Bug#905226: openssh-server: SSH AuthorizedKeysCommand hangs when output is too large
Package: openssh-server
Version: 1:7.4p1-10+deb9u3
Severity: important
Tags: patch upstream
Dear Maintainer,
When sshd's AuthorizedKeysCommand outputs a lot of keys and the match is close to the beginning of the output, sshd will deadlock. Upstream has a patch ready to fix this issue, which would need to be backported to OpenSSH 7.4p1 as used by Debian 9.5.
Patch: https://github.com/openssh/openssh-portable/commit/ddd3d34e5c7979ca6f4a3a98a7d219a4ed3d98c2
See-Also: https://bugzilla.mindrot.org/show_bug.cgi?id=2655
See-Also: https://bugzilla.redhat.com/show_bug.cgi?id=1496467
-- System Information:
Debian Release: 9.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-6-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages openssh-server depends on:
ii adduser 3.115
ii debconf [debconf-2.0] 1.5.61
ii dpkg 1.18.25
ii init-system-helpers 1.48
ii libaudit1 1:2.6.7-2
ii libc6 2.24-11+deb9u3
ii libcomerr2 1.43.4-2
ii libgssapi-krb5-2 1.15-1+deb9u1
ii libkrb5-3 1.15-1+deb9u1
ii libpam-modules 1.1.8-3.6
ii libpam-runtime 1.1.8-3.6
ii libpam0g 1.1.8-3.6
ii libselinux1 2.6-3+b3
ii libssl1.0.2 1.0.2l-2+deb9u3
ii libsystemd0 232-25+deb9u4
ii libwrap0 7.6.q-26
ii lsb-base 9.20161125
ii openssh-client 1:7.4p1-10+deb9u3
ii openssh-sftp-server 1:7.4p1-10+deb9u3
ii procps 2:3.3.12-3+deb9u1
ii ucf 3.0036
ii zlib1g 1:1.2.8.dfsg-5
Versions of packages openssh-server recommends:
ii libpam-systemd 232-25+deb9u4
ii ncurses-term 6.0+20161126-1+deb9u2
ii xauth 1:1.0.9-1+b2
Versions of packages openssh-server suggests:
pn molly-guard <none>
pn monkeysphere <none>
pn rssh <none>
pn ssh-askpass <none>
pn ufw <none>
-- debconf information:
openssh-server/permit-root-login: true
From ddd3d34e5c7979ca6f4a3a98a7d219a4ed3d98c2 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Fri, 30 Dec 2016 22:08:02 +0000
Subject: [PATCH] upstream commit
fix deadlock when keys/principals command produces a lot of
output and a key is matched early; bz#2655, patch from jboning AT gmail.com
Upstream-ID: e19456429bf99087ea994432c16d00a642060afe
---
auth2-pubkey.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 20f3309e1..70c021589 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.60 2016/11/30 02:57:40 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.61 2016/12/30 22:08:02 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -727,6 +727,9 @@ match_principals_command(struct passwd *user_pw, const struct sshkey *key)
ok = process_principals(f, NULL, pw, cert);
+ fclose(f);
+ f = NULL;
+
if (exited_cleanly(pid, "AuthorizedPrincipalsCommand", command) != 0)
goto out;
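Review bot: In match_principals_command() the new fclose(f) ahead of exited_cleanly() carries no comment saying that this ordering is the fix, so a later cleanup could move the close back behind the wait and bring the hang back. A one-line comment above fclose(f), stating that the pipe has to be closed before waiting on the command so a command with unread output is not left blocked, would protect it.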
@@ -1050,6 +1053,9 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
ok = check_authkeys_file(f, options.authorized_keys_command, key, pw);
+ fclose(f);
+ f = NULL;
+
if (exited_cleanly(pid, "AuthorizedKeysCommand", command) != 0)
goto out;
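Review bot: In user_key_command_allowed2() the stream is now closed as soon as check_authkeys_file() returns, so a command that is still writing sees its output pipe closed, and the following line sends any exited_cleanly() failure to out. Please confirm that a command ended by that write failure (SIGPIPE, or a non-zero exit after EPIPE) cannot turn an already matched key into a rejection, and add a regression test with output larger than the pipe buffer and a match on the first line. The same three added lines also appear in match_principals_command(); a small shared helper would keep the two call sites in step.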
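The hang described in this report, reproduced with a plain pipe as an added example (not code from OpenSSH, the patch or the reporter): a child writes more than a pipe can hold, the parent reads only the first line, and then waits for the child either after or before closing its read end. The function name `child_finishes`, the key line and the sizes are constructed for illustration.

```c
/* Added example, not OpenSSH code: read one line from a child, then wait. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#define OUTPUT_LINES 20000 /* constructed: about 1 MB, far more than a pipe holds */
/* 1: child ended within ~1 s; 0: still blocked in write(), killed; -1: error */
int child_finishes(int close_before_wait)
{
	struct timespec nap = { 0, 50 * 1000 * 1000 };
	char line[128] = "ssh-ed25519 AAAA_constructed_sample_key user@example\n";
	size_t len = strlen(line);
	int p[2], i, done;
	pid_t pid;
	FILE *f;
	if (pipe(p) == -1 || (pid = fork()) == -1)
		return -1;
	if (pid == 0) { /* hypothetical stand-in for AuthorizedKeysCommand */
		close(p[0]);
		for (i = 0; i < OUTPUT_LINES; i++)
			if (write(p[1], line, len) != (ssize_t)len)
				_exit(1); /* reader closed the pipe */
		_exit(0);
	}
	close(p[1]);
	if ((f = fdopen(p[0], "r")) == NULL || fgets(line, sizeof(line), f) == NULL)
		return -1; /* the first line plays the early key match */
	if (close_before_wait) { /* the ordering the patch introduces */
		fclose(f);
		f = NULL;
	}
	for (i = 0; i < 20 && waitpid(pid, NULL, WNOHANG) != pid; i++)
		nanosleep(&nap, NULL); /* bounded wait, so the demo cannot hang */
	done = (i < 20);
	if (!done) { /* child is stuck writing into a full pipe */
		kill(pid, SIGKILL);
		waitpid(pid, NULL, 0);
	}
	if (f != NULL)
		fclose(f);
	return done;
}
int main(void) {
	printf("close first: %d, wait first: %d\n", child_finishes(1), child_finishes(0));
	return 0;
}
```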