[Bug 2837] New: ssh-agent closes listening socket on error in handle_socket_read()

bugzilla-daemon at bugzilla.mindrot.org
Tue Mar 6 19:24:50 AEDT 2018


https://bugzilla.mindrot.org/show_bug.cgi?id=2837

            Bug ID: 2837
           Summary: ssh-agent closes listening socket on error in
                    handle_socket_read()
           Product: Portable OpenSSH
           Version: 7.6p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh-agent
          Assignee: unassigned-bugs at mindrot.org
          Reporter: lukas.kuster at adnovum.ch

Created attachment 3132
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3132&action=edit
patch that removes close_socket() of listening socket.

Hi all,

The ssh-agent closes the listening socket if handle_socket_read() fails
for any reason. This makes the agent process unusable if the getpeereid
check fails. Older versions before 7.6p1 used to not close the
listening socket.

You can reproduce this bug by executing the agent-getpeereid.sh test, but
instead of killing the agent process at the end, execute "ssh-add -l"
again with a privileged user. You will notice that the connection will
be refused because the listening socket was closed by the agent.

On our AIX test server we had a more severe issue because of this bug.
The ssh client tries to check if an ssh-agent is present by connecting
to it and immediately closing the socket again. On the agent side, this
can cause the call to getpeereid() to fail with the error message
"Connection closed", causing the listening socket to be closed as well,
making any future connections to the agent process impossible.

Thanks
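
The failure mode reported above, as an added C example that is not part of the report or of OpenSSH's code: a per-connection error closes only the accepted descriptor, so the listening socket keeps serving later clients. `peer_check`, `handle_one` and the `/tmp/agent-demo.<pid>` path are hypothetical, and the getpeereid() check is stubbed to fail on demand.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical stand-in for the agent's getpeereid() check: fails on demand. */
static int peer_check(int fd, int force_fail) { (void)fd; return force_fail ? -1 : 0; }

/* Accept one client. A per-connection failure closes only the accepted
 * descriptor; listen_fd is never closed on this path. */
static int handle_one(int listen_fd, int force_fail) {
    int fd = accept(listen_fd, NULL, NULL);
    if (fd < 0) return -1;
    int rc = peer_check(fd, force_fail);
    close(fd);                 /* a real agent would keep fd open when rc == 0 */
    return rc;
}

static void fill_addr(struct sockaddr_un *sa, const char *path) {
    memset(sa, 0, sizeof *sa);
    sa->sun_family = AF_UNIX;
    strncpy(sa->sun_path, path, sizeof sa->sun_path - 1);
}

static int client_connect(const char *path) {
    struct sockaddr_un sa;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    fill_addr(&sa, path);
    if (fd >= 0 && connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); fd = -1; }
    return fd;
}

/* Returns 1 if a later client is still served after an earlier one failed. */
int listener_survives_failed_client(void) {
    char path[64];
    struct sockaddr_un sa;
    snprintf(path, sizeof path, "/tmp/agent-demo.%ld", (long)getpid());
    unlink(path);
    fill_addr(&sa, path);
    int lfd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (lfd < 0) return 0;
    if (bind(lfd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(lfd, 4) < 0) { close(lfd); return 0; }
    int c1 = client_connect(path);                    /* probe: connect, then close at once */
    if (c1 >= 0) close(c1);
    int r1 = c1 >= 0 ? handle_one(lfd, 1) : 0;        /* this client fails the check */
    int c2 = client_connect(path);                    /* refused if lfd had been closed */
    int r2 = c2 >= 0 ? handle_one(lfd, 0) : -1;
    if (c2 >= 0) close(c2);
    close(lfd); unlink(path);
    return c1 >= 0 && r1 == -1 && c2 >= 0 && r2 == 0;
}

int main(void) { printf("%d\n", listener_survives_failed_client()); return 0; }
```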
