Bug 766488

Summary: ssh segfaults in krb5_sname_to_principal when using ProxyCommand + Host
Product: [Fedora] Fedora
Reporter: Richard W.M. Jones <rjones>
Component: openssh
Assignee: Petr Lautrbach <plautrba>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: rawhide
CC: mattias.ellert, mgrepl, plautrba, tmraz
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-10-30 10:08:56 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:

Description Richard W.M. Jones 2011-12-12 02:08:21 EST
Description of problem:

 $ ssh onuma
 Segmentation fault

Version-Release number of selected component (if applicable):

openssh-5.9p1-14.fc17.x86_64
krb5-libs-1.10-0.fc17.alpha1.0.x86_64
glibc-2.14.90-20.fc17.x86_64

How reproducible:

100%

Steps to reproduce:

This only occurs when I set up a proxy command in .ssh/config
which looks like this (real hostname and port are different):

 Host onuma
   ProxyCommand ssh -T -o ForwardAgent=yes proxy nc %h %p
 Host proxy
   Port 12345
   HostName proxy.example.com

Stack trace from gdb:

Program received signal SIGSEGV, Segmentation fault.
__strlen_sse2 () at ../sysdeps/x86_64/strlen.S:32
32		movdqu	(%rdi), %xmm1
Missing separate debuginfos, use: debuginfo-install krb5-libs-1.10-0.fc17.alpha1.0.x86_64 libcom_err-1.42-0.7.WIP.1016.fc17.x86_64 nss-3.13.1-3.fc17.x86_64 nss-util-3.13.1-1.fc17.x86_64
(gdb) bt
#0  __strlen_sse2 () at ../sysdeps/x86_64/strlen.S:32
#1  0x00007ffff58b4a76 in __GI___strdup (
    s=0x4cd889e <Address 0x4cd889e out of bounds>) at strdup.c:42
#2  0x00007ffff609e5f9 in krb5_sname_to_principal () from /lib64/libkrb5.so.3
#3  0x00007ffff631a595 in ?? () from /lib64/libgssapi_krb5.so.2
#4  0x00007ffff630b1f5 in ?? () from /lib64/libgssapi_krb5.so.2
#5  0x00007ffff630c4c9 in gss_init_sec_context ()
   from /lib64/libgssapi_krb5.so.2
#6  0x0000555555599afc in ssh_gssapi_init_ctx (ctx=0x5555557e51c0, 
    deleg_creds=<optimized out>, recv_tok=0x0, send_tok=0x7fffffffb7c0, 
    flags=0x0) at gss-genr.c:354
#7  0x0000555555599dfa in ssh_gssapi_check_mechanism (ctx=0x7fffffffb828, 
    oid=<optimized out>, host=0x5555557dc3a0 "onuma", client=0x0)
    at gss-genr.c:478
#8  0x000055555556ddb1 in userauth_gssapi (authctxt=0x7fffffffb900)
    at sshconnect2.c:727
#9  0x000055555556f141 in userauth (authctxt=0x7fffffffb900, 
    authlist=0x5555557e5140 "publickey,gssapi-keyex,gssapi-with-mic,password")
    at sshconnect2.c:526
#10 0x0000555555591e47 in dispatch_run (mode=0, done=0x7fffffffb928, 
    ctxt=0x7fffffffb900) at dispatch.c:98
#11 0x000055555556ed9d in ssh_userauth2 (local_user=0x5555557dc3c0 "rjones", 
    server_user=0x5555557dc450 "rjones", host=0x5555557dc3a0 "onuma", 
    sensitive=0x5555557c18e0) at sshconnect2.c:490
#12 0x000055555556ab11 in ssh_login (sensitive=0x5555557c18e0, 
    orighost=<optimized out>, hostaddr=0x5555557c1860, port=22, 
    pw=<optimized out>, timeout_ms=-1000) at sshconnect.c:1178
#13 0x000055555555f39f in main (ac=<optimized out>, av=<optimized out>)
    at ssh.c:929

Comment 1 Richard W.M. Jones 2011-12-12 02:11:24 EST
I updated to the latest krb5-libs from Rawhide and
installed the krb5-libs debuginfo in order to resolve
a few missing symbols from the above stack trace.  Here
is a more detailed stack trace:

