[packages/openssh] ignore SIGPIPE from ldap-helper. ssh server does not read whole input if matching key is found

glen glen at pld-linux.org
Sat Nov 2 17:56:50 CET 2013 

commit c53de5e93a8593d64372af9cf17efabbc60f7ff6
Author: Elan Ruusamäe <glen at delfi.ee>
Date:   Sat Nov 2 18:53:42 2013 +0200

    ignore SIGPIPE from ldap-helper. ssh server does not read whole input if matching key is found

 ldap-helper-sigpipe.patch | 94 +++++++++++++++++++++++++++++++++++++++++++++++
 openssh.spec              |  2 +
 2 files changed, 96 insertions(+)
---
diff --git a/openssh.spec b/openssh.spec
index db01ccb..44e3b96 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -61,6 +61,7 @@ Patch4:		%{name}-ldap.patch
 Patch5:		%{name}-ldap-fixes.patch
 Patch8:		ldap.conf.patch
 Patch6:		%{name}-config.patch
+Patch7:		ldap-helper-sigpipe.patch
 
 # High Performance SSH/SCP - HPN-SSH - http://www.psc.edu/networking/projects/hpn-ssh/
 # http://www.psc.edu/networking/projects/hpn-ssh/openssh-5.2p1-hpn13v6.diff.gz
@@ -534,6 +535,7 @@ openldap-a.
 %patch5 -p1
 %patch8 -p1
 %patch6 -p1
+%patch7 -p1
 
