Bug 1395288
| Summary: | Krb5 using futex breaks GSSAPI key exchange in OpenSSH | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jakub Jelen <jjelen> |
| Component: | openssh | Assignee: | Jakub Jelen <jjelen> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 24 | CC: | abokovoy, cjwatson, jjelen, j, mattias.ellert, mgrepl, nalin, npmccallum, plautrba, rharwood, tmraz |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | openssh-7.2p2-14.fc24 openssh-7.3p1-6.fc25 openssh-7.4p1-1.fc25 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-01-06 20:21:42 UTC | Type: | Bug |
Description
Jakub Jelen
2016-11-15 15:55:32 UTC
(In reply to Jakub Jelen from comment #0)
> Description of problem:
> Some of the recent versions of krb5 brought the usage of threads and futexes
> in the function gss_indicate_mechs() which breaks GSSAPI key exchange with
> seccomp filter enabled.
>
> We call gss_indicate_mechs() in the privsep child (limited by seccomp
> filter), but system call futex() is not in our current whitelist in this
> limited environment.
>
> Does this function really need to fully initialize krb5, threads and
> futexes? Do the futexes need to succeed? Is it considered safe to call this
> method from such limited process?
>
> If it is an expected change, feel free to reassign back to me for openssh. I
> can either whitelist futex() syscall, if it is safe, or we can move this
> call back to the privileged monitor process.

futex() is widely considered a safe syscall, and is used for synchronization. I don't see why one would want it blocked.

Please note that we are not calling this function directly; it is being called as part of (setting up) pthreads. To my knowledge, calling into libpthread here is not new, so if futex() is an issue for some reason of which I'm not aware, the pthread (libc) people would be better to ask than me if it needs changed.

Almost every call into GSSAPI needs to have GSSAPI fully initialized in order to know what mechanisms are available (because they're configurable at runtime). This means that it needs to initialize the krb5 mechanism, which is what you're seeing here.

Hope that helps!

openssh-7.3p1-6.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-6d0ee59e4e

openssh-7.2p2-14.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-48f5186dfb

OK. Thank you. I added the exception to the seccomp filter.

openssh-7.3p1-6.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-6d0ee59e4e

openssh-7.2p2-14.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-48f5186dfb

openssh-7.2p2-14.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

openssh-7.3p1-6.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

I think this is probably the wrong fix, given the changes in response to https://bugzilla.mindrot.org/show_bug.cgi?id=2107. Consider this patch instead (sorry, split into multiple links for reasons, but should be clear enough):

https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/diff/gss-serv.c?id=31ed1f715e4c1dd986c32b8c5e6687c185258db9
https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/diff/sshd.c?id=31ed1f715e4c1dd986c32b8c5e6687c185258db9

Thank you, Colin, for the notice. Your fix looks much better (does not open more switches in the seccomp). I still miss some connections in the gssapi code. I will fix that after I am done with the rebase.

openssh-7.4p1-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-4767e2991d

openssh-7.4p1-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-4767e2991d

openssh-7.4p1-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
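The failure discussed in this report and two ways around it (allowlisting futex(), or keeping the futex-using call out of the filtered code path), as an added Linux C example that is not OpenSSH or krb5 code. Assumptions: `lib_init()` is a hypothetical stand-in for the initialization done under gss_indicate_mechs(), the three-rule filter is a toy rather than sshd's, and the third case simplifies "call it outside the sandbox" to "call it before the filter is installed".

```c
#define _GNU_SOURCE
#include <linux/filter.h>
#include <linux/futex.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

static int word;
/* Hypothetical stand-in for library initialisation that touches a futex. */
static void lib_init(void) {
    syscall(SYS_futex, &word, FUTEX_WAKE, 1, NULL, NULL, 0);
}

/* Toy default-deny filter: exit_group always allowed, futex only on request.
 * A production filter must also validate seccomp_data.arch. */
static int sandbox(int allow_futex) {
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_exit_group, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_futex, 0, 2),
        BPF_STMT(BPF_RET | BPF_K, allow_futex ? SECCOMP_RET_ALLOW : SECCOMP_RET_KILL),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    };
    struct sock_fprog prog = { .len = sizeof(f) / sizeof(f[0]), .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Returns 0 on clean child exit, the signal number if killed, -1 on error. */
static int run_child(int allow_futex, int init_before_sandbox) {
    int st;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (init_before_sandbox) lib_init();
        if (sandbox(allow_futex)) syscall(SYS_exit_group, 2);
        if (!init_before_sandbox) lib_init();
        syscall(SYS_exit_group, 0);
    }
    if (waitpid(pid, &st, 0) < 0) return -1;
    if (WIFSIGNALED(st)) return WTERMSIG(st);
    return WEXITSTATUS(st) == 0 ? 0 : -1;
}

int main(void) { /* the bug, the allowlist fix, the no-new-rule fix */
    return !(run_child(0, 0) == SIGSYS && run_child(1, 0) == 0 && run_child(0, 1) == 0);
}
```

Only the second case widens what the sandboxed process may do; the third leaves the filter unchanged.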