[Bug 2882] New: ssh-add can run script in SSH_ASKPASS environment variable in infinite loop
bugzilla-daemon at bugzilla.mindrot.org
Sat Jul 14 04:32:29 AEST 2018
https://bugzilla.mindrot.org/show_bug.cgi?id=2882
Bug ID: 2882
Summary: ssh-add can run script in SSH_ASKPASS environment variable in infinite loop
Product: Portable OpenSSH
Version: 7.2p2
Hardware: Other
OS: Linux
Status: NEW
Severity: minor
Priority: P5
Component: ssh-add
Assignee: unassigned-bugs at mindrot.org
Reporter: bugzilla.mindrot.org at ch.pkts.ca
TL;DR: User can make ssh-add go into infinite loop by setting
environment variable to script that gives bad pw and rc=0.
Reproduction:
############ Setup:
eval $(ssh-agent -s)
umask 077
ssh-keygen -N asdfasdf -f /tmp/id_rsa
function testit() {
    ssh-add -D 2> /dev/null
    env DISPLAY=:0 SSH_ASKPASS="$1" ssh-add /tmp/id_rsa < /dev/null
}
function createit() {
    echo "echo '$1'; exit $2" > /tmp/a.sh
    chmod a+rx /tmp/a.sh
}
######### Tests:
# Correct operation, non-script with zero RC:
testit /bin/true
# Correct operation, non-script with non-zero RC:
testit /bin/false
# Script with correct password and zero RC:
createit asdfasdf 0; testit /tmp/a.sh # Identity added: /tmp/id_rsa (/tmp/id_rsa)
# Script with correct password and non-zero RC:
createit asdfasdf 1; testit /tmp/a.sh # Not added
# Script with incorrect password and non-zero RC:
createit wrong_pw 1; testit /tmp/a.sh # Not added
# Script with incorrect password and zero RC:
createit wrong_pw 0; testit /tmp/a.sh # (Hangs, hit ctrl-C to stop it.)
######## Debugging:
# Tracing it:
strace -s 1024 -fo/tmp/a env DISPLAY=:0 SSH_ASKPASS=/tmp/a.sh ssh-add /tmp/id_rsa < /dev/null
# (Ctrl-C after a few seconds)
grep -m 15 execve /tmp/a | tail
16950 execve("/usr/bin/ssh-add", ["ssh-add", "/tmp/id_rsa.pub"], [/* 86 vars */]) = 0
16951 execve("/tmp/a.sh", ["/tmp/a.sh", "Enter passphrase for /tmp/id_rsa.pub: "], [/* 86 vars */]) = -1 ENOEXEC (Exec format error)
16951 execve("/bin/sh", ["/bin/sh", "/tmp/a.sh", "Enter passphrase for /tmp/id_rsa.pub: "], [/* 86 vars */]) = 0
16952 execve("/tmp/a.sh", ["/tmp/a.sh", "Bad passphrase, try again for /tmp/id_rsa.pub: "], [/* 86 vars */]) = -1 ENOEXEC (Exec format error)
16952 execve("/bin/sh", ["/bin/sh", "/tmp/a.sh", "Bad passphrase, try again for /tmp/id_rsa.pub: "], [/* 86 vars */]) = 0
16953 execve("/tmp/a.sh", ["/tmp/a.sh", "Bad passphrase, try again for /tmp/id_rsa.pub: "], [/* 86 vars */]) = -1 ENOEXEC (Exec format error)
16953 execve("/bin/sh", ["/bin/sh", "/tmp/a.sh", "Bad passphrase, try again for /tmp/id_rsa.pub: "], [/* 86 vars */]) = 0
16954 execve("/tmp/a.sh", ["/tmp/a.sh", "Bad passphrase, try again for /tmp/id_rsa.pub: "], [/* 86 vars */]) = -1 ENOEXEC (Exec format error)
16954 execve("/bin/sh", ["/bin/sh", "/tmp/a.sh", "Bad passphrase, try again for /tmp/id_rsa.pub: "], [/* 86 vars */]) = 0
16955 execve("/tmp/a.sh", ["/tmp/a.sh", "Bad passphrase, try again for /tmp/id_rsa.pub: "], [/* 86 vars */]) = -1 ENOEXEC (Exec format error)
##---------------
Maybe make ssh-add abort after three tries? Infinite retries is really
only useful for password cracking.
Thanks!