auth.c:auth_log contains the following code:

    authlog("%s %s for %s%.100s from %.200s port %d%s",
        authmsg,
        method,
        authctxt->valid ? "" : "illegal user ",
--->    authctxt->valid && authctxt->pw->pw_uid == 0 ? "ROOT" : authctxt->user,
        get_remote_ipaddr(),
        get_remote_port(),
        info);

If authctxt->user is null, this will dump core. I discovered this using SSH1 publickey auth with my hacked 20010424 CVS sources. auth.c and auth1.c haven't changed since then, so I suspect this may still be lurking. I'm going to test it against 2.9p1 as soon as I can, but I have to run off to jury duty now (feh).

A local patch is to change the marked line above to:

    authctxt->valid ? (authctxt->pw->pw_uid == 0 ? "ROOT" : authctxt->user) : "unknown user",

A larger issue is why getpwnam() hasn't been called by that point...

-- 
Carson Gaspar - carson at taltos.org
Queen trapped in a butch body
On Wed, May 02, 2001 at 12:20:49PM -0700, Carson Gaspar wrote:

> If authctxt->user is null, this will dump core.

how can ->user be NULL? authentication packets w/o a user are illegal and should trigger other error messages.

> I discovered this using SSH1 publickey auth with my hacked 20010424 CVS
> sources. auth.c and auth1.c haven't changed since then, so I suspect this
> may still be lurking. I'm going to test it against 2.9p1 as soon as I can,
> but I have to run off to jury duty now (feh).
>
> A local patch is to change the marked line above to:
>
>     authctxt->valid ? (authctxt->pw->pw_uid == 0 ? "ROOT" : authctxt->user) : "unknown user",
>
> A larger issue is why getpwnam() hasn't been called by that point...

if getpwnam is successful then authctxt->valid is true. authctxt->user should always be set from the ssh messages.
OK, so after recompiling with no optimization, the bug vanishes. Recompiling with optimization again, the bug still vanishes. <sigh>

I'm stumped where it came from, and why authctxt->user wasn't being populated, but the bug in auth_log() should still be fixed.

-- 
Carson
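The marked expression and its proposed replacement, as an added example that is not part of this thread or of OpenSSH itself: both versions are written as small functions over a cut-down stand-in for Authctxt and struct passwd (an assumption; the real structures carry many more fields), and the authlog() call is replaced by snprintf into a buffer so the resulting line can be inspected. The helper names user_field_original, user_field_patched and format_auth_log, and the sample contexts, are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Stand-ins for the OpenSSH types the thread refers to. These are
 * assumptions for this example: the real Authctxt and struct passwd
 * have many more fields than are modelled here. */
struct pw_min {
    uid_t pw_uid;
};

typedef struct {
    int valid;            /* non-zero once getpwnam() has succeeded */
    char *user;           /* user name as sent by the client; NULL reproduces the report */
    struct pw_min *pw;    /* only meaningful when valid is non-zero */
} Authctxt;

/* The marked line as it stood: when valid is 0 the short-circuit skips pw,
 * but the expression evaluates to authctxt->user itself, which is then
 * handed to "%s". A NULL here is undefined behaviour inside the formatter
 * and is what dumped core. */
const char *user_field_original(const Authctxt *a)
{
    return a->valid && a->pw->pw_uid == 0 ? "ROOT" : a->user;
}

/* The proposed replacement: pw and user are only consulted when valid is
 * set; otherwise a fixed string is logged. */
const char *user_field_patched(const Authctxt *a)
{
    return a->valid ? (a->pw->pw_uid == 0 ? "ROOT" : a->user) : "unknown user";
}

/* Builds the same line auth_log() passes to authlog(), using snprintf in
 * place of syslog. Returns -1 rather than passing a NULL pointer to "%s",
 * so a context that is valid but somehow has no user cannot crash the log
 * path either. */
int format_auth_log(char *buf, size_t buflen, const Authctxt *a,
                    const char *authmsg, const char *method,
                    const char *ipaddr, int port, const char *info)
{
    const char *user = user_field_patched(a);
    if (user == NULL)
        return -1;
    return snprintf(buf, buflen, "%s %s for %s%.100s from %.200s port %d%s",
                    authmsg, method, a->valid ? "" : "illegal user ",
                    user, ipaddr, port, info);
}

int main(void)
{
    char line[512];
    /* Constructed context matching the report: no user, not validated. */
    Authctxt bad = { 0, NULL, NULL };
    /* Constructed context for a validated root login. */
    struct pw_min rootpw = { 0 };
    Authctxt root = { 1, "root", &rootpw };
    const char *orig = user_field_original(&bad);

    printf("original expression yields: %s\n",
           orig ? orig : "NULL (would be passed to %s)");
    if (format_auth_log(line, sizeof line, &bad, "Failed", "publickey",
                        "192.0.2.10", 1234, "") > 0)
        printf("%s\n", line);
    if (format_auth_log(line, sizeof line, &root, "Accepted", "publickey",
                        "192.0.2.10", 1234, "") > 0)
        printf("%s\n", line);
    return 0;
}
```

With the unvalidated, user-less context the patched selector produces the line "Failed publickey for illegal user unknown user from ...", which is exactly what the patch as proposed yields, since the "illegal user " prefix is still emitted for !valid. The NULL guard in format_auth_log only matters for the case the reply says cannot occur (valid set, user unset); it costs one comparison and keeps the log path from being the thing that takes sshd down.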