Bug 1487 - Race condition between monitor and unprivileged child in sshd
Summary: Race condition between monitor and unprivileged child in sshd
Status: CLOSED WORKSFORME
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 5.0p1
Hardware: All All
Importance: P2 normal
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-07-12 21:52 AEST by Georgi Chulkov
Modified: 2011-01-24 12:33 AEDT (History)

See Also:


Attachments

Description Georgi Chulkov 2008-07-12 21:52:14 AEST
In the v2 protocol, after a connection, the accepting process forks in privsep_preauth(). The parent executes monitor_child_preauth() to allow certain privsep requests necessary for authentication. The unprivileged child runs do_ssh2_kex() followed by do_authentication2().

If KEX is fast enough, do_authentication2() runs before the monitor has a chance to permit the necessary requests (MONITOR_REQ_PWNAM in particular), and therefore authentication fails on the server with:

monitor_read: unpermitted request 6

Damien Miller proposed setting up a pipe shared between the monitor and child, and making the child wait until the monitor end closes, which it should do after permitting the monitor calls.

I believe the pipe close (granting permission to continue) should be at the end of monitor.c:mm_answer_sign, right after the line:

monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);

Of course, I could be wrong. On the other hand, I have not been able to figure out where to place the pipe read (waiting for permission) call.
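The pipe handshake sketched in the report, as an added illustration that is not OpenSSH code: the monitor (parent) keeps the write end until it has finished permitting requests, and the child blocks on read() until it sees EOF. The function names and the stand-in for the monitor_permit() call are assumptions for the example.

```c
/* Added example (not OpenSSH code): pipe-close as a one-shot "go ahead"
 * signal from a monitor process to its unprivileged child. */
#include <errno.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Child side: block until the monitor closes its end of the pipe.
 * Returns 0 on EOF (permission granted), -1 if a byte or an error
 * arrives instead, which would indicate a misuse of the pipe. */
int wait_for_monitor(int fd)
{
    char c;
    ssize_t n;

    do {
        n = read(fd, &c, 1);
    } while (n < 0 && errno == EINTR);
    return n == 0 ? 0 : -1;
}

/* Monitor side: stand-in for the point right after
 * monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1); closing the
 * write end is what releases the child. */
static void monitor_permit_then_release(int fd)
{
    close(fd);
}

/* Fork a monitor/child pair joined by the pipe.  Returns the child's
 * exit status: 0 when it was released by EOF, 1 otherwise, -1 if
 * pipe/fork/waitpid failed. */
int run_handshake(void)
{
    int p[2], status;
    pid_t pid;

    if (pipe(p) < 0)
        return -1;
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        close(p[1]);                 /* child keeps only the read end   */
        _exit(wait_for_monitor(p[0]) == 0 ? 0 : 1);
    }
    close(p[0]);                     /* monitor keeps only the write end */
    monitor_permit_then_release(p[1]);
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The child must close every copy of the write end it inherits, otherwise its own open descriptor keeps the pipe from ever reaching EOF.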
Comment 1 Damien Miller 2010-04-25 21:26:02 AEST
Actually, I don't see this race at all. The monitor is completely synchronous - the only way I can see that REQ_PWNAM is refused is if the KEX skipped a step. IIRC you were using a custom KEX, so you are probably attempting an illegal transaction in the monitor state machine.
Comment 2 Damien Miller 2011-01-24 12:33:43 AEDT
Move resolved bugs to CLOSED after 5.7 release