[Bug 702] dont call userauth_finish after auth2_challenge_stop
bugzilla-daemon at mindrot.org
Tue Sep 23 02:55:11 EST 2003
http://bugzilla.mindrot.org/show_bug.cgi?id=702
Summary: dont call userauth_finish after auth2_challenge_stop
Product: Portable OpenSSH
Version: 3.7.1p1
Platform: UltraSparc
OS/Version: Solaris
Status: NEW
Severity: major
Priority: P2
Component: PAM support
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: paul.a.bolton at bt.com

Very occasionally users are experiencing sessions bailing on authentication with
a "fatal: ssh_msg_send: write". After some analysis it seems that the common
factor is that a Solaris account management module is printing a message via the
conversation function (e.g. Your password will expire in 7 days...).

It looks as if input_userauth_info_response() in auth2-chall.c is the
culprit. auth2_challenge_stop() will eventually cause sshpam_free_ctx() to be
called in auth-pam.c, which will free ctxt. This contains important file
descriptors for the conversation function, which get closed before the free
(which is correct).

userauth_finish() can call do_account() if PAM is enabled. As
auth2_challenge_stop() is getting called beforehand, if the module generates
messages, invalid references for FDs are found (probably because the memory has
been malloc'ed again, no SEGV) and the error detailed above is activated.

It seems that it is possible to call auth2_challenge_stop() after
userauth_finish(). However, there are a few comments in the code I have seen that
I don't like in relation to doing this. I will attach a patch with this bug.
Please can you advise on any possible issues in doing this, as the change would
probably need more sanity checking.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
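
The ordering problem described in the report, as an added example that is not OpenSSH code and not part of the original message: a context that owns the conversation descriptors is torn down before, or after, the step that still needs to send a message through it. All names (conv_ctx, ctx_stop, account_msg) are hypothetical, and clearing the owner's pointer on teardown is an assumption of this sketch that makes the late call fail deterministically instead of touching recycled memory.

```c
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical stand-in for a context that owns the conversation fds. */
struct conv_ctx { int sock, peer; };

static struct conv_ctx *ctx_new(void) {
    int sv[2];
    struct conv_ctx *c = malloc(sizeof(*c));
    if (c == NULL) return NULL;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) { free(c); return NULL; }
    c->sock = sv[0]; c->peer = sv[1];
    return c;
}

/* Teardown: close the fds, free, and clear the owner's pointer so a
 * late caller sees NULL rather than a dangling reference. */
static void ctx_stop(struct conv_ctx **cp) {
    if (*cp == NULL) return;
    close((*cp)->sock); close((*cp)->peer);
    free(*cp);
    *cp = NULL;
}

/* Account-phase message (e.g. an expiry notice); 0 on success, -1 on failure. */
static int account_msg(struct conv_ctx *c, const char *msg, size_t len) {
    if (c == NULL) return -1;           /* context already torn down */
    return write(c->sock, msg, len) == (ssize_t)len ? 0 : -1;
}

/* Order from the report: teardown first, account step second. */
int stop_then_finish(void) {
    struct conv_ctx *c = ctx_new();
    if (c == NULL) return -2;
    ctx_stop(&c);
    return account_msg(c, "expiry notice", 13);
}

/* Proposed order: account step while the context is live, then teardown. */
int finish_then_stop(void) {
    struct conv_ctx *c = ctx_new();
    if (c == NULL) return -2;
    int r = account_msg(c, "expiry notice", 13);
    ctx_stop(&c);
    return r;
}

int main(void) { return (stop_then_finish() == -1 && finish_then_stop() == 0) ? 0 : 1; }
```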