Downstream bug report: https://bugs.archlinux.org/task/55570?project=1

https://github.com/openssh/openssh-portable/blob/d38f05dbdd291212bc95ea80648b72b7177e9f4e/sshd.c#L1643
If the result of this getpwnam call is supplied by libnss_systemd then the structure and all strings pointed to within the structure will be in a read-only memory section.

https://github.com/openssh/openssh-portable/blob/d38f05dbdd291212bc95ea80648b72b7177e9f4e/sshd.c#L1648
explicit_bzero will then segfault attempting to write to that read-only section.

POSIX.1-2008 (http://pubs.opengroup.org/onlinepubs/9699919799/) forbids modifying the structure returned by getpwnam or the strings it points to.

Perhaps switch the call to getpwnam_r?
Created attachment 3110
keep scrubbed copy of passwd struct

We can use the existing pwcopy() function to make a local, mutable copy and hope the system endpwent() does the right thing and scrubs the last returned passwd entry from memory.
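The copy-then-scrub approach from the comment above, as an added example that is not part of the original thread and is not OpenSSH's code. The names ro_entry, dup_str, copy_passwd, scrub_passwd and free_passwd are hypothetical, and the passwd entry is constructed sample data standing in for a libnss_systemd result.

```c
#include <pwd.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an NSS-owned entry whose strings are read-only. */
static const struct passwd ro_entry = {
    .pw_name = "demo", .pw_passwd = "constructed-hash", .pw_uid = 1000,
    .pw_gid = 1000, .pw_dir = "/home/demo", .pw_shell = "/bin/sh"
};

/* Heap-duplicate a non-NULL string so the copy is ours to modify. */
static char *dup_str(const char *s)
{
    char *p = malloc(strlen(s) + 1);
    return p ? strcpy(p, s) : NULL;
}

void free_passwd(struct passwd *c)
{
    free(c->pw_name); free(c->pw_passwd); free(c->pw_dir); free(c->pw_shell);
    free(c);
}

/* Hypothetical helper, not OpenSSH's pwcopy(): deep copy, source only read. */
struct passwd *copy_passwd(const struct passwd *pw)
{
    struct passwd *c = calloc(1, sizeof(*c));
    if (c == NULL)
        return NULL;
    c->pw_uid = pw->pw_uid;
    c->pw_gid = pw->pw_gid;
    c->pw_name = dup_str(pw->pw_name);
    c->pw_passwd = dup_str(pw->pw_passwd);
    c->pw_dir = dup_str(pw->pw_dir);
    c->pw_shell = dup_str(pw->pw_shell);
    if (c->pw_name && c->pw_passwd && c->pw_dir && c->pw_shell)
        return c;
    free_passwd(c);
    return NULL;
}

/* Zero the copy's hash; volatile stores keep the compiler from eliding them.
 * Only ever call this on a copy_passwd() result, never on the NSS entry. */
void scrub_passwd(struct passwd *c)
{
    for (volatile char *v = c->pw_passwd; *v != '\0'; v++)
        *v = '\0';
}
```

The caller scrubs and frees only the heap copy, so the structure returned by getpwnam is never written to.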
Fix committed, this will be in OpenSSH 7.7.
Close all resolved bugs after release of OpenSSH 7.7.