#3747 sss_ssh_authorizedkeys exits abruptly if SSHD closes its end of the pipe before reading all the SSH keys

Created 3 months ago by jhrozek
Modified 2 months ago

ssh reads the public keys from sss_ssh_authorizedkeys in chunks and looks for a matching key in each of the chunks. If a matching key is found, then the pipe to sss_ssh_authorizedkeys is closed, which causes sss_ssh_authorizedkeys to receive SIGPIPE and terminate abnormally, which in turn causes the pubkey authentication to fail.

Note that in some distributions, notably RHEL-7, this bug was only recently triggered by a patch added to openssh in RHEL-7.5, so for all intents and purposes, users of RHEL-7.5 consider this a regression.

In order to trigger this bug, the number of keys must be larger than the chunk openssh reads (16kb) and the matching key must be present in the first chunk.

I managed to reproduce the bug with about 30 keys the user had.

3 months ago

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1583343

Issue linked to Bugzilla: Bug 1583343

3 months ago

Metadata Update from @jhrozek:
- Issue tagged with: PR

2 months ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.3

2 months ago

Metadata Update from @fidencio:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)
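
The failure mode this ticket describes, reproduced in miniature as an added example (not SSSD or OpenSSH code, and not necessarily how SSSD 1.16.3 fixed it): a reader takes one 16 KB chunk from a pipe and closes it while the writer still has output. `write_keys`, `run_case` and the 4 MB output size are assumptions, chosen so the writer is always mid-write when the pipe closes.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define CHUNK 16384          /* reader's chunk size (16 KB, per the ticket) */
#define TOTAL (4096 * 1024)  /* constructed: exceeds any default pipe buffer */

/* Writer side: stands in for a helper that prints many key lines to a pipe. */
static int write_keys(int fd, int tolerate_epipe)
{
    char line[512];
    memset(line, 'k', sizeof(line));   /* constructed filler, not a real key */
    line[sizeof(line) - 1] = '\n';
    signal(SIGPIPE, tolerate_epipe ? SIG_IGN : SIG_DFL); /* IGN => EPIPE */
    for (size_t sent = 0; sent < TOTAL; ) {
        ssize_t n = write(fd, line, sizeof(line));
        if (n < 0 && errno == EINTR) continue;
        if (n < 0)   /* EPIPE: reader left early, it already has its match */
            return errno == EPIPE ? 0 : 1;
        sent += (size_t)n;
    }
    return 0;
}

/* Returns the writer's exit code, or the signal number that killed it. */
int run_case(int tolerate_epipe)
{
    int p[2], status;
    char buf[CHUNK];
    pid_t pid;
    if (pipe(p) < 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) {                    /* child: the writer */
        close(p[0]);
        _exit(write_keys(p[1], tolerate_epipe));
    }
    close(p[1]);
    if (read(p[0], buf, sizeof(buf)) < 0) return -1;  /* one chunk only */
    close(p[0]);                       /* reader closes before EOF */
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : WEXITSTATUS(status);
}

int main(void)
{
    printf("default SIGPIPE: %d, ignored: %d\n", run_case(0), run_case(1));
    return 0;
}
```

With the default disposition the writer is reported as killed by SIGPIPE, which a caller checking the child's status sees as a failed helper; with SIGPIPE ignored, the same early close surfaces as an `EPIPE` error the writer can treat as a normal end of output.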
