PAM problem - sshd segfault on Solaris

William Yodlowsky bsd at openbsd.rutgers.edu
Wed Oct 24 00:05:27 EST 2001


I'm using OpenSSH-2.9.9p2 on Solaris 8 sparc64.  2.9p2 worked fine, but
2.9.9p2+ is giving me trouble with one thing - sshd segfaults if I try to
connect and execute a command, such as "ssh machine ls".  Otherwise it
works great.  sshd will fork, and the child process segfaults.

CVS snapshot does the same thing.

I've narrowed this down somewhat.  It will only happen if you use
./configure --with-pam (see below).

Output from "gdb ./sshd" and "run -p 2022 -d -d -d" (IP obscured):

...
Failed none for wyodlows from a.b.c.d port 45214 ssh2
debug1: userauth-request for user wyodlows service ssh-connection method password
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method password
debug1: PAM Password authentication accepted for user "wyodlows"
Accepted password for wyodlows from a.b.c.d port 45214 ssh2
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 32768
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug2: callback start
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 channel 0 request exec reply 0

Program received signal SIGSEGV, Segmentation fault.
0xff133a9c in strncpy () from /usr/lib/libc.so.1
(gdb) bt
#0  0xff133a9c in strncpy () from /usr/lib/libc.so.1
#1  0xff0b61b0 in pam_sm_open_session () from /usr/lib/security/pam_unix.so.1
#2  0xff372b88 in pam_open_session () from /usr/lib/libpam.so.1
#3  0x2cc88 in do_pam_session (username=0x115fb0 "wyodlows", ttyname=0x0)
    at auth-pam.c:283
#4  0x32360 in do_exec_no_pty (s=0x1108ac, command=0x121950 "ls")
    at session.c:433
#5  0x32884 in do_exec (s=0x1108ac, command=0x121950 "ls") at session.c:668
#6  0x34008 in session_exec_req (s=0x1108ac) at session.c:1742
#7  0x3417c in session_input_channel_req (id=0, arg=0x0) at session.c:1795
#8  0x3a040 in channel_input_channel_request (type=98, plen=19, ctxt=0x116898)
    at channels.c:1974
#9  0x3cae0 in dispatch_run (mode=1, done=0x0, ctxt=0x116898) at dispatch.c:71
#10 0x30e1c in process_buffered_input_packets () at serverloop.c:423
#11 0x314b8 in server_loop2 (authctxt=0xffbef408) at serverloop.c:705
#12 0x348d8 in do_authenticated2 (authctxt=0x1170f0) at session.c:2063
#13 0x31eb4 in do_authenticated (authctxt=0x1170f0) at session.c:199
#14 0x29c68 in do_authentication2 () at auth2.c:134
#15 0x280d4 in main (ac=6, av=0x8) at sshd.c:1204


I do not claim to know what the correct fix is, however I can avoid
the segfault by removing the do_pam_session() call.  This is how the
same code looks in 2.9p2 (which doesn't segfault).

I'll happily provide any information needed to help fix this.  Thanks.


--- openssh/session.c.orig	Mon Oct 22 22:42:46 2001
+++ openssh/session.c	Mon Oct 22 22:43:31 2001
@@ -430,7 +430,7 @@ do_exec_no_pty(Session *s, const char *c
 	session_proctitle(s);
 
 #if defined(USE_PAM)
-	do_pam_session(s->pw->pw_name, NULL);
+/*	do_pam_session(s->pw->pw_name, NULL);		*/
 	do_pam_setcred(1);
 #endif /* USE_PAM */
 
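Review bot: In do_exec_no_pty(), commenting out do_pam_session() while do_pam_setcred(1) stays in place means exec requests such as "ssh machine ls" never open a PAM session, so any session modules are skipped on this path. The backtrace above shows the call arriving with ttyname=0x0 and the fault in strncpy() under pam_sm_open_session(), so I would keep the call and look at what do_pam_session() does with a NULL ttyname around auth-pam.c:283 rather than dropping it here. If the call does have to go, delete the line instead of leaving it commented out, and add a comment saying why this path no longer opens a session.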


