openssh-3.8.1p1, with pthreads enabled, hung in pthread_join.

Nick Lane-Smith nickls at
Wed Mar 16 11:52:45 EST 2005

I connect to my OpenSSH 3.8.1p1 server and when the password dialog 
shows up I wait a minute or so, long enough for the "Timeout before 
authentication for %s" alarm to trigger. If at that point I enter my 
password ssh will just sit there:

debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
debug3: packet_send2: adding 32 (len 18 padlen 14 extra_pad 64)

And the sshd will be in this state:

Attaching to program: `/private/tmp/OpenSSH.roots/OpenSSH~obj/sshd', 
process 26589.
Reading symbols for shared libraries ...................... done
0x9002cf88 in semaphore_wait_trap ()
(gdb) bt
#0  0x9002cf88 in semaphore_wait_trap ()
#1  0x9006153c in pthread_join ()
#2  0x00028a50 in sshpam_thread_cleanup () at 
#3  0x00017110 in do_cleanup (authctxt=0x4034e0) at 
#4  0x00007044 in cleanup_exit (i=255) at 
#5  0x00035bb0 in fatal (fmt=0x547d0 "Timeout before authentication for 
%s") at /tmp/OpenSSH.roots/OpenSSH/openssh/fatal.c:40
#6  0x00002d40 in grace_alarm_handler (sig=14) at 
#7  <signal handler called>
#8  0x90013bc8 in read ()
#9  0x0002b5ec in atomicio (f=0x90013bc0 <read>, fd=6, _s=0xbfffef60, 
n=4) at /tmp/OpenSSH.roots/OpenSSH/openssh/atomicio.c:45
#10 0x00020744 in mm_request_receive (socket=6, m=0xbfffefc0) at 
#11 0x0001c290 in monitor_read (pmonitor=0x403540, ent=0x633c4, 
pent=0xbffff030) at /tmp/OpenSSH.roots/OpenSSH/openssh/monitor.c:446
#12 0x0001bda8 in monitor_child_preauth (_authctxt=0x4034e0, 
pmonitor=0x403540) at /tmp/OpenSSH.roots/OpenSSH/openssh/monitor.c:343
#13 0x000039dc in privsep_preauth (authctxt=0x4034e0) at 
#14 0x000061c0 in main (ac=3, av=0x400f10) at 
(gdb) info threads
   2 process 26589 thread 0x1103  0x90013bcc in read ()
* 1 process 26589 thread 0x203  0x9002cf88 in semaphore_wait_trap ()
(gdb) thread 2
[Switching to thread 2 (process 26589 thread 0x1103)]
#0  0x90013bcc in read ()
(gdb) bt
#0  0x90013bcc in read ()
#1  0x0002b5ec in atomicio (f=0x90013bc0 <read>, fd=8, _s=0xf0080ac0, 
n=4) at /tmp/OpenSSH.roots/OpenSSH/openssh/atomicio.c:45
#2  0x000491fc in ssh_msg_recv (fd=8, m=0xf0080b20) at 
#3  0x00028514 in sshpam_thread_conv (n=1, msg=0xf0080bb4, 
resp=0xf0080bb8, data=0x403830) at 
#4  0x96798918 in _pam_system_log ()
#5  0x967989f4 in pam_get_pass ()
#6  0x0018a930 in pam_sm_authenticate ()
#7  0x967961c4 in pam_fail_delay ()
#8  0x96796514 in _pam_dispatch ()
#9  0x96797c40 in pam_authenticate ()
#10 0x00028880 in sshpam_thread (ctxtp=0x403830) at 
#11 0x9002c7f4 in _pthread_body ()

Thread two will just sit there in read while thread one waits for 
thread two to exit.
If I attempt this with privilege separation turned on, the lowered 
privilege process will exit and become a zombie, as the original 
process never exits.

Shouldn't the sshpam/read thread have an alarm set so if the 
authentication times out it will exit cleanly?
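Added example, not code from OpenSSH or from the report above: a small C program that reproduces the shape of the hang in the two backtraces (a helper thread blocked in read() on one end of a socketpair, while the parent, after its timeout, calls pthread_join on it) and shows the two ways of making that join return: closing the parent's end of the socketpair before joining so the helper's read() sees EOF, or giving the helper's read its own deadline with poll(2). Every name in it (helper_thread, read_bounded, simulate_grace_timeout, the HELPER_* results) is this example's own, and the 4-byte "reply header" the helper waits for is a constructed stand-in for the message the conversation thread expects.

```c
#include <errno.h>
#include <poll.h>
#include <pthread.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Outcomes of the helper's wait (names are this example's own). */
enum helper_result {
    HELPER_OK = 0,      /* got the whole message */
    HELPER_EOF = 1,     /* peer closed: parent hung up before replying */
    HELPER_TIMEOUT = 2, /* helper's own deadline expired */
    HELPER_ERR = 3
};

/* timeout_ms == -1 blocks forever, i.e. behaves like a plain blocking read(). */
struct helper_ctx {
    int fd;         /* helper's end of the socketpair */
    int timeout_ms;
    int result;
};

/* Read exactly n bytes (the atomicio(read, ...) idiom), but wait with poll(2)
 * so the wait can be bounded, and report EOF as its own outcome. */
static int read_bounded(int fd, void *buf, size_t n, int timeout_ms)
{
    size_t got = 0;
    while (got < n) {
        struct pollfd p = { .fd = fd, .events = POLLIN, .revents = 0 };
        int r = poll(&p, 1, timeout_ms);
        if (r == 0)
            return HELPER_TIMEOUT;
        if (r < 0) {
            if (errno == EINTR)
                continue;
            return HELPER_ERR;
        }
        ssize_t k = read(fd, (char *)buf + got, n - got);
        if (k == 0)
            return HELPER_EOF;
        if (k < 0) {
            if (errno == EINTR)
                continue;
            return HELPER_ERR;
        }
        got += (size_t)k;
    }
    return HELPER_OK;
}

/* Stand-in for the conversation thread: waits for a constructed 4-byte
 * reply header that the parent would send once the user types a password. */
static void *helper_thread(void *arg)
{
    struct helper_ctx *c = arg;
    unsigned char hdr[4];
    c->result = read_bounded(c->fd, hdr, sizeof hdr, c->timeout_ms);
    return NULL;
}

/* Start the helper, never send the reply (user idle), then run the cleanup
 * the grace alarm would trigger. Joining without either measure below is the
 * reported hang (helper stuck in read(), parent stuck in pthread_join), so
 * that variant is deliberately not offered.
 *   strategy 0: close the parent's socketpair end before joining
 *   strategy 1: keep it open but give the helper a 200 ms deadline
 * Returns the helper's result, or -1 on setup failure. */
int simulate_grace_timeout(int strategy)
{
    int sv[2];
    pthread_t tid;
    struct helper_ctx c;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    c.fd = sv[1];
    c.timeout_ms = (strategy == 1) ? 200 : -1;
    c.result = -1;
    if (pthread_create(&tid, NULL, helper_thread, &c) != 0) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }

    /* --- grace alarm fires here; the parent must now tear down --- */
    if (strategy == 0)
        close(sv[0]);         /* helper's read() now returns 0 (EOF) */

    pthread_join(tid, NULL);  /* returns in both strategies */

    if (strategy != 0)
        close(sv[0]);
    close(sv[1]);
    return c.result;
}

int main(void)
{
    printf("close before join: %d (expect %d)\n", simulate_grace_timeout(0), HELPER_EOF);
    printf("bounded read:      %d (expect %d)\n", simulate_grace_timeout(1), HELPER_TIMEOUT);
    return 0;
}
```

Of the two, closing the descriptor is the cheaper fix for a cleanup path that runs from a signal handler's fatal(): it needs no cooperation from the code running inside the PAM stack, whereas a poll-based deadline only helps if every blocking read the helper performs goes through it.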
