Race condition in sshd
Georgi Chulkov
g.chulkov at jacobs-university.de
Fri Jul 11 09:20:40 EST 2008
Hello,
This bug exists in 5.0p1. I apologize that I couldn't test against HEAD.
I _believe_ I have found a race condition in sshd. In the v2 protocol, after a
connection, the accepting process forks in privsep_preauth(). The parent
executes monitor_child_preauth() to allow certain privsep requests necessary
for authentication. The unprivileged child runs do_ssh2_kex() followed by
do_authentication2().
I am working on a new KEX algorithm whose primary feature is performance. It
is fast enough that do_authentication2() runs _before_ the monitor has a
chance to permit the necessary requests (MONITOR_REQ_PWNAM in particular),
and therefore authentication fails on the server with:
monitor_read: unpermitted request 6
Could someone more experienced please look at this?
Thanks!
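A deterministic model of the monitor's permit-gated request dispatch, added here as an illustration and not OpenSSH's own code: it replays the two orderings the report contrasts (monitor permits PWNAM before the child asks, versus the child asking first) and shows how the second yields "unpermitted request 6". Apart from MONITOR_REQ_PWNAM being request 6, the request numbers, event names and `run_*` helpers are assumptions.

```c
#include <stdio.h>

/* Request numbers are assumptions for this model; only PWNAM = 6 comes from
 * the post's "monitor_read: unpermitted request 6". */
enum { REQ_SIGN = 5, REQ_PWNAM = 6, REQ_COUNT = 8 };
/* The monitor's dispatch table, reduced to a permit flag per request type. */
struct monitor { int permitted[REQ_COUNT]; };
/* Models monitor_permit(): the privileged side decides when a request
 * type becomes legal for the unprivileged child. */
void monitor_permit(struct monitor *m, int type, int permit) {
    if (type >= 0 && type < REQ_COUNT)
        m->permitted[type] = permit;
}
/* Models monitor_read(): a request that is not (yet) permitted is refused.
 * Returns 0 when serviced, -1 when unpermitted. */
int monitor_read(const struct monitor *m, int type) {
    if (type < 0 || type >= REQ_COUNT || !m->permitted[type]) {
        printf("monitor_read: unpermitted request %d\n", type);
        return -1;
    }
    return 0;
}
/* One step of an interleaving of the monitor (parent) and the child. */
enum actor { CHILD_REQ, MONITOR_PERMIT };
struct event { enum actor who; int type; };
/* Replay an interleaving in order; returns the first refused request type, or 0. */
int replay(const struct event *ev, size_t n) {
    struct monitor m = { { 0 } };
    for (size_t i = 0; i < n; i++) {
        if (ev[i].who == MONITOR_PERMIT)
            monitor_permit(&m, ev[i].type, 1);
        else if (monitor_read(&m, ev[i].type) < 0)
            return ev[i].type;
    }
    return 0;
}
/* Slow KEX: PWNAM is permitted before do_authentication2() needs it. */
static const struct event slow_kex[] = {
    { MONITOR_PERMIT, REQ_SIGN }, { CHILD_REQ, REQ_SIGN },
    { MONITOR_PERMIT, REQ_PWNAM }, { CHILD_REQ, REQ_PWNAM },
};
/* Fast KEX, as reported: the child's PWNAM request races ahead of the permit. */
static const struct event fast_kex[] = {
    { MONITOR_PERMIT, REQ_SIGN }, { CHILD_REQ, REQ_SIGN },
    { CHILD_REQ, REQ_PWNAM }, { MONITOR_PERMIT, REQ_PWNAM },
};
int run_slow_kex(void) { return replay(slow_kex, sizeof slow_kex / sizeof *slow_kex); }
int run_fast_kex(void) { return replay(fast_kex, sizeof fast_kex / sizeof *fast_kex); }
```

The refusal is the monitor's gating working as designed; what the report exposes is that the child's progress is only loosely ordered against the monitor's permit steps.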