Bug#905227: openssh-server: SSH AuthorizedKeysCommand hangs when output is too large

Wed, 01 Aug 2018 08:42:32 -0700 

Package: openssh-server
Version: 1:7.4p1-10+deb9u3
Severity: important
Tags: patch upstream

Dear Maintainer,

when sshd's AuthorizedKeysCommand outputs a lot of keys and the match is close 
to the beginning of the output sshd will deadlock.  Upstream has a patch ready 
to fix this issue, which would need to be backported to OpenSSH 7.4 as used by 
Debian 9.

Patch: 
https://github.com/openssh/openssh-portable/commit/ddd3d34e5c7979ca6f4a3a98a7d219a4ed3d98c2

See-Also: https://bugzilla.mindrot.org/show_bug.cgi?id=2655
See-Also: https://bugzilla.redhat.com/show_bug.cgi?id=1496467


-- System Information:
Debian Release: 9.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-6-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-server depends on:
ii  adduser                3.115
ii  debconf [debconf-2.0]  1.5.61
ii  dpkg                   1.18.25
ii  init-system-helpers    1.48
ii  libaudit1              1:2.6.7-2
ii  libc6                  2.24-11+deb9u3
ii  libcomerr2             1.43.4-2
ii  libgssapi-krb5-2       1.15-1+deb9u1
ii  libkrb5-3              1.15-1+deb9u1
ii  libpam-modules         1.1.8-3.6
ii  libpam-runtime         1.1.8-3.6
ii  libpam0g               1.1.8-3.6
ii  libselinux1            2.6-3+b3
ii  libssl1.0.2            1.0.2l-2+deb9u3
ii  libsystemd0            232-25+deb9u4
ii  libwrap0               7.6.q-26
ii  lsb-base               9.20161125
ii  openssh-client         1:7.4p1-10+deb9u3
ii  openssh-sftp-server    1:7.4p1-10+deb9u3
ii  procps                 2:3.3.12-3+deb9u1
ii  ucf                    3.0036
ii  zlib1g                 1:1.2.8.dfsg-5

Versions of packages openssh-server recommends:
ii  libpam-systemd  232-25+deb9u4
ii  ncurses-term    6.0+20161126-1+deb9u2
ii  xauth           1:1.0.9-1+b2

Versions of packages openssh-server suggests:
pn  molly-guard   <none>
pn  monkeysphere  <none>
pn  rssh          <none>
pn  ssh-askpass   <none>
pn  ufw           <none>

-- debconf information:
  openssh-server/permit-root-login: true

>From ddd3d34e5c7979ca6f4a3a98a7d219a4ed3d98c2 Mon Sep 17 00:00:00 2001
From: "d...@openbsd.org" <d...@openbsd.org>
Date: Fri, 30 Dec 2016 22:08:02 +0000
Subject: [PATCH] upstream commit

fix deadlock when keys/principals command produces a lot of
output and a key is matched early; bz#2655, patch from jboning AT gmail.com

Upstream-ID: e19456429bf99087ea994432c16d00a642060afe
---
 auth2-pubkey.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 20f3309e1..70c021589 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.60 2016/11/30 02:57:40 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.61 2016/12/30 22:08:02 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -727,6 +727,9 @@ match_principals_command(struct passwd *user_pw, const 
struct sshkey *key)
 
        ok = process_principals(f, NULL, pw, cert);
 
+       fclose(f);
+       f = NULL;
+
        if (exited_cleanly(pid, "AuthorizedPrincipalsCommand", command) != 0)
                goto out;
 
@@ -1050,6 +1053,9 @@ user_key_command_allowed2(struct passwd *user_pw, Key 
*key)
 
        ok = check_authkeys_file(f, options.authorized_keys_command, key, pw);
 
+       fclose(f);
+       f = NULL;
+
        if (exited_cleanly(pid, "AuthorizedKeysCommand", command) != 0)
                goto out;

Reply via email to