 %{?with_hpn:%patch9 -p1}
 %patch10 -p1
diff --git a/ldap-helper-sigpipe.patch b/ldap-helper-sigpipe.patch
new file mode 100644
index 0000000..7c51100
--- /dev/null
+++ b/ldap-helper-sigpipe.patch
@@ -0,0 +1,94 @@
+ignore SIGPIPE from ldap-helper. ssh server does not read whole input if matching key is found
+
+with latest ldap patch from fedora openssh package repo
+(84822b5decc2ddd8415a3167b9ff9f0a368929a3), i encountered bug that if there are
+lots of keys for user and matching key is found near the beginning, the
+ssh-ldap-helper gets sigpipe because apparently sshd server does not read out
+whole output. and that killed by signal is propagated so that whole key auth
+fails.
+
+i'm not sure in which side the fixing should be made, should ldap-helper ignore
+SIGPIPE? should ssh authorizedkeyscommand always read up whole input?
+
+in my case user had only 51 keys outputing ~35k of text:
+# /usr/lib/openssh/ssh-ldap-helper -s git | wc
+     51     251   35685
+
+i think it's quite easy to reproduce:
+- print out matchin key early
+- produce more lines of output
+
+so, here's strace of ssh-ldap-helper being called from ssh-ldap-wrapper:
+
+execve("/usr/lib/openssh/ssh-ldap-helper", ["/usr/lib/openssh/ssh-ldap-helper", "-s", "git"], [/* 13 vars */]) = 0
+access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
+open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
+open("/usr/lib/libldap-2.4.so.2", O_RDONLY|O_CLOEXEC) = 3
+open("/usr/lib/liblber-2.4.so.2", O_RDONLY|O_CLOEXEC) = 3
+open("/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
+open("/usr/lib/libsasl2.so.3", O_RDONLY|O_CLOEXEC) = 3
+open("/lib/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3
+open("/lib/libssl.so.1.0.0", O_RDONLY|O_CLOEXEC) = 3
+open("/lib/libcrypto.so.1.0.0", O_RDONLY|O_CLOEXEC) = 3
+open("/lib/libcrypt.so.1", O_RDONLY|O_CLOEXEC) = 3
+open("/lib/libpam.so.0", O_RDONLY|O_CLOEXEC) = 3
+open("/lib/libaudit.so.1", O_RDONLY|O_CLOEXEC) = 3
+open("/lib/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
+open("/lib/libz.so.1", O_RDONLY|O_CLOEXEC) = 3
+open("/lib/libfreebl3.so", O_RDONLY|O_CLOEXEC) = 3
+open("/dev/null", O_RDWR|O_LARGEFILE)   = 4
+open("/etc/ldap.conf", O_RDONLY|O_LARGEFILE) = 4
+open("/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 4
+open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 4
+open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 4
+open("/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 4
+open("/etc/host.conf", O_RDONLY|O_CLOEXEC) = 4
+open("/etc/hosts", O_RDONLY|O_CLOEXEC)  = 4
+open("/etc/openldap/ldap.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
+open("/tmp/ldaprc", O_RDONLY)           = -1 ENOENT (No such file or directory)
+open("/tmp/.ldaprc", O_RDONLY)          = -1 ENOENT (No such file or directory)
+stat64("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=247, ...}) = 0
+open("/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 4
+open("/etc/hosts", O_RDONLY|O_CLOEXEC)  = 4
+open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 4
+open("/lib/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = 4
+--- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=615, si_uid=99} ---
++++ killed by SIGPIPE +++
+
+at the same time in the log:
+
+Nov  2 18:20:44 gitolite3 sshd[605]: debug1: matching key found: file /usr/lib/openssh/ssh-ldap-wrapper, line 1 DSA 96:a8:6c:5b:42:ad:b4:f3:01:fc:19:38:da:63:0b:37
+Nov  2 18:20:44 gitolite3 sshd[605]: error: AuthorizedKeysCommand /usr/lib/openssh/ssh-ldap-wrapper returned status 141
+Nov  2 18:20:44 gitolite3 sshd[605]: debug1: restore_uid: 0/0
+Nov  2 18:20:44 gitolite3 sshd[605]: debug1: temporarily_use_uid: 264/264 (e=0/0)
+Nov  2 18:20:44 gitolite3 sshd[605]: debug1: trying public key file /home/services/git/.ssh/authorized_keys
+Nov  2 18:20:44 gitolite3 sshd[605]: debug1: fd 8 clearing O_NONBLOCK
+Nov  2 18:20:44 gitolite3 sshd[605]: debug1: restore_uid: 0/0
+Nov  2 18:20:44 gitolite3 sshd[605]: Failed publickey for git from 127.0.0.1 port 34574 ssh2: DSA 96:a8:6c:5b:42:ad:b4:f3:01:fc:19:38:da:63:0b:37
+Nov  2 18:20:44 gitolite3 sshd[605]: debug1: userauth-request for user git service ssh-connection method keyboard-interactive [preauth]
+Nov  2 18:20:44 gitolite3 sshd[605]: debug1: attempt 2 failures 1 [preauth]
+Nov  2 18:20:44 gitolite3 sshd[605]: debug1: keyboard-interactive devs  [preauth]
+Nov  2 18:20:44 gitolite3 sshd[605]: debug1: auth2_challenge: user=git devs= [preauth]
+Nov  2 18:20:44 gitolite3 sshd[605]: debug1: kbdint_alloc: devices 'pam' [preauth]
+Nov  2 18:20:44 gitolite3 sshd[605]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
+
+there's quick workaround too (without patching),
+instead of "exec ssh-ldap-helper", run it, and "exit 0" from the wrapper
+script. i don't like this solution, but it makes the problem go away:
+
+# cat /usr/lib/openssh/ssh-ldap-wrapper
+#!/bin/sh
+/usr/lib/openssh/ssh-ldap-helper -s "$1"
+exit 0
+
+--- openssh-6.3p1/ldap-helper.c~	2013-11-02 17:14:48.000000000 +0200
++++ openssh-6.3p1/ldap-helper.c	2013-11-02 18:39:15.740402594 +0200
+@@ -137,6 +137,8 @@
+ 	ldap_checkconfig();
+ 	ldap_do_connect();
+ 
++	signal(SIGPIPE, SIG_IGN);
++
+ 	if (config_single_user) {
+ 		process_user (config_single_user, outfile);
+ 	} else {
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/openssh.git/commitdiff/f6e1ad9aa03b21611212d48cfee7b913c8a4bbb7

More information about the pld-cvs-commit mailing list