[Bug 2642] New: [sshconnect2] publickey authentication only properly works if used first: pubkey_prepare doesn't work after pubkey_cleanup

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Tue Nov 22 08:23:16 AEDT 2016


            Bug ID: 2642
           Summary: [sshconnect2] publickey authentication only properly
                    works if used first: pubkey_prepare doesn't work after
           Product: Portable OpenSSH
           Version: 7.3p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: git at lerya.net

When using multiple authentication methods, after a successful partial
authentication the following code is run
                /* reset state */

Unfortunately, this does _not_ reset the state!
- pubkey_cleanup is simple, it just closes the agent connection and
deletes all keys in authctxt->keys
- pubkey_prepare populates authctxt->keys and can create an agent
connection. However it cannot be called twice, because it modifies
options.identity_keys and leaks options.certificates:

 * When reading identity_keys, when storing the key in a new 'identity'
structure, it runs
```options.identity_keys[i] = NULL;```. As a result, any subsequent run
of this function, when getting the key via ```key =
options.identity_keys[i];``` will only be able to retrieve 'NULL'

 * When reading options.num_certificate_files, it does not replace
options.certificates[i] by NULL but simply copies the pointer into the new
'identity' structure. When pubkey_cleanup runs, it will free this value,
making any subsequent run of this function access freed memory? (not

A clean solution could be to copy the key over, instead of replacing
the original by NULL or leaking and freeing the original, but as far as
I can see, there is no sshkey_copy/sshkey_dup function...

A simple way of reproducing the identity_keys part of the problem (I'm
not using certificate) is to:
- Configure sshd with AuthenticationMethods
- Generate a public/private key
- Start an ssh agent, add the key
- Run ssh -i ${publickeyfile} -o IdentitiesOnly=yes -vv ${host},
properly authenticate with the password and see the publickey
authentication failing, logs will contain:
debug2: key: ${publickeyfile} (${pointer}), explicit, agent
Authenticated with partial success.
debug2: key: ${publickeyfile} ((nil)), explicit
The two key lines should have been identical
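
The ownership problem described in the report, modelled as an added example in C. This is not OpenSSH's code: the structures (options_sim, authctxt_sim, sshkey_sim) and the functions prepare_move, prepare_copy, cleanup and key_dup are simplified stand-ins assumed for illustration. prepare_move reproduces the reported behaviour (the key pointer is moved out of options and replaced by NULL, so the second call after cleanup finds nothing), while prepare_copy shows the fix the reporter suggests, giving authctxt its own copy of each key so options is left intact:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for OpenSSH's sshkey / Identity / Options;
 * the shapes are simplified for illustration, not the real types. */
#define MAX_IDS 4

struct sshkey_sim { char comment[32]; };
struct identity_sim { struct sshkey_sim *key; };

struct options_sim {
    struct sshkey_sim *identity_keys[MAX_IDS];
    int num_identity_files;
};

struct authctxt_sim {
    struct identity_sim *keys[MAX_IDS];
    int nkeys;
};

static struct sshkey_sim *key_new(const char *comment)
{
    struct sshkey_sim *k = calloc(1, sizeof(*k));
    if (k == NULL) abort();
    snprintf(k->comment, sizeof(k->comment), "%s", comment);
    return k;
}

/* The duplicate routine the report wishes existed: a deep copy of a key. */
static struct sshkey_sim *key_dup(const struct sshkey_sim *k)
{
    return key_new(k->comment);
}

/* Mirrors the reported behaviour: the pointer is moved out of options
 * and NULL left behind, so a second call has nothing to load. */
static int prepare_move(struct options_sim *o, struct authctxt_sim *a)
{
    a->nkeys = 0;
    for (int i = 0; i < o->num_identity_files; i++) {
        struct sshkey_sim *key = o->identity_keys[i];
        if (key == NULL)
            continue;               /* second call: every slot is already NULL */
        struct identity_sim *id = calloc(1, sizeof(*id));
        if (id == NULL) abort();
        id->key = key;
        o->identity_keys[i] = NULL; /* ownership moves: options loses the key */
        a->keys[a->nkeys++] = id;
    }
    return a->nkeys;
}

/* Fixed variant: options keeps its key, authctxt gets a private copy. */
static int prepare_copy(struct options_sim *o, struct authctxt_sim *a)
{
    a->nkeys = 0;
    for (int i = 0; i < o->num_identity_files; i++) {
        struct sshkey_sim *key = o->identity_keys[i];
        if (key == NULL)
            continue;
        struct identity_sim *id = calloc(1, sizeof(*id));
        if (id == NULL) abort();
        id->key = key_dup(key);
        a->keys[a->nkeys++] = id;
    }
    return a->nkeys;
}

/* Frees every key held by authctxt, as pubkey_cleanup does. With
 * prepare_move this frees the keys options used to own; with
 * prepare_copy only the copies are freed. */
static void cleanup(struct authctxt_sim *a)
{
    for (int i = 0; i < a->nkeys; i++) {
        free(a->keys[i]->key);
        free(a->keys[i]);
        a->keys[i] = NULL;
    }
    a->nkeys = 0;
}

/* Runs prepare -> cleanup -> prepare, the sequence after a partial
 * authentication, with two constructed keys, and returns how many
 * identities the second prepare loaded: 0 with move, 2 with copy. */
int second_prepare_count(int use_copy)
{
    struct options_sim o = { .num_identity_files = 2 };
    struct authctxt_sim a = { .nkeys = 0 };
    o.identity_keys[0] = key_new("id_ed25519");
    o.identity_keys[1] = key_new("id_rsa");

    int (*prepare)(struct options_sim *, struct authctxt_sim *) =
        use_copy ? prepare_copy : prepare_move;

    prepare(&o, &a);          /* first authentication round */
    cleanup(&a);              /* "reset state" after partial success */
    int n = prepare(&o, &a);  /* second round */

    cleanup(&a);
    for (int i = 0; i < o.num_identity_files; i++)
        free(o.identity_keys[i]); /* already NULL under the move variant */
    return n;
}

int main(void)
{
    printf("move variant: second prepare loaded %d identities\n", second_prepare_count(0));
    printf("copy variant: second prepare loaded %d identities\n", second_prepare_count(1));
    return 0;
}
```

The certificate half of the report is the mirror image of the same ownership question: there the pointer is copied without being cleared, so cleanup frees memory options still references. Either way the fix is to decide who owns each key and give the other side a copy.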
