
Bug#248125: marked as done (sshd: processes keep alive after connection break)



Your message dated Fri, 28 May 2004 17:32:10 -0400
with message-id <E1BToxW-00005k-00@newraff.debian.org>
and subject line Bug#248125: fixed in openssh 1:3.8.1p1-4
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 9 May 2004 13:40:39 +0000
Date: Sun, 9 May 2004 15:40:21 +0200
From: "Mario 'BitKoenig' Holbe" <Mario.Holbe@RZ.TU-Ilmenau.DE>
To: submit@bugs.debian.org
Subject: sshd: processes keep alive after connection break
Message-ID: <20040509134021.GG12582@darkside.22.kls.lan>

Package: ssh
Version: 1:3.8p1-3
Severity: critical

Hello,

sshd leaves processes alive if a connection breaks during the
authentication phase:

Initial state is:

| root@darkside:~# ps -ef | grep ssh
| root     27981     1  0 15:29 ?        00:00:00 /usr/sbin/sshd
| root@darkside:~#

Now I do:

| holbe@darkside:/home/holbe% ssh holbe@localhost
| Password:

Which results in:

| root@darkside:~# ps -ef | grep ssh
| root     27981     1  0 15:28 ?        00:00:00 /usr/sbin/sshd
| holbe    28162  1398  0 15:31 tty5     00:00:00 ssh holbe@localhost
| root     28163 27981  0 15:31 ?        00:00:00 sshd: holbe [priv]
| sshd     28165 28163  0 15:31 ?        00:00:00 sshd: holbe [net]
| root     28166 28163  0 15:31 ?        00:00:00 sshd: holbe [pam]
| root@darkside:~#

Now I break the client with Ctrl-C:

| holbe@darkside:/home/holbe% ssh holbe@localhost
| Password:
| 
| holbe@darkside:/home/holbe%

And the result is:

| root@darkside:~# ps -ef | grep ssh
| root     27981     1  0 15:28 ?        00:00:00 /usr/sbin/sshd
| root     28163 27981  0 15:31 ?        00:00:00 sshd: holbe [priv]
| sshd     28165 28163  0 15:31 ?        00:00:00 [sshd] <defunct>
| root     28166 28163  0 15:31 ?        00:00:00 sshd: holbe [pam]
| root@darkside:~#

Those processes remain running until I manually kill them.

This could very easily be exploited for a Denial-of-Service
attack against system resources (processes). There is no
special knowledge needed about the victim system; this also
works with uids that don't exist.
That's why I set the severity to critical.


regards,
   Mario
-- 
<jv> Oh well, config
<jv> one actually wonders what force in the universe is holding it
<jv> and makes it working
<Beeth> chances and accidents :)
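
A detection sketch for the process state described in this report, added here as an example; it is not part of the original messages or of OpenSSH. The function names are hypothetical, and the parser assumes the `ps -ef` column layout and sshd process titles shown in the listings above.

```python
from collections import defaultdict
import re

# `ps -ef` listings copied from the report: during authentication, and after
# the client was interrupted with Ctrl-C.
PS_DURING_AUTH = """\
root     27981     1  0 15:28 ?        00:00:00 /usr/sbin/sshd
holbe    28162  1398  0 15:31 tty5     00:00:00 ssh holbe@localhost
root     28163 27981  0 15:31 ?        00:00:00 sshd: holbe [priv]
sshd     28165 28163  0 15:31 ?        00:00:00 sshd: holbe [net]
root     28166 28163  0 15:31 ?        00:00:00 sshd: holbe [pam]
"""
PS_AFTER_BREAK = """\
root     27981     1  0 15:28 ?        00:00:00 /usr/sbin/sshd
root     28163 27981  0 15:31 ?        00:00:00 sshd: holbe [priv]
sshd     28165 28163  0 15:31 ?        00:00:00 [sshd] <defunct>
root     28166 28163  0 15:31 ?        00:00:00 sshd: holbe [pam]
"""

PRIV_TITLE = re.compile(r"^sshd: (\S+) \[priv\]$")


def parse_ps(text):
    """Parse `ps -ef` rows (UID PID PPID C STIME TTY TIME CMD) into dicts."""
    procs = []
    for line in text.splitlines():
        fields = line.split(None, 7)
        if len(fields) < 8 or not fields[1].isdigit():
            continue  # header row or unrelated text
        procs.append({"pid": int(fields[1]), "ppid": int(fields[2]),
                      "cmd": fields[7].strip()})
    return procs


def stranded_preauth(text):
    """Return (priv_pid, pam_pid, user) for each stranded pre-auth session."""
    procs = parse_ps(text)
    children = defaultdict(list)
    for proc in procs:
        children[proc["ppid"]].append(proc)
    findings = []
    for proc in procs:
        match = PRIV_TITLE.match(proc["cmd"])
        if not match:
            continue
        kids = children[proc["pid"]]
        pam = [k["pid"] for k in kids if k["cmd"].endswith("[pam]")]
        net_alive = any(k["cmd"].endswith("[net]") for k in kids)
        # A [pam] helper with no live [net] child is the state in the report.
        if pam and not net_alive:
            findings.append((proc["pid"], pam[0], match.group(1)))
    return findings
```

Run periodically over live `ps -ef` output, a growing list of findings on a host still running the affected package indicates accumulating stranded sessions.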

---------------------------------------
Received: (at 248125-close) by bugs.debian.org; 28 May 2004 21:38:20 +0000
From: Colin Watson <cjwatson@debian.org>
To: 248125-close@bugs.debian.org
X-Katie: $Revision: 1.49 $
Subject: Bug#248125: fixed in openssh 1:3.8.1p1-4
Message-Id: <E1BToxW-00005k-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Fri, 28 May 2004 17:32:10 -0400

Source: openssh
Source-Version: 1:3.8.1p1-4

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh-client-udeb_3.8.1p1-4_powerpc.udeb
  to pool/main/o/openssh/openssh-client-udeb_3.8.1p1-4_powerpc.udeb
openssh-server-udeb_3.8.1p1-4_powerpc.udeb
  to pool/main/o/openssh/openssh-server-udeb_3.8.1p1-4_powerpc.udeb
openssh_3.8.1p1-4.diff.gz
  to pool/main/o/openssh/openssh_3.8.1p1-4.diff.gz
openssh_3.8.1p1-4.dsc
  to pool/main/o/openssh/openssh_3.8.1p1-4.dsc
ssh-askpass-gnome_3.8.1p1-4_powerpc.deb
  to pool/main/o/openssh/ssh-askpass-gnome_3.8.1p1-4_powerpc.deb
ssh_3.8.1p1-4_powerpc.deb
  to pool/main/o/openssh/ssh_3.8.1p1-4_powerpc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 248125@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 28 May 2004 17:58:45 -0300
Source: openssh
Binary: ssh-askpass-gnome openssh-client-udeb ssh openssh-server-udeb
Architecture: source powerpc
Version: 1:3.8.1p1-4
Distribution: unstable
Urgency: medium
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 openssh-client-udeb - Secure shell client for the Debian installer (udeb)
 openssh-server-udeb - Secure shell server for the Debian installer (udeb)
 ssh        - Secure rlogin/rsh/rcp replacement (OpenSSH)
 ssh-askpass-gnome - under X, asks user for a passphrase for ssh-add
Closes: 248125
Changes: 
 openssh (1:3.8.1p1-4) unstable; urgency=medium
 .
   * Kill off PAM thread if privsep slave dies (closes: #248125).
Files: 
 8dce3b0bc4cdc70093d8dbdc473e9bd8 890 net standard openssh_3.8.1p1-4.dsc
 313bb10cb79d9677e887935de39c7178 145574 net standard openssh_3.8.1p1-4.diff.gz
 d56bb8a20deefd960104e0a11d6bd23e 730442 net standard ssh_3.8.1p1-4_powerpc.deb
 08f2e260a229e3886bb06ff3dec6a553 51610 gnome optional ssh-askpass-gnome_3.8.1p1-4_powerpc.deb
 0c181ed3e4c6496eb3bf725543cafae2 100746 debian-installer optional openssh-client-udeb_3.8.1p1-4_powerpc.udeb
 f2dd9a38bcd13f6beab183583db5a1b2 160116 debian-installer optional openssh-server-udeb_3.8.1p1-4_powerpc.udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer

iD8DBQFAt6s39t0zAhD6TNERAh32AJ4+34IeBeOc/4toCW8c478PQr5b9ACfSMQD
l/NRDsnwai0LTXXpA0RhWaU=
=JvF4
-----END PGP SIGNATURE-----



