
Bug#905226: Acknowledgement (openssh-server: SSH AuthorizedKeysCommand hangs when output is too large)
On Mon, Aug 06, 2018 at 12:04:46PM +0200, Dennis Schridde wrote:
> I confirm that the patch [1] to the upstream bug report [2] solves the issue
> for us.

JFTR, we've also run into this at work at the Wikimedia Foundation's Phabricator
installation (https://phabricator.wikimedia.org/T224677) and can confirm
that the attached patch fixes it.

Colin, from my PoV this seems suitable for an update shipped in
a Stretch point release. I'd be happy to take care of an upload and
interacting with SRMs if you agree.

Cheers,
        Moritz

diff -Naur openssh-7.4p1.orig/debian/patches/fix-deadlock-in-keys-principals-command.patch openssh-7.4p1/debian/patches/fix-deadlock-in-keys-principals-command.patch
--- openssh-7.4p1.orig/debian/patches/fix-deadlock-in-keys-principals-command.patch	1970-01-01 01:00:00.000000000 +0100
+++ openssh-7.4p1/debian/patches/fix-deadlock-in-keys-principals-command.patch	2019-06-25 11:04:11.723638028 +0200
@@ -0,0 +1,37 @@
+From ddd3d34e5c7979ca6f4a3a98a7d219a4ed3d98c2 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 30 Dec 2016 22:08:02 +0000
+Subject: [PATCH] upstream commit
+
+fix deadlock when keys/principals command produces a lot of
+output and a key is matched early; bz#2655, patch from jboning AT gmail.com
+
+Upstream-ID: e19456429bf99087ea994432c16d00a642060afe
+---
+ auth2-pubkey.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/auth2-pubkey.c b/auth2-pubkey.c
+index 20f3309e1..70c021589 100644
+--- a/auth2-pubkey.c
++++ b/auth2-pubkey.c
+@@ -727,6 +727,9 @@ match_principals_command(struct passwd *user_pw, const struct sshkey *key)
+ 
+ 	ok = process_principals(f, NULL, pw, cert);
+ 
++	fclose(f);
++	f = NULL;
++
+ 	if (exited_cleanly(pid, "AuthorizedPrincipalsCommand", command) != 0)
+ 		goto out;
+ 
+@@ -1050,6 +1053,9 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
+ 
+ 	ok = check_authkeys_file(f, options.authorized_keys_command, key, pw);
+ 
++	fclose(f);
++	f = NULL;
++
+ 	if (exited_cleanly(pid, "AuthorizedKeysCommand", command) != 0)
+ 		goto out;
+ 
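Review bot: the added `f = NULL;` after each `fclose(f);` (in both match_principals_command() and user_key_command_allowed2()) only does its job if the cleanup reached by `goto out` tests `f != NULL` before closing; that check is not visible in this hunk, so confirm it against the Debian 7.4p1 auth2-pubkey.c before uploading, otherwise the backport trades a deadlock for a double fclose. The ordering is the substance of the fix and is correct: the pipe from the child is closed before `exited_cleanly()` waits on it, so a command that still has unread output queued (the "a lot of output and a key is matched early" case from the commit message) fails its next write instead of blocking forever while sshd blocks in the wait. On a Debian point, the patch file carries only the git headers (From/Date/Subject/Upstream-ID); adding DEP-3 `Origin:` for upstream commit ddd3d34e5c7979ca6f4a3a98a7d219a4ed3d98c2 and `Bug-Debian:` for #905226 would make the provenance visible to whoever touches the series next.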
diff -Naur openssh-7.4p1.orig/debian/patches/series openssh-7.4p1/debian/patches/series
--- openssh-7.4p1.orig/debian/patches/series	2019-03-01 17:19:28.000000000 +0100
+++ openssh-7.4p1/debian/patches/series	2019-06-25 11:06:56.429841721 +0200
@@ -44,3 +44,4 @@
 have-progressmeter-force-update-at-beginning-and-end-transfer.patch
 check-filenames-in-scp-client.patch
 scp-handle-braces.patch
+fix-deadlock-in-keys-principals-command.patch
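Review bot: appending the entry after scp-handle-braces.patch means quilt applies it last, but the patch was generated against upstream git (index 20f3309e1..70c021589) rather than the Debian-patched tree, so its @@ -727 and @@ -1050 offsets may need fuzz after the preceding 46 patches are applied; a `quilt push -a` (or a full build) in the 7.4p1 source tree is worth running before the stretch upload to confirm it applies cleanly.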
