[Bug 375] New: sshd core dumping with msg "Cannot delete credentials"

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Aug 1 23:11:53 EST 2002


http://bugzilla.mindrot.org/show_bug.cgi?id=375

           Summary: sshd core dumping with msg "Cannot delete credentials"
           Product: Portable OpenSSH
           Version: 3.1p1
          Platform: Sparc
        OS/Version: Solaris
            Status: NEW
          Severity: major
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: quicksilver_00 at yahoo.com


Here's more info than you probably wanted.  It's a copy of my post to 
comp.security.ssh:
Folks,
I need some help here.  And, I'll apologize now for being so verbose. 
I just want to try and provide as much detail as possible upfront
since most of the threads here simply ask for more details.  Of
course, I'm happy to provide whatever you may need.

Background:
I'm building OpenSSH for the following platforms/OSes: HP-UX 10.20,
HP-UX 11.00, Solaris 2.5.1, Solaris 2.6, Solaris 7, and AIX 4.3.  I
have completed the builds and done basic connection testing from each
platform to each of the other platforms.
For example:
  HP-UX 10.20 -> HP-UX 10.20
  HP-UX 10.20 -> HP-UX 11.00
  HP-UX 10.20 -> Solaris 2.5.1
  HP-UX 10.20 -> Solaris 2.6
  HP-UX 10.20 -> Solaris 7
  HP-UX 10.20 -> AIX 4.3
  HP-UX 11.00 -> ...
  (You get the picture.)
Environment is using OpenSSL 0.9.6d, Zlib 1.1.4, PRNGD 0.9.24 and
OpenSSH 3.1p1 (yes, I know that 3.4 is out...)  The Solaris 7 image
was built on Solaris 2.6 (because 2.5.1 doesn't have native support
for PAM).

Problem: When any client connects to the Solaris 7 server, the
connection will succeed but the server process will core dump after
the connection terminates.

Easy solution: Recompile this stuff on my Solaris 7 box.  Yeah, I
could do that but I'm wondering if there is just something obvious
that I'm missing (like PAM configuration, etc.).

Your help is greatly appreciated.  

Steven

Now for the gory details...

Using GCC version 3.0.3

Here are my build options for each package:
  OpenSSL 0.9.6d: Configure solaris-sparcv7-gcc --prefix=/opt/openssl-0.9.6d --openssldir=/opt/openssl-0.9.6d
  Zlib 1.1.4: configure --prefix=/opt/zlib-1.1.4
  PRNGD 0.9.24: make CC=gcc CFLAGS="-O -DSOLARIS26 D__EXTENSIONS__" SYSLIBS="-lsocket -lnsl"
  OpenSSH 3.1p1: configure --prefix=/opt/openssh-3.1p1 --with-pam --without-rsh --sysconfdir=/etc/ssh --with-ssl-dir=/opt/openssl-0.9.6d --with-zlib=/opt/zlib-1.1.4 --with-prngd-socket=/var/spool/prngd/pool
 
Here's my client SSH configuration file (I like to be explicit so I
set values even if it's just to the default):
BatchMode no
CheckHostIP yes
Cipher 3des
Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
ClearAllForwardings no
Compression no
ConnectionAttempts 1
EscapeChar ~
FallBackToRsh no
ForwardAgent no
ForwardX11 yes
GatewayPorts no
HostbasedAuthentication no
HostKeyAlgorithms ssh-rsa,ssh-dss
IdentityFile ~/.ssh/id_rsa
IdentityFile ~/.ssh/id_dsa
KeepAlive yes
LogLevel INFO
MACs hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
NoHostAuthenticationForLocalhost no
NumberOfPasswordPrompts 3
PasswordAuthentication yes
Port 22
PreferredAuthentications hostbased,publickey,keyboard-interactive,password
Protocol 2
PubkeyAuthentication yes
ChallengeResponseAuthentication no
StrictHostKeyChecking ask
UsePrivilegedPort no
UserKnownHostsFile ~/.ssh/known_hosts

Here's my server SSH configuration file (Same here...being explicit):
AllowGroups *
AllowTcpForwarding yes
AllowUsers *
AuthorizedKeysFile %h/.ssh/authorized_keys
Banner /etc/issue
ChallengeResponseAuthentication no
Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
ClientAliveInterval 0
ClientAliveCountMax 3
GatewayPorts no
HostbasedAuthentication no
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
IgnoreRhosts yes
IgnoreUserKnownHosts no
KeepAlive yes
PAMAuthenticationViaKbdInt no
Port 22
ListenAddress 0.0.0.0
LoginGraceTime 60
LogLevel INFO
MACs hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
MaxStartups 10
PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin forced-commands-only
PidFile /etc/ssh/sshd.pid
PrintLastLog yes
PrintMotd yes
Protocol 2
PubkeyAuthentication yes
StrictModes yes
Subsystem sftp /opt/openssh/sbin/sftp-server
SyslogFacility AUTH
UseLogin no
VerifyReverseMapping no
X11DisplayOffset 10
X11Forwarding yes
X11UseLocalhost yes
XAuthLocation /usr/bin/X11/xauth

