Bug 2496 - sshd hangs when using AuthorizedKeysCommand
Status: CLOSED WORKSFORME
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 7.1p1
Hardware: amd64 FreeBSD
Importance: P5 normal
Assignee: Assigned to nobody
Reported: 2015-11-17 22:09 AEDT by Felicity Tarnell
Modified: 2017-02-18 00:58 AEDT

Description Felicity Tarnell 2015-11-17 22:09:27 AEDT
Since upgrading to 7.1p1 on FreeBSD 10.2, sshd has started hanging when using an AuthorizedKeysCommand.  This worked fine in 6.8.

Server configuration:

Match User git
	AuthorizedKeysCommand /usr/local/sbin/ssh-lookup-key-git

Relevant server debug output:

debug3: subprocess: AuthorizedKeysCommand command "/usr/local/sbin/ssh-lookup-key-git git" running as sshkeys
debug3: subprocess: AuthorizedKeysCommand pid 86183
debug2: user_key_allowed: check options: 'command="/usr/local/git/bin/gitolite-shell tom@torchbox.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-dss AAAAB3NzaC1kc3MAAACBALtPYyEOw+gvvWvW45iTR7SAkdH8FIML+4SBFPeXBp4ntT0JaRrkaTwm2C2PkZUaOShvFHCcTc7muNBMB/qmLYuWAcbCeKoxv08RMruGheGp6BB/9sByGjPfHssYNk4qxCqHTL6ZRjPRgApV5qz+OP8cTNlT0YXi2WA5Ubact4DhAAAAFQC71JYAqRBN0URvJmmMF5TyBNePkQAAAIEAlkG+5H/NZsHjZK7Dxn9iCNjGxoB/zJQJ89aSZ+wPktJExkfbVEXtiuEC04qfJ3qCqw6uYX8fG3e9+mujrAfh/TUDMLZc8sq4WvV91HPe9CX4XUOcf0dXzV76OlKJ4oTe2CHSouZzOyCCgtDgT87B85yS+B/7fKWXbDYEQ45lMfgAAACBALLs4d0ii3i2hwtVeddkYrJ8lHXKQWCZOtff+fLVu+cFEw8lTAfmpke+saN6sX5O1EgOuJUHInwgE+HDdmk6l1vyNJhGxKCuI3qYG2LXOKLmEyiEBOlpkPELVJnvVNMcQrMTARjo8IsiM4AcXBufzhN8yIdJ1fDV4a4cTYVzdF7n tom@tortoise.local'
[... output elided ...]
debug2: user_key_allowed: check options: 'command="/usr/local/git/bin/gitolite-shell felicity@torchbox.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyszt9jTA88Dz4SjVVevwgCKHY1GfS5hla0XatqtAWNI+9O5eXasbybB7UfHo5Y6FB8Xu7Snu1NAj/xVGKLlQ69cNT6YMaj3TC1TLfhK2pmHxWHXDUqffU5ZOE/C4VSdING8FateJ5E7oOw9152UKNRoI12Fsu9yzzUZnKm0+43kFg/XfGioGqagm4jAUNhwylqRulRxFWCpZLjEjJOiRI+6pgVK8+wsq5kpuwVe36k0wmHEPWhbGabNY1Uw6dkVWIz3pI1PtaAmmb4FZ6KLYFh6kO4u3M+uhPfj94mtJb3Yr5jPkOb/9DKhCaZqYLVm3cs7pyQZtN3oRkitjzJC34Q== felicity@severance'
debug1: matching key found: file /usr/local/sbin/ssh-lookup-key-git, line 15 RSA SHA256:LlC54jHl2i3IC3K8rSsRuvjkSIdcfhbyH1oq2e/9Uog

No output is printed after this, and the sshd server process hangs with the authorized keys command still running.

A workaround appears to be having the command flush output after printing every key, instead of buffering it as a single write; in this case, since it's a Perl script, adding "$| = 1;" to disable buffering makes things work as expected.
Comment 1 Damien Miller 2015-11-18 07:56:39 AEDT
sshd waits for the AuthorizedKeysCommand to finish - if it doesn't finish, sshd will hang. So the question is: why is the command failing to exit?

The only difference between 6.8p1 and 7.1p1 that I think could be relevant is that 7.1p1 sets up a minimal environment ($PATH, $USER, $LOGNAME, $HOME, $LANG) whereas 6.8p1 inherited a full environment from sshd.

I'm not sure why this could cause your command to misbehave though. I suggest getting a strace/ktrace of the command as it hangs - it might yield some clues.
Comment 2 Damien Miller 2016-07-08 14:52:02 AEST
closing: >6 months with no followup
Comment 3 Damien Miller 2016-08-02 10:43:00 AEST
Close all resolved bugs after 7.3p1 release
Comment 4 Jakub Jelen 2017-02-18 00:58:16 AEDT
This upstream commit fixes the problem according to discussion on IRC:

https://github.com/openssh/openssh-portable/commit/ddd3d34e5c7979ca6f4a3a98a7d219a4ed3d98c2
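
The thread notes that sshd waits for the AuthorizedKeysCommand to exit and that the hang follows a match at line 15 while the command is still running. The following is an added example, not OpenSSH code and not from this report: a parent that stops reading a helper's pipe after an early match and then waits for exit will block if the helper still has more output than the pipe holds, while closing the read end first lets the helper exit. That this is the mechanism behind this bug is an assumption; the helper script, key strings and the `lookup` function are constructed for illustration.

```python
import subprocess
import sys

# Constructed stand-in for a key-lookup helper: it prints far more
# authorized_keys-style lines than a pipe buffer holds, with no explicit flush.
HELPER = r'''
import sys
for i in range(50000):
    sys.stdout.write("ssh-rsa AAAAconstructed%06d user%d@example.invalid\n" % (i, i))
'''

def lookup(wanted_blob, close_before_wait, timeout=1.0):
    """Scan helper output for wanted_blob; return (matched, helper_exited)."""
    proc = subprocess.Popen([sys.executable, "-c", HELPER],
                            stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
                            text=True)
    matched = False
    for line in proc.stdout:
        fields = line.split()
        if len(fields) >= 2 and fields[1] == wanted_blob:
            matched = True
            break                      # early match: the rest is never read
    if close_before_wait:
        # Closing the read end makes the helper's pending write fail with
        # EPIPE, so it exits instead of blocking on a full pipe.
        proc.stdout.close()
    try:
        proc.wait(timeout=timeout)
        exited = True
    except subprocess.TimeoutExpired:
        # Helper is still blocked in write(); a parent with no timeout
        # would now wait forever.
        exited = False
        proc.kill()
        proc.wait()
    if not proc.stdout.closed:
        proc.stdout.close()
    return matched, exited

if __name__ == "__main__":
    blob = "AAAAconstructed000014"     # 15th line of the constructed output
    print("wait with pipe left open:", lookup(blob, close_before_wait=False))
    print("close pipe, then wait:  ", lookup(blob, close_before_wait=True))
```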