[Bug 2686] New: SSHD segfaults when trying to load RSA1 host keys

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Thu Mar 2 03:46:53 AEDT 2017


https://bugzilla.mindrot.org/show_bug.cgi?id=2686

            Bug ID: 2686
           Summary: SSHD segfaults when trying to load RSA1 host keys
           Product: Portable OpenSSH
           Version: 7.4p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Keywords: patch
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jjelen at redhat.com

Created attachment 2952
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2952&action=edit
possible patch

During the transition from Protocol 1 and older OpenSSH versions, there
is a possibility that old configuration files will still have some
of the old configuration options, including HostKey lines pointing to the
old key types (RSA1). I found such a line in my sshd_config, and after
updating OpenSSH I was unable to connect:

  HostKey /etc/ssh/ssh_host_key

Removing the above line will make sshd work again.

GDB traceback:

Program received signal SIGSEGV, Segmentation fault.

#0  match_pattern (s=s at entry=0x0, 
    pattern=pattern at entry=0x7fffffffd520
"ecdsa-sha2-nistp256-cert-v01 at openssh.com") at match.c:98
#1  0x00005555555a7af3 in match_pattern_list (string=0x0, 
    pattern=pattern at entry=0x555555831aa0
"ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-dss-cert-v0"...,
dolower=dolower at entry=0) at match.c:156
#2  0x000055555556447c in list_hostkey_types () at sshd.c:794
#3  do_ssh2_kex () at sshd.c:2327
#4  0x00005555555622c1 in main (ac=<optimized out>, av=<optimized out>)
at sshd.c:2181

The problem is in list_hostkey_types(), which is not checking the return
value of sshkey_ssh_name() (which returns NULL for RSA1).

OpenSSH is built --with-ssh1 (to support SSH1 in clients), but that
should not matter.

I am not sure about the plans for what will be removed in the next
release and whether it matters for the future, but it certainly matters for us
that it is crashing sshd at this moment.

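The crash described in the report is a classic unchecked-NULL pattern: a name-lookup function legitimately returns NULL for a key type that has no SSH2 algorithm name, and the caller hands that NULL to a string matcher. The following C program is an added illustration written for this page, not OpenSSH's own code; example_key_name(), unchecked_match() and build_hostkey_types() are simplified stand-ins for sshkey_ssh_name(), match_pattern() and list_hostkey_types(), and the key-type enum and algorithm names are constructed for the example. It shows the buggy call beside a hardened list builder that skips keys with no wire name.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed key types for this example. KEY_RSA1 stands in for the
 * legacy Protocol 1 type that has no SSH2 algorithm name. */
enum key_type { KEY_RSA, KEY_ED25519, KEY_RSA1 };

/* Stand-in for sshkey_ssh_name(): returns the SSH2 algorithm name, or
 * NULL for a type that has none (the RSA1 case from the bug report). */
static const char *example_key_name(enum key_type t)
{
    switch (t) {
    case KEY_RSA:     return "ssh-rsa";
    case KEY_ED25519: return "ssh-ed25519";
    default:          return NULL;   /* legacy / unsupported type */
    }
}

/* Buggy pattern (do not copy): the lookup result goes straight into a
 * string function. With a NULL name this dereferences a null pointer,
 * which is the SIGSEGV inside match_pattern() in the backtrace. */
static int unchecked_match(const char *pattern, enum key_type t)
{
    const char *name = example_key_name(t);
    return strcmp(name, pattern) == 0;   /* crashes when name == NULL */
}

/* Hardened stand-in for list_hostkey_types(): builds the comma-separated
 * list of host key algorithm names, skipping any key whose type has no
 * SSH2 name, so a matcher never receives a NULL string. Returns the
 * number of keys skipped; the list is written into out (NUL-terminated). */
static int build_hostkey_types(const enum key_type *keys, size_t nkeys,
                               char *out, size_t outlen)
{
    size_t used = 0;
    int skipped = 0;

    if (outlen == 0)
        return -1;
    out[0] = '\0';
    for (size_t i = 0; i < nkeys; i++) {
        const char *name = example_key_name(keys[i]);
        if (name == NULL) {          /* the check the report says is missing */
            skipped++;
            continue;
        }
        size_t len = strlen(name);
        size_t need = len + (used ? 1 : 0);
        if (used + need + 1 > outlen)  /* no room: stop rather than overflow */
            break;
        if (used)
            out[used++] = ',';
        memcpy(out + used, name, len);
        used += len;
        out[used] = '\0';
    }
    return skipped;
}

/* Constructed host key set: an RSA1 key first, mimicking a stale
 * "HostKey /etc/ssh/ssh_host_key" line, then two supported keys. */
static char demo_buf[64];

static int demo_build(void)
{
    static const enum key_type keys[] = { KEY_RSA1, KEY_RSA, KEY_ED25519 };
    return build_hostkey_types(keys, sizeof keys / sizeof keys[0],
                               demo_buf, sizeof demo_buf);
}

static const char *demo_list(void)
{
    return demo_buf;
}

int main(void)
{
    int skipped = demo_build();
    printf("hostkey types: %s (skipped %d legacy key%s)\n",
           demo_list(), skipped, skipped == 1 ? "" : "s");
    /* unchecked_match("ssh-rsa", KEY_RSA1) would segfault here. */
    return 0;
}
```

Running it prints `hostkey types: ssh-rsa,ssh-ed25519 (skipped 1 legacy key)`. The defensive rule the report points at is that any lookup which can return NULL for a valid-but-unsupported input must be checked at every call site before the result reaches string handling; skipping the key (ideally with a log message naming the offending HostKey path) keeps the daemon up instead of turning a stale config line into a denial of service.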