Bug 1108836 – ssh-keyscan should ignore SIGPIPE

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1108836 - ssh-keyscan should ignore SIGPIPE

Summary:	ssh-keyscan should ignore SIGPIPE

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	openssh (Show other bugs)
Sub Component:
Version:	6.5
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	rc
Target Release:	---
Assigned To:	Petr Lautrbach
QA Contact:	Jiri Jaburek
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:	577066
Blocks:
	Show dependency tree / graph

Reported:	2014-06-12 12:08 EDT by Jiri Jaburek
Modified:	2014-10-14 03:39 EDT (History)
CC List:	2 users (show)

See Also:
Fixed In Version:	openssh-5.3p1-102.el6
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:	577066
Environment:
Last Closed:	2014-10-14 03:39:57 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2014:1552	normal	SHIPPED_LIVE	Moderate: openssh security, bug fix, and enhancement update	2014-10-13 21:21:23 EDT

Groups: None (edit)

Description Jiri Jaburek 2014-06-12 12:08:51 EDT

+++ This bug was initially created as a clone of Bug #577066 +++

Description of problem:

Presently, openssh-4.3p2-36.el5_4.3's ssh-keyscan (as with prior versions) will abort execution on a SIGPIPE, which presumably should just be ignored.

close(140)                              = -1 EBADF (Bad file descriptor)
read(142, "S", 1)                       = 1
read(142, "S", 1)                       = 1
read(142, "H", 1)                       = 1
read(142, "-", 1)                       = 1
read(142, "2", 1)                       = 1
read(142, ".", 1)                       = 1
read(142, "0", 1)                       = 1
read(142, "-", 1)                       = 1
read(142, "c", 1)                       = 1
read(142, "r", 1)                       = 1
read(142, "y", 1)                       = 1
read(142, "p", 1)                       = 1
read(142, "t", 1)                       = 1
read(142, "l", 1)                       = 1
read(142, "i", 1)                       = 1
read(142, "b", 1)                       = 1
read(142, "\r", 1)                      = 1
read(142, "\n", 1)                      = 1
write(2, "debug1: no match: cryptlib\r\n", 28) = 28
write(2, "# 192.168.129.62 SSH-2.0-cryptli"..., 34) = 34
write(142, "SSH-2.0-OpenSSH-keyscan\r\n", 25) = -1 EPIPE (Broken pipe)
--- SIGPIPE (Broken pipe) @ 0 (0) ---
+++ killed by SIGPIPE +++


....we ssh-keyscan over a thousand hosts in a pass for centralized monitoring and maintenance of known-hosts. This update process falls on its face when a bad server (in this case, a broken APC PDU management interface) shows up in the list.

=======================================================================

This bug is still present on RHEL5.10 and RHEL6.5 (openssh-clients-5.3p1-94.el6), while being fixed on RHEL7 (openssh-clients-6.4p1-8.el7). Would it be possible to backport the downstream patch (openssh-5.8p2-sigpipe.patch) to RHEL6 or resolve this issue upstream?

Thanks,
Jiri

Comment 3 Jiri Jaburek 2014-06-12 13:23:43 EDT

The SIGPIPE seems to be ignored on RHEL-6.6-20140606.n.0, despite the compose having exactly the same openssh-clients version and the same sha1sum for /usr/bin/ssh-keyscan.


On RHEL-6.5:

# strace -f -e signal ssh-keyscan -T 10 -p 12345 127.0.0.1
rt_sigaction(SIGRTMIN, {0x7f69ab129c60, [], SA_RESTORER|SA_SIGINFO, 0x7f69ab133710}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {0x7f69ab129cf0, [], SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x7f69ab133710}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0

# rpm -q openssh-clients
openssh-clients-5.3p1-94.el6.x86_64

# sha1sum /usr/bin/ssh-keyscan 
41521eec46f18d7206f2fa46a08d9a0ffcf70503  /usr/bin/ssh-keyscan


On RHEL-6.6-20140606.n.0:

# strace -f -e signal ssh-keyscan -T 10 -p 12345 127.0.0.1
rt_sigaction(SIGRTMIN, {0x7f69a44a9c60, [], SA_RESTORER|SA_SIGINFO, 0x7f69a44b3710}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {0x7f69a44a9cf0, [], SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x7f69a44b3710}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
rt_sigaction(SIGPIPE, {SIG_IGN, [], SA_RESTORER, 0x7f69a4f7e990}, NULL, 8) = 0
Process 6967 attached
[pid  6967] rt_sigaction(SIGRTMIN, {0x433700, [], SA_RESTORER|SA_SIGINFO, 0x43cc20}, NULL, 8) = 0
[pid  6967] rt_sigaction(SIGRT_1, {0x433630, [], SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x43cc20}, NULL, 8) = 0
[pid  6967] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
Process 6967 detached
--- SIGCHLD (Child exited) @ 0 (0) ---

# rpm -q openssh-clients
openssh-clients-5.3p1-94.el6.x86_64

# sha1sum /usr/bin/ssh-keyscan 
41521eec46f18d7206f2fa46a08d9a0ffcf70503  /usr/bin/ssh-keyscan


The firewalls of both machines are the same (all policies as ACCEPT, no rules, only the filter module loaded), as is the installation method. The forked pid on 6.6 seems to be prelink. I'm kind of clueless here.

Comment 5 Petr Lautrbach 2014-06-13 07:54:03 EDT

The patch is one liner and can be simply backported from Fedora. Regarding the different behaviour, I've got no clue what is going on but it's probably someting outside the openssh sources.

Comment 9 errata-xmlrpc 2014-10-14 03:39:57 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2014-1552.html

Note You need to log in before you can comment on or make changes to this bug.