[Bug 2642] [sshconnect2] publickey authentication only properly works if used first: pubkey_prepare doesn't work after pubkey_cleanup

bugzilla-daemon at bugzilla.mindrot.org
Tue Nov 22 18:32:23 AEDT 2016


https://bugzilla.mindrot.org/show_bug.cgi?id=2642

--- Comment #1 from Vincent Brillault <git at lerya.net> ---
I believe I've been able to observe the bug on the certificate path.
Steps to reproduce:
- Configure sshd with AuthenticationMethods keyboard-interactive:pam,publickey (in fact, it can be any combination of 2 methods)
- Generate a valid certificate file
- Run `ssh -o 'CertificateFile=${certfile}' -o IdentitiesOnly=yes -vvv ${host}` and properly authenticate the first time. Logs should contain:
  * `debug2: key: ${certfile} (${pointer}), explicit` before the first authentication
  * No corresponding line after the first authentication (the certificate disappeared)

On my setup, `key_is_cert(key)` seems to return 0 when accessing the
freed memory, leading not to a crash but simply to that key being
ignored.

If run under valgrind, logs should contain (using
1a6f9d2e2493d445cd9ee496e6e3c2a2f283f66a of
https://github.com/openssh/openssh-portable):
Authenticated with partial success.
==25112== Invalid read of size 4
==25112==    at 0x1300E9: sshkey_is_cert (sshkey.c:308)
==25112==    by 0x1253A6: pubkey_prepare (sshconnect2.c:1298)
==25112==    by 0x1289F6: input_userauth_failure (sshconnect2.c:564)
==25112==    by 0x154758: ssh_dispatch_run (dispatch.c:119)
==25112==    by 0x12852B: ssh_userauth2 (sshconnect2.c:402)
==25112==    by 0x124D56: ssh_login (sshconnect.c:1383)
==25112==    by 0x113898: main (ssh.c:1418)
==25112==  Address 0x6138060 is 0 bytes inside a block of size 64 free'd
==25112==    at 0x4C2C4AB: free (vg_replace_malloc.c:473)
==25112==    by 0x12597A: pubkey_cleanup (sshconnect2.c:1411)
==25112==    by 0x1289EE: input_userauth_failure (sshconnect2.c:563)
==25112==    by 0x154758: ssh_dispatch_run (dispatch.c:119)
==25112==    by 0x12852B: ssh_userauth2 (sshconnect2.c:402)
==25112==    by 0x124D56: ssh_login (sshconnect.c:1383)
==25112==    by 0x113898: main (ssh.c:1418)
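A minimal model of the ownership mistake the valgrind trace shows, added here as an illustration and not OpenSSH's code: the per-attempt identity list points at a certificate key that the client configuration also owns, so freeing every key in cleanup leaves the configuration with a dangling pointer that the next prepare reads. The version below tags each list entry with whether it owns its key so cleanup frees only per-attempt keys; all struct and function names are hypothetical.

```c
#include <stdlib.h>

/* Hypothetical model of the client's identity list; not OpenSSH's code. */
struct key { int is_cert; };
struct identity { struct key *key; int owns_key; struct identity *next; };
struct config { struct key *certificates[4]; int ncertificates; };

/* Build the list for one attempt. Configured certificates are linked, not
 * copied, so their entries do not own the key; a key loaded only for this
 * attempt (modelled with calloc) is marked as owned. */
static struct identity *prepare_identities(struct config *cfg, int *ncerts) {
    struct identity *head = NULL, *id;
    *ncerts = 0;
    for (int i = 0; i < cfg->ncertificates; i++) {
        if (!cfg->certificates[i]->is_cert) continue;  /* the read that was a UAF */
        id = calloc(1, sizeof *id);
        id->key = cfg->certificates[i];
        id->owns_key = 0;
        id->next = head; head = id;
        (*ncerts)++;
    }
    id = calloc(1, sizeof *id);              /* per-attempt key: owned */
    id->key = calloc(1, sizeof *id->key);
    id->owns_key = 1;
    id->next = head;
    return id;
}

/* Free the attempt list. Freeing every key here unconditionally is the
 * reported bug: the config still points at the certificate, so the next
 * prepare_identities() reads freed memory. The flag limits free() to owned keys. */
static void cleanup_identities(struct identity *head) {
    while (head) {
        struct identity *next = head->next;
        if (head->owns_key) free(head->key);
        free(head);
        head = next;
    }
}

/* Two attempts, as after "Authenticated with partial success"; returns how
 * many certificate identities the second attempt offered. */
int certs_offered_in_second_attempt(void) {
    struct key cert = { .is_cert = 1 };
    struct config cfg = { .certificates = { &cert }, .ncertificates = 1 };
    int ncerts = 0;
    for (int attempt = 0; attempt < 2; attempt++)
        cleanup_identities(prepare_identities(&cfg, &ncerts));
    return ncerts;   /* 1: the certificate survives the first cleanup */
}
```

Built with AddressSanitizer or run under valgrind, flipping `owns_key` to 1 for the configured certificate reproduces the "Invalid read" in the second attempt; with the flag honoured, the certificate is still offered.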
