Bug 1606

Summary:

internal-sftp does not drop conections properly, it will hang

Product:

Portable OpenSSH

Reporter:

zpbrent <zpbrent>

Component:

sshd

Assignee:

Assigned to nobody <unassigned-bugs>

Status:

CLOSED FIXED

Severity:

normal

CC:

djm

Priority:

Version:

5.2p1

Hardware:

Itanium

OS:

HP-UX

Bug Depends on:

Bug Blocks:

1626

Attachments:

Description	Flags
Temporarily fix (changed code in session.c) for this issue	none
abort non-subsystem sessions to forced internal sftp-server	dtucker: ok+

Description zpbrent 2009-06-11 17:25:45 AEST

Created attachment 1648 [details]
Temporarily fix (changed code in session.c) for this issue

Hello: 

I have configured sshd_config as the following:
=================================================
Subsystem sftp /opt/ssh/libexec/sftp-server 
#Subsystem sftp internal-sftp
Match User sftpch
    ChrootDirectory /chrootdir
    ForceCommand internal-sftp
==================================================
Now if somebody tries to do a ssh (not a sftp) with account sftpch,
the connection hangs.

And I have investigated this issue and generated a temporarily solution
for it.

Let's have a travel to the ForceCommand section to execute
internal-sftp in do_exec() function, the source code just use
IS_INTERNAL_SFTP(command) to check whether sshd want to use
ForceCommand to execute internal-sftp or not and do not judge which
requirement from client, that means when our customers use ssh
(SUBSYSTEM_NONE) to connect to sshd but they have configured to use
ForceCommand to execute internal-sftp, the logic error will happened
(None Subsystem client connected to the internal-sftp Subsystem
server), it looks like this is the root cause about this hang.

Based on the root cause, I have generated a temporarily fix for this
issue. Just use IS_INTERNAL_SFTP(command) to check whether to set the
session->is_subsystem to SUBSYSTEM_INT_SFTP is not sufficient, we also
have use if (s->is_subsystem != SUBSYSTEM_NONE) to check if the
requirement from the client belong to subsystem or not meanwhile.

I will list the detial detail of the fix below and please help us to
have a review:
=======================================================================
In the session.c source file
=======================================================================
845c845
+               if (s->is_subsystem && IS_INTERNAL_SFTP(command))
---
-               if (IS_INTERNAL_SFTP(command))
853c853
+               if (s->is_subsystem && IS_INTERNAL_SFTP(command))
---
-               if (IS_INTERNAL_SFTP(command))
=======================================================================

With this temporarily fix, if somebody tries to do a ssh (not a sftp)
with account sftpch and sshd_config is set to above , the connection
will prompt 
"sh: internal-sftp:  not found 
Connection to <remote nodename> closed." 
and then drop conections properly instead of hang. And for sftp and ssh
with other account, it works correctly.

Are there anybody could help me to trace this issue and review my
temporarily fix since I am not an expert about Open-SSH code and I am
not confirm this fix dose not make other side effect for Open-SSH. If
you accept my fix, could you help me to port them into your next SSH
version, and if you think my fix is not considerable, could you help me
to figure out a new one? 

Best Regards
Brent
zpbrent@yahoo.com.cn

Comment 1 Damien Miller 2009-09-09 10:24:23 AEST

*** Bug 1605 has been marked as a duplicate of this bug. ***

Comment 2 Damien Miller 2009-10-23 12:19:31 AEDT

Created attachment 1704 [details]
abort non-subsystem sessions to forced internal sftp-server

I think your proposed fix introduces a security vulnerability - a user could upload a file "internal-sftp" and sshd would execute it, since the SUBSYSTEM_INT_SFTP is no longer set when processing the session.

Comment 3 Damien Miller 2009-11-20 10:42:22 AEDT

patch applied - this will be in openssh-5.4

Comment 4 Darren Tucker 2010-03-26 10:51:04 AEDT

With the release of 5.4p1, this bug is now considered closed.