Program received signal SIGSEGV, Segmentation fault.
__strlen_sse2 () at ../sysdeps/x86_64/strlen.S:32
32		movdqu	(%rdi), %xmm1
Missing separate debuginfos, use: debuginfo-install libcom_err-1.42-0.7.WIP.1016.fc17.x86_64 nss-3.13.1-3.fc17.x86_64 nss-util-3.13.1-1.fc17.x86_64
(gdb) bt
#0  __strlen_sse2 () at ../sysdeps/x86_64/strlen.S:32
#1  0x00007ffff58b4a76 in __GI___strdup (
    s=0x4cd889e <Address 0x4cd889e out of bounds>) at strdup.c:42
#2  0x00007ffff609e5f9 in krb5_sname_to_principal (context=0x5555557e73e0, 
    hostname=0x5555557e7a30 "onuma", sname=0x5555557e5180 "host", type=3, 
    ret_princ=0x7fffffff9520) at sn2princ.c:115
#3  0x00007ffff631a595 in krb5_gss_import_name (minor_status=0x5555557e51c4, 
    input_name_buffer=<optimized out>, input_name_type=<optimized out>, 
    output_name=0x7fffffffb6e8) at import_name.c:162
#4  0x00007ffff630b1f5 in gssint_import_internal_name (
    minor_status=0x5555557e51c4, mech_type=0x5555557e7230, 
    union_name=0x5555557e5110, internal_name=0x7fffffffb6e8) at g_glue.c:386
#5  0x00007ffff630c4c9 in gss_init_sec_context (minor_status=0x5555557e51c4, 
    claimant_cred_handle=0x0, context_handle=0x5555557e51c8, 
    target_name=0x5555557e5110, req_mech_type=<optimized out>, 
    req_flags=<optimized out>, time_req=0, input_chan_bindings=0x0, 
    input_token=0x0, actual_mech_type=0x0, output_token=0x7fffffffb7c0, 
    ret_flags=0x0, time_rec=0x0) at g_init_sec_context.c:168
#6  0x0000555555599afc in ssh_gssapi_init_ctx (ctx=0x5555557e51c0, 
    deleg_creds=<optimized out>, recv_tok=0x0, send_tok=0x7fffffffb7c0, 
    flags=0x0) at gss-genr.c:354
#7  0x0000555555599dfa in ssh_gssapi_check_mechanism (ctx=0x7fffffffb828, 
    oid=<optimized out>, host=0x5555557dc3a0 "onuma", client=0x0)
    at gss-genr.c:478
#8  0x000055555556ddb1 in userauth_gssapi (authctxt=0x7fffffffb900)
    at sshconnect2.c:727
#9  0x000055555556f141 in userauth (authctxt=0x7fffffffb900, 
    authlist=0x5555557e5140 "publickey,gssapi-keyex,gssapi-with-mic,password")
    at sshconnect2.c:526
#10 0x0000555555591e47 in dispatch_run (mode=0, done=0x7fffffffb928, 
    ctxt=0x7fffffffb900) at dispatch.c:98
#11 0x000055555556ed9d in ssh_userauth2 (local_user=0x5555557dc3c0 "rjones", 
    server_user=0x5555557dc450 "rjones", host=0x5555557dc3a0 "onuma", 
    sensitive=0x5555557c18e0) at sshconnect2.c:490
#12 0x000055555556ab11 in ssh_login (sensitive=0x5555557c18e0, 
    orighost=<optimized out>, hostaddr=0x5555557c1860, port=22, 
    pw=<optimized out>, timeout_ms=-1000) at sshconnect.c:1178
#13 0x000055555555f39f in main (ac=<optimized out>, av=<optimized out>)
    at ssh.c:929

Comment 2 Richard W.M. Jones 2011-12-12 02:15:33 EST
A workaround is to disable gssapi-with-mic by adding:

  PreferredAuthentications publickey,keyboard-interactive,password

to the Host entry.

Comment 3 Petr Lautrbach 2012-10-30 09:32:52 EDT
Are you still able to reproduce this issue with current F17 or newer?

Comment 4 Richard W.M. Jones 2012-10-30 10:08:56 EDT
Seems to have fixed itself with
openssh-server-6.1p1-1.fc18.x86_64