Your message dated Wed, 01 Aug 2018 17:50:32 +0200
with message-id <1714888.9ysFh9GC0X@c07060>
and subject line Re: Bug#905227: Acknowledgement (openssh-server: SSH
AuthorizedKeysCommand hangs when output is too large)
has caused the Debian Bug report #905227,
regarding openssh-server: SSH AuthorizedKeysCommand hangs when output is too
large
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
905227: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905227
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openssh-server
Version: 1:7.4p1-10+deb9u3
Severity: important
Tags: patch upstream
Dear Maintainer,
when sshd's AuthorizedKeysCommand outputs a lot of keys and the match is close
to the beginning of the output, sshd will deadlock. Upstream has a patch ready
to fix this issue, which would need to be backported to OpenSSH 7.4 as used by
Debian 9.
Patch:
https://github.com/openssh/openssh-portable/commit/ddd3d34e5c7979ca6f4a3a98a7d219a4ed3d98c2
See-Also: https://bugzilla.mindrot.org/show_bug.cgi?id=2655
See-Also: https://bugzilla.redhat.com/show_bug.cgi?id=1496467
-- System Information:
Debian Release: 9.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-6-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages openssh-server depends on:
ii adduser 3.115
ii debconf [debconf-2.0] 1.5.61
ii dpkg 1.18.25
ii init-system-helpers 1.48
ii libaudit1 1:2.6.7-2
ii libc6 2.24-11+deb9u3
ii libcomerr2 1.43.4-2
ii libgssapi-krb5-2 1.15-1+deb9u1
ii libkrb5-3 1.15-1+deb9u1
ii libpam-modules 1.1.8-3.6
ii libpam-runtime 1.1.8-3.6
ii libpam0g 1.1.8-3.6
ii libselinux1 2.6-3+b3
ii libssl1.0.2 1.0.2l-2+deb9u3
ii libsystemd0 232-25+deb9u4
ii libwrap0 7.6.q-26
ii lsb-base 9.20161125
ii openssh-client 1:7.4p1-10+deb9u3
ii openssh-sftp-server 1:7.4p1-10+deb9u3
ii procps 2:3.3.12-3+deb9u1
ii ucf 3.0036
ii zlib1g 1:1.2.8.dfsg-5
Versions of packages openssh-server recommends:
ii libpam-systemd 232-25+deb9u4
ii ncurses-term 6.0+20161126-1+deb9u2
ii xauth 1:1.0.9-1+b2
Versions of packages openssh-server suggests:
pn molly-guard <none>
pn monkeysphere <none>
pn rssh <none>
pn ssh-askpass <none>
pn ufw <none>
-- debconf information:
openssh-server/permit-root-login: true
From ddd3d34e5c7979ca6f4a3a98a7d219a4ed3d98c2 Mon Sep 17 00:00:00 2001
From: "[email protected]" <[email protected]>
Date: Fri, 30 Dec 2016 22:08:02 +0000
Subject: [PATCH] upstream commit
fix deadlock when keys/principals command produces a lot of
output and a key is matched early; bz#2655, patch from jboning AT gmail.com
Upstream-ID: e19456429bf99087ea994432c16d00a642060afe
---
auth2-pubkey.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 20f3309e1..70c021589 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.60 2016/11/30 02:57:40 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.61 2016/12/30 22:08:02 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -727,6 +727,9 @@ match_principals_command(struct passwd *user_pw, const
struct sshkey *key)
ok = process_principals(f, NULL, pw, cert);
+ fclose(f);
+ f = NULL;
+
if (exited_cleanly(pid, "AuthorizedPrincipalsCommand", command) != 0)
goto out;
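Review bot: the fclose(f) added after process_principals() in match_principals_command() has no comment saying why it must come before exited_cleanly(). The commit message ties the ordering to a deadlock when the command produces a lot of output, but nothing in the code records that, so a later cleanup could move the close back to the exit path. Suggest a one-line comment above fclose(f) stating that the stream is closed first so that a command which is still writing cannot block while sshd waits for it. The code at the out: label is outside the visible context; please confirm it tolerates f == NULL now that f is cleared here.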
@@ -1050,6 +1053,9 @@ user_key_command_allowed2(struct passwd *user_pw, Key
*key)
ok = check_authkeys_file(f, options.authorized_keys_command, key, pw);
+ fclose(f);
+ f = NULL;
+
if (exited_cleanly(pid, "AuthorizedKeysCommand", command) != 0)
goto out;
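Review bot: the exited_cleanly() check that follows the new fclose(f) in user_key_command_allowed2() may now see an abnormal exit caused by the close itself, because a command that is still writing when its reader goes away gets a write error or SIGPIPE. Any non-zero result takes the goto out path, so please check that a match already recorded in ok is not discarded there; if it is, either handle that case explicitly or document for AuthorizedKeysCommand authors that the command must exit cleanly when its output is cut short. The same three added lines appear in match_principals_command(), so the same question applies to AuthorizedPrincipalsCommand.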
--- End Message ---
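The deadlock described in the report above, reproduced with a plain pipe as an added example (not code from OpenSSH or from the bug report): the parent reads only the start of the child's output and then waits for it. `noisy_child`, `child_finishes` and the sample key line are constructed for illustration, and the wait is bounded to about one second so the blocked case returns instead of hanging.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Constructed stand-in for a keys command that prints far more than a pipe holds. */
static void noisy_child(int wfd)
{
	static const char line[] = "ssh-ed25519 AAAA-constructed-sample-key user@example\n";
	for (int i = 0; i < 100000; i++)             /* about 5 MB in total */
		if (write(wfd, line, sizeof(line) - 1) < 0)
			_exit(1);                    /* EPIPE when SIGPIPE is ignored */
	_exit(0);
}

/* 1: child ended within ~1 s of the parent starting to wait; 0: still blocked; -1: error. */
int child_finishes(int close_before_wait)
{
	int p[2], status, done = 0;
	char first[128];
	struct timespec tick = { 0, 10 * 1000 * 1000 };  /* 10 ms */
	pid_t pid;
	ssize_t n;
	if (pipe(p) != 0 || (pid = fork()) < 0)
		return -1;
	if (pid == 0) {
		close(p[0]);
		noisy_child(p[1]);
	}
	close(p[1]);
	n = read(p[0], first, sizeof(first));        /* "match" early, then stop reading */
	if (n <= 0 || close_before_wait) {           /* close-then-wait, the patch's order */
		close(p[0]);
		p[0] = -1;
	}
	for (int i = 0; i < 100 && !done; i++)       /* bounded stand-in for a blocking wait */
		if (!(done = (waitpid(pid, &status, WNOHANG) == pid)))
			nanosleep(&tick, NULL);
	if (p[0] >= 0)
		close(p[0]);                         /* unblock the writer so it can be reaped */
	if (!done)
		waitpid(pid, &status, 0);
	return n <= 0 ? -1 : done;
}

int main(void)
{
	printf("wait with pipe open: %d\n", child_finishes(0));
	printf("close, then wait:    %d\n", child_finishes(1));
}
```

With the read end left open the child stays blocked in `write()` on a full pipe while the parent waits; closing the read end first lets the child terminate so the wait returns.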
--- Begin Message ---
Duplicate of bug #905228
--- End Message ---