Intermittently stalling PAM authentication children

Simon Vallet svallet at genoscope.cns.fr
Tue Oct 23 02:04:14 EST 2007


Hi,

we encounter a problem using PAM with privsep to manage OPIE
authentication: in some -- not really reproducible -- cases, the
child responsible for PAM authentication stalls and continues to run
even after its parent has gone. The server is the standard RHEL 4
install, which is a 3.9p1 with backported security patches.

As these children count toward the 'MaxStartups' limit, new users then
get "remote host closed the connection" messages when trying to connect.

As an example, we have two such processes (30622 and 13328) still
running at the moment -- and absolutely no logs about them:

unix$ ps | grep sshd
30622     1 root     sshd: user1 [pam]
13328     1 root     sshd: user2 [pam]
7687      1 root     /usr/sbin/sshd -f /etc/ssh/sshd_config.OPIE
unix$

Tracing reveals they are blocked on a read() on file descriptor 7,
which is a Unix domain socket according to lsof; this is what gdb
has to say (no debug version, sorry):

#0  0x0000002a968b1a92 in __read_nocancel () from /lib64/tls/libc.so.6
#1  0x000000552aadea26 in packet_get_int () from /usr/sbin/sshd
#2  0x000000552aae3f75 in kex_input_kexinit () from /usr/sbin/sshd
#3  0x000000552aacdb60 in kexgex_server () from /usr/sbin/sshd
#4  0x0000002a96eb1c27 in converse () from /lib/security/pam_opie.so
#5  0x0000002a96eb1d7a in pam_sm_authenticate () from /lib/security/pam_opie.so
#6  0x0000002a957787aa in _pam_dispatch () from /lib64/libpam.so.0
#7  0x0000002a9577a182 in pam_authenticate () from /lib64/libpam.so.0
#8  0x000000552aace845 in kexgex_server () from /usr/sbin/sshd
#9  0x000000552aace10b in kexgex_server () from /usr/sbin/sshd
#10 0x000000552aac6404 in session_close_by_channel () from /usr/sbin/sshd
#11 0x000000552aac58d2 in session_close_by_channel () from /usr/sbin/sshd
#12 0x000000552aac85a5 in session_close_by_channel () from /usr/sbin/sshd
#13 0x000000552aab5b39 in main () from /usr/sbin/sshd

Any ideas on how this happens?


Simon

-- 
Simon Vallet
Systems/Network Engineer
CEA DSV IG / Genoscope
Tel.: 01 60 87 36 06
E-mail: svallet at genoscope.cns.fr

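The situation described in the post (a `sshd: user [pam]` helper reparented to init, blocked on a socket read, and still occupying a MaxStartups slot) is the kind of thing an operator wants to detect and clean up while the root cause is being chased. Below is an added example, not part of the original post and not OpenSSH's own code: a small shell helper that finds orphaned privsep PAM children in ps output, shows what each one is blocked on, and optionally terminates them. It assumes Linux procfs (`/proc/PID/fd`, `/proc/PID/wchan`) and a ps that accepts `-eo pid,ppid,user,args`; the sample ps listing is constructed, modelled on the one in the post, and the PID 7700/7701 pair is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenSSH: find sshd
# privilege-separation PAM children that have outlived their parent
# (reparented to init, PPID 1) and therefore still occupy MaxStartups
# slots, show what each one is blocked on, and optionally reap them.
# Assumes Linux procfs (/proc/PID/fd, /proc/PID/wchan) and a ps that
# accepts -eo pid,ppid,user,args, as on RHEL 4.

# Constructed sample ps output in "PID PPID USER COMMAND" form, modelled on
# the listing in the post: two orphaned [pam] children, the listener, and
# one healthy [pam] child (hypothetical PIDs 7700/7701) whose parent is
# still alive and must NOT be reported.
SAMPLE_PS='30622 1 root sshd: user1 [pam]
13328 1 root sshd: user2 [pam]
7687 1 root /usr/sbin/sshd -f /etc/ssh/sshd_config.OPIE
7700 7687 root sshd: user3 [priv]
7701 7700 root sshd: user3 [pam]'

# Read "PID PPID USER COMMAND..." lines on stdin and print the PID of every
# "sshd: <user> [pam]" process whose parent is init (PPID 1).  The listener
# also has PPID 1 but is not a [pam] helper, so the regex excludes it; a ps
# header line fails the numeric PPID test.
find_orphaned_pam_children() {
    awk '$2 == 1 && / sshd: [^ ]+ \[pam\]$/ { print $1 }'
}

# For a live PID, show how long it has existed, the kernel function it is
# sleeping in, and the descriptors it holds, so the hang can be confirmed
# before anything is killed (in the post: read() on fd 7, a Unix socket).
inspect_pid() {
    pid=$1
    printf 'pid %s elapsed %s wchan %s\n' "$pid" \
        "$(ps -o etime= -p "$pid" 2>/dev/null | tr -d ' ')" \
        "$(cat /proc/"$pid"/wchan 2>/dev/null)"
    ls -l /proc/"$pid"/fd 2>/dev/null | sed 's/^/    /'
}

# Walk the live process table.  Dry run unless the first argument is
# "kill"; then TERM first and KILL only what is still there afterwards.
reap_orphans() {
    mode=${1:-dry-run}
    for pid in $(ps -eo pid,ppid,user,args | find_orphaned_pam_children); do
        inspect_pid "$pid"
        if [ "$mode" = kill ]; then
            kill -TERM "$pid" 2>/dev/null
            sleep 2
            kill -0 "$pid" 2>/dev/null && kill -KILL "$pid" 2>/dev/null
            echo "killed $pid"
        else
            echo "would kill $pid (rerun as: reap_orphans kill)"
        fi
    done
}

# Stand-alone demo on the constructed sample; nothing is touched on the host.
if [ "${1:-}" = "--demo" ]; then
    echo "orphaned PAM children in sample:"
    printf '%s\n' "$SAMPLE_PS" | find_orphaned_pam_children
fi
```

Run it with `--demo` to see the two orphan PIDs from the sample, or source it and call `reap_orphans` (dry run) on a live host; killing the orphan frees its MaxStartups slot but does not explain the hang, so capture `inspect_pid` output first.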
