https://bugzilla.mindrot.org/show_bug.cgi?id=2642
--- Comment #1 from Vincent Brillault <g...@lerya.net> ---

I believe I've been able to observe the bug on the certificate path.

Steps to reproduce:
- Configure sshd with AuthenticationMethods keyboard-interactive:pam,publickey (in fact, can be any combination of 2 methods)
- Generate a valid certificate file
- Run ssh -o 'CertificateFile=${certfile}' -o IdentitiesOnly=yes -vvv ${host}, properly authenticate the first time.

Logs should contain:
* `debug2: key: ${certfile} (${pointer}), explicit` before the first authentication
* No corresponding line after the first authentication (the certificate disappeared)

On my setup, `key_is_cert(key)` seems to return 0 when accessing the freed memory, leading not to a crash but simply to that key being ignored.

If run under valgrind, logs should contain (using 1a6f9d2e2493d445cd9ee496e6e3c2a2f283f66a of https://github.com/openssh/openssh-portable):

Authenticated with partial success.
==25112== Invalid read of size 4
==25112==    at 0x1300E9: sshkey_is_cert (sshkey.c:308)
==25112==    by 0x1253A6: pubkey_prepare (sshconnect2.c:1298)
==25112==    by 0x1289F6: input_userauth_failure (sshconnect2.c:564)
==25112==    by 0x154758: ssh_dispatch_run (dispatch.c:119)
==25112==    by 0x12852B: ssh_userauth2 (sshconnect2.c:402)
==25112==    by 0x124D56: ssh_login (sshconnect.c:1383)
==25112==    by 0x113898: main (ssh.c:1418)
==25112==  Address 0x6138060 is 0 bytes inside a block of size 64 free'd
==25112==    at 0x4C2C4AB: free (vg_replace_malloc.c:473)
==25112==    by 0x12597A: pubkey_cleanup (sshconnect2.c:1411)
==25112==    by 0x1289EE: input_userauth_failure (sshconnect2.c:563)
==25112==    by 0x154758: ssh_dispatch_run (dispatch.c:119)
==25112==    by 0x12852B: ssh_userauth2 (sshconnect2.c:402)
==25112==    by 0x124D56: ssh_login (sshconnect.c:1383)
==25112==    by 0x113898: main (ssh.c:1418)
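A check for the log symptom described in the report above, as an added example (not part of the original message and not OpenSSH code): it splits `ssh -vvv` output at each "Authenticated with partial success." line and reports explicit keys that were listed before the first authentication but are missing from a later round. The `debug2: key:` line format is the one quoted in the report; the sample logs, paths and pointer values are constructed.

```python
import re

# Format quoted in the report: "debug2: key: <path> (<pointer>), explicit"
KEY_RE = re.compile(r"debug2: key: (?P<path>.+?) \((?P<ptr>[^)]*)\)(?P<flags>.*)$")
ROUND_MARK = "Authenticated with partial success."


def keys_per_round(log_text):
    """Return one set of explicit key paths per authentication round."""
    rounds = [set()]
    for line in log_text.splitlines():
        if ROUND_MARK in line:
            rounds.append(set())  # the client rebuilds its key list here
            continue
        m = KEY_RE.search(line)
        if m and "explicit" in m.group("flags"):
            rounds[-1].add(m.group("path"))
    return rounds


def dropped_keys(log_text):
    """Map round number -> explicit keys offered in round 1 but absent there."""
    rounds = keys_per_round(log_text)
    first = rounds[0]
    return {
        number: sorted(first - later)
        for number, later in enumerate(rounds[1:], start=2)
        if first - later
    }


# Constructed sample logs (not captured from a real session).
CERT = "/home/alice/.ssh/id_ed25519-cert.pub"
BUGGY_LOG = f"""\
debug2: key: {CERT} (0x5581a0c0), explicit
debug1: Next authentication method: keyboard-interactive
Authenticated with partial success.
debug1: Authentications that can continue: publickey
"""
FIXED_LOG = f"""\
debug2: key: {CERT} (0x5581a0c0), explicit
debug1: Next authentication method: keyboard-interactive
Authenticated with partial success.
debug2: key: {CERT} (0x5581b2f0), explicit
debug1: Authentications that can continue: publickey
"""

if __name__ == "__main__":
    for name, log in (("buggy", BUGGY_LOG), ("fixed", FIXED_LOG)):
        print(name, dropped_keys(log) or "no keys dropped")
```

The pointer value is ignored on purpose, since the key list is rebuilt between rounds and the address may legitimately change.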