[Bug 2107] seccomp sandbox breaks GSSAPI

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Thu Aug 9 22:02:44 AEST 2018 

https://bugzilla.mindrot.org/show_bug.cgi?id=2107

Jakub Jelen <jjelen at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jjelen at redhat.com

--- Comment #11 from Jakub Jelen <jjelen at redhat.com> ---
It looks like I am late for the party, but this unfortunately does not
address the issue completely. For some reasons, the configuration can
look like this:

GSSAPIAuthentication no
Match User root
  GSSAPIAuthentication yes

and in this case, the caching mechanisms will not be triggered, the
separated child will try to load the data later and fail:

Program received signal SIGSYS, Bad system call.
[Switching to Thread 0x7f67e97f88c0 (LWP 9647)]
0x00007f67e4c3de39 in pthread_once () from /lib64/libpthread.so.0
(gdb) bt
#0  0x00007f67e4c3de39 in pthread_once () from /lib64/libpthread.so.0
#1  0x00007f67e3379b68 in krb5int_pthread_loaded () from
/lib64/libkrb5support.so.0
#2  0x00007f67e337a0f1 in k5_once () from /lib64/libkrb5support.so.0
#3  0x00007f67e74021e7 in gssint_mechglue_initialize_library () from
/lib64/libgssapi_krb5.so.2
#4  0x00007f67e74022b5 in gss_indicate_mechs () from
/lib64/libgssapi_krb5.so.2
#5  0x00005594c41f2e4f in ssh_gssapi_supported_oids (
    oidset=oidset at entry=0x5594c4490088 <supported_oids>) at
gss-serv.c:179
#6  0x00005594c41f2f55 in ssh_gssapi_prepare_supported_oids () at
gss-serv.c:82
#7  ssh_gssapi_test_oid_supported (ms=0x7ffc60dc75f0,
member=0x7ffc60dc7600, present=0x7ffc60dc75ec)
    at gss-serv.c:89
#8  0x00005594c41f23d8 in userauth_gssapi (authctxt=0x5594c48fe500) at
auth2-gss.c:127
#9  0x00005594c41e0b1c in input_userauth_request (type=<optimized out>,
seq=<optimized out>, 
    ctxt=0x5594c48fe500) at auth2.c:295
#10 0x00005594c42227a9 in ssh_dispatch_run
(ssh=ssh at entry=0x5594c49008c0, mode=mode at entry=0, 
    done=done at entry=0x5594c48fe500, ctxt=ctxt at entry=0x5594c48fe500) at
dispatch.c:119
#11 0x00005594c42227f9 in ssh_dispatch_run_fatal (ssh=0x5594c49008c0,
mode=mode at entry=0, 
    done=done at entry=0x5594c48fe500, ctxt=ctxt at entry=0x5594c48fe500) at
dispatch.c:140
#12 0x00005594c41dfde9 in do_authentication2
(authctxt=authctxt at entry=0x5594c48fe500) at auth2.c:175
#13 0x00005594c41d1ee7 in main (ac=<optimized out>, av=<optimized out>)
at sshd.c:2191

Collin, can you confirm you can reproduce the same issue?

I can not think about sensible way around this without initializing the
kerberos library and loading the OIDs unconditionally.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

More information about the openssh-bugs mailing list