Bug 32065

Summary: sshd 2.9 core dumps with UseLogin yes
Product: Base System
Reporter: AnarCat <AnarCat>
Component: bin
Assignee: dwmalone
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: 4.4-STABLE
Hardware: Any
OS: Any

Description AnarCat 2001-11-17 20:50:01 UTC
After a recent upgrade from 14.09.2001 to 15.11.2001, I couldn't log in to,
nor use, my sshds anywhere anymore. They all have UseLogin yes in their
config file.

In the logs, I see:

/kernel: pid 58148 (sshd), uid 0: exited on signal 11
sshd[58147]: error: fcntl(4, F_SETFL, O_NONBLOCK): Resource temporarily unavailable

sshd doesn't always core dump (which is strange in itself). But from
the client, I get a simple "connection closed". sshd keeps on taking
connections (it's the children that die).

This problem disappears when I remove UseLogin yes from my config file.

This problem might be related to some late login changes, but I would
be surprised. From 14.09 to 15.11, openssh 2.9 was MFC'd, so I'd suspect
that would be the problem.

Here is the output from sshd -ddde:

debug1: sshd version OpenSSH_2.9 FreeBSD localisations 20010713
debug1: private host key: #0 type 0 RSA1
debug3: No RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
Connection from localhost port 1251
Connection from ::1 port 1251
debug1: Client protocol version 2.0; client software version OpenSSH_2.9 FreeBSD localisations 20010713
debug1: match: OpenSSH_2.9 FreeBSD localisations 20010713 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.9 FreeBSD localisations 20010713
debug1: Rhosts Authentication disabled, originating port not trusted.
debug1: list_hostkey_types: ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 124/256
debug1: bits set: 1059/2049
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 1023/2049
debug1: sig size 20 20
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug3: Trying to reverse map address ::1.
debug1: userauth-request for user anarcat service ssh-connection method none
debug1: attempt 0 failures 0
debug2: input_userauth_request: setting up authctxt for anarcat
debug1: Starting up PAM with username "anarcat"
debug2: input_userauth_request: try method none
Failed none for anarcat from ::1 port 1251 ssh2
debug1: userauth-request for user anarcat service ssh-connection method publickey
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 1000/1000 (e=0)
debug1: restore_uid
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
Failed publickey for anarcat from ::1 port 1251 ssh2
debug1: userauth-request for user anarcat service ssh-connection method publickey
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 1000/1000 (e=0)
debug1: restore_uid
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
Failed publickey for anarcat from ::1 port 1251 ssh2
debug1: userauth-request for user anarcat service ssh-connection method password
debug1: attempt 3 failures 3
debug2: input_userauth_request: try method password
debug1: PAM Password authentication accepted for user "anarcat"
debug1: PAM setting rhost to "localhost"
Accepted password for anarcat from ::1 port 1251 ssh2
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 32768 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug2: callback start
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 channel 0 request pty-req reply 0
debug1: session_pty_req: session 0 alloc /dev/ttyp5
debug2: tty_parse_modes: SSH2 n_bytes 251
debug2: tty_parse_modes: ospeed 38400
debug2: tty_parse_modes: ispeed 38400
debug2: callback done
debug2: callback start
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 channel 0 request shell reply 0
debug1: PAM setting tty to "/dev/ttyp5"
debug1: do_pam_session: euid 0, uid 0
debug1: PAM establishing creds
debug1: channel 0: rfd 4 isatty
debug1: fd 4 setting O_NONBLOCK
debug1: fd 3 IS O_NONBLOCK
debug2: callback done
debug1: Setting controlling tty using TIOCSCTTY.
debug1: Received SIGCHLD.
debug3: tvp!=NULL kid 1 mili 100
debug1: session_by_pid: pid 58305
debug1: session_exit_message: session 0 channel 0 pid 58305
debug1: session_exit_message: release channel 0
debug1: channel 0: write failed
debug1: channel 0: output open -> closed
debug1: channel 0: close_write
debug1: session_pty_cleanup: session 0 release /dev/ttyp5
debug1: session_free: session 0 pid 58305
debug1: channel 0: read<=0 rfd 4 len 0
debug1: channel 0: read failed
debug1: channel 0: input open -> drain
debug1: channel 0: close_read
debug1: channel 0: input: no drain shortcut
debug1: channel 0: ibuf empty
debug1: channel 0: input drain -> closed
debug1: channel 0: send eof
debug1: channel 0: send close
debug2: channel 0: no data after CLOSE
debug2: channel 0: no data after CLOSE
debug1: channel 0: rcvd close
debug2: channel 0: no data after CLOSE
debug1: channel 0: is dead
debug1: channel_free: channel 0: status: The following connections are open:
  #0 server-session (t4 r0 i8/0 o128/0 fd -1/-1)

Connection closed by remote host.
Closing connection to ::1


GDB backtrace:

#0  0x281fc4a7 in strncmp () from /usr/lib/libc.so.4
#1  0xbfbfed7c in ?? ()
#2  0x8056e35 in getsockname ()
#3  0x8056049 in getsockname ()
#4  0x8057e12 in getsockname ()
#5  0x8057ffa in getsockname ()
#6  0x8064909 in xstrdup ()
#7  0x805e777 in getsockname ()
#8  0x80518a3 in getsockname ()
#9  0x8051e91 in getsockname ()
#10 0x8058643 in getsockname ()
#11 0x80553ed in getsockname ()
#12 0x8053543 in getsockname ()
#13 0x804dbc3 in getsockname ()
#14 0x804c0c5 in getsockname ()

Fix: 

Workaround: s/UseLogin yes/UseLogin no/

Fix unknown
How-To-Repeat: 
echo "UseLogin yes" >> /etc/ssh/sshd_config
/usr/sbin/sshd -ddde &
ssh localhost
# enter password: bang.
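Added illustration (not part of this PR, and not sshd's or FreeBSD's code): the failure class behind this report in miniature. A function builds an environment array only when UseLogin is off, but a later unconditional call walks the array with strncmp(); if the array pointer was never initialized, that walk reads whatever is on the stack, which matches the strncmp() frame at the top of the backtrace. The helper here accepts a NULL array as "empty", which is exactly the contract that lets the one-line `char **env = NULL` change proposed in Comment 1 be a complete fix. `set_env`, `build_child_env`, `env_lookup`, `env_count` and `free_env` are invented names, the sample values are taken from the debug log, and the ordering of the USER/HOME and SSH_CLIENT assignments is an assumption about the surrounding sshd code, which the patch does not show.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical helper (example code, not sshd's): find NAME in a NULL-terminated
 * "NAME=VALUE" array and replace it, or append.  A NULL *envp means "no entries
 * yet"; that contract is what makes `char **env = NULL` a complete fix, and the
 * strncmp() loop is the kind of walk that reads garbage if `env` is uninitialized.
 */
void set_env(char ***envp, unsigned int *envsizep,
             const char *name, const char *value)
{
    char **env = *envp;
    size_t namelen = strlen(name), len;
    unsigned int i;

    if (env == NULL) {                   /* first entry: allocate the array */
        *envsizep = 8;
        env = calloc(*envsizep, sizeof(char *));
        if (env == NULL) abort();
        *envp = env;
    }
    for (i = 0; env[i] != NULL; i++)     /* look for an existing NAME= entry */
        if (strncmp(env[i], name, namelen) == 0 && env[i][namelen] == '=')
            break;
    if (env[i] != NULL) {
        free(env[i]);                    /* found: replace in place */
    } else {
        if (i + 1 >= *envsizep) {        /* keep room for the terminating NULL */
            *envsizep *= 2;
            env = realloc(env, *envsizep * sizeof(char *));
            if (env == NULL) abort();
            *envp = env;
        }
        env[i + 1] = NULL;
    }
    len = namelen + 1 + strlen(value) + 1;
    env[i] = malloc(len);
    if (env[i] == NULL) abort();
    snprintf(env[i], len, "%s=%s", name, value);
}

/*
 * Shaped like the function the patch touches (the ordering is an assumption;
 * the patch shows only the declaration): per-user variables are set only when
 * UseLogin is off, SSH_CLIENT unconditionally afterwards.  That later call is
 * the read of `env` on the UseLogin path, so `env` must start out as NULL.
 */
char **build_child_env(int use_login, const char *user, const char *home,
                       const char *client_info)
{
    char **env = NULL;      /* the patch's one-line fix: without "= NULL" the
                               use_login path hands stack garbage to set_env() */
    unsigned int envsize = 0;

    if (!use_login) {
        set_env(&env, &envsize, "USER", user);
        set_env(&env, &envsize, "HOME", home);
    }
    set_env(&env, &envsize, "SSH_CLIENT", client_info);
    return env;
}

/* Value for NAME, or NULL if absent. */
const char *env_lookup(char **env, const char *name)
{
    size_t namelen = strlen(name);
    for (unsigned int i = 0; env[i] != NULL; i++)
        if (strncmp(env[i], name, namelen) == 0 && env[i][namelen] == '=')
            return env[i] + namelen + 1;
    return NULL;
}

unsigned int env_count(char **env)
{
    unsigned int n = 0;
    while (env[n] != NULL) n++;
    return n;
}

void free_env(char **env)
{
    for (unsigned int i = 0; env[i] != NULL; i++) free(env[i]);
    free(env);
}

int main(void)
{
    /* Constructed sample: the UseLogin path, user and client taken from the log. */
    char **env = build_child_env(1, "anarcat", "/home/anarcat", "::1 1251 22");
    for (unsigned int i = 0; env[i] != NULL; i++)
        printf("%s\n", env[i]);
    free_env(env);
    return 0;
}
```

Build with `cc -Wall -std=c99` and run: the UseLogin path yields a single SSH_CLIENT entry. Deleting `= NULL` from the declaration in `build_child_env` reproduces the shape of the defect, since `set_env` would then walk an arbitrary stack value on that path.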
Comment 1 dwmalone 2001-11-18 12:41:00 UTC
On Sat, Nov 17, 2001 at 03:47:08PM -0500, The Anarcat wrote:
> In the logs, I see:
> 
> /kernel: pid 58148 (sshd), uid 0: exited on signal 11


I think this bug also exists in -current. Could you try the following
patch?

	David.


Index: /usr/src/crypto/openssh/session.c
===================================================================
RCS file: /cvs/FreeBSD-CVS/src/crypto/openssh/session.c,v
retrieving revision 1.16
diff -u -r1.16 session.c
--- /usr/src/crypto/openssh/session.c	8 Jun 2001 22:22:09 -0000	1.16
+++ /usr/src/crypto/openssh/session.c	18 Nov 2001 12:22:28 -0000
@@ -1003,7 +1003,7 @@
 	char cmd[1024];
 	FILE *f = NULL;
 	u_int envsize, i;
-	char **env;
+	char **env = NULL;
 	extern char **environ;
 	struct stat st;
 	char *argv[10];
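Review bot: the `= NULL` initializer on the `char **env` declaration only removes the crash if every consumer of `env` on the UseLogin path accepts a NULL array as an empty environment; those consumers (the loop that walks `env`) lie outside this hunk, so please confirm that contract and record it at the declaration, e.g. `char **env = NULL;	/* stays NULL when UseLogin skips environment setup */`. For what is visible the change is sound: the reporter's backtrace bottoms out in strncmp(), consistent with walking a never-initialized pointer array on the path that UseLogin yes selects. The patch carries no commit message, so the UseLogin connection should go into the log when it is committed.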
Comment 2 dwmalone freebsd_committer freebsd_triage 2001-11-18 12:41:12 UTC
State Changed
From-To: open->feedback

See if the suggested patch works or not. 


Comment 3 dwmalone freebsd_committer freebsd_triage 2001-11-18 12:41:12 UTC
Responsible Changed
From-To: freebsd-bugs->dwmalone

I think I see the problem here.
Comment 4 AnarCat 2001-11-18 22:43:04 UTC
On Sun, Nov 18, 2001 at 12:41:00pm +0000, David Malone wrote:
> On Sat, Nov 17, 2001 at 03:47:08PM -0500, The Anarcat wrote:
> > In the logs, I see:
> > 
> > /kernel: pid 58148 (sshd), uid 0: exited on signal 11
> 
> 
> I think this bug also exists in -current. Could you try the following
> patch?


It fixes it! Thanks!!!

A.
Comment 5 dwmalone freebsd_committer freebsd_triage 2001-11-21 10:45:24 UTC
State Changed
From-To: feedback->closed

Fix committed to -current and -stable.