Fix for CVE-2015-5600 can sometimes erroneously block logins
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openssh (Ubuntu) | New | Undecided | Unassigned |
Bug Description
When testing a fix for CVE-2015-5600 based on the Ubuntu patch in openssh-5.9 ( https:/
The symptom was that when logging in with the command and sshd_config below I would get permission denied sometimes and permission granted other times. Upon investigating, the reason for permission being denied was sshd erroneously thinking "pam" had already been used as a login method on the first attempt to use it. This appeared to be related to the kbdint_alloc function in auth2-chall.c not initializing devices_done. Once I made the following patch the issue went away:
@@ -130,6 +131,7 @@ kbdint_alloc(const char *devs)
+ kbdintctxt-
return kbdintctxt;
}
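Review bot: the added line `+ kbdintctxt-` is cut off on this page, so the hunk by itself does not show which field is assigned or to what value; from the description it should be an assignment of `devices_done` to 0, and the complete line is needed before anyone can verify the fix. Since the description says the context is allocated with xmalloc, which does not zero memory, a single field assignment only covers the one field that happened to be observed; zeroing the whole structure at allocation (xcalloc, or a memset immediately after the xmalloc) would also cover any other field left uninitialised and makes the change easier to review.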
Since openssh uses xmalloc ( i.e. malloc or die ) to initialize data structures, it seems that the issue is the struct not getting zeroed out at the start. I haven't taken the time to verify this in openssh-6.9 / openssh-7.0, but it seems like since xmalloc / malloc is still in use that it should still fail in the same manner.
These are the ssh command and sshd_config that were in use when the issue was happening. I'm not sure if something about them makes the issue more likely to happen:
===
ssh command:
ssh -o StrictHostKeyCh
sshd_config:
Protocol 2
Port 22
SyslogFacility AUTHPRIV
PasswordAuthent
ChallengeRespon
UsePAM yes
MaxStartups 10:30:100
Subsystem sftp /usr/libexec/
PermitEmptyPass
AllowTcpForwarding no
Banner /etc/issue
StrictModes yes
UsePrivilegeSep
Compression delayed
GatewayPorts no
GSSAPIAuthentic
KerberosAuthent
LoginGraceTime 120
LogLevel DEBUG2
Ciphers 3des-cbc,
KexAlgorithms diffie-
MACs hmac-md5,
HostKey <removed rsa keypath>
HostKey <removed dsa keypath>
===
Is anyone else able to see this issue and verify that my fix is correct?
Thanks,
Ethan
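The failure mode the report describes, shown as an added example that is not OpenSSH code and not the reporter's patch: a stripped-down model of the keyboard-interactive context whose `devices_done` bitmask is read before it has ever been written. The struct, the `DEV_PAM` index, the `kbdint_try_device` check and the one-slot arena allocator are all constructed for illustration; the arena always hands back the same block so that memory left behind by a previous login attempt is reused deterministically, which is what a heap allocator may do by chance and is why the real symptom was intermittent.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the keyboard-interactive context; the real
 * KbdintAuthctxt in auth2-chall.c has more fields. */
typedef struct {
    uint32_t devices_done;   /* bitmask of devices already tried */
} KbdintCtxt;

#define DEV_PAM 0            /* hypothetical index of the "pam" device */

/* One-slot arena: every allocation returns the same block, so whatever
 * the previous login attempt stored there is still present. Constructed
 * to make the stale-state effect reproducible. */
static unsigned char arena[sizeof(KbdintCtxt)];

static void *arena_malloc(size_t n) {    /* models xmalloc: no zeroing */
    return n <= sizeof(arena) ? arena : NULL;
}

static void *arena_calloc(size_t n) {    /* models xcalloc: zeroed */
    void *p = arena_malloc(n);
    if (p)
        memset(p, 0, n);
    return p;
}

static void arena_free(void *p) { (void)p; }   /* block is reused as-is */

/* Before the fix: the context is allocated but devices_done is never set,
 * so it holds whatever the block contained last. */
static KbdintCtxt *kbdint_alloc_uninit(void) {
    return arena_malloc(sizeof(KbdintCtxt));
}

/* After the fix: every field starts from a known state. */
static KbdintCtxt *kbdint_alloc_fixed(void) {
    KbdintCtxt *c = arena_calloc(sizeof(KbdintCtxt));
    if (c)
        c->devices_done = 0;   /* explicit, in the spirit of the reporter's patch */
    return c;
}

/* Returns 1 if the device may be used in this attempt, 0 if sshd would
 * treat it as already used and fall through to "permission denied". */
static int kbdint_try_device(KbdintCtxt *c, int dev) {
    if (c->devices_done & (1u << dev))
        return 0;
    c->devices_done |= (1u << dev);
    return 1;
}

/* Two consecutive login attempts that happen to get the same memory.
 * Returns 1 if the second attempt was allowed to use "pam", 0 if it was
 * wrongly rejected because the bit from the first attempt was still set. */
static int second_login_allowed(KbdintCtxt *(*alloc)(void)) {
    KbdintCtxt *c1 = alloc();
    (void)kbdint_try_device(c1, DEV_PAM);   /* first attempt marks pam done */
    arena_free(c1);                         /* block keeps the old bit */

    KbdintCtxt *c2 = alloc();               /* same block handed out again */
    int ok = kbdint_try_device(c2, DEV_PAM);
    arena_free(c2);
    return ok;
}

int main(void) {
    printf("uninitialised context: second login %s\n",
           second_login_allowed(kbdint_alloc_uninit) ? "allowed" : "denied");
    printf("zeroed context:        second login %s\n",
           second_login_allowed(kbdint_alloc_fixed) ? "allowed" : "denied");
    return 0;
}
```

With the uninitialised allocator the second attempt is denied even though "pam" has not been tried in that session; with the zeroed allocator it is allowed. Zeroing the whole struct at allocation time, rather than assigning one field, also protects any other field that the same allocation pattern could leave stale.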