Subject: bin/15585: sshd crashes in Kerberos5 library under given conditions
To: None <email@example.com>
From: None <firstname.lastname@example.org>
Date: 02/12/2002 00:47:16
>Synopsis: sshd crashes in Kerberos5 library under given conditions
>Arrival-Date: Mon Feb 11 15:48:00 PST 2002
>Originator: Havard Eidnes
>Release: NetBSD-1.5.3_ALPHA from Feb 10 2002
System: NetBSD server.nordu.net 1.5.3_ALPHA NetBSD 1.5.3_ALPHA (SERVER) #3: Sun Feb 10 15:09:34 MET 2002 email@example.com:/usr/src/sys/arch/i386/compile/SERVER i386
sshd crashes under given conditions:
1) server was previously running 1.4.3A, and was configured
for using KerberisIV -- /etc/krb.conf exists and worked
with previous software. OS was recently upgraded.
2) user trying to connect using ssh protocol version 2
3) user is not in the Kerberos database, but exists as a local
4) user has to use password authentication to log in
Under those conditions, sshd will close the connection after
accepting the password. A debug run on the client ends in
debug: next auth method to try is password
Connection closed by 220.127.116.11
debug: Calling cleanup 0x8057764(0x0)
while a debug run of the server ends in
debug1: userauth-request for user he service ssh-connection method none
debug1: attempt 0 failures 0
Failed none for he from 18.104.22.168 port 63222 ssh2
debug1: userauth-request for user he service ssh-connection method password
debug1: attempt 1 failures 1
debug1: temporarily_use_uid: 1612/300 (e=0)
Compiled sshd with debug info, and got the following
Program received signal SIGSEGV, Segmentation fault.
0x480a889c in krb5_get_err_text (context=0x0, code=6)
283 const char *p = com_right(context->et_list, code);
#0 0x480a889c in krb5_get_err_text (context=0x0, code=6)
#1 0x8058a7d in auth_krb5_password (authctxt=0x808b480,
#2 0x804ef58 in auth_password (authctxt=0x808b480,
#3 0x80541f9 in userauth_passwd (authctxt=0x808b480)
#4 0x8053f52 in input_userauth_request (type=50, plen=73, ctxt=0x808b480)
#5 0x805d2c7 in dispatch_run (mode=0, done=0x808b480, ctxt=0x808b480)
#6 0x8053c63 in do_authentication2 ()
#7 0x804e225 in main (ac=4, av=0xbfbfd6b4)
#8 0x804c689 in ___start ()
Gee, I guess context is null, and it tried to deref it.
It turns out that krb5_init() is failing with error code 6 (as
shown above; /etc/krb5.conf does not exist).
However, how this all works on my other non-Kerberos-using
hosts remains a deep mystery to me; even after renaming
/etc/krb.conf out of the way and removing any DNS remnants
pointing in the direction of Kerberos-IV, I still get the
crash on this one system, but not on any of my other
For now I've worked around this by setting
KerberosAuthentication to "no" in /etc/sshd.conf, but
obviously that's not the desired long-term solution.
The robustness of this code against what appears to be a pilot
error could stand some improvement.
It would seem that openssh's auth_krb5_password() can't do
"goto out" and there use krb5_get_err_text() if krb5_init()
fails, as the Kerberos5 context will then be uninitialized.
However, the Kerberos5 library could possibly also have some
improved robustness against these sort of errors (?).