Hello,
there is a bug in auths-hostbased.c in SSH versions 2.2.0 and 2.3.0.
In the function ssh_server_auth_hostbased() we find the following
code:
  retry_with_global_dir:
  if (config->user_known_hosts && !retry)
    {
      char *user_ssh2_dir;
      user_ssh2_dir = ssh_userdir(uc, config, TRUE);
      candidate_len = strlen(user_ssh2_dir) +
                      strlen(SSH_KNOWNHOSTS_DIR) + 1 + /* '/' */
                      strlen(hostname) +
                      strlen(client_pubkey_alg) + strlen(".pub") + 1; /* that last one just to be sure */
We have two problems here:
1. ssh_userdir() does a stat() on "~/.ssh2" and, if this fails, a mkdir().
   If there is a problem it returns a NULL pointer. So
   strlen(user_ssh2_dir) leads to a SIGSEGV.
2. This code is executed with root permissions (bad idea IMHO!)
a) (non-NFS environment)
If a user logs in for the first time (before ever executing the client)
~user/.ssh2 is created with owner==root.
b) (NFS environment)
   Over NFS root is mapped to nobody. If the user's home dir is not
   world readable or no ~/.ssh2 exists, ssh_userdir() fails and returns
   a NULL pointer. Again: strlen(user_ssh2_dir) leads to a SIGSEGV.
On SSH 2.3.0 the SIGSEGV aborts the server.
On SSH 2.2.0 the signal handler turns the SIGSEGV into an endless loop
which consumes all available CPU time. :-((
A quick and dirty hack(tm) is to put:
  if (user_ssh2_dir == NULL) {
    user_ssh2_dir = ssh_user_conf_dir(config, uc);
  }
after the ssh_userdir() call. This is clearly not the right fix but works
in our environment.
Any help is greatly appreciated!
Greetings
Markus
--
Markus Germeier
[EMAIL PROTECTED]
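As an added illustration (not code from the report above or from the SSH 2.x source), here is a NULL-safe version of the path construction the report quotes: the per-user directory may be NULL exactly as ssh_userdir() returns it, and the code falls back to a global directory instead of calling strlen() on NULL. The constant names, the fallback directory and the file layout are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins; the real SSH 2.x values and file layout are not
 * given in the report, so these names and the path format are assumptions. */
#define SSH_KNOWNHOSTS_DIR "knownhosts"
#define GLOBAL_SSH2_DIR    "/etc/ssh2"

/* Builds the candidate known-hosts path with the same length arithmetic the
 * report quotes, but never calls strlen() on a NULL directory: a NULL user
 * directory (ssh_userdir() failure) falls back to the global directory, and
 * missing inputs yield NULL instead of a SIGSEGV. Caller frees the result. */
char *hostbased_candidate_path(const char *user_ssh2_dir,
                               const char *hostname,
                               const char *client_pubkey_alg)
{
    const char *base = user_ssh2_dir ? user_ssh2_dir : GLOBAL_SSH2_DIR;
    if (hostname == NULL || client_pubkey_alg == NULL)
        return NULL;
    size_t candidate_len = strlen(base) + 1 +                 /* '/' */
                           strlen(SSH_KNOWNHOSTS_DIR) + 1 +   /* '/' */
                           strlen(hostname) +
                           strlen(client_pubkey_alg) + strlen(".pub") + 1; /* NUL */
    char *path = malloc(candidate_len);
    if (path == NULL)
        return NULL;
    snprintf(path, candidate_len, "%s/%s/%s%s.pub",
             base, SSH_KNOWNHOSTS_DIR, hostname, client_pubkey_alg);
    return path;
}

int main(void)
{
    /* Constructed inputs: a usable per-user dir, then the NULL that
     * ssh_userdir() returns when ~/.ssh2 cannot be stat()ed or created. */
    const char *dirs[2] = { "/home/alice/.ssh2", NULL };
    for (int i = 0; i < 2; i++) {
        char *p = hostbased_candidate_path(dirs[i], "host.example", "ssh-dss");
        printf("%s\n", p ? p : "(no usable directory)");
        free(p);
    }
    return 0;
}
```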