OpenSSH 4.0p1 segfaults on keyboard-interactive login

Andreas M. Kirchwitz openssh-unix-dev-list at list.zikzak.de
Fri Mar 11 02:40:27 EST 2005


Hello!

Darren Tucker <dtucker at zip.com.au> wrote:

 >> I've compiled the new OpenSSH 4.0p1 on my Linux box running
 >> Fedora Core 2 (kernel 2.6.10) the same way as I did with 3.9p1
 >> and all previous versions.
 >> 
 >> Key-based login works fine, but if I log in from a host that
 >> requires me to enter my login password (keyboard-interactive),
 >> then the sshd child process segfaults.
 >
 > I believe this is something relating to glibc and nameservice lookups in 
 > a chroot.  It looks like libc tries to dynamically load some nameservice 
 > modules then blows up when it fails (because they don't exist in the 
 > chroot).  If you can get a gdb backtrace of it I think you'll find it's 
 > inside libc when it dies.
 
Cool, that's a valuable hint. Sorry to say that, but I'm not good
with gdb, so I first tried out some things (based on your suggestions)
and found out additional interesting facts.

 > Try
 >   - "UseDNS no" in sshd_config.

You're right, this makes the segfault go away.

 >   - cp -a /lib /var/empty (or wherever your sshd chroot is).  You won't 
 > need all of the libraries, though.

Please don't laugh, but the mere existence of the directory
"/var/empty/sshd/lib" is sufficient to make Fedora Core 2 happy.
(I started with a complete copy of /lib and removed the libraries
step by step to see which one I need. And to my surprise, I could
safely delete everything except the "lib" directory itself.)

 >   - create an /etc/nsswitch.conf inside the chroot that has only "hosts: 
 > files".
 
This doesn't seem to help, but a file "/var/empty/sshd/etc/hosts"
with a line for every remote host I want to login from, also "solves"
the problem.

Do you have any idea what code change from OpenSSH 3.9p1 to 4.0p1
may have triggered this strange bug in system libraries? Especially
the workaround with "mkdir /var/empty/sshd/lib" is, hmmm, confusing.

Hopefully, this isn't a general security risk for applications that
do nameservice lookups within a chroot'ed environment.

	Greetings and thanks for your help ... Andreas
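Added check, not from the thread and not OpenSSH's own code: a small POSIX shell script that reports whether an sshd privilege-separation chroot is in the crash-prone state the thread describes, i.e. reverse lookups still enabled (UseDNS unset or "yes") while the chroot has neither a lib directory nor an etc/hosts with entries. The default paths /var/empty/sshd and /etc/ssh/sshd_config come from the thread; the function names are assumptions.

```shell
#!/bin/sh
# Added check (not from the thread): reports whether an sshd privilege
# separation chroot matches the crash-prone state described above, i.e.
# reverse lookups still enabled (UseDNS unset or "yes") while the chroot
# carries neither a lib directory nor an etc/hosts with entries.
# Default paths are the ones named in the thread; function names are assumed.

# Effective UseDNS value from an sshd_config. sshd defaults it to "yes" and
# honours the first occurrence of a keyword, so only the first match counts.
usedns_setting() {
    awk 'tolower($1) == "usedns" { print tolower($2); exit }' "$1" 2>/dev/null |
        grep . || echo yes
}

# Number of non-comment, non-blank lines in CHROOT/etc/hosts (0 if absent).
hosts_entries() {
    f="$1/etc/hosts"
    [ -f "$f" ] || { echo 0; return; }
    grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$f" || true
}

# Usage: lookup_in_chroot_risk [CHROOT] [SSHD_CONFIG]
# Prints a one-line summary; exit status 0 means the crash-prone combination
# is present, 1 means at least one of the workarounds is in place.
lookup_in_chroot_risk() {
    root="${1:-/var/empty/sshd}"
    cfg="${2:-/etc/ssh/sshd_config}"
    dns=$(usedns_setting "$cfg")
    lib=missing
    [ -d "$root/lib" ] && lib=present
    n=$(hosts_entries "$root")
    echo "chroot=$root UseDNS=$dns lib=$lib hosts_entries=$n"
    [ "$dns" = yes ] && [ "$lib" = missing ] && [ "$n" -eq 0 ]
}
```

Source the file and call `lookup_in_chroot_risk` with the chroot and config paths to test; a zero exit status means none of the three workarounds is present.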
