Bug 101800 - OpenSSH server crashes when Kerberos 5 authentication is enabled and a non-root user login is attempted
OpenSSH server crashes when Kerberos 5 authentication is enabled and a non-ro...
Status: CLOSED NOTABUG
Product: Red Hat Linux
Classification: Retired
Component: openssh (Show other bugs)
8.0
i586 Linux
high Severity high
: ---
: ---
Assigned To: Tomas Mraz
Brian Brock
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2003-08-06 19:32 EDT by Economou, Matthew
Modified: 2005-10-31 17:00 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-02-04 11:44:10 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
GDB output for sshd (Red Hat Linux 8, openssh-server-3.4p1-4) (8.09 KB, text/plain)
2003-08-06 19:33 EDT, Economou, Matthew
no flags Details

  None (edit)
Description Economou, Matthew 2003-08-06 19:32:53 EDT
Description of problem:

When Kerberos 5 authentication is configured (i.e. via authconfig),
sshd's connection-specific child process segfaults (SIGSEGV) when a
non-root user attempts to log onto the system.  It doesn't matter of
the non-root user authenticates locally or via Kerberos 5.  The parent
sshd instance is unaffected and continues to field connection attempts
on port 22.

I observed similar behavior on Red Hat Linux 9 with openssh-server
version 3.5p1-6.9.

From the perspective of the client, the connection is dropped before
the user is prompted for a password.

The problem can be duplicated by running sshd in debug mode (the "-d"
option to sshd) under GDB.  A GDB transcript that includes a backtrace
is attached to this bug report.

Version-Release number of selected component (if applicable):

openssh-server-3.4p1-4

How reproducible:

Every time

Steps to Reproduce:

1. Run authconfig and enable Kerberos 5 authentication.
2. A reboot is NOT required.
3. Restarting sshd is NOT required.
4. Use the ssh client to attempt to log into a non-root account,
   e.g. ssh user@localhost.
5. It does not matter if the account authenticates via Kerberos 5 or
   locally via /etc/shadow.
6. To return to normal operations, re-run authconfig and disable
   Kerberos 5 authentication.

Actual results:

After the connection encryption is negotiated, the ssh client will
lose contact with the sshd server child instance and report
"Connection closed by <NAME OR ADDRESS>", e.g. "Connection closed by
127.0.0.1".

When running sshd in debug mode under GDB, one will observe a segfault
(signal SIGSEV) in malloc_consolidate() from /lib/libc.so.6.

Expected results:

The user should have been authenticated as customary for ssh, via the
pam_krb5 or pam_unix modules.  Obviously, the segfault in
malloc_consolidate() should not occur.

Additional info:

The relevant error as reported when running sshd under GDB in debug
mode (sshd's debug messages are prefixed with "debug3"):

debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
Program received signal SIGSEGV, Segmentation fault.
0x40210618 in malloc_consolidate () from /lib/libc.so.6

A backtrace at this point shows the following:

#0  0x40210618 in malloc_consolidate () from /lib/libc.so.6
#1  0x4020fd85 in _int_malloc () from /lib/libc.so.6
#2  0x4020f484 in malloc () from /lib/libc.so.6
#3  0x40183442 in krb5_sendto_kdc () from /usr/kerberos/lib/libkrb5.so.3
#4  0x4016c043 in send_as_request () from /usr/kerberos/lib/libkrb5.so.3
#5  0x4016d260 in krb5_get_init_creds () from /usr/kerberos/lib/libkrb5.so.3
#6  0x4016e6a4 in krb5_get_init_creds_password () 
from /usr/kerberos/lib/libkrb5.so.3
#7  0x404ba36b in pam_sm_authenticate () from /lib/security/pam_krb5.so
#8  0x4001bba9 in _pam_dispatch_aux () from /lib/libpam.so.0
#9  0x4001bd33 in _pam_dispatch () from /lib/libpam.so.0
#10 0x400158df in pam_sm_chauthtok () from /lib/security/pam_stack.so
#11 0x40014c4e in pam_sm_authenticate () from /lib/security/pam_stack.so
#12 0x4001bba9 in _pam_dispatch_aux () from /lib/libpam.so.0
#13 0x4001bd33 in _pam_dispatch () from /lib/libpam.so.0
#14 0x4001d828 in pam_authenticate () from /lib/libpam.so.0
#15 0x0805487a in strcpy ()
#16 0x08054bbc in strcpy ()
#17 0x08055619 in strcpy ()
#18 0x0805f8b1 in strcpy ()
#19 0x0805f090 in strcpy ()
#20 0x0805ed55 in strcpy ()
#21 0x0804d651 in strcpy ()
#22 0x0804e750 in strcpy ()
#23 0x401b74ed in __libc_start_main () from /lib/libc.so.6
Comment 1 Economou, Matthew 2003-08-06 19:33:35 EDT
Created attachment 93465 [details]
GDB output for sshd (Red Hat Linux 8, openssh-server-3.4p1-4)
Comment 2 Tomas Mraz 2005-02-04 10:13:35 EST
Does it still happen for you with the current Fedora Core?
Comment 3 Economou, Matthew 2005-02-04 11:04:06 EST
I do not know.  I am sorry if this sounds snotty, but I stopped using 
Red Hat Linux and its variants after my bug reports went unanswered.  
If I recall correctly, this was a bug in the portable version of 
OpenSSH (not in LinuxPAM or glibc) that was fixed around version 3.6.
Comment 4 Tomas Mraz 2005-02-04 11:44:10 EST
Thanks anyway.

Note You need to log in before you can comment on or make changes to this bug.