[Bug 2642] New: [sshconnect2] publickey authentication only properly works if used first: pubkey_prepare doesn't work after pubkey_cleanup
bugzilla-daemon at bugzilla.mindrot.org
Tue Nov 22 08:23:16 AEDT 2016
https://bugzilla.mindrot.org/show_bug.cgi?id=2642
Bug ID: 2642
Summary: [sshconnect2] publickey authentication only properly
works if used first: pubkey_prepare doesn't work after
pubkey_cleanup
Product: Portable OpenSSH
Version: 7.3p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: git at lerya.net
When using multiple authentication methods after a successful partial
authentication, the following code is run
(https://github.com/openssh/openssh-portable/blob/master/sshconnect2.c#L562-L564):
```
/* reset state */
pubkey_cleanup(authctxt);
pubkey_prepare(authctxt);
```
Unfortunately, this does _not_ reset the state!
- pubkey_cleanup is simple: it just closes the agent connection and
deletes all keys in authctxt->keys
- pubkey_prepare populates authctxt->keys and can create an agent
connection. However, it cannot be called twice, because it modifies
options.identity_keys and leaks options.certificates:
* When reading identity_keys, when storing the key in a new 'identity'
structure, it runs
(https://github.com/openssh/openssh-portable/blob/master/sshconnect2.c#L1287)
`options.identity_keys[i] = NULL;`. As a result, any subsequent run
of this function, when getting the key via `key = options.identity_keys[i];`,
will only be able to retrieve 'NULL'.
* When reading options.num_certificate_files, it does not replace
options.certificates[i] by NULL but simply copies the pointer into the new
'identity' structure. When pubkey_cleanup runs, it will free this value,
making any subsequent run of this function access freed memory? (not
tested)
A clean solution could be to copy the key over, instead of replacing
the original by NULL or leaking and freeing the original, but as far as
I can see, there is no sshkey_copy/sshkey_dup function...
A simple way of reproducing the identity_keys part of the problem (I'm
not using certificates) is to:
- Configure sshd with AuthenticationMethods
keyboard-interactive:pam,publickey
- Generate a public/private key
- Start an ssh agent, add the key
- Run `ssh -i ${publickeyfile} -o IdentitiesOnly=yes -vv ${host}`,
properly authenticate with the password and see the publickey
authentication failing; the logs will contain:
```
debug2: key: ${publickeyfile} (${pointer}), explicit, agent
[...]
Authenticated with partial success.
debug2: key: ${publickeyfile} ((nil)), explicit
```
The two key lines should have been identical.