
Bug#236306: Segmentation fault during keyboard-interactive authentication in sshd



Package: ssh
Version: 3.4p1-1.woody.3

When trying to log in to an sshd with privilege separation off and PAM
keyboard-interactive authentication, sshd crashes with a segmentation
fault.

I have included a transcript of the server output and the sshd_config
file.
In the transcript, comments are marked by double square brackets
[[like this]].
(I'm using PuTTY 0.53b on Windows 2000, if that's of any relevance.)

The crash does *not* happen if I'm connecting with public-key
authentication.

Kernel version: 2.4.24
libc6 version: 2.2.5-11.5

The last debug output lines say something about devices.
The crash *might* be due to a missing entry in the /dev subdirectory
(I had some entries removed during early install).
Unfortunately, recreating devices using /dev/MAKEDEV didn't help.
That came as no real surprise as the debug log gives no hint on the
kind or name of any missing device entries (and I'm not too sure that
this is the real problem anyway).

I have tried to reconstruct the crash from the C sources, but I have
failed so far - it seems that sshd is looking for a device to use,
and crashing because the list of useful devices is empty, but I was
unable to determine what structure element exactly contains the NULL
that causes the segfault, nor to find out where sshd is supposed to
get the device (device list) from.

Please feel free to ask for any additional information you may need.

Regards,
Jo

--- transcript ---
root@durchholz in ~:
515 # sshd -dddD -o Port=223 -o UsePrivilegeSeparation=no -o PAMAuthenticationViaKbdInt=yes
[[Note that the options above override the settings in the configuration file.]]
debug1: sshd version OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: Bind to port 22 on 0.0.0.0.
debug1: Bind to port 223 on 0.0.0.0.
Server listening on 0.0.0.0 port 223.
debug1: Server will not fork when running in debugging mode.
Connection from 212.102.226.14 port 3058
debug1: Client protocol version 2.0; client software version PuTTY-Release-0.53b
debug1: no match: PuTTY-Release-0.53b
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes256-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,rijndael192-cbc,aes128-cbc,rijndael128-cbc,blowfish-cbc,3des-cbc
debug2: kex_parse_kexinit: aes256-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,rijndael192-cbc,aes128-cbc,rijndael128-cbc,blowfish-cbc,3des-cbc
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5,none
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5,none
debug2: kex_parse_kexinit: none,zlib,none
debug2: kex_parse_kexinit: none,zlib,none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-sha1
debug1: kex: client->server aes256-cbc hmac-sha1 none
debug2: mac_init: found hmac-sha1
debug1: kex: server->client aes256-cbc hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 249/512
debug1: bits set: 1591/3191
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 1586/3191
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: cipher_init: set keylen (16 -> 32)
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: cipher_init: set keylen (16 -> 32)
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
[[client shows "login as:" prompt; user name "root" was entered.]]
debug1: userauth-request for user root service ssh-connection method none
debug1: attempt 0 failures 0
debug2: input_userauth_request: setting up authctxt for root
debug1: Starting up PAM with username "root"
debug3: Trying to reverse map address 212.102.226.14.
debug1: PAM setting rhost to "line-gm-212102226014.oberberg.net"
debug2: input_userauth_request: try method none
Failed none for root from 212.102.226.14 port 3058 ssh2
debug1: userauth-request for user root service ssh-connection method keyboard-interactive
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=root devs=
debug1: kbdint_alloc: devices ''
debug2: auth2_challenge_start: devices
Segmentation fault

root@durchholz in ~:
516 #


--- sshd_config (comments stripped for brevity) ---
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_rsa_key
HostbasedAuthentication no
IgnoreRhosts yes
KeepAlive yes
KeyRegenerationInterval 3600
LogLevel VERBOSE
LoginGraceTime 600
PAMAuthenticationViaKbdInt no
PasswordAuthentication no
# PasswordAuthentication yes will go through some additional gyrations,
# but the last lines before the crash are the same as above.
PermitEmptyPasswords no
PermitRootLogin yes
Port 22
PrintLastLog no
PrintMotd no
Protocol 2
PubkeyAuthentication yes
RSAAuthentication yes
RhostsAuthentication no
RhostsRSAAuthentication no
ServerKeyBits 768
StrictModes yes
Subsystem       sftp    /usr/lib/sftp-server
SyslogFacility AUTH
UsePrivilegeSeparation yes
X11DisplayOffset 10
X11Forwarding no
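The report's hypothesis is that sshd walks an empty keyboard-interactive device list (note the `kbdint_alloc: devices ''` line) and then dereferences a NULL result. The following C program is an added illustration of that failure mode and of the guard that turns it into an authentication failure instead of a crash. It is a constructed model, not OpenSSH's code: the `kbd_device` type, the `devices` table, and the `first_device` / `start_challenge_*` functions are hypothetical names chosen for this example.

```c
/* Added example: toy model of a keyboard-interactive "device list" lookup.
 * NOT OpenSSH's code; it only models the crash the bug report describes
 * (empty device list -> NULL -> dereference) and a defensive alternative.
 * All names here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A hypothetical authentication "device" (in OpenSSH terms: pam, bsdauth, ...). */
typedef struct {
    const char *name;
    int (*init)(void);
} kbd_device;

static int pam_init(void)  { return 0; }
static int skey_init(void) { return 0; }

/* Hypothetical compiled-in device table, terminated by a NULL entry. */
static const kbd_device devices[] = {
    { "pam",  pam_init },
    { "skey", skey_init },
    { NULL,   NULL },
};

/* Look up one device by (non NUL-terminated) name; NULL when not found. */
static const kbd_device *lookup_device(const char *name, size_t len)
{
    for (const kbd_device *d = devices; d->name != NULL; d++)
        if (strlen(d->name) == len && strncmp(d->name, name, len) == 0)
            return d;
    return NULL;
}

/* Return the first known device from a comma-separated list such as
 * "pam,skey". An empty list ("") or a list of unknown names yields NULL,
 * which is exactly the condition the transcript shows ("devices ''"). */
const kbd_device *first_device(const char *list)
{
    const char *p = list;
    while (*p != '\0') {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        const kbd_device *d = lookup_device(p, len);
        if (d != NULL)
            return d;
        if (comma == NULL)
            break;
        p = comma + 1;
    }
    return NULL;
}

/* Unchecked caller: dereferences the lookup result unconditionally, so an
 * empty or unknown list dies with a segmentation fault, as in the report. */
int start_challenge_unchecked(const char *list)
{
    const kbd_device *d = first_device(list);
    return d->init();            /* NULL dereference when the list is empty */
}

/* Guarded caller: an empty device list is an authentication failure that
 * gets logged, not a crash. Returns 1 on success, 0 when no device exists. */
int start_challenge_checked(const char *list)
{
    const kbd_device *d = first_device(list);
    if (d == NULL) {
        fprintf(stderr, "keyboard-interactive: no usable devices in '%s'\n", list);
        return 0;
    }
    return d->init() == 0 ? 1 : 0;
}

int main(void)
{
    printf("checked, 'pam,skey': %d\n", start_challenge_checked("pam,skey"));
    printf("checked, '':         %d\n", start_challenge_checked(""));
    /* start_challenge_unchecked("") would segfault here; deliberately not called. */
    return 0;
}
```

Running the guarded path with the constructed list `"pam,skey"` succeeds, while the empty list (the situation in the transcript) logs a message and returns 0; only the unchecked variant reproduces the crash behaviour.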