Bug 2185785
Summary: | sss_ssh_knownhostsproxy does not exit after disconnect from libssh, leaks memory | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Martin Pitt <mpitt> |
Component: | cockpit | Assignee: | Martin Pitt <mpitt> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 37 | CC: | abokovoy, atikhono, jhrozek, k.koukiou, lslebodn, luk.claes, mmarusak, mpitt, mzidek, patrick, pbrezina, sbose, ssorce, sssd-maintainers, stefw |
Fixed In Version: | cockpit-290-1.fc38 | Doc Type: | If docs needed, set a value |
Last Closed: | 2023-04-28 02:35:41 UTC | Type: | Bug |
Description
Martin Pitt
2023-04-11 07:46:36 UTC
The man page for ssh_config says:

    ProxyCommand
        Specifies the command to use to connect to the server. The command string extends to the end of the line, and is executed using the user's shell ‘exec’ directive to avoid a lingering shell process.

        Arguments to ProxyCommand accept the tokens described in the TOKENS section. The command can be basically anything, and should read from its standard input and write to its standard output. It should eventually connect an sshd(8) server running on some machine, or execute sshd -i somewhere. Host key management will be done using the Hostname of the host being connected (defaulting to the name typed by the user). Setting the command to none disables this option entirely. Note that CheckHostIP is not available for connects with a proxy command.

        This directive is useful in conjunction with nc(1) and its proxy support. For example, the following directive would connect via an HTTP proxy at 192.0.2.0:

            ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p

* https://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/ssh_config.5

I am not an expert but maybe libssh should take care of "closing" `ProxyCommand`

Alexey: Good call -- but indeed RHEL 8 doesn't support it yet (we would really like to use it for Cockpit as well, but it's annoying that we can't yet).

Thanks Lukas for pointing out! Indeed I reproduced this completely independently of sssd. New reproducer:

1. dnf install cockpit-bridge netcat

2. Set up an SSH key and add it to ~/.ssh/authorized_keys; you should be able to do "ssh localhost" *without* an "unknown host key" prompt (i.e. accept it for the first time) and *without* a password prompt (due to using key login).

3. Set up a dummy ProxyCommand config (make sure to do this with a test user account):

    printf 'Host dummyproxy\nHostname localhost\nProxyCommand nc %%h %%p\n' > ~/.ssh/config

4. Run a proxied SSH session through ssh(1), and ensure that it works:

    ssh dummyproxy

   Check that `pgrep -a nc` shows the `nc localhost 22` proxy command launched by ssh.

5. Run an SSH session through libssh (using cockpit-ssh as client), and kill it:

    (printf '\n\n\n\n\n\n'; sleep 20) | /usr/libexec/cockpit-ssh dummyproxy & sleep 1 && pkill -e cockpit-ssh

After 5, `pgrep -a nc` shows the leaked `nc` process.

But now I realize that libssh probably shouldn't install a SIGTERM signal handler to clean this up, as that's awkward in libraries. I suppose this should happen in cockpit-ssh and shut down the SSH connection properly.

FEDORA-2023-bc7e3718bc has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-bc7e3718bc

FEDORA-2023-363cf1cea2 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-363cf1cea2

FEDORA-2023-bc7e3718bc has been pushed to the Fedora 38 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-bc7e3718bc` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-bc7e3718bc See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2023-363cf1cea2 has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-363cf1cea2` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-363cf1cea2 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2023-bc7e3718bc has been pushed to the Fedora 38 stable repository. If the problem still persists, please make note of it in this bug report.
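
A reusable form of the check in step 5 of the reproducer, as an added example that is not part of this bug report or of cockpit: rather than looking for `nc` by name with pgrep, it tags the client's environment so that any helper inheriting it can be found after the client is killed. The function names and the LEAKCHECK_TAG variable are assumptions made for this sketch, and it reads /proc, so it is Linux-only.

```shell
#!/bin/sh
# Added example (not cockpit or libssh code): detect helper processes that
# outlive a client killed with SIGTERM. Linux only, reads /proc.
# LEAKCHECK_TAG, tagged_procs and leaked_after_term are names made up here.

# Print "pid cmdline" for each process whose exec-time environment
# contains LEAKCHECK_TAG=$1. Unreadable or vanished entries are skipped.
tagged_procs() {
    for envfile in /proc/[0-9]*/environ; do
        pid=${envfile#/proc/}; pid=${pid%/environ}
        if { tr '\000' '\n' < "$envfile"; } 2>/dev/null |
                grep -qxF "LEAKCHECK_TAG=$1"; then
            cmd=$({ tr '\000' ' ' < "/proc/$pid/cmdline"; } 2>/dev/null)
            printf '%s %s\n' "$pid" "$cmd"
        fi
    done
}

# Start "$@" with a unique tag in its environment (children such as a
# ProxyCommand inherit it), SIGTERM it after START seconds, wait SETTLE
# seconds, then look for tagged survivors. Returns 0 if none, 1 otherwise;
# the survivor list is left in $survivors for the caller.
leaked_after_term() {
    leak_n=$(( ${leak_n:-0} + 1 ))
    tag="leakcheck-$$-$leak_n-$(date +%s)"
    LEAKCHECK_TAG=$tag "$@" &
    client=$!
    sleep "${START:-1}"
    kill -TERM "$client" 2>/dev/null || true
    wait "$client" 2>/dev/null || true
    sleep "${SETTLE:-1}"
    survivors=$(tagged_procs "$tag")
    [ -z "$survivors" ] && return 0
    printf 'still running after SIGTERM:\n%s\n' "$survivors" >&2
    return 1
}

# Usage: leaked_after_term <client command> [args...]
```

The command passed in must be the process that should receive SIGTERM itself; a wrapper shell around it would take the signal instead.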