From jin@eubie.lbl.gov  Thu Jan 31 12:23:40 2002
Return-Path: <jin@eubie.lbl.gov>
Received: from eubie.lbl.gov (eubie.lbl.gov [131.243.2.36])
	by hub.freebsd.org (Postfix) with ESMTP id 6D6D637B400
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 31 Jan 2002 12:23:40 -0800 (PST)
Received: (from jin@localhost)
	by eubie.lbl.gov (8.11.6/8.11.6) id g0VKNex00336;
	Thu, 31 Jan 2002 12:23:40 -0800 (PST)
	(envelope-from jin)
Message-Id: <200201312023.g0VKNex00336@eubie.lbl.gov>
Date: Thu, 31 Jan 2002 12:23:40 -0800 (PST)
From: Jin.Guojun@eubie.lbl.gov
Reply-To: j_guojun@lbl.gov
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: ssh can crash the 4.5 system
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         34502
>Category:       bin
>Synopsis:       ssh can crash the 4.5 system
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan 31 12:30:03 PST 2002
>Closed-Date:    Fri Jul 05 12:21:57 PDT 2002
>Last-Modified:  Fri Jul 05 12:21:57 PDT 2002
>Originator:     Jin Guojun
>Release:        FreeBSD 4.5-RELEASE i386
>Organization:
>Environment:

System: FreeBSD 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Wed Jan 30 09:39:25 PST 2002

	OpenSSH_2.9 FreeBSD localisations 20011202 

>Description:
	Problem 1:
		ssh localhost
	causes a system panic. A local user can use it to crash all 4.5 systems.

	Problem 2:

	does not work for protocol 2. After renaming authorized_keys to
	x.authorized_keys (i.e., disabling protocol 1), ssh will ask for a
	password instead of a passphrase:

% ls ~/.ssh
-rw-------   1 jin  advdev    607 Jan 31 12:10 authorized_keys2
-rw-------   1 jin  advdev    668 Jan 31 12:08 id_dsa
-rw-r--r--   1 jin  advdev    607 Jan 31 12:08 id_dsa.pub
-rw-------   1 jin  advdev    533 Jan 11 21:24 identity
-rw-r--r--   1 jin  advdev    337 Jan 11 21:24 identity.pub
-rw-------   1 jin  advdev    512 Jan 31 11:43 random_seed
-rw-------   1 jin  advdev   1687 Aug 27 08:59 x.authorized_keys

% ssh peer
jin@peer.lbl.gov's password: 


>How-To-Repeat:
	Do as described in Description section.
>Fix:

	


>Release-Note:
>Audit-Trail:

From: parv <parv_@yahoo.com>
To: j_guojun@lbl.gov
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/34502: ssh can crash the 4.5 system
Date: Thu, 31 Jan 2002 15:58:25 -0500

 in message <200201312023.g0VKNex00336@eubie.lbl.gov>, 
 wrote Jin.Guojun@eubie.lbl.gov thusly...
 >
 > System: FreeBSD 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Wed Jan 30 09:39:25 PST 2002
 > 
 > 	OpenSSH_2.9 FreeBSD localisations 20011202 
 > 
 > >Description:
 > 	Problem 1:
 > 		ssh localhost
 > 	causes a system panic. A local user can use it to crash all 4.5 systems.
 
 i just tried "ssh localhost" w/o any problems on 4.5-release
 2002.01.24.19.00.47 utc.
 
 
 > 	Problem 2:
 > 
 > 	does not work for protocol 2. After renaming authorized_keys to
 > 	x.authorized_keys (i.e., disabling protocol 1), ssh will ask for a
 > 	password instead of a passphrase:
 
 isn't that the way ssh is supposed to work: in the absence of keys, ask for the
 password?
 
  - parv
 
 -- 
  

From: "Jin Guojun[ITG]" <j_guojun@lbl.gov>
To: parv <parv_@yahoo.com>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/34502: ssh can crash the 4.5 system
Date: Thu, 31 Jan 2002 13:31:50 -0800

 parv wrote:
 > 
 > in message <200201312023.g0VKNex00336@eubie.lbl.gov>,
 > wrote Jin.Guojun@eubie.lbl.gov thusly...
 > >
 > > System: FreeBSD 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Wed Jan 30 09:39:25 PST 2002
 > >
 > >       OpenSSH_2.9 FreeBSD localisations 20011202
 > >
 > > >Description:
 > >       Problem 1:
 > >               ssh localhost
 > >       causes a system panic. A local user can use it to crash all 4.5 systems.
 > 
 > i just tried "ssh localhost" w/o any problems on 4.5-release
 > 2002.01.24.19.00.47 utc.
 
 # ssh -v localhost
 OpenSSH_2.9 FreeBSD localisations 20011202, SSH protocols 1.5/2.0, OpenSSL
 0x0090601f
 debug1: Reading configuration data /etc/ssh/ssh_config
 debug1: Applying options for *
 debug1: Rhosts Authentication disabled, originating port will not be trusted.
 debug1: restore_uid
 debug1: ssh_connect: getuid 0 geteuid 0 anon 1
 debug1: Connecting to localhost [::1] port 22.
 debug1: temporarily_use_uid: 0/0 (e=0)
 debug1: restore_uid
 debug1: temporarily_use_uid: 0/0 (e=0)
 
 ---- crashing
 Read from remote host peer.lbl.gov: Connection reset by peer
 Connection to peer.lbl.gov closed.
 
 This time I tried as root, who has no ssh set up at all. So, I do not
 think this is related to the .ssh/ setup. I have tried on three machines:
 
 Dual 200Mhz Pentium
 500Mhz Celeron
 700MHz AMD
 
 > 
 > >       Problem 2:
 > >
 > >       does not work for protocol 2. After renaming authorized_keys to
 > >       x.authorized_keys (i.e., disabling protocol 1), ssh will ask for a
 > >       password instead of a passphrase:
 > 
 > isn't that the way ssh supposed to work: in absence of keys ask the
 > password?
 
 The authorized_keys2 is there (not missing). Below is the manual page:
 
 ...
    SSH protocol version 2
 
      When a user connects using the protocol version 2 different
      authentication methods are available: At first, the client attempts to
      authenticate using the public key method.  If this method fails password
      authentication is tried.

      The public key method is similar to RSA authentication described in the
      previous section except that the DSA algorithm is used instead of the
      patented RSA algorithm.  The client uses his private DSA key
      $HOME/.ssh/id_dsa to sign the session identifier and sends the result to
      the server.  The server checks whether the matching public key is listed
      in $HOME/.ssh/authorized_keys2 and grants access if both the key is found
      and the signature is correct.  The session identifier is derived from a
      shared Diffie-Hellman value and is only known to the client and the
      server.

      If public key authentication fails or is not available a password can be
      sent encrypted to the remote host for proving the user's identity.  This
      protocol 2 implementation does not yet support Kerberos or OPIE
      authentication.
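
The preconditions the man page excerpt above puts on protocol 2 public key authentication, as an added example that is not part of this bug report, of OpenSSH, or of the FreeBSD tree: a small POSIX sh script that checks whether the client's public key (id_dsa.pub) is listed in the server-side key file and whether the home directory, ~/.ssh and the key file have modes that sshd's StrictModes check accepts (it rejects group- or world-writable ones). The file names and the check_pubkey_setup function are this example's own; the key file to consult is a parameter, so it can be pointed at authorized_keys2 for OpenSSH 2.x or at authorized_keys for releases that read protocol 2 keys from there.

```shell
#!/bin/sh
# Added example (not from the bug report or OpenSSH): why does protocol 2 key
# authentication fall back to a password prompt?  Two of the usual reasons:
#   (a) sshd with StrictModes refuses a home dir, ~/.ssh or key file that is
#       group- or world-writable;
#   (b) the client's public key is simply not listed in the file sshd reads.

# world_or_group_writable PATH -> exit 0 if PATH is group- or world-writable.
# Uses find -prune so only PATH itself is examined, never its contents.
world_or_group_writable() {
    [ -n "$(find "$1" -prune \( -perm -g+w -o -perm -o+w \) 2>/dev/null)" ]
}

# key_blob FILE -> print "keytype base64blob" of the first key line, dropping
# the trailing comment so that "jin@eubie" vs "jin@peer" does not matter.
key_blob() {
    awk 'NF >= 2 && $1 ~ /^ssh-/ { print $1, $2; exit }' "$1"
}

# key_authorized PUBKEY AUTHFILE -> exit 0 if PUBKEY's type+blob appears in
# AUTHFILE (comments on either side are ignored).
key_authorized() {
    blob=$(key_blob "$1")
    [ -n "$blob" ] || return 1
    awk -v want="$blob" 'NF >= 2 && ($1 " " $2) == want { found = 1 }
                         END { exit !found }' "$2"
}

# check_pubkey_setup HOMEDIR PUBKEY AUTHFILE -> exit 0 when nothing would stop
# public key authentication; otherwise print each finding and exit 1.
check_pubkey_setup() {
    home=$1 pub=$2 auth=$3 rc=0
    for p in "$home" "$home/.ssh" "$auth"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; rc=1
        elif world_or_group_writable "$p"; then
            echo "group/world writable (StrictModes will reject it): $p"; rc=1
        fi
    done
    if [ -e "$auth" ] && ! key_authorized "$pub" "$auth"; then
        echo "public key from $pub is not listed in $auth"; rc=1
    fi
    return $rc
}

# Usage on the server side, for an OpenSSH 2.x sshd that reads authorized_keys2:
#   . ./check_pubkey_setup.sh
#   check_pubkey_setup "$HOME" "$HOME/.ssh/id_dsa.pub" "$HOME/.ssh/authorized_keys2"
```

The script only reports the server-side causes it can see; a key that is listed and readable can still be refused for reasons that only `sshd -d` or `ssh -v` will show, which is why the debug transcript in this thread is the right thing to collect next.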

From: Bill Fumerola <billf@mu.org>
To: j_guojun@lbl.gov
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/34502: ssh can crash the 4.5 system
Date: Thu, 31 Jan 2002 14:47:17 -0800

 On Thu, Jan 31, 2002 at 12:23:40PM -0800, Jin.Guojun@eubie.lbl.gov wrote:
 
 > >Description:
 > 	Problem 1:
 > 		ssh localhost
 > 	causes a system panic. A local user can use it to crash all 4.5 systems.
 
 obviously this doesn't happen for everyone. if a machine crashes, it has
 a crashdump. there is ample documentation in the handbook on how to
 retrieve this crashdump. more likely than not, ssh has nothing to do
 with your machine crashing and it's just tickling another bug in the
 system. we don't know which one though, because you didn't include a
 crashdump traceback.
 
 -- 
 - bill fumerola / fumerola@yahoo-inc.com / billf@FreeBSD.org / billf@mu.org
 - my anger management counselor can beat up your self-affirmation therapist
 
 
 How-To-Not-Repeat:
 
 [ref4-billf] /home/billf > uname -a
 FreeBSD ref4.freebsd.org 4.5-STABLE FreeBSD 4.5-STABLE #0: Tue Jan 29 18:18:29 PST 2002     cshumway@ref4.freebsd.org:/local0/scratch/obj/usr/src/sys/REF4  i386
 [ref4-billf] /home/billf > ssh localhost
 billf@localhost's password: 
 

From: "Jin Guojun[ITG]" <j_guojun@lbl.gov>
To: Bill Fumerola <billf@mu.org>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: bin/34502: ssh can crash the 4.5 system
Date: Thu, 31 Jan 2002 18:00:48 -0800

 Bill Fumerola wrote:
 > 
 > On Thu, Jan 31, 2002 at 12:23:40PM -0800, Jin.Guojun@eubie.lbl.gov wrote:
 > 
 > > >Description:
 > >       Problem 1:
 > >               ssh localhost
 > >       causes a system panic. A local user can use it to crash all 4.5 systems.
 > 
 > obviously this doesn't happen for everyone. if a machine crashes, it has
 > a crashdump. there is ample documentation in the handbook on how to
 > retrieve this crashdump. more likely then not, ssh has nothing to do
 > with your machine crashing and its just tickling another bug in the
 > system. we don't know which one though, because you didn't include a
 > crashdump traceback.
 
 This is odd. The dump reports a panic somewhere in tcp_input().
 So, I recompiled all tcp_*.o with the -g option (not the entire kernel), and
 then the problem went away.
 
 A couple of things I encountered during the installation were
 some /dev/md0 errors related to two things:
 
 (1) When I entered a wrong DNS IP, after the system hung for a while,
 I typed in a correct IP; the system did not accept the new one and
 kept hanging. I hit ^C to restart the installation over, then saw
 a /dev/md0 error.
 
 (2) When reading mfsroot, I saw /dev/md0 errors.
 
 This type of error may cause installation failure. However, I have no idea
 what really caused the /dev/md0 errors.
 
 The source I downloaded was from a few hours prior to 4.5-RELEASE
 being stably released to ftp.freebsd.org.
 I will try to download the 4.5 source again and reinstall some systems
 to see if the problem still persists.
 
 	-Jin

From: "Jin Guojun[ITG]" <j_guojun@lbl.gov>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: bin/34502: ssh can crash the 4.5 system
Date: Tue, 05 Feb 2002 10:02:17 -0800

 > Problem 1:
 >      ssh localhost
 >      causes a system panic. A local user can use it to crash all 4.5 systems.
 
 This has been identified as an installation problem which is related to some
 /dev/md0 error. The installations without /dev/md0 error do not produce
 such problem. This portion can be closed.
 
 > Problem 2:
 >       does not work for protocol 2. After renaming authorized_keys to
 >       x.authorized_keys (i.e., disabling protocol 1), ssh will ask for a
 >       password instead of a passphrase.
 
 This problem exists in all OpenSSH 2.x releases.
 It has been fixed after OpenSSH 3.0.1. Since the FreeBSD Security Advisory
 FreeBSD-SA-01:63.openssh, sent out on 2001-12-07, said that there is
 a problem prior to the 3.0.2 release, the solution is to update ssh to
 OpenSSH 3.1.0 or a later release.
 
 How soon can we get SSH updated to release 3.1.0 or better?
 
 Thanks,
 
 	-Jin
State-Changed-From-To: open->closed 
State-Changed-By: jon 
State-Changed-When: Fri Jul 5 12:21:21 PDT 2002 
State-Changed-Why:  
OpenSSH 3.4p1 has been imported. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=34502 
>Unformatted:
