Displaying 20 results from an estimated 68 matches for "monitor_child_preauth".
2008 Jul 10
1
Race condition in sshd
Hello,
This bug exists in 5.0p1. I apologize that I couldn't test against HEAD.
I _believe_ I have found a race condition in sshd. In the v2 protocol, after a
connection, the accepting process forks in privsep_preauth(). The parent
executes monitor_child_preauth() to allow certain privsep requests necessary
for authentication. The unprivileged child runs do_ssh2_kex() followed by
do_authentication2().
I am working on a new KEX algorithm whose primary feature is performance. It
is fast enough that do_authentication2() runs _before_ the monitor has a
ch...
2011 Jun 02
2
preauth privsep logging via monitor
...ot;key.h"
@@ -179,6 +188,8 @@ int mm_answer_audit_event(int, Buffer *)
int mm_answer_audit_command(int, Buffer *);
#endif
+static int monitor_read_log(struct monitor *);
+
static Authctxt *authctxt;
static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */
@@ -346,6 +357,10 @@ monitor_child_preauth(Authctxt *_authctx
debug3("preauth child monitor started");
+ close(pmonitor->m_recvfd);
+ close(pmonitor->m_log_sendfd);
+ pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1;
+
authctxt = _authctxt;
memset(authctxt, 0, sizeof(*authctxt));
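Review bot: the three lines added after debug3("preauth child monitor started") close pmonitor->m_recvfd and pmonitor->m_log_sendfd with no comment saying why the monitor gives up these two descriptors at this point; a one-line comment above the close() calls would make the descriptor ownership clear to later readers. Resetting both fields to -1 afterwards is worth keeping, since it stops a later close() from hitting a reused descriptor number.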
@@ -405,6 +420,10 @@ monito...
2002 Jul 01
3
3.4p1: 'buffer_append_space: alloc 10506240 not supported'
...bug1: temporarily_use_uid: 529/101 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 529/101 (e=0)
debug1: restore_uid
debug1: ssh_rsa_verify: signature correct
Accepted hostbased for quinot from 10.10.0.172 port 35503 ssh2
Accepted hostbased for quinot from 10.10.0.172 port 35503 ssh2
debug1: monitor_child_preauth: quinot has been authenticated by privileged process
debug1: newkeys: mode 0
debug1: newkeys: mode 1
debug1: Entering interactive session for SSH2.
debug1: fd 8 setting O_NONBLOCK
debug1: fd 10 setting O_NONBLOCK
debug1: server_init_dispatch_20
buffer_append_space: alloc 10506240 not supported
deb...
2009 Dec 03
1
Winbind + SSH + AIX - Connection to aixserver01 closed by remote host
...ixserver01 authpriv:info sshd[467118]: Failed publickey
for robertobouza from 10.10.20.202 port 55612 ssh2
Dec 3 11:23:17 aixserver01 authpriv:info sshd[467118]: Accepted password
for robertobouza from 10.10.20.202 port 55612 ssh2
Dec 3 11:23:17 aixserver01 authpriv:debug sshd[467118]: debug1:
monitor_child_preauth: robertobouza has been authenticated by privileged
process
Dec 3 11:23:17 aixserver01 authpriv:debug sshd[467118]: debug1:
do_cleanup
So, it looks like everything is working but why do I get a connection
closed?
Thank you.
Roberto Bouza.
2012 Nov 01
5
[Bug 983] Required authentication
https://bugzilla.mindrot.org/show_bug.cgi?id=983
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
Assignee|pgsery at swcp.com |djm at mindrot.org
--- Comment #58 from Damien Miller
2015 Jun 18
7
[Bug 2415] New: Public key failures are not counted and therefore not logged into syslog
...tory, but I didn't find any moment when it could have been
working (maybe before implementation of privilege separation, when
there was only one authctxt?).
The difference between password authentication and pubkey is, that this
log is called from mm_answer_keyallowed instead of standard cycle
monitor_child_preauth.
Fix is pretty easy, just increment failures value before (or after as
other log calls?) calling the log function in monitor.c, but of course
I want to make sure that I didn't miss something from protocol
specification. But everything looks like prepared for this, except it
doesn't work....
2003 Nov 03
1
Problems with PAM and PermitRootLogin without-password
...;pam'
Postponed keyboard-interactive for root from x.x.x.x port 2319 ssh2
Postponed keyboard-interactive/pam for root from x.x.x.x port 2319 ssh2
Accepted keyboard-interactive/pam for root from x.x.x.x port 2319 ssh2
Accepted keyboard-interactive/pam for root from x.x.x.x port 2319 ssh2
debug1: monitor_child_preauth: root has been authenticated by privileged
process
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 65536 max
16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: i...
2012 Sep 30
2
User can't use SFTP after chroot
...debug1: Exit status 1
Couldn't read packet: Connection reset by peer
------
And if I change LogLevel to DEBUG2, I get this in /var/log/auth.log:
------
Oct 1 00:28:27 163-73-23 sshd[17728]: Accepted password for sam from
127.0.0.1 port 36128 ssh2
Oct 1 00:28:27 163-73-23 sshd[17728]: debug1: monitor_child_preauth:
sam has been authenticated by privileged process
Oct 1 00:28:27 163-73-23 sshd[17728]: debug2: mac_setup: found hmac-md5
Oct 1 00:28:27 163-73-23 sshd[17728]: debug2: mac_setup: found hmac-md5
Oct 1 00:28:27 163-73-23 sshd[17731]: debug1: SELinux support disabled
Oct 1 00:28:27 163-73-23 sshd[...
2002 Jun 26
4
[Bug 298] sshd fails to set user context, preventing all logins, also setgroups is failing
http://bugzilla.mindrot.org/show_bug.cgi?id=298
------- Additional Comments From sshbugs at wayne47.com 2002-06-26 11:05 -------
Problem appears to be that setusercontext is being called after a chroot.
2003 Mar 26
0
Password expiry in auth-krb5.c
...70
#1 0x274d8 in auth_password (authctxt=0x8e148, password=0x90250 "XXXXXXXX") at auth-passwd.c:140
#2 0x380fc in mm_answer_authpassword (socket=9, m=0xffbeef28) at monitor.c:608
#3 0x376c4 in monitor_read (pmonitor=0x8bec0, ent=0x84150, pent=0xffbeefbc) at monitor.c:371
#4 0x37244 in monitor_child_preauth (pmonitor=0x8bec0) at monitor.c:280
#5 0x1aaac in privsep_preauth () at sshd.c:603
#6 0x1d45c in main (ac=3, av=0xffbefaac) at sshd.c:1497
At first, I simply tried to add the stock Kerberos prompter to
krb5_get_init_creds_password:
problem = krb5_get_init_creds_password(authctxt->krb5_ctx...
2004 Jun 22
2
patch: openssh empty password fail with pam/sshv1
Hi,
We've encountered a bug with OpenSSH 3.8.1p1 on Linux. With an account
that has an empty password and with PAM and Privilege Separation turned
on through the SSH1 protocol, the login fails with:
fatal: mm_request_receive_expect: read: rtype 24 != type 46
I believe the problem is a missing do_pam_account() call. The patch below
to auth1.c fixes the problem. If this is correct, can
2008 Jul 12
2
[Bug 1487] New: Race condition between monitor and unprivileged child in sshd
...Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: godji at 300penguins.org
In the v2 protocol, after a connection, the accepting process forks in
privsep_preauth(). The parent executes monitor_child_preauth() to allow
certain privsep requests necessary for authentication. The unprivileged
child runs do_ssh2_kex() followed by do_authentication2().
If KEX is fast enough, do_authentication2() runs before the monitor has
a chance to permit the necessary requests (MONITOR_REQ_PWNAM in
particular), and th...
2002 Jun 26
5
[PATCH] improved chroot handling
...then remove the directory */
+ if (read(pmonitor->m_recvfd, &status, 1) < 0)
+ fatal("read(): %s", strerror(errno));
+ if (rmdir(emptydir) < 0)
+ fatal("rmdir(\"%s\"): %s", emptydir, strerror(errno));
+
close(pmonitor->m_recvfd);
authctxt = monitor_child_preauth(pmonitor);
close(pmonitor->m_sendfd);
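Review bot: the added check read(pmonitor->m_recvfd, &status, 1) < 0 only catches an error return, so a return of 0 (the other end closed without writing its byte) falls through to rmdir(emptydir) as if the child had signalled that its chdir() was done. Comparing the result against 1 instead, i.e. if (read(pmonitor->m_recvfd, &status, 1) != 1), would treat that case as fatal too, and retrying on EINTR would keep an interrupted read from killing the monitor.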
@@ -591,6 +606,10 @@
} else {
/* child */
+ if (chdir(emptydir) == -1)
+ fatal("chdir(\"%s\"): %s", emptydir, strerror(errno));
+ if (write(pmonitor->m_sendfd, &status, 1) < 0)
+ fatal("write(): %s", st...
2024 May 12
5
[Bug 3690] New: sshd: root [priv] process sleeping leads to unprivileged child proc zombie
...file, the `grace_alarm_handler()` signal handling
function calls `sigdie()`, which in turn calls `sshsigdie()`, and
within this call, functions such as `shlogv()`, `do_log()`,
`{openlog(), syslog(), closelog()}` are invoked. Similarly, within the
main thread, the `privsep_preauth()` function calls
`monitor_child_preauth()`, which then calls `auth_log()`, and this also
results in calls to `{openlog(), syslog(), closelog()}`.
Since these functions are not async-signal-safe and they utilize a
global lock named `syslog_lock`, this can lead to a recursive deadlock
(AA lock). As a result, the pre-authentication process...
2025 Apr 30
3
[Bug 3819] New: safe_path may pass overlapping source and destination pointers on some systems
..._allowed2
(auth2-pubkey.c:638)
sshd[22181]: ==22181== by 0x13783A: user_key_allowed
(auth2-pubkey.c:839)
sshd[22181]: ==22181== by 0x13B544: mm_answer_keyallowed
(monitor.c:1339)
sshd[22181]: ==22181== by 0x13D66D: monitor_read (monitor.c:550)
sshd[22181]: ==22181== by 0x140B95: monitor_child_preauth
(monitor.c:319)
sshd[22181]: ==22181== by 0x118620: privsep_preauth
(sshd-session.c:367)
sshd[22181]: ==22181== by 0x118620: main (sshd-session.c:1320)
OpenBSD's dirname(3) is documented as returning a pointer into internal
static storage (https://man.openbsd.org/dirname.3), but glib...
2003 Mar 19
1
cvs version / testing
Hello,
I pulled the latest from cvs today and ran several tests
and added more options to the CFLAGS in the Makefile. To
start with, I ran valgrind against sshd & it comes up with
this:
==24959== 112 bytes in 1 blocks are definitely lost in loss
record 297 of 310
==24959== at 0x40164650: malloc (vg_clientfuncs.c:100)
==24959== by 0x807A0D1: compat_init_setproctitle
(setproctitle.c:236)
2002 Aug 12
1
PermitRootLogin=forced-commands-only does not work with UsePrivilegeSeparation=yes
...oot login accepted for forced command.
(*) debug2: userauth_pubkey: authenticated 1 pkalg ssh-dss
ROOT LOGIN REFUSED FROM xx.xx.xx.xx
Failed publickey for root from xx.xx.xx.xx port 1094 ssh2
debug2: pam_acct_mgmt() = 0
Accepted publickey for root from xx.xx.xx.xx port 1094 ssh2
debug1: monitor_child_preauth: root has been authenticated by privileged process
debug3: mm_get_keystate: Waiting for new keys
debug3: mm_request_receive_expect entering: type 24
debug3: mm_request_receive entering
debug1: userauth-request for user root service ssh-connection method password
debug1: attempt 3 failures...
2004 Aug 17
2
SSHD Bug with Pam/Winbind on FreeBSD ver5.2
...userauth-request for user user service ssh-connection method
password
debug1: attempt 1 failures 1
debug1: PAM Password authentication accepted for user "user"
Accepted password for user from 192.168.1.21 port 3948 ssh2
Accepted password for user from 192.168.1.21 port 3948 ssh2
debug1: monitor_child_preauth: user has been authenticated by privileged
process
debug1: Entering interactive session for SSH2.
To reproduce:
Build openssh with --with-pam option
Install samba
Your smb.conf should be running in:
security = domain
And your /etc/pam.d/sshd should look like this:
# auth
auth suffi...
2005 Mar 16
1
openssh-3.8.1p1, with pthreads enabled, hung in pthread_join.
...enSSH/openssh/atomicio.c:45
#10 0x00020744 in mm_request_receive (socket=6, m=0xbfffefc0) at
/tmp/OpenSSH.roots/OpenSSH/openssh/monitor_wrap.c:110
#11 0x0001c290 in monitor_read (pmonitor=0x403540, ent=0x633c4,
pent=0xbffff030) at /tmp/OpenSSH.roots/OpenSSH/openssh/monitor.c:446
#12 0x0001bda8 in monitor_child_preauth (_authctxt=0x4034e0,
pmonitor=0x403540) at /tmp/OpenSSH.roots/OpenSSH/openssh/monitor.c:343
#13 0x000039dc in privsep_preauth (authctxt=0x4034e0) at
/tmp/OpenSSH.roots/OpenSSH/openssh/sshd.c:607
#14 0x000061c0 in main (ac=3, av=0x400f10) at
/tmp/OpenSSH.roots/OpenSSH/openssh/sshd.c:1544
(gdb) in...
2016 Sep 15
3
[Bug 2615] New: LoginGraceTime bypass (DoS)
...6 () + 1e
00007ff5c3622d4a __open () + 1a
00007ff5c363dbee open () + 12e
000000000045a20d auth_openfile () + 3d
0000000000465ccc user_key_allowed () + 3fc
000000000046999b mm_answer_keyallowed () + 45b
000000000046bf08 monitor_read () + 118
000000000046c2f8 monitor_child_preauth () + 308
000000000044cba0 main () + 1eb0
00000000004492d3 _start () + 43
NFS blocks most signals for the duration of the over-the-wire call,
including SIGALRM. The alarm implementing login_grace_time was queued,
but never delivered to the process. As a result, sshd process stayed
unaut...