[Bug 3906] New: Misusing 'Match Host' in server config causes a crash at deferred connection time

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Dec 19 07:18:14 AEDT 2025


https://bugzilla.mindrot.org/show_bug.cgi?id=3906

            Bug ID: 3906
           Summary: Misusing 'Match Host' in server config causes a crash
                    at deferred connection time
           Product: Portable OpenSSH
           Version: 10.0p2
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: egberts at yahoo.com

Ok, I misused 'Host' in sshd_config as in:

    Match Host 127.0.0.1
    AllowUsers vim
    Subsystem sftp internal-sftp
    AuthenticationMethods password
    PasswordAuthentication yes
    PubkeyAuthentication no
    AllowGroups sftpusers
    ChrootDirectory /tmp/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    Banner none

And the server daemon comes up OK, no invalidation, no early exit; it just
opens the port and waits.

Running: OpenSSH_10.0p2 Debian-7, OpenSSL 3.5.4 30 Sep 2025

Checked out github openssh to tag 'upstream/10.0p1' (p2 is not
available).

Then performed:

    ssh -vvv -p 922 test at localhost

Condensed stack trace is:
    copy_set_server_options()
    parse_server_match_config()
    getpwnamallow()/auth.c:480
    mm_answer_pwnamallow()/monitor.c
    monitor_read()/monitor.c
    monitor_child_preauth()/monitor.c
    privsep_preauth()/sshd-session.c
    main()/sshd-session.c

Server crash dump upon connection is:

# gdb -q -args /usr/sbin/sshd -d -D -e
Reading symbols from /usr/sbin/sshd...
Reading symbols from
/usr/lib/debug/.build-id/44/f9dc6472e2a28c87bab63eb3e0ef883e97311c.debug...
(gdb) directory /home/user/work/github/openssh
Source directories searched: /home/user/work/github/openssh:$cdir:$cwd
(gdb) b main
Breakpoint 1 at 0xa430: file ../../sshd.c, line 1398.
(gdb) r
Starting program: /usr/sbin/sshd -d -D -e

This GDB supports auto-downloading debuginfo from the following URLs:
  <https://debuginfod.debian.net>
Enable debuginfod for this session? (y or [n]) y
Debuginfod has been enabled.
To make this setting permanent, add 'set debuginfod enabled on' to
.gdbinit.
[Thread debugging using libthread_db enabled]
Using host libthread_db library
"/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 1, main (ac=4, av=0x7fffffffc968) at ../../sshd.c:1398
warning: Source file is more recent than executable.
1398                    case 'b':
(gdb) c
Continuing.
debug1: sshd version OpenSSH_10.0, OpenSSL 3.5.4 30 Sep 2025
debug1: private host key #0: ssh-ed25519
SHA256:xxxxxxxxFplEETh4uLfOjFXuqwDF4q1Z5xxxxxxxxho
debug1: rexec_argv[1]='-d'
debug1: rexec_argv[2]='-D'
debug1: rexec_argv[3]='-e'
debug1: Set /proc/self/oom_score_adj from 200 to -1000
debug1: srclimit_init: max connections 100, per source 5, masks 32,128
debug1: Bind to port 922 on 0.0.0.0.
Server listening on 0.0.0.0 port 922.
debug1: srclimit_check_allow: sock 7 id 8 limit 5
debug1: Server will not fork when running in debugging mode.
[Detaching after fork from child process 3909266]
debug1: rexec start in 7 out 7 newsock 7 config_s 8/9
process 3909250 is executing new program: /usr/lib/openssh/sshd-session
[Thread debugging using libthread_db enabled]
Using host libthread_db library
"/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 1, main (ac=5, av=0x7fffffffc938) at
../../sshd-session.c:843
warning: Source file is more recent than executable.
843             char *line, *laddr, *logfile = NULL;
(gdb) c
Continuing.
debug1: sshd-session version OpenSSH_10.0, OpenSSL 3.5.4 30 Sep 2025
debug1: network sockets: 6, 6
Connection from 127.0.0.1 port 55228 on 127.0.0.1 port 922 rdomain ""
debug1: Local version string SSH-2.0-OpenSSH_10.0p2
debug1: Remote protocol version 2.0, remote software version
OpenSSH_10.0p2 Debian-7
debug1: compat_banner: match: OpenSSH_10.0p2 Debian-7 pat OpenSSH*
compat 0x04000000
[Detaching after fork from child process 3909267]
debug1: network sockets: 5, 5 [preauth]
debug1: mm_answer_state: config len 1315
debug1: sshd-auth version OpenSSH_10.0, OpenSSL 3.5.4 30 Sep 2025
debug1: permanently_set_uid: 103/65534 [preauth]
debug1: list_hostkey_types: ssh-ed25519 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: algorithm: curve25519-sha256 [preauth]
debug1: kex: host key algorithm: ssh-ed25519 [preauth]
debug1: kex: client->server cipher: chacha20-poly1305 at openssh.com MAC:
<implicit> compression: none [preauth]
debug1: kex: server->client cipher: chacha20-poly1305 at openssh.com MAC:
<implicit> compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth]
debug1: mm_answer_sign: hostkey ssh-ed25519 index 0
debug1: ssh_packet_send2_wrapped: resetting send seqnr 3 [preauth]
debug1: rekey out after 131072 blocks [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: Sending SSH2_MSG_EXT_INFO [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: ssh_packet_read_poll2: resetting read seqnr 3 [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: rekey in after 131072 blocks [preauth]
debug1: KEX done [preauth]
debug1: SSH2_MSG_EXT_INFO received [preauth]
debug1: kex_ext_info_check_ver: ext-info-in-auth at openssh.com=<0>
[preauth]
debug1: userauth-request for user vim service ssh-connection method
none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: connection from 127.0.0.1 matched 'Host 127.0.0.1' at line 80

Program received signal SIGSEGV, Segmentation fault.
0x0000555555570717 in copy_set_server_options
(dst=dst at entry=0x555555666820 <options>, src=src at entry=0x7fffffffb6b0, 
    preauth=preauth at entry=0) at ../../servconf.c
(gdb) bt
#0  0x0000555555570717 in copy_set_server_options
(dst=dst at entry=0x555555666820 <options>, src=src at entry=0x7fffffffb6b0, 
    preauth=preauth at entry=0) at ../../servconf.c:3037
#1  0x0000555555570aa6 in parse_server_match_config
(options=0x555555666820 <options>, includes=<optimized out>, 
    connectinfo=connectinfo at entry=0x555555667540 <ci>) at
../../servconf.c:2874
#2  0x00005555555754be in getpwnamallow (ssh=ssh at entry=0x5555556ecb50,
user=0x5555556e8a80 "vim") at ../../auth.c:480
#3  0x000055555558c0c1 in mm_answer_pwnamallow (ssh=0x5555556ecb50,
sock=8, m=0x5555556f0360) at ../../monitor.c:863
#4  0x000055555558966e in monitor_read (ssh=ssh at entry=0x5555556ecb50,
pmonitor=pmonitor at entry=0x5555556eada0, 
    ent=0x555555666310 <mon_dispatch_proto20+48>,
pent=pent at entry=0x7fffffffbf30) at ../../monitor.c:550
#5  0x000055555558cb96 in monitor_child_preauth
(ssh=ssh at entry=0x5555556ecb50, pmonitor=0x5555556eada0)
    at ../../monitor.c:319
#6  0x0000555555564621 in privsep_preauth (ssh=0x5555556ecb50) at
../../sshd-session.c:367
#7  main (ac=<optimized out>, av=<optimized out>) at
../../sshd-session.c:1320

(gdb) up
#1  0x0000555555570aa6 in parse_server_match_config
(options=0x555555666820 <options>, includes=<optimized out>, 
    connectinfo=connectinfo at entry=0x555555667540 <ci>) at
../../servconf.c:zzzz
warning: Source file is more recent than executable.

(gdb) up
#2  0x00005555555754be in getpwnamallow (ssh=ssh at entry=0x5555556ecb50,
user=0x5555556e8a80 "vim") at ../../auth.c:480
warning: Source file is more recent than executable.
480             parse_server_match_config(&options, &includes, ci);
(gdb) l
475             u_int i;
476
477             ci = server_get_connection_info(ssh, 1,
options.use_dns);
478             ci->user = user;
479             ci->user_invalid = getpwnam(user) == NULL;
480             parse_server_match_config(&options, &includes, ci);
481             log_change_level(options.log_level);
482             log_verbose_reset();
483             for (i = 0; i < options.num_log_verbose; i++)
484                     log_verbose_add(options.log_verbose[i]);
(gdb) up
#3  0x000055555558c0c1 in mm_answer_pwnamallow (ssh=0x5555556ecb50,
sock=8, m=0x5555556f0360) at ../../monitor.c:zzzz
warning: Source file is more recent than executable.

(gdb) up
#4  0x000055555558966e in monitor_read (ssh=ssh at entry=0x5555556ecb50,
pmonitor=pmonitor at entry=0x5555556eada0, 
    ent=0x555555666310 <mon_dispatch_proto20+48>,
pent=pent at entry=0x7fffffffbf30) at ../../monitor.c:zzzz
warning: Source file is more recent than executable.

(gdb) up
#5  0x000055555558cb96 in monitor_child_preauth
(ssh=ssh at entry=0x5555556ecb50, pmonitor=0x5555556eada0)
    at ../../monitor.c:zzzz
warning: Source file is more recent than executable.

#6  0x0000555555564621 in privsep_preauth (ssh=0x5555556ecb50) at
../../sshd-session.c:367
warning: Source file is more recent than executable.

(gdb) up
#7  main (ac=<optimized out>, av=<optimized out>) at
../../sshd-session.c:1320
warning: Source file is more recent than executable.

(gdb) up
Initial frame selected; you cannot go up.
(gdb) q
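
As an added example (not part of the bug report), here is a shell check that applies the reporter's Match block for a given connection at configuration-check time with `sshd -T -C`, rather than discovering Match-handling problems when the first client connects as in the report above; `sshd -t` alone only parses the file. The connection spec values, the `chrootdirectory` line used as the success marker and the `/usr/sbin/sshd` fallback path are assumptions.

```shell
#!/bin/sh
# sshd -t parses the config; sshd -T -C <spec> also applies Match blocks for
# the given connection and dumps the effective config. Like -t, it needs
# readable host keys, so run it where sshd is installed.
set -u
SSHD_BIN="${SSHD_BIN:-$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)}"

# -C spec: host and addr are both set to the client address because, with
# UseDNS off, sshd uses the address string as the host name (assumption
# about the reporter's setup; 'Match Address' is the criterion meant for IPs).
build_conn_spec() {
    # $1 user, $2 client address, $3 local port
    printf 'user=%s,host=%s,addr=%s,laddr=%s,lport=%s' "$1" "$2" "$2" "$2" "$3"
}

# Return codes: 0 ok, 1 parse failed, 2 Match evaluation failed (a crash
# shows as sshd exit status 139), 3 expected directive missing, 4 no sshd.
check_match_config() {
    cfg=$1; spec=$2; expect=$3
    [ -x "$SSHD_BIN" ] || { echo "sshd not found ($SSHD_BIN)" >&2; return 4; }
    "$SSHD_BIN" -t -f "$cfg" || return 1
    dump=$("$SSHD_BIN" -T -C "$spec" -f "$cfg") || return 2
    # sshd -T prints keywords lowercased, one directive per line.
    printf '%s\n' "$dump" | grep -qix "$expect" || return 3
}

# Constructed config file holding the Match block from the report.
demo() {
    cfg=$(mktemp) || return 1
    cat >"$cfg" <<'EOF'
Match Host 127.0.0.1
    AllowUsers vim
    Subsystem sftp internal-sftp
    AuthenticationMethods password
    PasswordAuthentication yes
    PubkeyAuthentication no
    AllowGroups sftpusers
    ChrootDirectory /tmp/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    Banner none
EOF
    rc=0
    check_match_config "$cfg" "$(build_conn_spec vim 127.0.0.1 922)" \
        "chrootdirectory /tmp/sftp/%u" || rc=$?
    rm -f "$cfg"
    echo "check_match_config exit status: $rc"
    return "$rc"
}
demo || true
```

Exit status 2 from `check_match_config` means the Match evaluation itself failed before any client connected, which is the condition the report observes only at connection time.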
