_MAX)
packet_disconnect(AUTH_FAIL_MSG, pw->pw_name);
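Review bot: the added `client_user = NULL;` after `xfree(client_user);` is the substance of the fix: without it the pointer stayed dangling after the first pass, the next pass of the loop saw it non-NULL and freed it a second time, which is consistent with the report's crash inside malloc during the second or third password attempt. Since a stale pointer is the root cause, it is worth confirming that `client_user` is initialised to NULL before the loop starts, and that the early `return;` visible just above the hunk cannot exit a pass with the pointer still set; a one-line comment stating that `client_user` is owned per pass and must be cleared after release would keep the invariant from regressing.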


-d


--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm@mindrot.org (home) -or- djm@ibs.com.au (work)
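As an added illustration (a constructed model, not OpenSSH's own code): the pre-1.56 loop released client_user at the end of every pass but left the pointer set, so a later password attempt freed the same block again; the instrumented xfree stand-in counts the repeat instead of corrupting the heap, and the fixed == 1 path applies the one-line change from the patch.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the OpenSSH-1.2.2 do_authloop() cleanup (not the project's code):
 * client_user is set on the rhosts-rsa pass and released at the end of every pass, but
 * before sshd.c revision 1.56 the pointer was left dangling, so the next pass freed it again. */

#define MAX_TRACKED 8
static uintptr_t freed[MAX_TRACKED];
static int nfreed;
static int double_frees;

/* Instrumented stand-in for xfree(): a real repeated free() corrupts the heap (the
 * report's crash inside chunk_alloc); here the repeat is counted so the model stays
 * runnable. The model allocates at most once per loop, so address reuse cannot occur. */
static void xfree_tracked(void *p) {
    for (int i = 0; i < nfreed; i++)
        if (freed[i] == (uintptr_t)p) { double_frees++; return; }
    if (nfreed < MAX_TRACKED) freed[nfreed++] = (uintptr_t)p;
    free(p);
}

/* Runs `attempts` passes of the loop: pass 1 is the rhosts-rsa attempt that carries a
 * client user name, later passes are password attempts (all assumed to fail). Returns
 * how many double frees the pre-fix (fixed == 0) or patched (fixed == 1) cleanup caused. */
int run_authloop(int attempts, int fixed) {
    char *client_user = NULL;
    nfreed = 0;
    double_frees = 0;
    for (int attempt = 1; attempt <= attempts; attempt++) {
        if (attempt == 1) {                    /* the rhosts-rsa request supplies the name */
            client_user = malloc(6);
            memcpy(client_user, "bernd", 6);   /* constructed sample user name */
        }
        /* ... the authentication method runs and fails here ... */
        if (client_user != NULL) {
            xfree_tracked(client_user);
            if (fixed)
                client_user = NULL;            /* the added line from sshd.c revision 1.56 */
        }
    }
    return double_frees;
}
```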