1 | ignore SIGPIPE from ldap-helper. ssh server does not read whole input if matching key is found | |
2 | ||
3 | with latest ldap patch from fedora openssh package repo | |
4 | (84822b5decc2ddd8415a3167b9ff9f0a368929a3), i encountered bug that if there are | |
5 | lots of keys for user and matching key is found near the beginning, the | |
6 | ssh-ldap-helper gets SIGPIPE because apparently the sshd server does not read | |
7 | the whole output, and that killed-by-signal status is propagated so that the whole key authentication | |
8 | fails. | |
9 | ||
10 | i'm not sure in which side the fixing should be made, should ldap-helper ignore | |
11 | SIGPIPE? should ssh authorizedkeyscommand always read up whole input? | |
12 | ||
13 | in my case user had only 51 keys outputing ~35k of text: | |
14 | # /usr/lib/openssh/ssh-ldap-helper -s git | wc | |
15 | 51 251 35685 | |
16 | ||
17 | i think it's quite easy to reproduce: | |
18 | - print out matchin key early | |
19 | - produce more lines of output | |
20 | ||
21 | so, here's strace of ssh-ldap-helper being called from ssh-ldap-wrapper: | |
22 | ||
23 | execve("/usr/lib/openssh/ssh-ldap-helper", ["/usr/lib/openssh/ssh-ldap-helper", "-s", "git"], [/* 13 vars */]) = 0 | |
24 | access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) | |
25 | open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 | |
26 | open("/usr/lib/libldap-2.4.so.2", O_RDONLY|O_CLOEXEC) = 3 | |
27 | open("/usr/lib/liblber-2.4.so.2", O_RDONLY|O_CLOEXEC) = 3 | |
28 | open("/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 | |
29 | open("/usr/lib/libsasl2.so.3", O_RDONLY|O_CLOEXEC) = 3 | |
30 | open("/lib/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3 | |
31 | open("/lib/libssl.so.1.0.0", O_RDONLY|O_CLOEXEC) = 3 | |
32 | open("/lib/libcrypto.so.1.0.0", O_RDONLY|O_CLOEXEC) = 3 | |
33 | open("/lib/libcrypt.so.1", O_RDONLY|O_CLOEXEC) = 3 | |
34 | open("/lib/libpam.so.0", O_RDONLY|O_CLOEXEC) = 3 | |
35 | open("/lib/libaudit.so.1", O_RDONLY|O_CLOEXEC) = 3 | |
36 | open("/lib/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3 | |
37 | open("/lib/libz.so.1", O_RDONLY|O_CLOEXEC) = 3 | |
38 | open("/lib/libfreebl3.so", O_RDONLY|O_CLOEXEC) = 3 | |
39 | open("/dev/null", O_RDWR|O_LARGEFILE) = 4 | |
40 | open("/etc/ldap.conf", O_RDONLY|O_LARGEFILE) = 4 | |
41 | open("/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 4 | |
42 | open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 4 | |
43 | open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 4 | |
44 | open("/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 4 | |
45 | open("/etc/host.conf", O_RDONLY|O_CLOEXEC) = 4 | |
46 | open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 4 | |
47 | open("/etc/openldap/ldap.conf", O_RDONLY) = -1 ENOENT (No such file or directory) | |
48 | open("/tmp/ldaprc", O_RDONLY) = -1 ENOENT (No such file or directory) | |
49 | open("/tmp/.ldaprc", O_RDONLY) = -1 ENOENT (No such file or directory) | |
50 | stat64("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=247, ...}) = 0 | |
51 | open("/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 4 | |
52 | open("/etc/hosts", O_RDONLY|O_CLOEXEC) = 4 | |
53 | open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 4 | |
54 | open("/lib/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = 4 | |
55 | --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=615, si_uid=99} --- | |
56 | +++ killed by SIGPIPE +++ | |
57 | ||
58 | at the same time in the log: | |
59 | ||
60 | Nov 2 18:20:44 gitolite3 sshd[605]: debug1: matching key found: file /usr/lib/openssh/ssh-ldap-wrapper, line 1 DSA 96:a8:6c:5b:42:ad:b4:f3:01:fc:19:38:da:63:0b:37 | |
61 | Nov 2 18:20:44 gitolite3 sshd[605]: error: AuthorizedKeysCommand /usr/lib/openssh/ssh-ldap-wrapper returned status 141 | |
62 | Nov 2 18:20:44 gitolite3 sshd[605]: debug1: restore_uid: 0/0 | |
63 | Nov 2 18:20:44 gitolite3 sshd[605]: debug1: temporarily_use_uid: 264/264 (e=0/0) | |
64 | Nov 2 18:20:44 gitolite3 sshd[605]: debug1: trying public key file /home/services/git/.ssh/authorized_keys | |
65 | Nov 2 18:20:44 gitolite3 sshd[605]: debug1: fd 8 clearing O_NONBLOCK | |
66 | Nov 2 18:20:44 gitolite3 sshd[605]: debug1: restore_uid: 0/0 | |
67 | Nov 2 18:20:44 gitolite3 sshd[605]: Failed publickey for git from 127.0.0.1 port 34574 ssh2: DSA 96:a8:6c:5b:42:ad:b4:f3:01:fc:19:38:da:63:0b:37 | |
68 | Nov 2 18:20:44 gitolite3 sshd[605]: debug1: userauth-request for user git service ssh-connection method keyboard-interactive [preauth] | |
69 | Nov 2 18:20:44 gitolite3 sshd[605]: debug1: attempt 2 failures 1 [preauth] | |
70 | Nov 2 18:20:44 gitolite3 sshd[605]: debug1: keyboard-interactive devs [preauth] | |
71 | Nov 2 18:20:44 gitolite3 sshd[605]: debug1: auth2_challenge: user=git devs= [preauth] | |
72 | Nov 2 18:20:44 gitolite3 sshd[605]: debug1: kbdint_alloc: devices 'pam' [preauth] | |
73 | Nov 2 18:20:44 gitolite3 sshd[605]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth] | |
74 | ||
75 | there's quick workaround too (without patching), | |
76 | instead of "exec ssh-ldap-helper", run it, and "exit 0" from the wrapper | |
77 | script. i don't like this solution, but it makes the problem go away: | |
78 | ||
79 | # cat /usr/lib/openssh/ssh-ldap-wrapper | |
80 | #!/bin/sh | |
81 | /usr/lib/openssh/ssh-ldap-helper -s "$1" | |
82 | exit 0 | |
83 | ||
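--- a/openssh-6.6p1/ldap-helper.c
+++ b/openssh-6.6p1/ldap-helper.c
@@ -31,6 +31,7 @@
 #include "ldapbody.h"
 #include <string.h>
 #include <unistd.h>
+#include <signal.h>
 
 static int config_debug = 0;
 int config_exclusive_config_file = 0;
@@ -137,6 +137,8 @@
 ldap_checkconfig();
 ldap_do_connect();
 
+ signal(SIGPIPE, SIG_IGN);
+
 if (config_single_user) {
 process_user (config_single_user, outfile);
 } else {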
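Review bot: With SIGPIPE ignored, the writes that process_user() makes to outfile will fail with EPIPE instead of killing the process, and nothing in this hunk handles that, so unless the output code already checks its fprintf/fflush results (not visible here) the helper will keep querying LDAP and formatting every remaining key into a pipe sshd has already closed. The output path should detect the write error and stop, e.g. `if (fflush(outfile) != 0 || ferror(outfile)) break;` after each key, exiting 0 in the EPIPE case because sshd has already consumed the key it needed, while any other failure should still exit non-zero so that a broken helper keeps failing closed as the killed-by-signal status did before. sigaction() would state the disposition explicitly, though signal() with SIG_IGN is portable enough here. The enclosing function starts and ends outside the hunk, and the first hunk only adds the <signal.h> include this line needs.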