sshd crashes (w/ skey)

Vanja Hrustic vanja at relaygroup.com
Sat Jan 20 03:22:09 EST 2001


Hi!

There is a situation when sshd will crash, but it might be rather hard to reproduce. I'll try to explain the setup :)

S/KEY is compiled and installed (taken from http://www.sparc.spb.su/solaris/skey/ ) on a Linux box (kernel 2.4.0). Then, OpenSSH 2.3.0p1 is compiled
with skey support. It all works fine (the patch that fixes the skey issue found in November has been applied too).

Now, for the sake of testing, I have created an skey entry for a user who doesn't have an account on the system. Like: 'skey init blah'

Then, I try to connect with: ssh blah@host (s/key enabled, password authentication disabled - so s/key kicks in automatically, and ssh_config also
has s/key authentication enabled)

Sshd dies. Debug output shows:

...
debug1: Received session key; encryption turned on.
debug1: Installing crc compensation attack detector.
debug1: Attempting authentication for illegal user blah.
debug1: rcvd SSH_CMSG_AUTH_TIS
debug1: generating fake skeyinfo for blah.
Segmentation fault (core dumped)
[root@x openssh-2.3.0p1]#

Funny enough, the core file is created in the root (/core) - I am not sure if that is 'expected' behavior - never had sshd crash before :)

gdb output shows:

(gdb) where
#0  0x400ae0d6 in chunk_free (ar_ptr=0x40142d60, p=0x80f3948) at malloc.c:3097
#1  0x400ade46 in chunk_alloc (ar_ptr=0x40142d60, nb=24) at malloc.c:2594
#2  0x400ad5ce in __libc_malloc (bytes=15) at malloc.c:2696
#3  0x400b2a29 in __strdup (s=0x4013b731 "/etc/localtime") at strdup.c:43
#4  0x400dd3c0 in tzset_internal (always=0) at tzset.c:169
#5  0x400de0db in __tz_convert (timer=0xbfffee8c, use_localtime=1, tp=0x40148460) at tzset.c:582
#6  0x400d9c9c in localtime (t=0xbfffee8c) at localtime.c:43
#7  0x400d9bd8 in ctime (t=0xbfffee8c) at ctime.c:32
#8  0x80501b6 in skey_fake_keyinfo (username=0x80ed5d8 "blah") at auth-skey.c:145
#9  0x804eb9c in do_authloop (pw=0x0, luser=0x80ed5d8 "blah") at auth1.c:279
#10 0x804ef77 in do_authentication () at auth1.c:473
#11 0x804dc4a in main (ac=2, av=0xbffffa3c) at sshd.c:1088
(gdb)

I might be talking complete BS, but I think that the problem lies somewhere among these lines:

-- auth-skey.c - skey_fake_keyinfo() --
} else if (!stat(_PATH_MEM, &sb) || !stat("/", &sb)) {
	t = sb.st_ctime;
	secret = ctime(&t);
	secretlen = strlen(secret);
	flg = 0;
}
-- cut--

I have tried adding various debug() messages in the auth-skey.c file, and what was VERY funny is that sshd would 'randomly' stop crashing if I put
debug lines into the code. For example, I add 2 debug lines below this piece of code, and the fake response gets generated fine - sshd never dies. I put
only 1, a little bit further up - it dies. I move it more, sshd works again.

This doesn't look like a 'stable bug' (doesn't happen when I add some debug lines, for example), so it might be something related to the system itself. More
details:

openssl 0.9.6
openssh 2.3.0p1
gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)
kernel 2.4.0 (no 'additional' patches)

Any help is appreciated :)

Vanja

p.s: sorry, I'm not on the list, so I'd appreciate if you can CC me on any responses. Thanks :)
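Editor's note on reading the backtrace above: the fault is raised inside chunk_free(), which chunk_alloc() called while servicing the strdup() that ctime() performs on "/etc/localtime". Nothing in that chain is skey-specific, so the allocator is most likely tripping over chunk metadata that some earlier write clobbered, and the fact that inserting or moving debug() calls makes the crash come and go fits that picture, since each change shifts the heap layout and with it which chunk absorbs the damage. The following program is an added illustration of that mechanism and is not code from the original post or from OpenSSH. It uses a constructed toy allocator with in-band chunk headers (names toy_malloc, toy_free, demo_overflow and the CHUNK_MAGIC tag are all invented for the example) and shows that an out-of-bounds write into one chunk is only noticed when an unrelated, later free() examines its neighbour, and that an extra allocation between the two (standing in for heap churn from a debug line) moves the symptom to a different chunk without fixing anything.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed example: a tiny bump allocator whose chunks carry an in-band
 * header, the way glibc's malloc does. It exists only to show why an overflow
 * of one chunk's payload makes a LATER, unrelated malloc/free fail, and why
 * changing the allocation pattern (e.g. extra debug() calls) moves the fault. */

#define ARENA_SIZE 512
#define CHUNK_MAGIC 0x5AFEC0DEu   /* constructed tag, verified on free */

struct hdr {
    uint32_t magic;   /* must still read CHUNK_MAGIC, else metadata was overwritten */
    uint32_t size;    /* payload size, rounded up to a multiple of 8 */
};

static unsigned char arena[ARENA_SIZE];
static size_t top;

void toy_reset(void) { memset(arena, 0, sizeof arena); top = 0; }

/* Header immediately followed by payload; consecutive chunks are adjacent. */
void *toy_malloc(size_t n) {
    size_t payload = (n + 7) & ~(size_t)7;
    if (top + sizeof(struct hdr) + payload > ARENA_SIZE) return NULL;
    struct hdr *h = (struct hdr *)(arena + top);
    h->magic = CHUNK_MAGIC;
    h->size = (uint32_t)payload;
    top += sizeof(struct hdr) + payload;
    return (void *)(h + 1);
}

/* Stand-in for the consistency check a real chunk_free() performs.
 * Returns 0 if the header is intact, -1 if it was overwritten. A real
 * allocator dereferences whatever garbage it finds here, hence the segfault. */
int toy_free(void *p) {
    struct hdr *h = (struct hdr *)p - 1;
    return h->magic == CHUNK_MAGIC ? 0 : -1;
}

/* Write write_len bytes into a 16-byte chunk 'a', then free neighbour 'b'.
 * If pad is nonzero, an unrelated 16-byte allocation sits between them,
 * standing in for the heap churn that an added debug() call causes.
 * Returns 0 if nothing broke, 1 if b's header was hit, 2 if the filler's
 * header was hit instead, -1 if the arena is exhausted. */
int demo_overflow(size_t write_len, int pad) {
    toy_reset();
    char *a = toy_malloc(16);
    char *filler = pad ? toy_malloc(16) : NULL;
    char *b = toy_malloc(16);
    if (!a || !b || (pad && !filler)) return -1;

    memset(a, 'A', write_len);   /* the bug: write_len may exceed the 16 bytes owned */

    /* later, innocent code (think ctime -> strdup -> malloc) touches b */
    if (toy_free(b) != 0) return 1;
    if (filler && toy_free(filler) != 0) return 2;
    return 0;
}

int main(void) {
    printf("in-bounds write:        %d\n", demo_overflow(16, 0));
    printf("4-byte overflow:        %d\n", demo_overflow(20, 0));
    printf("same overflow, padded:  %d\n", demo_overflow(20, 1));
    return 0;
}
```

The practical takeaway for a crash like the one in the report is that the faulting frame (chunk_free) identifies the victim, not the culprit, and that moving debug() calls around only changes which chunk is the victim. The write site itself is found by running the real binary with heap checking enabled (glibc's MALLOC_CHECK_ environment variable, or a memory checker such as valgrind, or AddressSanitizer with a compiler that supports it), which flags the out-of-bounds store at the moment it happens rather than at the next allocation that stumbles over it.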
