SSH crash on OpenBSD (pledge related?)

Valentin Kozamernik

Jul 22, 2016, 2:46:49 PM
Hello,

I just ran upon this problem and couldn't find it in bugzilla.

SSH crashes (abort trap) if all of the following conditions are met:

(a) option -f is used (crash happens when going to background),
(b) reverse port forwarding is set up (option -R),
(c) option ExitOnForwardFailure is enabled,
(d) there are no actual port-forwarding failures.

The problem can be reproduced by running this command:

ssh -f -N -R 1234:[::1]:4321 -o ExitOnForwardFailure=yes ::1

Repeatable every time at least on OpenBSD 5.9 and the latest snapshot
(July 17th), on amd64/bsd.mp using default installation.

Please CC me any replies as I'm not subscribed to this mailing list.

Tin


--
Valentin Kozamernik
Ljubljana, Slovenia

Phone: +386 41 35 40 99
PGP: 2D34 9133 0B9D 1EEA 83E7 0298 60B7 D121 5682 2AA9
_______________________________________________
openssh-unix-dev mailing list
openssh-...@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Damien Miller

Jul 22, 2016, 8:01:45 PM
On Fri, 22 Jul 2016, Valentin Kozamernik wrote:

> Hello,
>
> I just ran upon this problem and couldn't find it in bugzilla.
>
> SSH crashes (abort trap) if all of the following conditions are met:
>
> (a) option -f is used (crash happens when going to background),
> (b) reverse port forwarding is set up (option -R),
> (c) option ExitOnForwardFailure is enabled,
> (d) there are no actual port-forwarding failures.
>
> The problem can be reproduced by running this command:
>
> ssh -f -N -R 1234:[::1]:4321 -o ExitOnForwardFailure=yes ::1

Thanks, I think the following fixes it.

diff --git a/clientloop.c b/clientloop.c
index 6740964..fe3baa8 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -115,6 +115,9 @@ extern int stdin_null_flag;
/* Flag indicating that no shell has been requested */
extern int no_shell_flag;

+/* Flag indicating that ssh should daemonise after authentication is complete */
+extern int fork_after_authentication_flag;
+
/* Control socket */
extern int muxserver_sock; /* XXX use mux_client_cleanup() instead */

@@ -1498,7 +1501,7 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
debug("Entering interactive session.");

if (options.control_master &&
- ! option_clear_or_none(options.control_path)) {
+ !option_clear_or_none(options.control_path)) {
debug("pledge: id");
if (pledge("stdio rpath wpath cpath unix inet dns recvfd proc exec id tty",
NULL) == -1)
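Review bot: the only change in this hunk, on the `!option_clear_or_none(options.control_path)` line, is the removal of a space after `!`, which is unrelated to the crash. Consider dropping it or sending it as a separate style commit so the fix itself stays minimal and easy to backport.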
@@ -1516,7 +1519,8 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
NULL) == -1)
fatal("%s pledge(): %s", __func__, strerror(errno));

- } else if (! option_clear_or_none(options.proxy_command)) {
+ } else if (!option_clear_or_none(options.proxy_command) ||
+ fork_after_authentication_flag) {
debug("pledge: proc");
if (pledge("stdio cpath unix inet dns proc tty", NULL) == -1)
fatal("%s pledge(): %s", __func__, strerror(errno));
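Review bot: the `fork_after_authentication_flag` test is added only to this last `else if`, so it is evaluated only when the earlier branches of the chain do not match. The first branch visibly includes `proc`, but the promise string of the branch that ends just above (`NULL) == -1)`) is outside the shown context; please confirm it also contains `proc`, otherwise `-f` combined with that branch's condition would still abort when ssh goes to background. A short comment next to the new condition saying that backgrounding needs `proc` would also help, since `debug("pledge: proc")` no longer tells which of the two conditions selected this branch.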

Valentin Kozamernik

Jul 23, 2016, 4:20:06 AM
On Sat, 23 Jul 2016 at 10:01, Damien Miller wrote:

> Thanks, I think the following fixes it.
>
> diff --git a/clientloop.c b/clientloop.c

Yes, works fine for me with this diff applied. Thank you.

Tin


--
Valentin Kozamernik
Ljubljana, Slovenia

Phone: +386 41 35 40 99
PGP: 2D34 9133 0B9D 1EEA 83E7 0298 60B7 D121 5682 2AA9