Here's a client trace with 'verbose' turned on:
$ /opt/openssh/bin/ssh -v -l root -p 900 server_acme
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090604f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 46534 geteuid 0 anon 1
debug1: Connecting to server_acme [20.1.2.50] port 900.
debug1: temporarily_use_uid: 46534/1 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 46534/1 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /home/quicksilver_00/.ssh/id_rsa type 1
debug1: identity file /home/quicksilver_00/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.1p1
debug1: match: OpenSSH_3.1p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.1p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 138/256
debug1: bits set: 1604/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'server_acme' is known and matches the RSA host key.
debug1: Found key in /home/quicksilver_00/.ssh/known_hosts:6
debug1: bits set: 1608/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
Warning Notice

Access to this network and the information on it are lawfully
available only for approved purposes by employees of ACME
Toys and other users authorized by ACME Toys. If you
are not an employee of ACME Toys or an authorized user,
do not attempt to log on. Other than where prohibited by law
and subject to legal requirements, ACME Toys reserves the
right to review any information in any form on this network at any
time.
debug1: authentications that can continue: publickey,password
debug1: next auth method to try is publickey
debug1: try pubkey: /home/quicksilver_00/.ssh/id_rsa
debug1: authentications that can continue: publickey,password
debug1: try privkey: /home/quicksilver_00/.ssh/id_dsa
debug1: next auth method to try is password
root at server_acme's password: 
debug1: packet_send2: adding 64 (len 57 padlen 7 extra_pad 64)
debug1: ssh-userauth2 successful: method password
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: channel request 0: pty-req
debug1: channel request 0: shell
debug1: fd 4 setting TCP_NODELAY
debug1: channel 0: open confirm rwindow 0 rmax 32768
Last login: Mon Jul 29 14:21:56 2002 from client_acme.acmetoys.com
Sun Microsystems Inc.   SunOS 5.7       Generic October 1998
debug1: PAM establishing creds

Environment:
  USER=root
  LOGNAME=root
  HOME=/root
  PATH=/usr/bin:/bin:/usr/sbin:/sbin:/opt/openssh-3.1p1/bin
  MAIL=/var/mail//root
  SHELL=/sbin/sh
  TZ=US/Eastern
  SSH_CLIENT=20.1.2.3 58311 900
  SSH_TTY=/dev/pts/2
  TERM=xterm
debug3: channel_close_fds: channel 0: r -1 w -1 e -1

Sun Microsystems Inc.   SunOS 5.7       Generic October 1998
You have mail.
-sh: tset: not found

Value of TERM has been set to "xterm". 


WARNING:  YOU ARE SUPERUSER !!

server_acme root> exit
logout root
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: rcvd eof
debug1: channel 0: output open -> drain
debug1: channel 0: obuf empty
debug1: channel 0: close_write
debug1: channel 0: output drain -> closed
debug1: channel 0: rcvd close
debug1: channel 0: close_read
debug1: channel 0: input open -> closed
debug1: channel 0: almost dead
debug1: channel 0: gc: notify user
debug1: channel 0: gc: user detached
debug1: channel 0: send close
debug1: channel 0: is dead
debug1: channel 0: garbage collecting
debug1: channel_free: channel 0: client-session, nchannels 1
Connection to server_acme closed.
debug1: Transferred: stdin 0, stdout 0, stderr 32 bytes in 10.7 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 3.0
debug1: Exit status 0

