Bug 1471

Summary:

sshd can block if authorized_keys is a named pipe

Product:

Portable OpenSSH

Reporter:

Colin Watson <cjwatson>

Component:

sshd

Assignee:

Assigned to nobody <unassigned-bugs>

Status:

CLOSED FIXED

Severity:

minor

CC:

djm, solar

Priority:

Version:

4.7p1

Hardware:

All

OS:

Linux

Bug Depends on:

Bug Blocks:

1452

Attachments:

Description	Flags
open authorized_keys and shosts in non-blocking mode, check st_mode	none

Description Colin Watson 2008-05-27 00:01:57 AEST

Solar Designer noticed indirectly that sshd child processes (and probably other parts of OpenSSH) can block if ~/.ssh/authorized_keys is a named pipe with an open writer. Perhaps it would be worth checking S_ISREG before trying to open a key file?

(I'm hoping nobody is actually relying on this as a feature. I can't imagine how you'd do so reliably.)

Comment 1 Damien Miller 2008-06-13 13:19:30 AEST

Created attachment 1517 [details]
open authorized_keys and shosts in non-blocking mode, check st_mode

.shosts is another file that the server can be made to open. This diff should fix it and authorized_keys.

Comment 2 Damien Miller 2008-06-13 14:41:29 AEST

that patch has a small bug (don't use it), but a similar one has been submitted and will be in openssh-5.1. Thanks!

Comment 3 Solar Designer 2008-06-16 17:38:34 AEST

I'd add O_NOCTTY.  On some systems it is a no-op, but on others it makes a difference.

Also, a maximum size check both before and during reads could make sense, but it is not clear what the limit should be (1 MB maybe? or would anyone want to put thousands of keys on an account?)

I suppose O_NOFOLLOW would break some existing setups and it does not buy all that much (at least not when arbitrary hard links are allowed by the kernel and there are interesting things on the same device).

Comment 4 Damien Miller 2008-07-22 12:24:45 AEST

Mass update RESOLVED->CLOSED after release of openssh-5.1