Bug 39953

Summary: Resolve failure in OpenSSH 3.4p1 when using PrivilegeSeperation in 4.5-RELEASE
Product: Ports & Packages Reporter: jestrix <jestrix>
Component: Individual Port(s)Assignee: Dirk Meyer <dinoex>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   

Description jestrix 2002-06-28 16:50:01 UTC 
When upgrading to OpenSSH 3.4p1 from the ports collection (using Makefile 1.48 and OPENSSH_OVERWRITE_BASE=yes), sshd hangs when trying to do a lookup of the connecting IP. After about a minute, the password prompt appears and an ssh connection is successfully established.

sshd -ddd output as follows:
debug1: sshd version OpenSSH_3.4p1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #0 type 2 DSA
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
<snip>
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug3: Trying to reverse map address xx.xx.xx.xx.
<hangs for a minute here>
Could not reverse map address xx.xx.xx.xx.
debug1: userauth-request for user blah service ssh-connection method none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
<snip>

daemon still works correctly, but the wait is an annoyance.  Furthermore, nslookup successfully resolves the IP in question, so even though sshd is ignoring "VerifyReverseMapping no" (full sshd_config pasted in 'how to repeat') it should not fail.

This problem did NOT occur on a second system when using the same OpenSSH port:
FreeBSD foo2.org 4.6-RC FreeBSD 4.6-RC #0: Fri May 31 00:44:30 EDT 2002     jestrix@jestrix.net:/usr/obj/usr/src/sys/JESTRIX  i386

Fix: 

Set "UsePrivilegeSeperation no" in sshd_config
How-To-Repeat: Repeated on a second 4.5-RELEASE system by installing the new OpenSSH port and using the following sshd_config:

#       $OpenBSD: sshd_config,v 1.56 2002/06/20 23:37:12 markus Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port 22
Protocol 2
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 600
PermitRootLogin no
StrictModes yes

#RSAAuthentication no
#PubkeyAuthentication no
#AuthorizedKeysFile     .ssh/authorized_keys

# rhosts authentication should not be used
RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
IgnoreUserKnownHosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication 
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
UseLogin no
UsePrivilegeSeparation yes
Compression no

#MaxStartups 10
# no default banner path
#Banner /some/path
VerifyReverseMapping no

# override default of no subsystems
Subsystem       sftp    /usr/libexec/sftp-server
Comment 1 robertw 2002-07-01 07:03:42 UTC 
Same problem here, except it only happens inside of a jail, not on the host
system.  I can duplicate it on both jails using the same configuration file
as the host system.  DNS is working properly on every other application in
the jails as well.
Comment 2 Dirk Meyer freebsd_committer freebsd_triage 2002-07-04 20:19:48 UTC 
Responsible Changed
From-To: freebsd-ports->dinoex

I will look into this. 

The resolver library is sometimes not inizialized, 
and it can't after chroot is done. 

Workaround: create on of this files with the correct nameserver: 
/usr/local/empty/etc/resolv.conf 
/var/empty/etc/resolv.conf
Comment 3 robertw 2002-07-05 00:05:52 UTC 
I tried created the files for the workaround inside the jails but they
didn't change anything.  I did restart sshd just in case it needed to have
the parent process reinitialize.

Only thing that isn't very standard is that the nameserver line points to
the jail's own IP, not another host or 127.0.0.1.=20

E-mail me if you want to have me test out any patches for this though, would
love to get rid of the long delay in jail SSH sessions.
Comment 4 dirk.meyer 2002-07-25 05:41:45 UTC 
I still can't repoduce the problem as described,
but this patch should fix it.

Please check if this solves the problem.

kind regards Dirk

- Dirk Meyer, Im Grund 4, 34317 Habichtswald, Germany
- [dirk.meyer@dinoex.sub.org],[dirk.meyer@guug.de],[dinoex@FreeBSD.org]

--- sshd.c.orig	Wed Jun 26 01:24:19 2002
+++ sshd.c	Thu Jul 25 06:32:37 2002
@@ -53,6 +53,10 @@
 #include <prot.h>
 #endif
 
+#ifdef __FreeBSD__
+#include <resolv.h>
+#endif
+
 #include "ssh.h"
 #include "ssh1.h"
 #include "ssh2.h"
@@ -1409,6 +1413,17 @@
 	    setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on,
 	    sizeof(on)) < 0)
 		error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
+
+#ifdef __FreeBSD__
+	/*
+	 * Initialize the resolver.  This may not happen automatically
+	 * before privsep chroot().                                   
+	 */
+	if ((_res.options & RES_INIT) == 0) {
+		debug("res_init()");         
+		res_init();         
+	}
+#endif
 
 	/*
 	 * Register our connection.  This turns encryption off because we do
Comment 5 des 2002-07-25 14:02:59 UTC 
dirk.meyer@dinoex.sub.org (Dirk Meyer) writes:
> I still can't repoduce the problem as described,
> but this patch should fix it.

It looks good, though a simple (void)gethostbyname("localhost") should
be just as effective.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org
Comment 6 robertw 2002-07-26 00:13:36 UTC 
Oops, the workaround DOES work in the jail, it's just I forgot to chmod 755
/var/empty.

But that doesn't matter anymore.  I have patched OpenSSH and the delay is
gone.  Now to just get this back into OpenSSH or the port patches... :)

- Robert
Comment 7 Dirk Meyer freebsd_committer freebsd_triage 2002-07-27 07:20:45 UTC 
State Changed
From-To: open->closed

Commited, Thanks.