openssh bugs - Aug 2017 - [Bug 2765] New: ssh-copy-id appears to hang indefinitely when the target user has no password

https://bugzilla.mindrot.org/show_bug.cgi?id=2765

            Bug ID: 2765
           Summary: ssh-copy-id appears to hang indefinitely when the
                    target user has no password
           Product: Portable OpenSSH
           Version: 6.6p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: trivial
          Priority: P5
         Component: ssh-copy-id
          Assignee: unassigned-bugs at mindrot.org
          Reporter: ymbirtt at gmail.com

This is, obviously, a pretty bizarre use-case. Copying an SSH ID to a
passwordless user doesn't actually add any security, but it's still a
werid issue that ssh-copy-id probably shouldn't exhibit. This can be
reproduced on a single node as follows:

$ sudo adduser dimwit
$ sudo passwd -d dimwit # Never do this
$ ssh-copy-id dimwit at localhost
# The shell now appears to hang...

The issue seems to be with a line containing a call to "ssh -v -o
PreferredAuthentications=','", which attempts to assign a value to
the
$REMOTE_VERSION variable.

A little investigative work revealed that this call successfully
negotiates an interactive shell with all its output piped into sed, so
not echoed back to the user. CTRL-C and CTRL-Z get passed down to this
contained shell meaning that these will not exit the process - the
terminal really does appear to lock up. However...

$ echo "touch i-woz-ere" | ssh-copy-id dimwit at localhost
# This rapidly completes
$ su dimwit
$ ls ~
i-woz-ere

It is still possible to interact with this shell.

This does not present any real security vulnerabilty, in fact it is
caused by a complete lack of any security on the user's part, however
spawning an interactive shell does not appear to be intended behaviour.

Replacing the call with "ssh -v -o PreferredAuthentications=','
<
/dev/null" resolves this issue.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2765

Philip Hands <phil at hands.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |phil at hands.com

--- Comment #1 from Philip Hands <phil at hands.com> ---
Sorry for not doing anything about this bug till now.

I was just trying to reproduce it, before fixing it, and am failing to
do so.

I've tried this by hand, and I note that I'm being prompted for a
password, and simply hitting return does not allow me to log in.

I've also added this to the automated tests:

  https://gitlab.com/phil_hands/ssh-copy-id/-/tree/bug/2765

but (assuming the logs are still there by the time you read this)
you'll see here:

  https://gitlab.com/phil_hands/ssh-copy-id/-/jobs/741757388

that it prompts for the user's password repeatedly, and the test
doesn't manage to log in, so it also fails to provoke the behaviour.

I'm not aware of any problem with adding a </dev/null but it would be
nice to be able to demonstrate that it's needed.

Cheers, Phil.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2765

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|unassigned-bugs at mindrot.org |phil at hands.com
                 CC|                            |dtucker at dtucker.net

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2765

jason.nader at protonmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jason.nader at protonmail.com

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2765

--- Comment #2 from ymbirtt at gmail.com ---
So, I still occasionally get emails about this and keep meaning to come
back to it and here I am. I've just tried to reproduce this using the
version of ssh-copy-id in openssh-client-1:8.2p1-4ubuntu0.9, and
couldn't any more.

In particular, it seems as though this newer ssh client won't
successfully create a session with someone who has no password - I
still get prompted for a password, but since no password is defined I
can't successfully authenticate.

Though being prompted for a password against a user who has none still
feels like slightly odd behaviour, I'm happy that this bug is no longer
reproducible.

Thanks for keeping the ticket open all this time :)

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2765

andrew.mainland at gmail.com <andrew.mainland at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |andrew.mainland at gmail.com

--- Comment #3 from andrew.mainland at gmail.com <andrew.mainland at
gmail.com> ---
I was able to reproduce this bug on Fedora 40

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2765

--- Comment #4 from Philip Hands <phil at hands.com> ---
(In reply to andrew.mainland at gmail.com from comment
#3)
> I was able to reproduce this bug on Fedora 40
That's good.

Please would you try applying this change:

 
https://gitlab.com/phil_hands/ssh-copy-id/-/commit/544dcd89b60cd8188e449aae96adfc5010bc9a15

and see if that fixes the problem for you?

Cheers, Phil.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.