FS#29049 - [OpenSSH] segmentation fault using key exchange
Attached to Project:
Arch Linux
Opened by Rakesh Singh (rakeshsingh) - Thursday, 22 March 2012, 07:44 GMT
Last edited by Gaetan Bisson (vesath) - Thursday, 22 March 2012, 09:49 GMT
Details
Description: OpenSSH crashes with exit code 139 (Segmentation fault) when connecting to a remote server using authorized keys.
Additional info:
openssh 5.9p1-8
openssl 1.0.1-1

Pacman log:
[2012-03-21 12:39] synchronizing package lists
[2012-03-21 12:41] starting full system upgrade
[2012-03-21 12:52] upgraded bash (4.2.024-1 -> 4.2.024-2)
[2012-03-21 12:52] upgraded device-mapper (2.02.90-1 -> 2.02.95-1)
[2012-03-21 12:52] upgraded iproute2 (3.2.0-2 -> 3.2.0-3)
[2012-03-21 12:52] upgraded libdrm (2.4.31-1 -> 2.4.32-1)
[2012-03-21 12:52] upgraded mercurial (2.1.1-1 -> 2.1.1-2)
[2012-03-21 12:52] upgraded neon (0.29.6-3 -> 0.29.6-4)
[2012-03-21 12:52] upgraded openssl (1.0.0.h-1 -> 1.0.1-1)
[2012-03-21 12:52] upgraded openssh (5.9p1-5 -> 5.9p1-8)
[2012-03-21 12:52] upgraded psmisc (22.15-1 -> 22.16-1)
[2012-03-21 12:52] upgraded vim-runtime (7.3.434-1 -> 7.3.475-1)
[2012-03-21 12:52] upgraded vim (7.3.434-1 -> 7.3.475-1)

SSH client with debug level 3:
ssh -v -v -v hisuper@hipfasdv
OpenSSH_5.9p1, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /data/users/rakeshs/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to hipfasdv [10.147.1.121] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/data/users/rakeshs/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /data/users/rakeshs/.ssh/id_rsa type 1
debug1: identity file /data/users/rakeshs/.ssh/id_rsa-cert type -1
debug3: Incorrect RSA1 identifier
debug3: Could not load "/data/users/rakeshs/.ssh/id_dsa" as a RSA1 public key
debug1: identity file /data/users/rakeshs/.ssh/id_dsa type 2
debug1: identity file /data/users/rakeshs/.ssh/id_dsa-cert type -1
debug1: identity file /data/users/rakeshs/.ssh/id_ecdsa type -1
debug1: identity file /data/users/rakeshs/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p1-1
debug1: match: OpenSSH_3.6.1p1-1 pat OpenSSH_3.*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "hipfasdv" from file "/data/users/rakeshs/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /data/users/rakeshs/.ssh/known_hosts:70
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "hipfasdv" from file "/data/users/rakeshs/.ssh/known_hosts2"
debug3: load_hostkeys: loaded 0 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 123/256
debug2: bits set: 512/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 8b:08:3e:ba:0b:e0:6f:cc:ef:a0:24:8e:cc:e9:d8:83
debug3: load_hostkeys: loading entries for host "hipfasdv" from file "/data/users/rakeshs/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /data/users/rakeshs/.ssh/known_hosts:70
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "hipfasdv" from file "/data/users/rakeshs/.ssh/known_hosts2"
debug3: load_hostkeys: loaded 0 keys
debug3: load_hostkeys: loading entries for host "10.147.1.121" from file "/data/users/rakeshs/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /data/users/rakeshs/.ssh/known_hosts:169
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "10.147.1.121" from file "/data/users/rakeshs/.ssh/known_hosts2"
debug3: load_hostkeys: loaded 0 keys
debug1: Host 'hipfasdv' is known and matches the RSA host key.
debug1: Found key in /data/users/rakeshs/.ssh/known_hosts:70
debug2: bits set: 482/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /data/users/rakeshs/.ssh/id_rsa (0x835f1f0)
debug2: key: /data/users/rakeshs/.ssh/id_dsa (0x83607f8)
debug2: key: /data/users/rakeshs/.ssh/id_ecdsa ((nil))
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /data/users/rakeshs/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Offering DSA public key: /data/users/rakeshs/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 434
debug2: input_userauth_pk_ok: fp 48:9a:28:01:11:e2:80:6d:d3:33:8e:a4:48:af:c3:aa
debug3: sign_and_send_pubkey: DSA 48:9a:28:01:11:e2:80:6d:d3:33:8e:a4:48:af:c3:aa
debug1: read PEM private key done: type DSA
Segmentation fault

Steps to reproduce: Run ssh from the client to a user on a server that has authorized keys setup.
I have tested 3 AIX hosts and 2 Solaris hosts with key exchange enabled and disabled.
All 4 crashed.
AIX 5.3 Packages :
$ lslpp -L | grep -i opens
openssh 3.6.1.1 C F OpenSSH 3.6.1p1-1 Portable for
openssh.base.server 3.8.0.2 ? F Open Secure Shell Server
openssh.license 3.8.0.2 C F Open Secure Shell License
openssl 0.9.6g-3 C R Secure Sockets Layer and
openssl-devel 0.9.6g-3 C R Secure Sockets Layer and
openssl-doc 0.9.6g-3 C R OpenSSL miscellaneous files
I have connected to another Arch Linux machine and 2 OpenSuse servers without a problem.
The other Arch machine has not been updated in a while and is running openssh 5.9p1-5, so I am using this to connect to our UNIX servers.
Please make sure your system is entirely up-to-date, see if the issue goes away when you rebuild openssh from source, and otherwise consider filing a bug report upstream.
I can confirm that the problem occurs only on the AIX servers running OpenSSH 3.6 with OpenSSL 0.9.6 (which unfortunately is the default on AIX 5.3).
I tested on another AIX 5.3 server where I installed a different version of OpenSSH (4.3), and it connects fine.
Connecting to AIX 6.1 running OpenSSH 5.2 and OpenSSL 0.9.8 connects fine as well.
So the new OpenSSH only has a problem with these very old server packages.
This issue can be closed as it is not Arch related, but rather the new OpenSSH that breaks compatibility with the old SSH packages.
Thanks
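
Added example (not part of the original report and not OpenSSH code): a Python helper that summarises an `ssh -vvv` transcript like the one in this report, so the peer version, negotiated algorithms and the last step logged before the crash can be compared across hosts. The function names are chosen for this example, and the sample is an excerpt of the debug output quoted above.

```python
import re
import signal

# Excerpt of the client debug output quoted in this report.
SAMPLE = """\
OpenSSH_5.9p1, OpenSSL 1.0.1 14 Mar 2012
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p1-1
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: Server accepts key: pkalg ssh-dss blen 434
debug3: sign_and_send_pubkey: DSA 48:9a:28:01:11:e2:80:6d:d3:33:8e:a4:48:af:c3:aa
debug1: read PEM private key done: type DSA
Segmentation fault
"""

def decode_exit(status):
    """Name the signal behind a shell exit status of 128 + N, else None."""
    try:
        return signal.Signals(status - 128).name if status > 128 else None
    except ValueError:
        return None

def openssh_version(banner):
    """Return (major, minor) from a banner such as 'OpenSSH_3.6.1p1-1'."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def triage(log):
    """Summarise an `ssh -vvv` transcript: versions, algorithms, last step."""
    out = dict(local=None, remote=None, cipher=None, mac=None,
               pkalg=None, last_step=None, crashed=False)
    for line in map(str.strip, log.splitlines()):
        if m := re.match(r"(OpenSSH_\S+), (OpenSSL \S+)", line):
            out["local"] = m.groups()
        elif m := re.search(r"remote software version (\S+)", line):
            out["remote"] = m.group(1)
        elif m := re.match(r"debug1: kex: server->client (\S+) (\S+)", line):
            out["cipher"], out["mac"] = m.groups()
        elif m := re.match(r"debug1: Server accepts key: pkalg (\S+)", line):
            out["pkalg"] = m.group(1)
        if line.startswith("debug"):
            # Remember the most recent debug message; after a crash this is
            # the last step the client logged before it died.
            out["last_step"] = line.partition(": ")[2]
        elif "Segmentation fault" in line:
            out["crashed"] = True
    return out

if __name__ == "__main__":
    report = triage(SAMPLE)
    print(report, openssh_version(report["remote"]), decode_exit(139))
```

Running `triage` over transcripts from a working and a failing host and comparing the two summaries shows at a glance which peer version and key algorithm the crash is tied to.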