Here's the accompanying server side trace with -ddd turned on:
server_acme root> /opt/openssh/sbin/sshd -ddd -f /etc/ssh/sshd_config_root -p 900
debug3: Seeing PRNG from /opt/openssh-3.1p1/libexec/ssh-rand-helper
debug3: cipher ok: aes128-cbc [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc]
debug3: cipher ok: 3des-cbc [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc]
debug3: cipher ok: blowfish-cbc [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc]
debug3: cipher ok: cast128-cbc [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc]
debug3: cipher ok: arcfour [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc]
debug3: cipher ok: aes192-cbc [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc]
debug3: cipher ok: aes256-cbc [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc]
debug3: ciphers ok: [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc]
debug2: mac_init: found hmac-md5
debug3: mac ok: hmac-md5 [hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96]
debug2: mac_init: found hmac-sha1
debug3: mac ok: hmac-sha1 [hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96]
debug2: mac_init: found hmac-ripemd160
debug3: mac ok: hmac-ripemd160 [hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96]
debug2: mac_init: found hmac-sha1-96
debug3: mac ok: hmac-sha1-96 [hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96]
debug2: mac_init: found hmac-md5-96
debug3: mac ok: hmac-md5-96 [hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96]
debug3: macs ok: [hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96]
debug1: sshd version OpenSSH_3.1p1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: Bind to port 900 on 0.0.0.0.
Server listening on 0.0.0.0 port 900.
debug1: Server will not fork when running in debugging mode.
Connection from 20.1.2.3 port 58311
debug1: Client protocol version 2.0; client software version OpenSSH_3.1p1
debug1: match: OpenSSH_3.1p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.1p1
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 133/256
debug1: bits set: 1608/3191
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 1604/3191
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user root service ssh-connection method none
debug1: attempt 0 failures 0
debug3: Trying to reverse map address 20.1.2.3.
debug2: input_userauth_request: setting up authctxt for root
debug1: Starting up PAM with username "root"
debug1: PAM setting rhost to "client_acme.acmetoys.com"
debug2: input_userauth_request: try method none
debug1: userauth_banner: sent
Failed none for root from 20.1.2.3 port 58311 ssh2
debug1: userauth-request for user root service ssh-connection method publickey
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 0/1 (e=0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: restore_uid
debug1: temporarily_use_uid: 0/1 (e=0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: restore_uid
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
Failed publickey for root from 20.1.2.3 port 58311 ssh2
debug1: userauth-request for user root service ssh-connection method password
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method password
debug1: PAM Password authentication accepted for user "root"
Accepted password for root from 20.1.2.3 port 58311 ssh2
debug1: Entering interactive session for SSH2.
debug1: fd 7 setting O_NONBLOCK
debug1: fd 9 setting O_NONBLOCK
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request pty-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_pty_req: session 0 alloc /dev/pts/2
debug3: tty_parse_modes: SSH2 n_bytes 266
debug3: tty_parse_modes: ospeed 38400
debug3: tty_parse_modes: ispeed 0
debug3: tty_parse_modes: 1 3
debug3: tty_parse_modes: 2 28
debug3: tty_parse_modes: 3 127
debug3: tty_parse_modes: 4 21
debug3: tty_parse_modes: 5 4
debug3: tty_parse_modes: 6 0
debug3: tty_parse_modes: 7 0
debug3: tty_parse_modes: 8 17
debug3: tty_parse_modes: 9 19
debug3: tty_parse_modes: 10 26
debug3: tty_parse_modes: 11 25
debug3: tty_parse_modes: 12 18
debug3: tty_parse_modes: 13 23
debug3: tty_parse_modes: 14 22
debug3: tty_parse_modes: 16 0
debug3: tty_parse_modes: 18 15
debug3: tty_parse_modes: 30 1
debug3: tty_parse_modes: 31 0
debug3: tty_parse_modes: 32 0
debug3: tty_parse_modes: 33 1
debug3: tty_parse_modes: 34 0
debug3: tty_parse_modes: 35 0
debug3: tty_parse_modes: 36 1
debug3: tty_parse_modes: 37 0
debug3: tty_parse_modes: 38 1
debug3: tty_parse_modes: 39 0
debug3: tty_parse_modes: 40 0
debug3: tty_parse_modes: 41 1
debug3: tty_parse_modes: 50 1
debug3: tty_parse_modes: 51 1
debug3: tty_parse_modes: 52 0
debug3: tty_parse_modes: 53 1
debug3: tty_parse_modes: 54 1
debug3: tty_parse_modes: 55 1
debug3: tty_parse_modes: 56 0
debug3: tty_parse_modes: 57 0
debug3: tty_parse_modes: 58 0
debug3: tty_parse_modes: 59 1
debug3: tty_parse_modes: 60 1
debug3: tty_parse_modes: 61 1
debug3: tty_parse_modes: 62 0
debug3: tty_parse_modes: 70 1
debug3: tty_parse_modes: 71 0
debug3: tty_parse_modes: 72 1
debug3: tty_parse_modes: 73 0
debug3: tty_parse_modes: 74 0
debug3: tty_parse_modes: 75 0
debug3: tty_parse_modes: 90 1
debug3: tty_parse_modes: 91 1
debug3: tty_parse_modes: 92 0
debug3: tty_parse_modes: 93 0
debug1: server_input_channel_req: channel 0 request shell reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: PAM setting tty to "/dev/pts/2"
debug1: PAM establishing creds
debug1: fd 4 setting TCP_NODELAY
debug1: fd 11 setting O_NONBLOCK
debug2: fd 10 is O_NONBLOCK
debug1: Received SIGCHLD.
debug1: session_by_pid: pid 10183
debug1: session_exit_message: session 0 channel 0 pid 10183
debug1: channel request 0: exit-status
debug1: session_exit_message: release channel 0
debug1: channel 0: write failed
debug1: channel 0: close_write
debug1: channel 0: output open -> closed
debug1: session_close: session 0 pid 10183
debug1: session_pty_cleanup: session 0 release /dev/pts/2
debug2: notify_done: reading
debug1: channel 0: read<=0 rfd 11 len 0
debug1: channel 0: read failed
debug1: channel 0: close_read
debug1: channel 0: input open -> drain
debug1: channel 0: ibuf empty
debug1: channel 0: send eof
debug1: channel 0: input drain -> closed
debug1: channel 0: send close
debug3: channel 0: will not send data after close
debug1: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug1: channel 0: is dead
debug1: channel 0: garbage collecting
debug1: channel_free: channel 0: server-session, nchannels 1
debug3: channel_free: status: The following connections are open:
  #0 server-session (t4 r0 i3/0 o3/0 fd -1/-1)
debug3: channel_close_fds: channel 0: r -1 w -1 e -1
Connection closed by remote host.
Closing connection to 20.1.2.3
debug1: Cannot delete credentials[7]: Permission denied
Segmentation Fault - core dumped


