Date: Tue, 25 Dec 2001 09:12:30 +1100 (EST)
From: Peter Jeremy <peter.jeremy@alcatel.com.au>
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/33155: [PATCH] sshd can leave hanging processes
Message-ID: <200112242212.fBOMCUO88982@gsmx07.alcatel.com.au>

>Number: 33155
>Category: bin
>Synopsis: [PATCH] sshd can leave hanging processes
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Dec 24 14:20:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator: Peter Jeremy
>Release: FreeBSD 4.5-PRERELEASE i386
>Organization: Alcatel Australia Limited
>Environment:
System: FreeBSD cirb503493.alcatel.com.au 4.5-PRERELEASE FreeBSD 4.5-PRERELEASE #2: Sun Dec 23 07:00:19 EST 2001 root@cirb503493.alcatel.com.au:/usr/obj/usr/src/sys/pj1592 i386

OpenSSH_2.9 FreeBSD localisations 20011202, SSH protocols 1.5/2.0, OpenSSL 0x0090601f

>Description:
When processing an incoming connection, sshd forks to create a child to
manage the specific connection. That child forks a second time with
the second child used to manage PAM authentication. If OPIE
authentication is being used and the client aborts the authentication
process then the second child will never terminate. Any further
attempt to log in as that user will fail because of the presence of
the hanging process and lock file.

Note that the process never times out - LoginGraceTime has no effect
on the second child because the interval timer is not inherited across
the fork (see separate PR to be written).

>How-To-Repeat:
Configure /etc/pam.conf as follows:

    sshd auth required pam_opie.so
    sshd auth required pam_unix.so try_first_pass
    sshd account required pam_unix.so
    sshd password required pam_permit.so
    sshd session required pam_permit.so
    csshd auth required pam_opie.so

Create an OPIE key for a user and insert into /etc/opiekeys.

Log into the host as that user:

    $ slogin -l user -oTISAuthentication=yes hostname

At the password prompt, enter Ctrl-C (or otherwise kill the client).

On the server, a stray sshd process and /var/spool/opielocks/user file
will be left behind. Further attempts to log in will always result in
failure.

>Fix: When the sshd process forks to manage PAM authentication, the parent and child share 3 pipes for IPC. Neither the parent nor child close the unused ends of the pipe so that the child does not detect the parent's death. The following patch closes the unused ends of the pipes. Index: auth-pam.c =================================================================== RCS file: /usr/ncvs/src/crypto/openssh/auth-pam.c,v retrieving revision 1.2.2.2 diff -u -r1.2.2.2 auth-pam.c --- auth-pam.c 28 Sep 2001 01:33:33 -0000 1.2.2.2 +++ auth-pam.c 24 Dec 2001 11:23:18 -0000 @@ -626,6 +626,13 @@ int i; char state; /* Which state did the connection just enter? */ + close(ud->statefd[1]); + ud->statefd[1] = -1; + close(ud->challengefd[1]); + ud->challengefd[1] = -1; + close(ud->responsefd[0]); + ud->responsefd[0] = -1; + /* We are the parent - wait for a call to the communications function to turn up, or the challenge to be finished */ if (read(ud->statefd[0], &state, 1) != 1) { @@ -749,6 +756,13 @@ int retval; char state; + close(ud->statefd[0]); + ud->statefd[0] = -1; + close(ud->challengefd[0]); + ud->challengefd[0] = -1; + close(ud->responsefd[1]); + ud->responsefd[1] = -1; + conv.appdata_ptr = ud; retval = pam_start(service, username, &conv, &pamh); /* Is user really user? */ >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
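Review bot: In the parent-side hunk (@@ -626), the three close() calls run unconditionally at the top of the block, so if this path can be reached more than once for the same ud they will be issued again on descriptors already set to -1. Guarding each one, for example with `if (ud->statefd[1] != -1)`, keeps the block idempotent. A one-line comment above the block saying these are the child's ends of the pipes, closed so that read(ud->statefd[0], &state, 1) returns when the child exits, would document why the closes are there.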
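Review bot: In the child-side hunk (@@ -749), closing ud->responsefd[1] only ends the hang if the child's reads from ud->responsefd[0] treat a zero-length read as the parent having gone away and then exit. That read path is not in this hunk, so it is worth confirming it does not retry or block again on EOF. After this change, writes to ud->statefd[1] and ud->challengefd[1] once the parent is gone will fail with EPIPE or raise SIGPIPE, and the child should treat that as fatal too so the OPIE lock is released.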
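The pipe behaviour described under >Fix: can be reproduced in isolation. The following is an added example, not code from the PR or from OpenSSH; the function name `child_detects_parent_exit` and the 500 ms timeout are assumptions chosen for the demonstration. It shows that a child which keeps its inherited copy of the write end never sees EOF when the parent goes away, while a child that closes it does.

```c
#include <poll.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the child saw EOF after the parent dropped the pipe,
 * 0 if the child was still waiting when the timeout expired, -1 on error. */
int child_detects_parent_exit(int close_unused_end)
{
    int fd[2];                  /* fd[0] = read end, fd[1] = write end */
    int status;
    pid_t pid;

    if (pipe(fd) == -1)
        return -1;
    pid = fork();
    if (pid == -1) {
        close(fd[0]);
        close(fd[1]);
        return -1;
    }
    if (pid == 0) {
        /* Child: only ever reads, like the PAM child on responsefd. */
        struct pollfd p = { .fd = fd[0], .events = POLLIN, .revents = 0 };
        char c;

        if (close_unused_end)
            close(fd[1]);       /* the step the patch adds */
        /* Constructed timeout: the real child would block forever. */
        if (poll(&p, 1, 500) > 0 && read(fd[0], &c, 1) == 0)
            _exit(0);           /* EOF: last writer is gone */
        _exit(1);               /* still waiting: a writer remains open */
    }
    /* Parent: closing both ends stands in for the parent dying. */
    close(fd[0]);
    close(fd[1]);
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("write end left open in child: EOF seen = %d\n",
           child_detects_parent_exit(0));
    printf("write end closed in child:    EOF seen = %d\n",
           child_detects_parent_exit(1));
    return 0;
}
```

The same reasoning applies in the other direction: a parent that keeps the write end of a pipe it only reads from will not see EOF when the child exits.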