JINMEI Tatuya / 神明達哉
2001-Oct-03 05:38 UTC
a trouble about filename authentication in 2.9.9p2
Hello,

After upgrading OpenSSH to 2.9.9p2, I've found some trouble with public key authentication with an sshd working on a Solaris 2.5.1 machine. The server failed to validate the user's path in auth.c:secure_filename().

There were actually two reasons for the trouble:

1. the "realpath" of pw->pw_dir (that realpath() would return) was different from pw->pw_dir itself. Thus, comparing the directory name to each directory in the for loop of the function never succeeded.
2. Our Solaris box had its own dirname(), which returned an empty string for the root directory. So the stat() call in the for loop failed for the root directory.

I've attached a patch to this message to fix problem 1. For problem 2, we're using a quick patch to check the empty string in secure_filename(), but I'm not sure if this is the correct fix. We might rather use the shared dirname() in openbsd-compat/dirname.c. So I've not included the quick hack for now.

I apologize in advance if this is a well-known issue and/or has already been fixed.

JINMEI, Tatuya
Communication Platform Lab.
Corporate R&D Center, Toshiba Corp.
jinmei at isl.rdc.toshiba.co.jp

p.s. I don't subscribe to the list, so if any of you need further information or have questions on this issue, please include me in the response explicitly. Thanks.

*** auth.c.orig Wed Oct 3 14:15:47 2001 --- auth.c Wed Oct 3 14:14:43 2001 *************** *** 363,369 **** char *err, size_t errlen) { uid_t uid = pw->pw_uid; ! char buf[MAXPATHLEN]; char *cp; struct stat st; --- 363,369 ---- char *err, size_t errlen) { uid_t uid = pw->pw_uid; ! 
char buf[MAXPATHLEN], pwbuf[MAXPATHLEN]; char *cp; struct stat st; *************** *** 372,377 **** --- 372,382 ---- strerror(errno)); return -1; } + if (realpath(pw->pw_dir, pwbuf) == NULL) { + snprintf(err, errlen, "realpath %s failed: %s", pw->pw_dir, + strerror(errno)); + return -1; + } /* check the open file to avoid races */ if (fstat(fileno(f), &st) < 0 || *************** *** 400,406 **** } /* If are passed the homedir then we can stop */ ! if (strcmp(pw->pw_dir, buf) == 0) { debug3("secure_filename: terminating check at '%s'", buf); break; --- 405,411 ---- } /* If are passed the homedir then we can stop */ ! if (strcmp(pwbuf, buf) == 0) { debug3("secure_filename: terminating check at '%s'", buf); break;
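Review bot: In the second hunk, the new realpath(pw->pw_dir, pwbuf) failure path returns -1, so a home directory that cannot be resolved now rejects the key file outright, where the old code had no such exit and went on to the ownership and mode checks. If that stricter behaviour is not intended, copy pw->pw_dir into pwbuf when realpath() fails and let the loop run with the unresolved name. If it is intended, say so in the comment above the call so the extra failure mode is not a surprise to whoever reads the "realpath ... failed" message in the log.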
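Review bot: In the third hunk, strcmp(pwbuf, buf) is the only condition that ends the upward walk early, so a key file that does not live under the resolved home directory still walks all the way to the root directory. The message says the Solaris dirname() returns an empty string there and stat() then fails, so this patch leaves that case broken. Suggest handling the empty-string result (or switching to openbsd-compat/dirname.c, as the message proposes) in the same change, and fixing the wording of the "If are passed the homedir" comment while this block is being touched.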