bin/51070: sshd leaks a file descriptor to authorized_keys

To: gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: bin/51070: sshd leaks a file descriptor to authorized_keys
From: stix%stix.id.au@localhost
Date: Fri, 15 Apr 2016 07:30:00 +0000 (UTC)

>Number:         51070
>Category:       bin
>Synopsis:       sshd leaks a file descriptor to authorized_keys
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Apr 15 07:30:00 +0000 2016
>Originator:     Paul Ripke
>Release:        NetBSD current, 2016-04-15
>Organization:
>Environment:
>Description:

During login, the forked sshd opens .ssh/authorized_keys for the user
and re-opens unnecessarily without closing.

>How-To-Repeat:

slave:ksh$ fstat .ssh/authorized_keys 
USER     CMD          PID   FD MOUNT       INUM MODE         SZ|DV R/W NAME
stix     sshd       26541    8 /home    59278094 -rw-r--r--    3774 r   .ssh/authorized_keys
stix     sshd       26541    9 /home    59278094 -rw-r--r--    3774 r   .ssh/authorized_keys
root     sshd       20713    8 /home    59278094 -rw-r--r--    3774 r   .ssh/authorized_keys
root     sshd       20713    9 /home    59278094 -rw-r--r--    3774 r   .ssh/authorized_keys
slave:ksh$ ps alx | egrep '(26541|20713)'
    0 20713 21589    0  85  0  81180   6076 select  Is   ?         0:00.02 sshd: stix [pri
20008 26541 20713    0  85  0  81184   4600 select  S    ?         0:00.01 sshd: stix@pts/
20008  3530 29162    0  85  0  11020   1224 pipe_rd O+   pts/12    0:00.00 egrep (26541|20
20008 29162 26541    0  85  0   9052   1524 pause   Ss   pts/12    0:00.01 -ksh 

>Fix:

The following patch works for me - patch is against current, and I've tested
it on netbsd-7. afaict, it also more or less matches upstream openssh.

Index: auth2-pubkey.c
===================================================================
RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth2-pubkey.c,v
retrieving revision 1.14
diff -u -d -r1.14 auth2-pubkey.c
--- auth2-pubkey.c	11 Mar 2016 01:55:00 -0000	1.14
+++ auth2-pubkey.c	15 Apr 2016 06:19:50 -0000
@@ -806,13 +806,6 @@
 	    }
 	}
 #endif
-	debug("trying public key file %s", file);
-	f = auth_openkeyfile(file, pw, options.strict_modes);
-
-	if (!f) {
-		restore_uid();
-		return 0;
-	}
 
 	found_key = 0;

Prev by Date: NetBSD Nightly Trouble Ticket Report
Next by Date: PR/50344 CVS commit: [netbsd-7] src/usr.sbin/makemandb
Previous by Thread: Re: bin/15174: gdb "kill" command does not free sockets
Next by Thread: PR/50344 CVS commit: [netbsd-7] src/usr.sbin/makemandb
Indexes:

Home | Main Index | Thread Index | Old Index