Discussion:
SSH crash on OpenBSD (pledge related?)
Valentin Kozamernik
2016-07-22 18:32:51 UTC
Hello,

I just ran upon this problem and couldn't find it in bugzilla.

SSH crashes (abort trap) if all of the following conditions are met:

(a) option -f is used (crash happens when going to background),
(b) reverse port forwarding is set up (option -R),
(c) option ExitOnForwardFailure is enabled,
(d) there are no actual port-forwarding failures.

The problem can be reproduced by running this command:

ssh -f -N -R 1234:[::1]:4321 -o ExitOnForwardFailure=yes ::1

Repeatable every time at least on OpenBSD 5.9 and the latest snapshot
(July 17th), on amd64/bsd.mp using default installation.

Please CC me any replies as I'm not subscribed to this mailing list.

Tin
--
Valentin Kozamernik
Ljubljana, Slovenia

Phone: +386 41 35 40 99
PGP: 2D34 9133 0B9D 1EEA 83E7 0298 60B7 D121 5682 2AA9
Damien Miller
2016-07-23 00:01:02 UTC
Post by Valentin Kozamernik
> Hello,
> I just ran upon this problem and couldn't find it in bugzilla.
> (a) option -f is used (crash happens when going to background),
> (b) reverse port forwarding is set up (option -R),
> (c) option ExitOnForwardFailure is enabled,
> (d) there are no actual port-forwarding failures.
> ssh -f -N -R 1234:[::1]:4321 -o ExitOnForwardFailure=yes ::1

Thanks, I think the following fixes it.

diff --git a/clientloop.c b/clientloop.c
index 6740964..fe3baa8 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -115,6 +115,9 @@ extern int stdin_null_flag;
/* Flag indicating that no shell has been requested */
extern int no_shell_flag;

+/* Flag indicating that ssh should daemonise after authentication is complete */
+extern int fork_after_authentication_flag;
+
/* Control socket */
extern int muxserver_sock; /* XXX use mux_client_cleanup() instead */

@@ -1498,7 +1501,7 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
debug("Entering interactive session.");

if (options.control_master &&
- ! option_clear_or_none(options.control_path)) {
+ !option_clear_or_none(options.control_path)) {
debug("pledge: id");
if (pledge("stdio rpath wpath cpath unix inet dns recvfd proc exec id tty",
NULL) == -1)
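Review bot: the change to the `option_clear_or_none(options.control_path)` test is whitespace only (`! option_...` to `!option_...`) and is unrelated to the crash; consider committing it separately so the functional fix is easy to identify and backport. The control-master branch itself needs no promise change for -f, since the pledge string shown here already contains proc.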
@@ -1516,7 +1519,8 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
NULL) == -1)
fatal("%s pledge(): %s", __func__, strerror(errno));

- } else if (! option_clear_or_none(options.proxy_command)) {
+ } else if (!option_clear_or_none(options.proxy_command) ||
+ fork_after_authentication_flag) {
debug("pledge: proc");
if (pledge("stdio cpath unix inet dns proc tty", NULL) == -1)
fatal("%s pledge(): %s", __func__, strerror(errno));
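Review bot: in the `else if` test, `fork_after_authentication_flag` is only consulted when the earlier branches of this chain did not match, so -f combined with one of those conditions still depends on that branch's promises. The branch that closes at the top of this hunk does not show its promise string here; confirm that it includes proc, or the abort will persist for that combination. A short comment next to the new condition saying that the fork after authentication needs proc would also help, since `debug("pledge: proc")` does not say why.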
Valentin Kozamernik
2016-07-23 08:14:05 UTC
Post by Damien Miller
> Thanks, I think the following fixes it.
> diff --git a/clientloop.c b/clientloop.c

Yes, works fine for me with this diff applied. Thank you.

Tin
--
Valentin Kozamernik
Ljubljana, Slovenia

Phone: +386 41 35 40 99
PGP: 2D34 9133 0B9D 1EEA 83E7 0298 60B7 D121 5682 2AA9