From jeremyp@gsmx07.alcatel.com.au  Mon Dec 24 14:12:37 2001
Return-Path: <jeremyp@gsmx07.alcatel.com.au>
Received: from netau1.alcanet.com.au (ntp.alcanet.com.au [203.62.196.27])
	by hub.freebsd.org (Postfix) with ESMTP id 1E83B37B416
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 24 Dec 2001 14:12:36 -0800 (PST)
Received: from mfg1.cim.alcatel.com.au (mfg1.cim.alcatel.com.au [139.188.23.1])
	by netau1.alcanet.com.au (8.9.3 (PHNE_22672)/8.9.3) with ESMTP id JAA03441
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 25 Dec 2001 09:12:34 +1100 (EDT)
Received: from gsmx07.alcatel.com.au by cim.alcatel.com.au
 (PMDF V5.2-32 #37641) with ESMTP id <01KCA35AI70GVFJF8I@cim.alcatel.com.au>
 for FreeBSD-gnats-submit@freebsd.org; Tue, 25 Dec 2001 09:11:51 +1100
Received: (from jeremyp@localhost)	by gsmx07.alcatel.com.au (8.11.6/8.11.6)
 id fBOMCUO88982; Tue, 25 Dec 2001 09:12:30 +1100 (EST envelope-from jeremyp)
Message-Id: <200112242212.fBOMCUO88982@gsmx07.alcatel.com.au>
Date: Tue, 25 Dec 2001 09:12:30 +1100 (EST)
From: Peter Jeremy <peter.jeremy@alcatel.com.au>
Reply-To: Peter Jeremy <peter.jeremy@alcatel.com.au>
To: FreeBSD-gnats-submit@freebsd.org
Subject: [PATCH] sshd can leave hanging processes
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         33155
>Category:       bin
>Synopsis:       [PATCH] sshd can leave hanging processes
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    des
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Dec 24 14:20:01 PST 2001
>Closed-Date:    Mon Jul 14 03:27:09 PDT 2003
>Last-Modified:  Mon Jul 14 03:27:09 PDT 2003
>Originator:     Peter Jeremy
>Release:        FreeBSD 4.5-PRERELEASE i386
>Organization:
Alcatel Australia Limited
>Environment:
System: FreeBSD cirb503493.alcatel.com.au 4.5-PRERELEASE FreeBSD 4.5-PRERELEASE #2: Sun Dec 23 07:00:19 EST 2001 root@cirb503493.alcatel.com.au:/usr/obj/usr/src/sys/pj1592 i386

OpenSSH_2.9 FreeBSD localisations 20011202, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
	
>Description:
	When processing an incoming connection, sshd forks to create a child
	to manage the specific connection.  That child forks a second time,
	and the second child manages PAM authentication.  If OPIE
	authentication is being used and the client aborts the authentication
	process, the second child never terminates.  Any further
	attempt to log in as that user will fail because of the presence
	of the hanging process and its lock file.

	Note that the process never times out - LoginGraceTime has no
	effect on the second child because the interval timer is not
	inherited across the fork (see separate PR to be written).

>How-To-Repeat:
	Configure /etc/pam.conf as follows:
sshd    auth    required        pam_opie.so
sshd    auth    required        pam_unix.so                     try_first_pass
sshd    account required        pam_unix.so
sshd    password required       pam_permit.so
sshd    session required        pam_permit.so
csshd   auth    required        pam_opie.so

	Create an OPIE key for a user and insert into /etc/opiekeys.
	Log into the host as that user:
$ slogin -l user -oTISAuthentication=yes hostname
	At the password prompt, enter Ctrl-C (or otherwise kill the client).
	On the server, a stray sshd process and /var/spool/opielocks/user
	file will be left behind.  Further attempts to log in will always
	result in failure.

>Fix:

	When the sshd process forks to manage PAM authentication, the
	parent and child share 3 pipes for IPC.  Neither the parent nor
	the child closes the unused ends of those pipes, so the child
	never sees EOF on them and cannot detect the parent's death.  The
	following patch closes the unused ends of the pipes in both
	processes.
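
	The mechanism behind the fix, as an added stand-alone example (not
	the PR's patch and not OpenSSH code): a reduced model of the three
	pipes, a close-unused-ends helper that mirrors the patch for each
	side, and a scenario in which the parent dies without answering.
	The struct and function names (pam_ipc, pam_ipc_close_unused,
	child_notices_parent_death) and the 'P' state byte are constructed
	for this example.  The real PAM child blocks in read() forever; here
	the child uses a bounded poll() so the demonstration terminates and
	the two outcomes can be compared.

```c
#include <poll.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed mirror of the three pipes shared between the connection
 * process ("parent") and the PAM helper ("child"). */
struct pam_ipc {
    int statefd[2];      /* child -> parent: which state was entered */
    int challengefd[2];  /* child -> parent: challenge text */
    int responsefd[2];   /* parent -> child: the user's response */
};

enum { PARENT_SIDE = 0, CHILD_SIDE = 1 };

static int pam_ipc_open(struct pam_ipc *ud)
{
    if (pipe(ud->statefd) == -1) return -1;
    if (pipe(ud->challengefd) == -1) return -1;
    if (pipe(ud->responsefd) == -1) return -1;
    return 0;
}

/* Same idea as the PR's patch: each side drops the ends it never uses and
 * poisons the slot with -1 so a later close-all skips it. */
static void pam_ipc_close_unused(struct pam_ipc *ud, int side)
{
    if (side == PARENT_SIDE) {
        close(ud->statefd[1]);     ud->statefd[1] = -1;
        close(ud->challengefd[1]); ud->challengefd[1] = -1;
        close(ud->responsefd[0]);  ud->responsefd[0] = -1;
    } else {
        close(ud->statefd[0]);     ud->statefd[0] = -1;
        close(ud->challengefd[0]); ud->challengefd[0] = -1;
        close(ud->responsefd[1]);  ud->responsefd[1] = -1;
    }
}

/* Close whatever is still open: this is what process exit does. */
static void pam_ipc_close_all(struct pam_ipc *ud)
{
    int *fds[] = { ud->statefd, ud->challengefd, ud->responsefd };
    for (int p = 0; p < 3; p++)
        for (int e = 0; e < 2; e++)
            if (fds[p][e] >= 0) { close(fds[p][e]); fds[p][e] = -1; }
}

/* Scenario from the PR: the child reports a state, then waits for the
 * user's response while the parent goes away.  Returns 1 if the child
 * saw EOF on the response pipe (parent's death noticed), 0 if it was
 * still waiting when its bounded wait expired, -1 on setup failure. */
int child_notices_parent_death(int close_unused_ends)
{
    struct pam_ipc ud;
    if (pam_ipc_open(&ud) == -1) return -1;

    pid_t pid = fork();
    if (pid == -1) return -1;

    if (pid == 0) {                                /* PAM child */
        if (close_unused_ends) pam_ipc_close_unused(&ud, CHILD_SIDE);
        char state = 'P';                          /* constructed: "prompting" */
        if (write(ud.statefd[1], &state, 1) != 1) _exit(2);

        /* POLLHUP/readable here means no process holds a write end any
         * more, i.e. the parent is gone.  With the child's own copy of
         * responsefd[1] still open, that can never happen. */
        struct pollfd pfd = { .fd = ud.responsefd[0], .events = POLLIN };
        if (poll(&pfd, 1, 500) <= 0) _exit(1);     /* timed out: death unnoticed */
        char response;
        _exit(read(ud.responsefd[0], &response, 1) == 0 ? 0 : 3);
    }

    /* connection process ("parent") */
    if (close_unused_ends) pam_ipc_close_unused(&ud, PARENT_SIDE);
    char state;
    if (read(ud.statefd[0], &state, 1) != 1) return -1;

    /* The client aborted: the parent exits without ever answering. */
    pam_ipc_close_all(&ud);

    int status;
    if (waitpid(pid, &status, 0) != pid) return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("unused ends left open: child noticed parent's death = %d\n",
           child_notices_parent_death(0));
    printf("unused ends closed:    child noticed parent's death = %d\n",
           child_notices_parent_death(1));
    return 0;
}
```

	Closing the unused ends is what makes the kernel's reference count
	on the write side drop to zero when the parent exits; without it the
	child's own descriptor keeps the pipe alive and read() blocks for good.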

Index: auth-pam.c
===================================================================
RCS file: /usr/ncvs/src/crypto/openssh/auth-pam.c,v
retrieving revision 1.2.2.2
diff -u -r1.2.2.2 auth-pam.c
--- auth-pam.c	28 Sep 2001 01:33:33 -0000	1.2.2.2
+++ auth-pam.c	24 Dec 2001 11:23:18 -0000
@@ -626,6 +626,13 @@
 		int i;
 		char state;	/* Which state did the connection just enter? */
 
+		close(ud->statefd[1]);
+		ud->statefd[1] = -1;
+		close(ud->challengefd[1]);
+		ud->challengefd[1] = -1;
+		close(ud->responsefd[0]);
+		ud->responsefd[0] = -1;
+
 		/* We are the parent - wait for a call to the communications
 		   function to turn up, or the challenge to be finished */
 		if (read(ud->statefd[0], &state, 1) != 1) {
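Review bot: the three close() calls at the top of this hunk carry no comment saying why they exist, and the reason is not obvious from the surrounding code; suggest adding, above `close(ud->statefd[1]);`, something like `/* Close the child's ends so the child sees EOF/EPIPE if we exit */`. Poisoning the slots with -1 is the right choice, but it only pays off if every later path that closes the pam_ipc descriptors checks for -1 first; the hunk does not show that cleanup, so confirm no later close() of the parent's slots is wrapped in an error check that would now trip on EBADF.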
@@ -749,6 +756,13 @@
 		int retval;
 		char state;
 
+		close(ud->statefd[0]);
+		ud->statefd[0] = -1;
+		close(ud->challengefd[0]);
+		ud->challengefd[0] = -1;
+		close(ud->responsefd[1]);
+		ud->responsefd[1] = -1;
+
 		conv.appdata_ptr = ud;
 		retval = pam_start(service, username, &conv, &pamh);
 		/* Is user really user? */
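Review bot: the pairing with the parent's hunk is consistent (the child keeps statefd[1], challengefd[1] and responsefd[0], exactly the ends it writes and reads), but the fix only removes the hanging process if the child's later blocking read() on responsefd[0] treats a return of 0 as fatal rather than retrying, and its writes to statefd[1] and challengefd[1] exit on EPIPE/SIGPIPE; neither behaviour is visible in this hunk, and the Description says LoginGraceTime never fires in this process, so EOF is the child's only exit path and the read loop should be checked before this is committed. Placing the closes before pam_start() is correct; a one-line comment mirroring the parent's would help the next reader.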
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->green 
Responsible-Changed-By: sheldonh 
Responsible-Changed-When: Wed Jan 9 06:35:42 PST 2002 
Responsible-Changed-Why:  
Over to the OpenSSH maintainer. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=33155 
Responsible-Changed-From-To: green->des 
Responsible-Changed-By: green 
Responsible-Changed-When: Sat Jul 12 21:23:05 PDT 2003 
Responsible-Changed-Why:  
ssh over to DES 

http://www.freebsd.org/cgi/query-pr.cgi?pr=33155 
State-Changed-From-To: open->closed 
State-Changed-By: des 
State-Changed-When: Mon Jul 14 03:27:06 PDT 2003 
State-Changed-Why:  
OBE 

http://www.freebsd.org/cgi/query-pr.cgi?pr=33155 
>Unformatted:
