From anarcat@anarcat.dyndns.org  Sat Nov 17 12:45:49 2001
Return-Path: <anarcat@anarcat.dyndns.org>
Received: from tomts9-srv.bellnexxia.net (tomts9.bellnexxia.net [209.226.175.53])
	by hub.freebsd.org (Postfix) with ESMTP id 746B737B417
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 17 Nov 2001 12:45:48 -0800 (PST)
Received: from khan.anarcat.dyndns.org ([65.94.128.110])
          by tomts9-srv.bellnexxia.net
          (InterMail vM.4.01.03.16 201-229-121-116-20010115) with ESMTP
          id <20011117204547.WEPW11133.tomts9-srv.bellnexxia.net@khan.anarcat.dyndns.org>
          for <FreeBSD-gnats-submit@freebsd.org>;
          Sat, 17 Nov 2001 15:45:47 -0500
Received: from shall.anarcat.dyndns.org (shall.anarcat.dyndns.org [192.168.0.1])
	by khan.anarcat.dyndns.org (Postfix) with ESMTP id 967AC19C7
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 17 Nov 2001 15:45:53 -0500 (EST)
Received: by shall.anarcat.dyndns.org (Postfix, from userid 1000)
	id 57DA820ADB; Sat, 17 Nov 2001 15:47:08 -0500 (EST)
Message-Id: <20011117204708.57DA820ADB@shall.anarcat.dyndns.org>
Date: Sat, 17 Nov 2001 15:47:08 -0500 (EST)
From: The Anarcat <anarcat@anarcat.dyndns.org>
Reply-To: The Anarcat <anarcat@anarcat.dyndns.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: sshd 2.9 core dumps with UseLogin yes
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         32065
>Category:       bin
>Synopsis:       sshd 2.9 core dumps with UseLogin yes
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    dwmalone
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Nov 17 12:50:01 PST 2001
>Closed-Date:    Wed Nov 21 02:45:24 PST 2001
>Last-Modified:  Wed Nov 21 02:45:46 PST 2001
>Originator:     The Anarcat
>Release:        FreeBSD 4.4-STABLE i386
>Organization:
Nada, Inc.
>Environment:
System: FreeBSD shall.anarcat.dyndns.org 4.4-STABLE FreeBSD 4.4-STABLE #0: Fri Nov 16 12:57:38 EST 2001 anarcat@shall.anarcat.dyndns.org:/usr/obj/usr/src/sys/SHALL i386

CVSup'd on 15.11.2001.

>Description:

After a recent upgrade from 14.09.2001 to 15.11.2001, I couldn't log in
or use my sshd's anywhere anymore. They all have UseLogin yes in their
config file.

In the logs, I see:

/kernel: pid 58148 (sshd), uid 0: exited on signal 11
sshd[58147]: error: fcntl(4, F_SETFL, O_NONBLOCK): Resource temporarily unavailable

sshd doesn't always core dump (which is strange in itself). But from
the client, I get a simple "connection closed". sshd keeps on taking
connections (it's the children that die).

This problem disappears when I remove UseLogin yes from my config file.

This problem might be related to some late login changes, but I would
be surprised. From 14.09 to 15.11, openssh 2.9 was MFC'd, so I'd suspect
that would be the problem.

Here is the output from sshd -ddde:

debug1: sshd version OpenSSH_2.9 FreeBSD localisations 20010713
debug1: private host key: #0 type 0 RSA1
debug3: No RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
Connection from localhost port 1251
Connection from ::1 port 1251
debug1: Client protocol version 2.0; client software version OpenSSH_2.9
FreeBSD localisations 20010713
debug1: match: OpenSSH_2.9 FreeBSD localisations 20010713 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.9 FreeBSD localisations
20010713
debug1: Rhosts Authentication disabled, originating port not trusted.
debug1: list_hostkey_types: ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit:
+aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,ri
+jndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
+aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,ri
+jndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
+hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
+hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
+aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,ri
+jndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
+aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,ri
+jndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
+hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
+hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 124/256
debug1: bits set: 1059/2049
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 1023/2049
debug1: sig size 20 20
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug3: Trying to reverse map address ::1.
debug1: userauth-request for user anarcat service ssh-connection method
none
debug1: attempt 0 failures 0
debug2: input_userauth_request: setting up authctxt for anarcat
debug1: Starting up PAM with username "anarcat"
debug2: input_userauth_request: try method none
Failed none for anarcat from ::1 port 1251 ssh2
debug1: userauth-request for user anarcat service ssh-connection method
publickey
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 1000/1000 (e=0)
debug1: restore_uid
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
Failed publickey for anarcat from ::1 port 1251 ssh2
debug1: userauth-request for user anarcat service ssh-connection method
publickey
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 1000/1000 (e=0)
debug1: restore_uid
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
Failed publickey for anarcat from ::1 port 1251 ssh2
debug1: userauth-request for user anarcat service ssh-connection method
password
debug1: attempt 3 failures 3
debug2: input_userauth_request: try method password
debug1: PAM Password authentication accepted for user "anarcat"
debug1: PAM setting rhost to "localhost"
Accepted password for anarcat from ::1 port 1251 ssh2
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 32768 max
16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug2: callback start
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 channel 0 request pty-req
reply 0
debug1: session_pty_req: session 0 alloc /dev/ttyp5
debug2: tty_parse_modes: SSH2 n_bytes 251
debug2: tty_parse_modes: ospeed 38400
debug2: tty_parse_modes: ispeed 38400
debug2: callback done
debug2: callback start
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 channel 0 request shell
reply 0
debug1: PAM setting tty to "/dev/ttyp5"
debug1: do_pam_session: euid 0, uid 0
debug1: PAM establishing creds
debug1: channel 0: rfd 4 isatty
debug1: fd 4 setting O_NONBLOCK
debug1: fd 3 IS O_NONBLOCK
debug2: callback done
debug1: Setting controlling tty using TIOCSCTTY.
debug1: Received SIGCHLD.
debug3: tvp!=NULL kid 1 mili 100
debug1: session_by_pid: pid 58305
debug1: session_exit_message: session 0 channel 0 pid 58305
debug1: session_exit_message: release channel 0
debug1: channel 0: write failed
debug1: channel 0: output open -> closed
debug1: channel 0: close_write
debug1: session_pty_cleanup: session 0 release /dev/ttyp5
debug1: session_free: session 0 pid 58305
debug1: channel 0: read<=0 rfd 4 len 0
debug1: channel 0: read failed
debug1: channel 0: input open -> drain
debug1: channel 0: close_read
debug1: channel 0: input: no drain shortcut
debug1: channel 0: ibuf empty
debug1: channel 0: input drain -> closed
debug1: channel 0: send eof
debug1: channel 0: send close
debug2: channel 0: no data after CLOSE
debug2: channel 0: no data after CLOSE
debug1: channel 0: rcvd close
debug2: channel 0: no data after CLOSE
debug1: channel 0: is dead
debug1: channel_free: channel 0: status: The following connections are
open:
  #0 server-session (t4 r0 i8/0 o128/0 fd -1/-1)

Connection closed by remote host.
Closing connection to ::1


GDB backtrace:

#0  0x281fc4a7 in strncmp () from /usr/lib/libc.so.4
#1  0xbfbfed7c in ?? ()
#2  0x8056e35 in getsockname ()
#3  0x8056049 in getsockname ()
#4  0x8057e12 in getsockname ()
#5  0x8057ffa in getsockname ()
#6  0x8064909 in xstrdup ()
#7  0x805e777 in getsockname ()
#8  0x80518a3 in getsockname ()
#9  0x8051e91 in getsockname ()
#10 0x8058643 in getsockname ()
#11 0x80553ed in getsockname ()
#12 0x8053543 in getsockname ()
#13 0x804dbc3 in getsockname ()
#14 0x804c0c5 in getsockname ()

>How-To-Repeat:

echo "UseLogin yes" >> /etc/ssh/sshd_config
/usr/sbin/sshd -ddde &
ssh localhost
# enter password: bang.

>Fix:

Workaround: s/UseLogin yes/UseLogin no/

Fix unknown
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: dwmalone 
State-Changed-When: Sun Nov 18 04:41:12 PST 2001 
State-Changed-Why:  
See if the suggested patch works or not. 


Responsible-Changed-From-To: freebsd-bugs->dwmalone 
Responsible-Changed-By: dwmalone 
Responsible-Changed-When: Sun Nov 18 04:41:12 PST 2001 
Responsible-Changed-Why:  
I think I see the problem here. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=32065 

From: David Malone <dwmalone@maths.tcd.ie>
To: The Anarcat <anarcat@anarcat.dyndns.org>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/32065: sshd 2.9 core dumps with UseLogin yes
Date: Sun, 18 Nov 2001 12:41:00 +0000

 On Sat, Nov 17, 2001 at 03:47:08PM -0500, The Anarcat wrote:
 > In the logs, I see:
 > 
 > /kernel: pid 58148 (sshd), uid 0: exited on signal 11
 
 
 I think this bug also exists in -current. Could you try the following
 patch?
 
 	David.
 
 
 Index: /usr/src/crypto/openssh/session.c
 ===================================================================
 RCS file: /cvs/FreeBSD-CVS/src/crypto/openssh/session.c,v
 retrieving revision 1.16
 diff -u -r1.16 session.c
 --- /usr/src/crypto/openssh/session.c	8 Jun 2001 22:22:09 -0000	1.16
 +++ /usr/src/crypto/openssh/session.c	18 Nov 2001 12:22:28 -0000
 @@ -1003,7 +1003,7 @@
  	char cmd[1024];
  	FILE *f = NULL;
  	u_int envsize, i;
 -	char **env;
 +	char **env = NULL;
  	extern char **environ;
  	struct stat st;
  	char *argv[10];
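
Review bot: `env` at the changed declaration now starts as NULL, but the visible context does not show which later path leaves it unassigned or how it is read, so the initializer only helps if every consumer of `env` tolerates NULL. Since the report ties the fault to `UseLogin yes`, confirm that the code handling `env` on that path checks for NULL before walking or passing it, and add a short comment at the declaration naming the branch that relies on the initializer. Assigning `env` explicitly on the UseLogin branch would make that dependency visible instead of leaving it implicit in the declaration.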

From: The Anarcat <anarcat@anarcat.dyndns.org>
To: David Malone <dwmalone@maths.tcd.ie>
Cc: FreeBSD-gnats-submit@freebsd.org,
	FreeBSD Stable Issues <FreeBSD-stable@FreeBSD.ORG>
Subject: Re: bin/32065: sshd 2.9 core dumps with UseLogin yes
Date: Sun, 18 Nov 2001 17:43:04 -0500

 
 On Sun Nov 18, 2001 at 12:41:00pm +0000, David Malone wrote:
 > On Sat, Nov 17, 2001 at 03:47:08PM -0500, The Anarcat wrote:
 > > In the logs, I see:
 > >
 > > /kernel: pid 58148 (sshd), uid 0: exited on signal 11
 >
 >
 > I think this bug also exists in -current. Could you try the following
 > patch?
 
 It fixes it! Thanks!!!
 
 A.
 
State-Changed-From-To: feedback->closed 
State-Changed-By: dwmalone 
State-Changed-When: Wed Nov 21 02:45:24 PST 2001 
State-Changed-Why:  
Fix committed to -current and -stable. 

>Unformatted:
