+++ This bug was initially created as a clone of Bug #205129 +++ Description of problem: When tcp wrappers try to query a remote ident server, which is blocked (e.g. by iptables), it leaves SIGALRM blocked. This is especially bad for sshd, because then whole session then runs with SIGALRM blocked. Version-Release number of selected component (if applicable): tcp_wrappers-7.6-40.4.el5 How reproducible: 100% Steps to Reproduce: 1. on ssh client: "iptables -I INPUT -p tcp --dport ident -j DROP" 2. on ssh server: configure TCP wrappers to do an ident lookup (e.g. add "sshd: ALL@ALL" line to /etc/hosts.allow) 3a. on ssh client: "ssh user@server 'ps xs|grep $$|grep -v grep'" or 3b. on ssh client: "ssh user@server", and in the ssh session run something like this: perl -e '$SIG{ALRM}=sub{print"ALARM\n";}; alarm 1; sleep 5' Actual results: 3a: the "BLOCKED" column of SSH output contains SIGALRM (BLOCKED & 0x2000 is 0x2000 on Linux/x86_64 and Linux/i386). 3b: no message is printed. Expected results: 3a: BLOCKED & 0x2000 should be zero 3b: the "ALARM\n" message should be printed. Additional info: In the following message, Wietse Venema suggests that tcp_wrappers code is correct and the bug is added by third parties: http://www.gatago.com/mailing/unix/openssh-dev/4854382.html Debian bug #354855 (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=354855) apparently contains a patch for this problem. (META: this bugzilla does not have Debian bug tracking system available in "External Bug Reference" list).
Created attachment 305159 [details] Proposed patch - 1 of 2 These two patches are position dependent. This one needs to be applied first.
Created attachment 305160 [details] Proposed patch - 2 of 2 This patch nees to be applied second.
*** Bug 449090 has been marked as a duplicate of this bug. ***
This request was evaluated by Red Hat Product Management for inclusion, but this component is not scheduled to be updated in the current Red Hat Enterprise Linux release. If you would like this request to be reviewed for the next minor release, ask your support representative to set the next rhel-x.y flag to "?".
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2009-0453.html