Created attachment 1570: patch for channels.c
On Solaris 9 and 10, on both sparc and i86pc, sshd hangs on an ioctl TCGETS call after a large write to the pty. Where large is anything over about 2k. So pasting 100 or so lines of text into vi will hang the session. The cause is the tcgetattr call on line 1606 of channels.c provoking a Solaris bug. It hangs forever after a large write to the pty. The workaround is to not make the call, assume the terminal is not echoing, and always send the random data packet.
Created attachment 1571: alternate patch for channels.c
The ioctl is failing partially because the wfd file descriptor isn't actually a pty. It's being incorrectly flagged as one in channel_register_fds(), which simply trusts its caller. Also, the test on line 1605 is checking to see if rfd is a pty before applying the ioctl to wfd. So this will also fix the problem, but might not be as secure because it doesn't send the ignored random data packets.
Created attachment 1572: Only generate fake echo packets for tty writes < 1k
I suspect patch #1570 would make the echo/noecho difference observable on the wire. An alternative is to only do this check for small writes.
I'm not sure 1572 will avoid the problem. Large writes get broken up into multiple writes. The last one can be small, yet enough to fill the pipe, and make the ioctl hang.
1571 avoids the problem, but makes it more vulnerable to analysis. Maybe it could randomly decide to send random size fake packets?
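The check discussed in the comments above, as an added example that is not part of the bug report or of OpenSSH's code: decide whether to send a padding packet after a terminal write, testing and querying the same descriptor that was written. The function names and the 4-byte framing are assumptions of this sketch; it shows the decision only and does not work around the Solaris ioctl hang.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Hypothetical helper names; not taken from channels.c. */

/* Bytes of padding to send after writing buf[0..len) to a terminal with
 * settings *tio, or 0 for none. Pad only when the terminal will not echo
 * the input itself (ECHO clear, canonical mode), so that a silent prompt
 * produces return traffic like an echoing one. */
size_t fake_echo_len(const struct termios *tio, const char *buf, size_t len)
{
    if (len < 1 || buf[0] == '\r')
        return 0;
    if ((tio->c_lflag & ECHO) || !(tio->c_lflag & ICANON))
        return 0;
    return 4 + len; /* assumed framing: 4-byte channel id + data */
}

/* Same decision for a live descriptor. Both the terminal test and the
 * attribute query use wfd, the descriptor that was written. */
size_t fake_echo_len_fd(int wfd, const char *buf, size_t len)
{
    struct termios tio;

    if (!isatty(wfd) || tcgetattr(wfd, &tio) != 0)
        return 0;
    return fake_echo_len(&tio, buf, len);
}

int main(void)
{
    struct termios tio; /* constructed settings, not read from a device */
    int p[2];

    memset(&tio, 0, sizeof(tio));
    tio.c_lflag = ICANON; /* echo off, e.g. a password prompt */
    printf("noecho: pad %zu\n", fake_echo_len(&tio, "secret", 6));
    tio.c_lflag = ICANON | ECHO;
    printf("echo:   pad %zu\n", fake_echo_len(&tio, "ls", 2));
    if (pipe(p) == 0) /* a pipe is not a terminal */
        printf("pipe:   pad %zu\n", fake_echo_len_fd(p[1], "secret", 6));
    return 0;
}
```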
Hi, new and not-so-tech-savvy user here. I'm interested in this ticket because we have a real-live user at Columbia who is tearing his hair out over this issue. I see that the conversation stopped last October. Does that mean no one is working on this problem? Do you happen to know if and when someone will? Thanks; we're eager to know!
I've been using the alternate patch (#1571, 920 bytes) I attached to this bug report. It's been running since October on about 200 production unix servers, used daily by hundreds of people and thousands of automated jobs. We haven't seen any problems. Technically, it probably does make the session a little more subject to certain kinds of cryptographic analysis. It could probably be improved by adding something to randomly send the filler packets.
I'm seeing th
I tested openssh-5.0p1 and confirm that this issue does not exist there, but unfortunately that version doesn't contain the following Solaris fix (in OpenSSH_5.2p1):
* Avoid a sshd(8) hang-on-exit on Solaris caused by depending on the success of isatty() on a PTY master (undefined behaviour). Probably affected other platforms too. (bz#1463)
The above fix works wonders for service administration in an Oracle environment.
Anyway, in short, this is confirmation that we are also affected by this issue and would like to see an official fix make it into the main code some day.
I will test and implement the alternate patch #1571 for the time being.
Just an update on my situation: we installed the patch and it was successful here. We have not encountered any problems. We, too, would like to see this make it into the main code. Thanks!
Patch #1571 seems to be working well for us as well under Solaris 8 and 10.
Anyone rechecked for this in 5.2p1? I will end up checking if I don't hear back from anyone; however, I don't see this bug ID listed in the latest change log.
Never mind, I found previous emails where 5.2p1 was confirmed to still exhibit the issue and also that the alternate patch worked for version 5.2p1 as well.
We'll do something with this for 5.3.
Created attachment 1677: Skip tcgetattr on solaris
I think this is the simplest thing to do.
This has been committed and will be in the 5.3 release. Thanks.
Mass move of RESOLVED bugs to CLOSED now that 5.3 is out.