Description of problem:
When tcp wrappers try to query a remote ident server which is blocked (e.g. by iptables), it leaves SIGALRM blocked. This is especially bad for sshd, because the whole session then runs with SIGALRM blocked.

Version-Release number of selected component (if applicable):
tcp_wrappers-7.6-40.2
openssh-4.3p2-4

How reproducible:
100%

Steps to Reproduce:
1. on ssh client: "iptables -I INPUT -p tcp --dport ident -j DROP"
2. on ssh server: configure TCP wrappers to do an ident lookup (e.g. add "sshd: ALL@ALL" line to /etc/hosts.allow)
3a. on ssh client: "ssh user@server 'ps xs|grep $$|grep -v grep'"
or
3b. on ssh client: "ssh user@server", and in the ssh session run something like this:
    perl -e '$SIG{ALRM}=sub{print"ALARM\n";}; alarm 1; sleep 5'

Actual results:
3a: the "BLOCKED" column of SSH output contains SIGALRM (BLOCKED & 0x2000 is 0x2000 on Linux/x86_64 and Linux/i386).
3b: no message is printed.

Expected results:
3a: BLOCKED & 0x2000 should be zero
3b: the "ALARM\n" message should be printed.

Additional info:
In the following message, Wietse Venema suggests that tcp_wrappers code is correct and the bug is added by third parties:
http://www.gatago.com/mailing/unix/openssh-dev/4854382.html

Debian bug #354855 (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=354855) apparently contains a patch for this problem.

(META: this bugzilla does not have Debian bug tracking system available in "External Bug Reference" list).
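The effect described in the report above, as an added example that is not part of the original report and is not tcp_wrappers or OpenSSH code: a parent that is left with SIGALRM blocked passes that mask to the session it forks, so a timer in the session never fires (check 3b), and clearing the mask in the child before starting the session restores delivery. All function names are hypothetical, and set_sigalrm_blocked(1) merely stands in for the state left behind after the timed-out ident lookup.

```c
#define _XOPEN_SOURCE 700
#include <signal.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
static volatile sig_atomic_t fired;
static void on_alarm(int sig) { (void)sig; fired = 1; }
/* Check 3a from inside the process: is SIGALRM in the blocked mask? */
int sigalrm_is_blocked(void) {
    sigset_t cur;
    sigprocmask(SIG_BLOCK, NULL, &cur);   /* NULL set: query only */
    return sigismember(&cur, SIGALRM);
}
/* Hypothetical helper: block=1 stands in for the state the report describes. */
void set_sigalrm_blocked(int block) {
    sigset_t s;
    sigemptyset(&s);
    sigaddset(&s, SIGALRM);
    sigprocmask(block ? SIG_BLOCK : SIG_UNBLOCK, &s, NULL);
}
/* Check 3b: arm a 50 ms timer, wait up to 300 ms, report if the handler ran. */
int alarm_fires(void) {
    struct sigaction sa = {0};
    struct itimerval tv = {{0, 0}, {0, 50000}};
    struct timespec wait = {0, 300000000L};
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGALRM, &sa, NULL);
    fired = 0;
    setitimer(ITIMER_REAL, &tv, NULL);
    nanosleep(&wait, NULL);   /* returns early (EINTR) once the signal arrives */
    return fired;
}
/* Fork a "session"; the signal mask is inherited across fork (and execve).
 * With reset_mask the child unblocks SIGALRM first. Returns 1 if it fired. */
int session_alarm_fires(int reset_mask) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (reset_mask) set_sigalrm_blocked(0);
        _exit(alarm_fires() ? 0 : 1);
    }
    waitpid(pid, &status, 0);
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
int main(void) {
    set_sigalrm_blocked(1);
    return !(sigalrm_is_blocked() && !session_alarm_fires(0) && session_alarm_fires(1));
}
```

Exit status 0 means the blocked mask was inherited by the first child and that resetting it in the second child restored timer delivery.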
tcp_wrappers-7.6-40.3.fc6 has been pushed for fc6, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report.
tcp_wrappers-7.6-40.3.fc5 has been pushed for fc5, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report.