#3747 sss_ssh_authorizedkeys exits abruptly if SSHD closes its end of the pipe before reading all the SSH keys
Closed: Fixed 2 years ago Opened 2 years ago by jhrozek.

ssh reads the public keys from sss_ssh_authorizedkeys in chunks and looks for a matching key in each of the chunks. If a matching key is found, then the pipe to sss_ssh_authorizedkey is closed, which causes sss_ssh_authorizedkey to receive SIGPIPE and terminate abnormally, which in turn causes the pubkey authentication to fail.

Note that in some distributions, notably RHEL-7, this bug was only recently triggered by a patch added to openssh in RHEL-7.5, so for all intents and purposes, users of RHEL-7.5 consider this a regression.

In order to trigger this bug, the amount of keys must be larger than the chunk openssh reads (16kb) and the matching key must be present in the first chunk.

I managed to reproduce the bug with about 30 keys the user had.


Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1583343

2 years ago

Metadata Update from @jhrozek:
- Issue tagged with: PR

2 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.3

2 years ago

Metadata Update from @fidencio:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4754

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata