[Bug 702] dont call userauth_finish after auth2_challenge_stop

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Sep 23 02:55:11 EST 2003


http://bugzilla.mindrot.org/show_bug.cgi?id=702

           Summary: dont call userauth_finish after auth2_challenge_stop
           Product: Portable OpenSSH
           Version: 3.7.1p1
          Platform: UltraSparc
        OS/Version: Solaris
            Status: NEW
          Severity: major
          Priority: P2
         Component: PAM support
        AssignedTo: openssh-bugs at mindrot.org
        ReportedBy: paul.a.bolton at bt.com


Very occasionally users are experiencing sessions bailing on authentication with
a "fatal: ssh_msg_send: write". After some analysis it seems that the common
factor is that a Solaris account management module is printing a message via the
conversation function (e.g. Your password will expire in 7 days...).

It looks as if input_userauth_info_response() in auth2-chall.c is the
culprit. auth2_challenge_stop() will eventually cause sshpam_free_ctx() to be
called in auth-pam.c, which will free ctxt. This contains important file
descriptors for the conversation function, which get closed before the free
(which is correct).

userauth_finish() can call do_account() if PAM is enabled. As
auth2_challenge_stop() is getting called beforehand, if the module generates
messages, invalid references for FDs are found (probably because the memory has
been malloc'ed again, no SEGV) and the error detailed above is activated.

It seems that it is possible to call auth2_challenge_stop() after
userauth_finish(). However, there are a few comments in the code I have seen that
I don't like in relation to doing this. I will attach a patch with this bug.
Please can you advise on any possible issues in doing this, as the change would
probably need more sanity checking.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
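
A simplified model of the ordering issue described in the report, added here as an illustration; it is not OpenSSH code and not the reporter's patch. The names conv_ctx, conv_start, conv_stop, account_check and run_order are hypothetical, and clearing the pointer during teardown is an assumption of this sketch that turns the stale reference into a detectable error.

```c
/* Simplified model of the ordering problem; not OpenSSH code (names hypothetical). */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

struct conv_ctx { int msg_fd; };   /* descriptor used to relay module messages */

static struct conv_ctx *conv_start(int fd) {
    struct conv_ctx *c = malloc(sizeof(*c));
    if (c != NULL) c->msg_fd = fd;
    return c;
}

/* Teardown: close the descriptor, free the context, clear the caller's
 * pointer so a later use is detected instead of touching freed memory. */
static void conv_stop(struct conv_ctx **cp) {
    if (*cp == NULL) return;
    close((*cp)->msg_fd);
    free(*cp);
    *cp = NULL;
}

/* Account step that may emit a message (constructed sample text).
 * Returns 0 on success, -1 with errno set if the channel is gone. */
static int account_check(struct conv_ctx *c, const char *msg) {
    if (c == NULL) { errno = EBADF; return -1; }
    ssize_t n = write(c->msg_fd, msg, strlen(msg));
    return n == (ssize_t)strlen(msg) ? 0 : -1;
}

/* stop_first != 0: order from the report (teardown, then account step).
 * stop_first == 0: proposed order (account step, then teardown). */
static int run_order(int stop_first) {
    int p[2], r;
    if (pipe(p) != 0) return -2;
    struct conv_ctx *c = conv_start(p[1]);
    if (stop_first) conv_stop(&c);
    r = account_check(c, "Your password will expire in 7 days\n");
    conv_stop(&c);               /* no-op if teardown already happened */
    close(p[0]);
    return r;
}

int main(void) {
    printf("stop then finish: %d\n", run_order(1));
    printf("finish then stop: %d\n", run_order(0));
    return 0;
}
```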



