Kumaresh
2004-Jan-27 11:23 UTC
OpenSSH - Connection problem when LoginGraceTime exceeds time
Hello,

This problem is regarding the configuration directive called 'LoginGraceTime'.

Problem Description:
Tests were done with OpenSSH-3.6.1p2 and 3.7.1p2 on HP-UX. sshd is started with LoginGraceTime as 1 minute. Three windows were used to initiate the ssh client. After launching two clients, wait for some time without issuing the password so that it exceeds the grace period for login. When syslog.log is examined, the connection seems to be closed. But when the command #netstat -an|grep 22 is given, the connection seems to be still established, giving provision for the third client to connect to the server. As this behaviour continues, the number of users who can be connected gets reduced because of these connections still being established (i.e. MaxStartups - set as 3).

In syslog.log:
Jan 27 03:49:58 kanishka sshd[7056]: fatal: Timeout before authentication for 127.0.0.1
Jan 27 03:49:59 kanishka sshd[7075]: invalid module type: configuration

Example of netstat -an|grep 22:
tcp 0 0 127.0.0.1.22 127.0.0.1.58651 ESTABLISHED
tcp 0 0 127.0.0.1.22 127.0.0.1.58647 ESTABLISHED
tcp 0 0 127.0.0.1.58651 127.0.0.1.22 ESTABLISHED
tcp 0 0 127.0.0.1.58647 127.0.0.1.22 ESTABLISHED
tcp 0 0 *.22 *.* LISTEN
tcp 0 0 127.0.0.1.58649 127.0.0.1.22 ESTABLISHED
tcp 0 0 127.0.0.1.22 127.0.0.1.58649 ESTABLISHED

So, further connections always give "ssh_exchange_identification: Connection closed by remote host" and are closed.

Source code of OpenSSH shows that SSH uses alarm/SIGALRM to implement the LoginGraceTime. When using privileged separation, the privileged process receives the alarm signal and exits when the time expires. However, the non-privileged sshd process remains connected until the client sends some data or the client disconnects. Without privileged separation, the sshd process receives the alarm signal and exits. No other processes remain.

Any help to fix this problem?

Advance Thanks,
Kumaresh.
Darren Tucker
2004-Jan-28 04:20 UTC
OpenSSH - Connection problem when LoginGraceTime exceeds time
Kumaresh wrote:
> This problem is regarding the configuration directive called
> 'LoginGraceTime'.
[snip]
> Source code of OpenSSH shows that SSH uses alarm/SIGALRM to implement the
> LoginGraceTime. When using privileged separation, the privileged process
> receives the alarm signal and exits when the time expires. However, the
> non-privileged sshd process remains connected until the client sends some
> data or the client disconnects. Without privileged separation, the sshd
> process receives the alarm signal and exits. No other processes remain.
>
> Any help to fix this problem?

Please try this patch.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: openssh-logingrace.patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040128/f9f9a8c9/attachment.ksh
Kumaresh
2004-Jan-28 12:10 UTC
OpenSSH - Connection problem when LoginGraceTime exceeds time
Hi Darren,

> Kumaresh wrote:
> > Thanks a lot. The patch fixed the problem. We have tested this on HP-UX.
>
> There are a couple of problems with the first patch, please try this one
> instead.

For my understanding, may I please know what are the problems with the first patch?

Regards,
Kumaresh
Darren Tucker
2004-Jan-28 12:22 UTC
OpenSSH - Connection problem when LoginGraceTime exceeds time
Kumaresh wrote:
> For my understanding, may I please know what are the problems with the first
> patch?

This is embarrassing, but anyway: in the case where the client connects but does not exchange identification (e.g. if you connect to it with telnet and send no data) and the SIGALRM timer expires, the signal handler will attempt to dereference pmonitor, which will not have been initialized at that point. It will most likely segfault.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
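
The behaviour discussed in this thread, as an added C illustration that is not part of any message and is not the attached OpenSSH patch: a monitor process arms a grace timer, and the connection only closes on timeout if its handler also terminates the child holding the socket. All names, the 1-second timer, the socketpair standing in for the TCP connection and the use of SIGKILL are assumptions of this sketch; the `child_pid > 0` guard mirrors the uninitialized-state pitfall described in the last message.

```c
/* Added illustration; all names are hypothetical, not OpenSSH source. */
#include <poll.h>
#include <signal.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

static volatile sig_atomic_t child_pid = 0; /* stays 0 until the child exists */
static int fix_enabled;

static void grace_alarm_handler(int sig)
{
    (void)sig;
    /* Guard: the timer may fire before the child is forked; never signal
     * pid 0 or -1, and never touch state that is not yet initialized. */
    if (fix_enabled && child_pid > 0)
        kill((pid_t)child_pid, SIGKILL);
    _exit(1);
}

/* Returns 1 if the client sees the connection closed once the grace timer
 * (1 s here) expires, 0 if a server process still holds it, -1 on error. */
int closed_after_grace_timeout(int with_fix)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t monitor = fork();
    if (monitor < 0) return -1;
    if (monitor == 0) {                 /* "privileged" monitor */
        close(sv[0]);
        fix_enabled = with_fix;
        signal(SIGALRM, grace_alarm_handler);
        alarm(1);                       /* stand-in for LoginGraceTime */
        pid_t c = fork();
        if (c == 0) {                   /* "unprivileged" child: alarm is not inherited */
            char b;
            if (read(sv[1], &b, 1) < 0) _exit(2); /* blocks on an idle client */
            _exit(0);
        }
        child_pid = c;
        for (;;) pause();               /* wait for SIGALRM */
    }
    close(sv[1]);                       /* this process plays the idle client */
    struct pollfd p = { .fd = sv[0], .events = POLLIN };
    int closed = poll(&p, 1, 2000) > 0; /* EOF/HUP only if every server fd is gone */
    close(sv[0]);                       /* disconnect, releasing any leftover child */
    waitpid(monitor, NULL, 0);
    return closed;
}
```

With `with_fix` set to 0 the monitor exits on timeout but the child keeps the connection established, which is the state the netstat output in the first message shows.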