bugzilla-daemon at bugzilla.mindrot.org
2015-Nov-17  11:09 UTC
[Bug 2496] New: sshd hangs when using AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=2496
            Bug ID: 2496
           Summary: sshd hangs when using AuthorizedKeysCommand
           Product: Portable OpenSSH
           Version: 7.1p1
          Hardware: amd64
                OS: FreeBSD
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: felicity at torchbox.com
Since upgrading to 7.1p1 on FreeBSD 10.2, sshd has started hanging when
using an AuthorizedKeysCommand.  This worked fine in 6.8.
Server configuration:
Match User git
        AuthorizedKeysCommand /usr/local/sbin/ssh-lookup-key-git
Relevant server debug output:
debug3: subprocess: AuthorizedKeysCommand command "/usr/local/sbin/ssh-lookup-key-git git" running as sshkeys
debug3: subprocess: AuthorizedKeysCommand pid 86183
debug2: user_key_allowed: check options: 'command="/usr/local/git/bin/gitolite-shell tom at torchbox.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-dss tom at tortoise.local'
[... output elided ...]
debug2: user_key_allowed: check options: 'command="/usr/local/git/bin/gitolite-shell felicity at torchbox.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAQEAyszt9jTA88Dz4SjVVevwgCKHY1GfS5hla0XatqtAWNI+9O5eXasbybB7UfHo5Y6FB8Xu7Snu1NAj/xVGKLlQ69cNT6YMaj3TC1TLfhK2pmHxWHXDUqffU5ZOE/C4VSdING8FateJ5E7oOw9152UKNRoI12Fsu9yzzUZnKm0+43kFg/XfGioGqagm4jAUNhwylqRulRxFWCpZLjEjJOiRI+6pgVK8+wsq5kpuwVe36k0wmHEPWhbGabNY1Uw6dkVWIz3pI1PtaAmmb4FZ6KLYFh6kO4u3M+uhPfj94mtJb3Yr5jPkOb/9DKhCaZqYLVm3cs7pyQZtN3oRkitjzJC34Q=felicity
at severance'
debug1: matching key found: file /usr/local/sbin/ssh-lookup-key-git, line 15 RSA SHA256:LlC54jHl2i3IC3K8rSsRuvjkSIdcfhbyH1oq2e/9Uog
No output is printed after this, and the sshd server process hangs with
the authorized keys command still running.
A workaround appears to be having the command flush output after
printing every key, instead of buffering it as a single write; in this
case, since it's a Perl script, adding "$| = 1;" to disable buffering
makes things work as expected.
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
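Added illustration, not part of the original report and not sshd's code: one mechanism consistent with the symptoms above (a match is logged, then the server waits on a helper that never exits) is a pipe deadlock, where the reader stops consuming output at the first match while the writer is still blocked in write(). The helper, the key lines and the function name lookup are constructed for this sketch, which also shows the consumer-side remedy of draining the pipe before waiting.

```python
import subprocess
import sys

# Constructed stand-in for a key-lookup helper: emits 400 long key lines
# (about 250 KB), far more than a pipe buffer holds.
HELPER = (
    "import sys\n"
    "for i in range(400):\n"
    "    sys.stdout.write('ssh-rsa %s user%d\\n' % ('A' * 600, i))\n"
)


def lookup(wanted, drain, timeout=3.0):
    """Read helper output until `wanted` matches, then wait for it to exit.

    Returns (matched, exited). `exited` is False when the helper was still
    blocked in write() after `timeout` seconds, i.e. the reported hang.
    """
    proc = subprocess.Popen([sys.executable, "-c", HELPER],
                            stdout=subprocess.PIPE)
    matched = False
    for raw in proc.stdout:
        if raw.decode().rstrip("\n").endswith(" " + wanted):
            matched = True
            break                      # stop reading at the first match
    if drain:
        # Consumer-side remedy: discard the rest so the writer can finish.
        while proc.stdout.read(65536):
            pass
    try:
        proc.wait(timeout=timeout)     # analogous to waiting for the command
        exited = True
    except subprocess.TimeoutExpired:
        exited = False                 # writer is stuck on a full pipe
        proc.kill()
        proc.wait()
    proc.stdout.close()
    return matched, exited


if __name__ == "__main__":
    print("no drain:", lookup("user3", drain=False))
    print("drain:   ", lookup("user3", drain=True))
```

For helper authors, the practical takeaway is to keep output small (for example by printing only the keys relevant to the lookup) so that it cannot fill the pipe whatever the reader does.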
bugzilla-daemon at bugzilla.mindrot.org
2015-Nov-17  20:56 UTC
[Bug 2496] sshd hangs when using AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=2496
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
sshd waits for the AuthorizedKeysCommand to finish - if it doesn't
finish, sshd will hang. So the question is: why is the command failing
to exit?
The only difference between 6.8p1 and 7.1p1 that I think could be
relevant is that 7.1p1 sets up a minimal environment ($PATH, $USER,
$LOGNAME, $HOME, $LANG) whereas 6.8p1 inherited a full environment from
sshd.
I'm not sure why this could cause your command to misbehave though. I
suggest getting a strace/ktrace of the command as it hangs - it might
yield some clues.
bugzilla-daemon at bugzilla.mindrot.org
2016-Jul-08  04:52 UTC
[Bug 2496] sshd hangs when using AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=2496
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WORKSFORME
             Status|NEW                         |RESOLVED
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
closing: >6 months with no followup
bugzilla-daemon at bugzilla.mindrot.org
2016-Aug-02  00:43 UTC
[Bug 2496] sshd hangs when using AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=2496
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after 7.3p1 release
bugzilla-daemon at bugzilla.mindrot.org
2017-Feb-17  13:58 UTC
[Bug 2496] sshd hangs when using AuthorizedKeysCommand
https://bugzilla.mindrot.org/show_bug.cgi?id=2496
Jakub Jelen <jjelen at redhat.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jjelen at redhat.com
--- Comment #4 from Jakub Jelen <jjelen at redhat.com> ---
This upstream commit fixes the problem according to discussion on IRC:
https://github.com/openssh/openssh-portable/commit/ddd3d34e5c7979ca6f4a3a98a7d219a4ed3d98c2