https://bugzilla.mindrot.org/show_bug.cgi?id=3976

            Bug ID: 3976
           Summary: sshd 9.8+ does not record utmp/wtmp/lastlog for
                    interactive sessions on DISABLE_FD_PASSING   platforms
                    (regression)
           Product: Portable OpenSSH
           Version: 10.3p1
          Hardware: amd64
                OS: Cygwin on NT/2k/Win7-11
            Status: NEW
          Severity: major
          Priority: P5
         Component: sshd
          Assignee: [email protected]
          Reporter: [email protected]

On any build with DISABLE_FD_PASSING (Cygwin, SCO OpenServer 5, QNX6,
Tru64+SIA,
  or --disable-fd-passing), an interactive pty login is never written
to
  utmp/wtmp/lastlog. `who`, `w`, `who am i`, and `last` do not show the
session.
  Non-interactive sessions are unaffected. This is a regression
introduced in 9.8
  (the sshd-session split).

  REPRODUCE (easiest on Cygwin, from a pristine upstream tarball,
isolated prefix):

    ./configure --prefix=/tmp/o103 --sysconfdir=/tmp/o103/etc
    make && make install
    /tmp/o103/bin/ssh-keygen -t ed25519 -f
/tmp/o103/etc/ssh_host_ed25519_key -N ''
    printf 'Port 2222\nHostKey /tmp/o103/etc/ssh_host_ed25519_key\n' \
        >> /tmp/o103/etc/sshd_config
    /tmp/o103/sbin/sshd -ddd -e -f /tmp/o103/etc/sshd_config
    # from another terminal:
    ssh -p 2222 localhost
    who am i        # prints nothing (should show your login line)
    who             # your pty is absent

  CONTROLLED EXPERIMENT (isolates the regression to the version):
  On a single Cygwin host, the distro's 9.4p1 service records
interactive logins
  correctly, but a pristine upstream 10.3p1 build on the SAME machine
does not: the
  new session's pty is absent from `who` and `who am i` is empty, while
the
  9.4p1-recorded sessions remain listed in the same `who` output. Only
the OpenSSH
  version differs. Independently reproduced on SCO OpenServer 5
(10.3p1).

  ROOT CAUSE (line numbers are stock openssh-10.3p1):
  The only reachable caller of record_login() in a running server is
the privsep
  monitor's mm_answer_pty() (monitor.c:1693) -> mm_record_login()
(monitor.c:1657)
  -> record_login() (monitor.c:1676). mm_answer_pty() runs only when
the session
  child requests the pty from the monitor (MONITOR_REQ_PTY) via
mm_pty_allocate().
  But on DISABLE_FD_PASSING builds that call is compiled out:

      /* session.c:109-111 */
      #ifdef DISABLE_FD_PASSING
      #define mm_pty_allocate pty_allocate
      #endif

  so the session child allocates its pty locally (session.c:1884) and
never sends
  MONITOR_REQ_PTY. mm_answer_pty() therefore never runs and
record_login() is never
  called. Nothing else records the login (login_login()/login_write()
are reached
  only via record_login()).

  WHY 9.8: the matching hack in privsep_postauth()
(sshd-session.c:377-387) retains
  root on this path "so it can allocate PTYs directly", and its comment
notes this
  is "equivalent to what we did <= 9.7, which was to disable post-auth
privsep
  entirely." Re-enabling split post-auth privsep for DISABLE_FD_PASSING
platforms in
  9.8 moved pty allocation out of the monitor, and utmp recording --
which lives
  only in the monitor's pty handler -- was left behind.

  SUGGESTED FIX: on the DISABLE_FD_PASSING path (where the child
allocates the pty),
  also record login/logout from the session process. Minimal change in
session.c,
  ideally guarded by #ifdef DISABLE_FD_PASSING:
    1. do_login(): call record_login() for the session's pid/tty before
       check_quietlogin() (needs `extern u_int utmp_len;`, defined in
       sshd-session.c);
    2. session_pty_cleanup(): call record_logout();
    3. the post-auth cleanup guarded by `if (mm_is_monitor())` around
       session_destroy_all(): run it for the session process on this
path too.

  A tested patch (running in production on SCO OpenServer 5.0.7,
verified to restore
  who/w/who am i/last) available on request

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
[email protected]
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

Reply via email to