Bug#422687: libkrb53 1.6.dfsg.1-2 causes crash in SSH

2007-05-08 Thread Jon DeVree
Well I've linked it to having KerberosAuthentication enabled in openssh,
but the crashes do show up in other locations. Since it was working
Friday and not Monday and I haven't touched the configuration I'd assume
a package upgrade broke it. I'm not sure which package to really place
the blame on but libkrb53 was updated and openssh-server wasn't.

While I linked it to the KerberosAuthentication option, it does break
accounts that are just locally in /etc/passwd too. Lucky for me public
key auth and gssapi auth still work.

Various deaths that I've recorded now:
0xb7da7930 in _tr_flush_block () from /usr/lib/libz.so.1
0xb7d9d930 in ?? () from /lib/libcrypt.so.1
0xb7cda930 in krb5_realm_iterator_create (context=0x80b5300, iter_p=0x0)
0xb7d2f930 in ?? () from /usr/lib/libgssapi_krb5.so.2

I'll force a downgrade of libkrb5 on one of my machines and see if that
fixes it. Attached is the full log of sshd crashing and my sshd_config.
-- 
Jon
All things change in a dynamic environment.
Your effort to remain what you are is what limits you.
- The Puppet Master

debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 842
debug2: parse_server_config: config /etc/ssh/sshd_config len 842
debug1: sshd version OpenSSH_4.3p2 Debian-10
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
debug3: fd 4 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 7 config len 842
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug1: inetd sockets after dupping: 3, 3
debug3: Normalising mapped IPv4 in IPv6 address
Connection from 10.222.173.2 port 40536
debug1: Client protocol version 2.0; client software version OpenSSH_4.3p2 Debian-10
debug1: match: OpenSSH_4.3p2 Debian-10 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3p2 Debian-10
debug2: fd 3 setting O_NONBLOCK
debug3: privsep user:group 100:65534
debug1: permanently_set_uid: 100/65534
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[EMAIL PROTECTED]
debug2: kex_parse_kexinit: none,[EMAIL PROTECTED]
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[EMAIL PROTECTED],zlib
debug2: kex_parse_kexinit: none,[EMAIL PROTECTED],zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_init: found hmac-md5
debug1: kex: client-server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server-client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug3: mm_request_send entering: type 0
debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
debug3: 

Bug#422687: libkrb53 1.6.dfsg.1-2 causes crash in SSH

2007-05-08 Thread Jon DeVree
Downgrading libkrb53 1.6.dfsg.1-2 to 1.4.4-8 does fix the problem for
me.
-- 
Jon
All things change in a dynamic environment.
Your effort to remain what you are is what limits you.
- The Puppet Master


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#422687: libkrb53 1.6.dfsg.1-2 causes crash in SSH

2007-05-08 Thread Sam Hartman
thanks
Date: Tue, 08 May 2007 10:37:38 -0400
In-Reply-To: [EMAIL PROTECTED] (Jon DeVree's message of
Tue, 8 May 2007 03:20:41 -0400)


Ah.  I think I have an idea here.

First, I'd strongly recommend pam_krb5 instead of
KerberosAuthentication in sshd_config.

But I believe I can fix the problem you're seeing there too.


If you get a chance to try the following patch it would be
appreciated.  If you aren't sufficiently familiar building Debian
packages I'll try to upload this reasonably soon.


Index: src/include/k5-int.h
===
--- src/include/k5-int.h(revision 19537)
+++ src/include/k5-int.h(revision 19538)
@@ -1048,9 +1048,9 @@
 #define KRB5_GET_INIT_CREDS_OPT_SHADOWED 0x4000
 
 #define krb5_gic_opt_is_extended(s) \
-(((s)-flags  KRB5_GET_INIT_CREDS_OPT_EXTENDED) ? 1 : 0)
+((s)  ((s)-flags  KRB5_GET_INIT_CREDS_OPT_EXTENDED) ? 1 : 0)
 #define krb5_gic_opt_is_shadowed(s) \
-(((s)-flags  KRB5_GET_INIT_CREDS_OPT_SHADOWED) ? 1 : 0)
+((s)  ((s)-flags  KRB5_GET_INIT_CREDS_OPT_SHADOWED) ? 1 : 0)
 
 
 typedef struct _krb5_gic_opt_private {
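Review bot: in both macros the new (s) guard and the flags test sit side by side as the ternary condition with no enclosing parentheses of their own, so the grouping is left to operator precedence; wrapping the pair in one more set of parentheses would make the intended grouping explicit. The argument s is also now expanded twice in each macro, so callers must not pass an expression with side effects, and a one-line comment stating that a NULL options pointer counts as neither extended nor shadowed would document the new behaviour.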
Index: src/lib/krb5/krb/gic_opt.c
===
--- src/lib/krb5/krb/gic_opt.c  (revision 19537)
+++ src/lib/krb5/krb/gic_opt.c  (revision 19538)
@@ -206,8 +206,18 @@
 oe = krb5int_gic_opte_alloc(context);
 if (NULL == oe)
return ENOMEM;
-memcpy(oe, opt, sizeof(*opt));
-/* Fix these -- overwritten by the copy */
+
+if (opt)
+memcpy(oe, opt, sizeof(*opt));
+
+/*
+ * Fix the flags -- the EXTENDED flag would have been
+ * overwritten by the copy if there was one.  The
+ * SHADOWED flag is necessary to ensure that the
+ * krb5_gic_opt_ext structure that was allocated
+ * here will be freed by the library because the
+ * application is unaware of its existence.
+ */
 oe-flags |= ( KRB5_GET_INIT_CREDS_OPT_EXTENDED |
   KRB5_GET_INIT_CREDS_OPT_SHADOWED);
 

Property changes on: .
___
Name: svk:merge
   - 122d7f7f-0217-0410-a6d0-d37b9a318acc:/local/krb5/branches/krb5-1-6:20009
304ed8f4-7412-0410-a0db-8249d8f37659:/my-branches/kdb-config:339
dc483132-0cff-0310-8789-dd5450dbe970:/branches/ccapi:18199
dc483132-0cff-0310-8789-dd5450dbe970:/branches/referrals/trunk:18581
dc483132-0cff-0310-8789-dd5450dbe970:/trunk:18744
   + 122d7f7f-0217-0410-a6d0-d37b9a318acc:/local/krb5/branches/krb5-1-6:20016
304ed8f4-7412-0410-a0db-8249d8f37659:/my-branches/kdb-config:339
dc483132-0cff-0310-8789-dd5450dbe970:/branches/ccapi:18199
dc483132-0cff-0310-8789-dd5450dbe970:/branches/referrals/trunk:18581
dc483132-0cff-0310-8789-dd5450dbe970:/trunk:18744






Bug#422687: libkrb53 1.6.dfsg.1-2 causes crash in SSH

2007-05-08 Thread Jon DeVree
> First, I'd strongly recommend pam_krb5 instead of
> KerberosAuthentication in sshd_config.


Any reason in particular? This was all setup before I really knew what I
was doing and I never really went back and looked at how it was setup.

> But I believe I can fix the problem you're seeing there too.
>
> If you get a chance to try the following patch it would be
> appreciated.  If you aren't sufficiently familiar building Debian
> packages I'll try to upload this reasonably soon.

Yes the patch fixes it.
-- 
Jon
All things change in a dynamic environment.
Your effort to remain what you are is what limits you.
- The Puppet Master





Bug#422687: libkrb53 1.6.dfsg.1-2 causes crash in SSH

2007-05-08 Thread Russ Allbery
Jon DeVree [EMAIL PROTECTED] writes:

>> First, I'd strongly recommend pam_krb5 instead of
>> KerberosAuthentication in sshd_config.

> Any reason in particular? This was all setup before I really knew what I
> was doing and I never really went back and looked at how it was setup.

KerberosAuthentication tells sshd to internally check passwords with
Kerberos, but that code is specific to ssh and doesn't integrate with the
rest of the system login practice.  It's also likely that it won't handle
things like password aging properly.  I believe those options predated
widespread use of PAM with ssh.

Most of the testing and work for Kerberos login authentication goes into
the Kerberos PAM module, which has a ton of options for things that you
may need, handles password aging and changing (if you enable
ChallengeResponseAuthentication in ssh), integrates with the rest of the
PAM stack, and generally will make ssh logins work more like the other
authentication on the system.  It's not clear that the folks maintaining
ssh are paying close attention to changes to the Kerberos API, whereas I
promise to pay close attention to anything that changes the PAM module.
:)

The only time I'd use KerberosAuthentication in sshd is if I were running
it on a system that doesn't support PAM.

-- 
Russ Allbery ([EMAIL PROTECTED])   http://www.eyrie.org/~eagle/
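
An added example, not part of the thread or of any package mentioned in it: a small audit of the global section of an sshd_config for the arrangement recommended above (password checks through PAM instead of sshd's built-in KerberosAuthentication). The function names and sample files are hypothetical, the defaults are assumed to be the upstream OpenSSH ones, and the script does not check that pam_krb5 is actually present in the PAM stack.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.

# Print the effective global value of KEYWORD in an sshd_config file.
# sshd uses the first value it finds for a keyword and compares keywords
# case-insensitively; Match blocks are not evaluated here.
sshd_opt() {  # usage: sshd_opt FILE KEYWORD DEFAULT
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key); val = def }
        { sub(/^[ \t]+/, ""); n = split($0, f, /[ \t=]+/) }
        n == 0 || f[1] ~ /^#/ { next }
        tolower(f[1]) == "match" { exit }
        tolower(f[1]) == key { val = tolower(f[2]); gsub(/"/, "", val); exit }
        END { print val }
    ' "$1"
}

# Report whether password logins are checked by sshd's own Kerberos code
# or handed to the PAM stack (where pam_krb5 would live).
# Defaults below are assumed to be the upstream OpenSSH defaults.
audit_sshd_krb() {  # usage: audit_sshd_krb FILE; returns 1 on a finding
    krb=$(sshd_opt "$1" KerberosAuthentication no)
    pam=$(sshd_opt "$1" UsePAM no)
    cra=$(sshd_opt "$1" ChallengeResponseAuthentication yes)
    if [ "$krb" = yes ]; then
        echo "FINDING: KerberosAuthentication yes (sshd checks passwords itself)"
        return 1
    elif [ "$pam" != yes ]; then
        echo "FINDING: UsePAM is not yes, so pam_krb5 is never consulted"
        return 1
    elif [ "$cra" != yes ]; then
        echo "NOTE: PAM in use, but ChallengeResponseAuthentication is off"
        return 0
    fi
    echo "OK: password logins go through the PAM stack"
}

# Constructed samples: one with the built-in option enabled, one using PAM.
# The duplicate keyword at the end of "after" is ignored, as sshd would.
demo_dir=$(mktemp -d)
printf '%s\n' '# constructed sample' 'kerberosauthentication yes' \
    'UsePAM yes' > "$demo_dir/before"
printf '%s\n' 'KerberosAuthentication no' 'UsePAM yes' \
    'ChallengeResponseAuthentication yes' \
    'KerberosAuthentication yes' > "$demo_dir/after"
audit_sshd_krb "$demo_dir/before" || true
audit_sshd_krb "$demo_dir/after"
```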





Bug#422687: libkrb53 1.6.dfsg.1-2 causes crash in SSH

2007-05-07 Thread Jon DeVree
Package: libkrb53
Version: 1.6.dfsg.1-2
Severity: normal


The latest update to libkrb53 causes SSH to crash when it tries to let
me login with a password. When I run SSH under GDB with libkrb5-dbg I
get:

Program received signal SIGSEGV, Segmentation fault.
0xb7d48930 in krb5_gss_accept_sec_context (minor_status=0x80b5330,
context_handle=0x0, verifier_cred_handle=0xbffe98dc,
input_token=0x1,
input_chan_bindings=0xb7d766e0, src_name=0x0, mech_type=0xbffe98f4,
output_token=0xbffe90c6, ret_flags=0x2b, time_rec=0x8087a98,
delegated_cred_handle=0x8087a94)
at ../../../../src/lib/gssapi/krb5/accept_sec_context.c:314
314 ../../../../src/lib/gssapi/krb5/accept_sec_context.c: No such
file or directory.
in ../../../../src/lib/gssapi/krb5/accept_sec_context.c

I'm not sure whether this is the fault of openssh or krb5, but libkrb5
just got updated and openssh didn't.


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.17.6
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libkrb53 depends on:
ii  libc6    2.5-5                           GNU C Library: Shared libraries
ii  libcomer 1.39+1.40-WIP-2006.11.14+dfsg-2 common error description library
ii  libkeyut 1.2-3                           Linux Key Management Utilities (li

libkrb53 recommends no packages.

-- no debconf information





Bug#422687: libkrb53 1.6.dfsg.1-2 causes crash in SSH

2007-05-07 Thread Sam Hartman
tags 422687 help
thanks


This is most strange.  The input_token to that call should be a
pointer, not 0x1.


I definitely cannot reproduce the problem you are seeing either using
password auth, kerberos auth or a combination.

I've tried both on amd64 and i386.


Can I get you to try running sshd -d -d -d
and including that log output  in the bug?

