Bug 1108836

Summary: ssh-keyscan should ignore SIGPIPE
Product: Red Hat Enterprise Linux 6 Reporter: Jiri Jaburek <jjaburek>
Component: opensshAssignee: Petr Lautrbach <plautrba>
Status: CLOSED ERRATA QA Contact: Jiri Jaburek <jjaburek>
Severity: low Docs Contact:
Priority: low    
Version: 6.5CC: ksrot, pvrabec
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openssh-5.3p1-102.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 577066 Environment:
Last Closed: 2014-10-14 07:39:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 577066    
Bug Blocks:    

Description Jiri Jaburek 2014-06-12 16:08:51 UTC 
+++ This bug was initially created as a clone of Bug #577066 +++

Description of problem:

Presently, openssh-4.3p2-36.el5_4.3's ssh-keyscan (as with prior versions) will abort execution on a SIGPIPE, which presumably should just be ignored.

close(140)                              = -1 EBADF (Bad file descriptor)
read(142, "S", 1)                       = 1
read(142, "S", 1)                       = 1
read(142, "H", 1)                       = 1
read(142, "-", 1)                       = 1
read(142, "2", 1)                       = 1
read(142, ".", 1)                       = 1
read(142, "0", 1)                       = 1
read(142, "-", 1)                       = 1
read(142, "c", 1)                       = 1
read(142, "r", 1)                       = 1
read(142, "y", 1)                       = 1
read(142, "p", 1)                       = 1
read(142, "t", 1)                       = 1
read(142, "l", 1)                       = 1
read(142, "i", 1)                       = 1
read(142, "b", 1)                       = 1
read(142, "\r", 1)                      = 1
read(142, "\n", 1)                      = 1
write(2, "debug1: no match: cryptlib\r\n", 28) = 28
write(2, "# 192.168.129.62 SSH-2.0-cryptli"..., 34) = 34
write(142, "SSH-2.0-OpenSSH-keyscan\r\n", 25) = -1 EPIPE (Broken pipe)
--- SIGPIPE (Broken pipe) @ 0 (0) ---
+++ killed by SIGPIPE +++


....we ssh-keyscan over a thousand hosts in a pass for centralized monitoring and maintenance of known-hosts. This update process falls on its face when a bad server (in this case, a broken APC PDU management interface) shows up in the list.

=======================================================================

This bug is still present on RHEL5.10 and RHEL6.5 (openssh-clients-5.3p1-94.el6), while being fixed on RHEL7 (openssh-clients-6.4p1-8.el7). Would it be possible to backport the downstream patch (openssh-5.8p2-sigpipe.patch) to RHEL6 or resolve this issue upstream?

Thanks,
Jiri
Comment 3 Jiri Jaburek 2014-06-12 17:23:43 UTC 
The SIGPIPE seems to be ignored on RHEL-6.6-20140606.n.0, despite the compose having exactly the same openssh-clients version and the same sha1sum for /usr/bin/ssh-keyscan.


On RHEL-6.5:

# strace -f -e signal ssh-keyscan -T 10 -p 12345 127.0.0.1
rt_sigaction(SIGRTMIN, {0x7f69ab129c60, [], SA_RESTORER|SA_SIGINFO, 0x7f69ab133710}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {0x7f69ab129cf0, [], SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x7f69ab133710}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0

# rpm -q openssh-clients
openssh-clients-5.3p1-94.el6.x86_64

# sha1sum /usr/bin/ssh-keyscan 
41521eec46f18d7206f2fa46a08d9a0ffcf70503  /usr/bin/ssh-keyscan


On RHEL-6.6-20140606.n.0:

# strace -f -e signal ssh-keyscan -T 10 -p 12345 127.0.0.1
rt_sigaction(SIGRTMIN, {0x7f69a44a9c60, [], SA_RESTORER|SA_SIGINFO, 0x7f69a44b3710}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {0x7f69a44a9cf0, [], SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x7f69a44b3710}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
rt_sigaction(SIGPIPE, {SIG_IGN, [], SA_RESTORER, 0x7f69a4f7e990}, NULL, 8) = 0
Process 6967 attached
[pid  6967] rt_sigaction(SIGRTMIN, {0x433700, [], SA_RESTORER|SA_SIGINFO, 0x43cc20}, NULL, 8) = 0
[pid  6967] rt_sigaction(SIGRT_1, {0x433630, [], SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x43cc20}, NULL, 8) = 0
[pid  6967] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
Process 6967 detached
--- SIGCHLD (Child exited) @ 0 (0) ---

# rpm -q openssh-clients
openssh-clients-5.3p1-94.el6.x86_64

# sha1sum /usr/bin/ssh-keyscan 
41521eec46f18d7206f2fa46a08d9a0ffcf70503  /usr/bin/ssh-keyscan


The firewalls of both machines are the same (all policies as ACCEPT, no rules, only the filter module loaded), as is the installation method. The forked pid on 6.6 seems to be prelink. I'm kind of clueless here.
Comment 5 Petr Lautrbach 2014-06-13 11:54:03 UTC 
The patch is one liner and can be simply backported from Fedora. Regarding the different behaviour, I've got no clue what is going on but it's probably someting outside the openssh sources.
Comment 9 errata-xmlrpc 2014-10-14 07:39:57 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2014-1552.html