openssh-server hangs with AuthorizedKeysCommand
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openssh (Ubuntu) | Fix Released | Undecided | Unassigned |
Xenial | Fix Released | Medium | Sergio Durigan Junior |
Bug Description
[Impact]
On a default Xenial install, when sshd is configured to obtain the list of allowed keys using AuthorizedKeysC
[Test Case]
In order to reproduce the bug, one can:
$ lxc launch ubuntu-daily:xenial openssh-server-bug1877454
$ lxc shell openssh-server-bug1877454
# ssh-keygen
(no need to choose a passphrase for the key, just hit ENTER on all prompts)
# cat > authkeyscommand.sh << __EOF__
#!/bin/bash
cat /root/.
echo
head -c 1M < /dev/urandom
__EOF__
# chmod +x authkeyscommand.sh
# cat >> /etc/ssh/
AuthorizedKeysC
AuthorizedKeysC
__EOF__
# systemctl reload sshd.service
# ssh root@127.0.0.1
You will notice that ssh will stay there waiting for sshd's reply, which won't come. The expected result would be for ssh to succeed.
[Regression Potential]
Since the affected code deals with executing a subprocess, reading its output through a pipe, and then relying on wait(2) to determine whether the subprocess exited correctly, and considering that this code is written in C without the help of features like RAII and with the use of goto statements, we cannot rule out the chance of making a mistake, such as forgetting to free a resource or not properly reading from or writing to the pipes. This is, after all, the reason the bug happened in the first place.
Having said that, openssh contains extensive tests and the code is well organized and relatively easy to follow. Upon close inspection, there doesn't seem to be an evident problem with the backported fixes.
As usual when dealing with a somewhat older distribution, there is always the possibility of encountering problems because we will be recompiling openssh using the most recent versions of its build dependencies.
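The hang the test case triggers and the mechanism the regression-potential text describes (subprocess output read through a pipe, then wait(2)), reduced to a stand-alone script. This is an added example, not code from openssh or from this bug's patches: the child is a constructed stand-in for authkeyscommand.sh, the key line is a placeholder rather than a real key, and the 2-second timeout is an assumption used only to make the deadlock observable.

```python
import subprocess
import sys

# Constructed stand-in for the test case's authkeyscommand.sh: one key line,
# then far more output than a Linux pipe buffer (64 KiB) can hold.
CHILD_SCRIPT = r"""
import sys
sys.stdout.write("ssh-ed25519 AAAAC3-CONSTRUCTED-PLACEHOLDER root@example\n")
sys.stdout.flush()
sys.stdout.buffer.write(b"x" * (1024 * 1024))
"""

KEY_LINE = "ssh-ed25519 AAAAC3-CONSTRUCTED-PLACEHOLDER root@example"


def first_line_then_wait(drain, timeout=2.0):
    """Read the first key line from the command, then wait for it to exit.

    drain=False mirrors the buggy behaviour: stop reading as soon as a usable
    key is seen and call wait() with the pipe still open.  The child blocks in
    write(2) once the pipe is full, so wait() never returns: deadlock.
    drain=True mirrors the fix: read the pipe to EOF before waiting.
    Returns (first_line, exit_status); exit_status is None if wait() timed out.
    """
    proc = subprocess.Popen([sys.executable, "-c", CHILD_SCRIPT],
                            stdout=subprocess.PIPE)
    first = proc.stdout.readline().decode().rstrip("\n")
    if drain:
        while proc.stdout.read(65536):   # discard the rest until EOF
            pass
        proc.stdout.close()
    try:
        # The timeout is an assumed hang detector; sshd itself has none here.
        status = proc.wait(timeout=timeout)
    except subprocess.TimeoutExpired:
        status = None
        proc.kill()            # recover from the simulated deadlock
        proc.stdout.close()
        proc.wait()
    return first, status


if __name__ == "__main__":
    print("buggy (no drain):", first_line_then_wait(drain=False))
    print("fixed (drain):   ", first_line_then_wait(drain=True))
```

Run as a script: the buggy variant reports exit status None after the timeout, the draining variant reports the key line and exit status 0.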
[Original Description]
Please consider applying this change to openssh-server distributed in Xenial (16.04).
Without it, sshd can sporadically hang when making use of the `AuthorizedKeys
https:/
Related branches
- Rafael David Tinoco (community): Approve
- Canonical Server: Pending requested
- Canonical Server Core Reviewers: Pending requested
Diff: 159 lines (+131/-0), 4 files modified:
- debian/changelog (+14/-0)
- debian/patches/authkeyscommand-deadlock-01.patch (+41/-0)
- debian/patches/authkeyscommand-deadlock-02.patch (+74/-0)
- debian/patches/series (+2/-0)
Changed in openssh (Ubuntu Xenial):
- assignee: nobody → Sergio Durigan Junior (sergiodj)
- description: updated
- description: updated
Additional discussion of this issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1496467
https://bugzilla.mindrot.org/show_bug.cgi?id=2496
https://discourse.phabricator-community.org/t/newly-added-ssh-keys-not-working/992