Bug 37026

Summary: FBSD4.5/4.4 sshd coredump for non-existent login and OpenSSH 3.x (ssh v1)
Product: Ports & Packages Reporter: Alex V Eustrop <eustrop>
Component: Individual Port(s)    Assignee: Dirk Meyer <dinoex>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   

Description Alex V Eustrop 2002-04-12 20:20:00 UTC
 When I try to access an FBSD box with OpenSSH 3.0/3.1,
SSH protocol version 1 and an invalid user name, sshd produces
a coredump.
 It's wrong.

Fix: 

unknown
How-To-Repeat: 1) OpenSSH 3.x needed:
# cd /usr/ports/security/openssh
# make install && make clean
2) Try to access the FBSD box as a non-existent user:
# /usr/local/bin/ssh -1 invalid_login@localhost
# tail /var/log/messages; ls -al /sshd.core
Comment 1 Dirk Meyer freebsd_committer freebsd_triage 2002-07-04 20:27:11 UTC
Responsible Changed
From-To: freebsd-bugs->dinoex

Over to Maintainer
Comment 2 dirk.meyer 2002-07-06 05:44:20 UTC
Please check if you see this problem,
I can't reproduce this here.

Please file such pr in ports, not in misc for quicker response.

kind regards Dirk

- Dirk Meyer, Im Grund 4, 34317 Habichtswald, Germany
- [dirk.meyer@dinoex.sub.org],[dirk.meyer@guug.de],[dinoex@FreeBSD.org]
Comment 3 Alex V Eustrop 2002-07-06 11:39:04 UTC
> 
> Please check if you see this problem,
> I can't reproduce this here.
> 
> Please file such pr in ports, not in misc for quicker response.
> 


Excuse me for the incomplete information in the PR.
I am talking about sshd from the base system
(/usr/sbin/sshd), which is coredumping, and the ssh
client from openssh 3.x (3.0-3.4), which
causes it to do so.

I have reproduced this on 8 FBSD boxes, with
FreeBSD 4.3, 4.4, 4.5 and 4.6-RELEASE.
All of those versions have an ssh subsystem based
on openssh 2.x (from OpenSSH_2.3.0 in FBSD4.3
to OpenSSH_2.9 in 4.6).

My guess is that it's a FreeBSD endemic bug.

-- 
Eustrop
Comment 4 Alex V Eustrop 2002-07-06 13:39:21 UTC
 [snip]
> On my guess it's FreeBSD endemic bug.

Also, since FreeBSD-4.5 it produces a more informative message before the core:
pinockio:eustrop> /usr/local/bin/ssh -1 none@pinockio
(there is no 'none' user in /etc/passwd)

pinockio:root> tail -2 /var/log/messages
Jul  6 16:13:28 pinockio sshd[8652]: pam_set_item: NULL pam handle passed
Jul  6 16:13:28 pinockio /kernel: pid 8652 (sshd), uid 0: exited on signal 11 (core dumped)

-- 
Eustrop
Comment 5 dirk.meyer 2002-07-07 07:27:26 UTC
Mr Alex V Eustrop wrote

> Also, since FreeBSD-4.5 it produces a more informative message before the core:
> pinockio:eustrop> /usr/local/bin/ssh -1 none@pinockio
> (there is no 'none' user in /etc/passwd)
> 
> pinockio:root> tail -2 /var/log/messages
> Jul  6 16:13:28 pinockio sshd[8652]: pam_set_item: NULL pam handle passed
> Jul  6 16:13:28 pinockio /kernel: pid 8652 (sshd), uid 0: exited on signal 11 
> (core dumped)

I see the "pam_set_item" log too,
but my sshd doesn't dump core.
Please add your "sshd_config" so we can trace which option causes this.

kind regards Dirk

- Dirk Meyer, Im Grund 4, 34317 Habichtswald, Germany
- [dirk.meyer@dinoex.sub.org],[dirk.meyer@guug.de],[dinoex@FreeBSD.org]
Comment 6 Alex V Eustrop 2002-07-07 13:46:41 UTC
> I see the "pam_set_item" log too,
> but my sshd don't dump core.
> Please add your "sshd_config" so we can trace which option causes this.
> 

I am using the default sshd_config on most of the affected machines...
A shell account on such a machine should be more productive.
 (sent in a separate letter)

-- 
Eustrop
Comment 7 dirk.meyer 2002-07-07 16:17:14 UTC
> I am using the default sshd_config on most of the affected machines...
> A shell account on such a machine should be more productive.
>  (sent in a separate letter)

Please try this patch below in /usr/src/crypto/openssh/

kind regards Dirk

- Dirk Meyer, Im Grund 4, 34317 Habichtswald, Germany
- [dirk.meyer@dinoex.sub.org],[dirk.meyer@guug.de],[dinoex@FreeBSD.org]

--- auth1.c.orig	Fri Sep 28 03:33:33 2001
+++ auth1.c	Sun Jul  7 16:54:39 2002
@@ -341,6 +341,7 @@
 			debug("rcvd SSH_CMSG_AUTH_TIS: Trying PAM");
 			pam_cookie = ipam_start_auth("csshd", pw->pw_name);
 			/* We now have data available to send as a challenge */
+			if (pam_cookie != NULL )
 			if (pam_cookie->num_msg != 1 ||
 			    (pam_cookie->msg[0]->msg_style != PAM_PROMPT_ECHO_OFF &&
 			     pam_cookie->msg[0]->msg_style != PAM_PROMPT_ECHO_ON)) {
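Review bot: the added `if (pam_cookie != NULL )` sits after `pam_cookie = ipam_start_auth("csshd", pw->pw_name);`, so for a login that does not exist pw is still dereferenced before any check runs and the crash in the report is unchanged; the check that is needed is on pw, ahead of that call (`if (pw == NULL) break;`). A brace-less `if (pam_cookie != NULL)` also guards only the one if statement that follows it, leaving any later use of pam_cookie in this case reachable with a NULL pointer, so wrap the rest of the case body or bail out with `break`. The stray space in `NULL )` is a style nit.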
Comment 8 Alex V Eustrop 2002-07-07 18:37:07 UTC
 [about patch  to /usr/src/crypto/openssh/auth1.c ]

No, it doesn't help. I have applied this patch to FBSD 4.5R, 4.6R, 4.6-RELENG

# patch applied in the following sequence:

cd /usr/src/crypto/openssh
patch -p < /path/to/patch
cd /usr/src/secure/
make depend
make all
make install
kill `cat /var/run/sshd.pid`
/usr/sbin/sshd

/usr/local/bin/ssh -1 none@localhost

-- 
Eustrop
Comment 9 dirk.meyer 2002-07-16 05:09:49 UTC
I wrote: (gulped by gnats)

I can now reproduce the problem ...

This patch solves the problem here.

The error does not occur if you set in /etc/ssh/sshd_config:
ChallengeResponseAuthentication no

Thanks for your help, Please check.

kind regards Dirk

- Dirk Meyer, Im Grund 4, 34317 Habichtswald, Germany
- [dirk.meyer@dinoex.sub.org],[dirk.meyer@guug.de],[dinoex@FreeBSD.org]

--- crypto/openssh/auth1.c.orig	Sun Sep 30 19:37:34 2001
+++ crypto/openssh/auth1.c	Sun Jul  7 20:27:25 2002
@@ -339,8 +339,12 @@
 #ifdef USE_PAM
 		case SSH_CMSG_AUTH_TIS:
 			debug("rcvd SSH_CMSG_AUTH_TIS: Trying PAM");
+			if (pw == NULL)
+			    break;
 			pam_cookie = ipam_start_auth("csshd", pw->pw_name);
 			/* We now have data available to send as a challenge */
+			if (pam_cookie == NULL)
+			    break;
 			if (pam_cookie->num_msg != 1 ||
 			    (pam_cookie->msg[0]->msg_style != PAM_PROMPT_ECHO_OF
F &&
 			     pam_cookie->msg[0]->msg_style != PAM_PROMPT_ECHO_ON
)) {
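Review bot: with `if (pw == NULL) break;` placed before ipam_start_auth, an unknown login leaves the switch without ever receiving a TIS challenge while a known login gets one, so a protocol-1 client can use this code path to tell valid user names from invalid ones; consider running the same challenge flow with a placeholder entry for unknown users, or otherwise returning an identical response, so the two cases are indistinguishable on the wire. The second guard, `if (pam_cookie == NULL) break;`, deserves a comment on when ipam_start_auth returns NULL, given the `pam_set_item: NULL pam handle passed` log line that precedes the crash in the report. Style: both new `break;` lines are indented with four spaces in a tab-indented file; match the surrounding tabs.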

----------------------

Mr Alex V Eustrop wrote:

> > Thanks for your help, Please check.
> > 
> > kind regards Dirk
> 
> Thank you. It works fine. I have tested this patch with
> FreeBSD 4.3, 4.4, 4.5, 4.6.
> 
> Best Regards.
> Eustrop
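As an added illustration that is not FreeBSD base-system or OpenSSH code, the following stand-alone C mock of the SSH_CMSG_AUTH_TIS case shows the two NULL checks from the final patch in the order they have to run, with a constructed user table standing in for getpwnam() and a stub standing in for ipam_start_auth(). The mock_ names, the 'nopam' account (added only so the second guard is exercised) and the values given to the PAM constants are assumptions, not taken from the thread.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not FreeBSD or OpenSSH code. It mocks the SSH_CMSG_AUTH_TIS
 * case of auth1.c to show the two NULL checks from the final patch in the
 * order they must run. The user table, the mock_ names, the "nopam" account
 * and the PAM constant values are assumptions for illustration only. */

#define PAM_PROMPT_ECHO_OFF 1
#define PAM_PROMPT_ECHO_ON  2

struct mock_passwd { const char *pw_name; };            /* subset of struct passwd */
struct mock_pam_msg { int msg_style; const char *msg; };
struct mock_pam_cookie { int num_msg; struct mock_pam_msg *msg[1]; };

enum tis_result {
    TIS_NO_USER,        /* pw == NULL: the login does not exist */
    TIS_NO_COOKIE,      /* PAM could not start a handle for this user */
    TIS_BAD_CHALLENGE,  /* PAM produced something other than one prompt */
    TIS_CHALLENGE_SENT  /* a single ECHO_OFF/ECHO_ON prompt would go to the client */
};

/* Constructed stand-in for getpwnam(): only these accounts "exist". */
static struct mock_passwd known_users[] = { { "eustrop" }, { "root" }, { "nopam" } };

static struct mock_passwd *mock_getpwnam(const char *name)
{
    size_t i;

    for (i = 0; i < sizeof known_users / sizeof known_users[0]; i++)
        if (strcmp(known_users[i].pw_name, name) == 0)
            return &known_users[i];
    return NULL;        /* unknown login: this is the pointer the TIS case dereferenced */
}

/* Constructed stand-in for ipam_start_auth(): one echo-off prompt for a
 * usable user name, NULL when no PAM handle could be set up ("nopam" is a
 * constructed account that makes the second guard reachable in the mock). */
static struct mock_pam_msg password_prompt = { PAM_PROMPT_ECHO_OFF, "Password:" };
static struct mock_pam_cookie password_cookie = { 1, { &password_prompt } };

static struct mock_pam_cookie *mock_ipam_start_auth(const char *service, const char *user)
{
    (void)service;
    if (user == NULL || strcmp(user, "nopam") == 0)
        return NULL;
    return &password_cookie;
}

/* The hardened case body. Checking pw before pw->pw_name is what the first
 * patch missed; checking pam_cookie before pam_cookie->num_msg is the second
 * guard. Each failure returns instead of falling into a NULL dereference. */
enum tis_result handle_auth_tis(const char *login)
{
    struct mock_passwd *pw = mock_getpwnam(login);
    struct mock_pam_cookie *pam_cookie;

    if (pw == NULL)
        return TIS_NO_USER;      /* unpatched code reached pw->pw_name here: SIGSEGV */
    pam_cookie = mock_ipam_start_auth("csshd", pw->pw_name);
    if (pam_cookie == NULL)
        return TIS_NO_COOKIE;
    if (pam_cookie->num_msg != 1 ||
        (pam_cookie->msg[0]->msg_style != PAM_PROMPT_ECHO_OFF &&
         pam_cookie->msg[0]->msg_style != PAM_PROMPT_ECHO_ON))
        return TIS_BAD_CHALLENGE;
    return TIS_CHALLENGE_SENT;
}

int main(void)
{
    const char *logins[] = { "eustrop", "none", "nopam" };  /* "none" mirrors the report */
    size_t i;

    for (i = 0; i < sizeof logins / sizeof logins[0]; i++)
        printf("%-8s -> %d\n", logins[i], handle_auth_tis(logins[i]));
    return 0;
}
```

The order is the whole point: a pw check placed after `ipam_start_auth("csshd", pw->pw_name)`, as in the first patch, never runs for an unknown login because the dereference has already happened. Note also that the hardened path answers an unknown login without any challenge while a known login gets one, so protocol-1 TIS authentication on a patched server still lets a client distinguish the two; that user-enumeration side effect is not something this fix addresses.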
Comment 10 Dirk Meyer freebsd_committer freebsd_triage 2002-08-23 20:14:26 UTC
State Changed
From-To: open->closed

Closed after timeout from security-officer.
I recommend that users of FreeBSD 4.5 install the patch,
or update to STABLE.