openssh unix dev - Mar 2005 - openssh-3.8.1p1, with pthreads enabled, hung in pthread_join.

I connect to my OpenSSH 3.8.1p1 server and when the password dialog 
shoes up I wait a min or so, long enough for the "Timeout before 
authentication for %s" alarm to trigger. If at that point I enter my 
password ssh will just sit there:

debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 18 padlen 14 extra_pad 64)

And the sshd will be in this state:

Attaching to program: `/private/tmp/OpenSSH.roots/OpenSSH~obj/sshd', 
process 26589.
Reading symbols for shared libraries ...................... done
0x9002cf88 in semaphore_wait_trap ()
(gdb) bt
#0  0x9002cf88 in semaphore_wait_trap ()
#1  0x9006153c in pthread_join ()
#2  0x00028a50 in sshpam_thread_cleanup () at 
/tmp/OpenSSH.roots/OpenSSH/openssh/auth-pam.c:417
#3  0x00017110 in do_cleanup (authctxt=0x4034e0) at 
/tmp/OpenSSH.roots/OpenSSH/openssh/session.c:2273
#4  0x00007044 in cleanup_exit (i=255) at 
/tmp/OpenSSH.roots/OpenSSH/openssh/sshd.c:1923
#5  0x00035bb0 in fatal (fmt=0x547d0 "Timeout before authentication for 
%s") at /tmp/OpenSSH.roots/OpenSSH/openssh/fatal.c:40
#6  0x00002d40 in grace_alarm_handler (sig=14) at 
/tmp/OpenSSH.roots/OpenSSH/openssh/sshd.c:320
#7  <signal handler called>
#8  0x90013bc8 in read ()
#9  0x0002b5ec in atomicio (f=0x90013bc0 <read>, fd=6, _s=0xbfffef60, 
n=4) at /tmp/OpenSSH.roots/OpenSSH/openssh/atomicio.c:45
#10 0x00020744 in mm_request_receive (socket=6, m=0xbfffefc0) at 
/tmp/OpenSSH.roots/OpenSSH/openssh/monitor_wrap.c:110
#11 0x0001c290 in monitor_read (pmonitor=0x403540, ent=0x633c4, 
pent=0xbffff030) at /tmp/OpenSSH.roots/OpenSSH/openssh/monitor.c:446
#12 0x0001bda8 in monitor_child_preauth (_authctxt=0x4034e0, 
pmonitor=0x403540) at /tmp/OpenSSH.roots/OpenSSH/openssh/monitor.c:343
#13 0x000039dc in privsep_preauth (authctxt=0x4034e0) at 
/tmp/OpenSSH.roots/OpenSSH/openssh/sshd.c:607
#14 0x000061c0 in main (ac=3, av=0x400f10) at 
/tmp/OpenSSH.roots/OpenSSH/openssh/sshd.c:1544
(gdb) info threads
   2 process 26589 thread 0x1103  0x90013bcc in read ()
* 1 process 26589 thread 0x203  0x9002cf88 in semaphore_wait_trap ()
(gdb) thread 2
[Switching to thread 2 (process 26589 thread 0x1103)]
#0  0x90013bcc in read ()
(gdb) bt
#0  0x90013bcc in read ()
#1  0x0002b5ec in atomicio (f=0x90013bc0 <read>, fd=8, _s=0xf0080ac0, 
n=4) at /tmp/OpenSSH.roots/OpenSSH/openssh/atomicio.c:45
#2  0x000491fc in ssh_msg_recv (fd=8, m=0xf0080b20) at 
/tmp/OpenSSH.roots/OpenSSH/openssh/msg.c:63
#3  0x00028514 in sshpam_thread_conv (n=1, msg=0xf0080bb4, 
resp=0xf0080bb8, data=0x403830) at 
/tmp/OpenSSH.roots/OpenSSH/openssh/auth-pam.c:272
#4  0x96798918 in _pam_system_log ()
#5  0x967989f4 in pam_get_pass ()
#6  0x0018a930 in pam_sm_authenticate ()
#7  0x967961c4 in pam_fail_delay ()
#8  0x96796514 in _pam_dispatch ()
#9  0x96797c40 in pam_authenticate ()
#10 0x00028880 in sshpam_thread (ctxtp=0x403830) at 
/tmp/OpenSSH.roots/OpenSSH/openssh/auth-pam.c:354
#11 0x9002c7f4 in _pthread_body ()

Thread two will just sit there in read while thread one waits for 
thread two to exit.
If i attempt this with privilege separation turned on the lowered 
privilege process will exit and become a zombie, as the original 
process never exits.

Shouldn't the sshpam/read thread have an alarm set so if the 
authentication times out it will exit cleanly?

-Nick

First, if you're building with USE_POSIX_THREADS then that's an 
unsupported configuration.

Nick Lane-Smith wrote:
> I connect to my OpenSSH 3.8.1p1 server and when the password dialog 
> shoes up I wait a min or so, long enough for the "Timeout before 
> authentication for %s" alarm to trigger. If at that point I enter my 
> password ssh will just sit there:
> 
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 1
> Password:
> debug3: packet_send2: adding 32 (len 18 padlen 14 extra_pad 64)
> 
> And the sshd will be in this state:
> 
> Attaching to program: `/private/tmp/OpenSSH.roots/OpenSSH~obj/sshd', 
> process 26589.
> Reading symbols for shared libraries ...................... done
> 0x9002cf88 in semaphore_wait_trap ()
> (gdb) bt
> #0  0x9002cf88 in semaphore_wait_trap ()
> #1  0x9006153c in pthread_join ()
> #2  0x00028a50 in sshpam_thread_cleanup () at 
> /tmp/OpenSSH.roots/OpenSSH/openssh/auth-pam.c:417
That line is immediately preceded by:

	pthread_cancel(ctxt->pam_thread);

Maybe pthread_cancel doesn't interrupt the read() syscall?  I don't know
anything about your thread implementation.
> Shouldn't the sshpam/read thread have an alarm set so if the 
> authentication times out it will exit cleanly?
It shouldn't be necessary (and it's a potential source of races).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.