Debian Bug report logs - #164797
ssh: UsePrivilegeSeparation stops autolog from logging out users

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Joergen Haegg <jorgen.hagg@axis.com>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: ssh: UsePrivilegeSeparation stops autolog from logging out users

Date: Tue, 15 Oct 2002 08:46:09 +0200

Package: ssh
Version: 1:3.4p1-2
Severity: important
Tags: security

Autolog sends a SIGHUP to the first sshd-process for a terminal, owned by root,
this does not propagate down thru all the processes for that
terminal, the result is that autolog cannot log out people.

Also, after HUP 'w' and 'who' output differs, 'w' does not
report outlogged people. And that may create other security problems,
since there are now 'hidden' users logged in.


Output from 'w':
08:41:58 up 22:58,  7 users,  load average: 0.00, 0.01, 0.03
USER	TTY      FROM          LOGIN@   IDLE   JCPU   PCPU  WHAT
usera	pts/0    hosta		08:02    0.00s  0.12s  0.01s  w 
userb	pts/1    hostb		07:11    1:28m  0.09s  0.07s /bin/zsh 
userc	pts/4    hostc		07:53   14:30   0.08s  0.07s /bin/zsh 
userd	pts/5    hostd		07:57   40:53   0.06s  0.04s /bin/zsh 

Output from 'who':
usera	pts/0        Oct 15 08:02 (hosta)
userb	pts/1        Oct 15 07:11 (hostb)
usera	pts/3        Oct 15 07:49 (hosta)
userc	pts/4        Oct 15 07:53 (hostc)
userd	pts/5        Oct 15 07:57 (hostd)
usera	pts/7        Oct 14 14:13 (hosta)
usera	pts/8        Oct 14 14:18 (hosta)


-- System Information
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux zev 2.4.18-zev #1 Fri Apr 12 09:12:23 CEST 2002 i686
Locale: LANG=C, LC_CTYPE=en_US

Versions of packages ssh depends on:
ii  adduser                     3.47         Add and remove users and groups
ii  debconf                     1.1.27       Debian configuration management sy
ii  libc6                       2.2.5-14     GNU C Library: Shared libraries an
ii  libpam-modules              0.72-35      Pluggable Authentication Modules f
ii  libpam0g                    0.72-35      Pluggable Authentication Modules l
ii  libssl0.9.6                 0.9.6g-2     SSL shared libraries
ii  libwrap0                    7.6-ipv6.1-2 Wietse Venema's TCP wrappers libra
ii  zlib1g                      1:1.1.4-3    compression library - runtime

Message #12 received at 164797@bugs.debian.org (full text, mbox, reply):

From: Donovan Baarda <abo@minkirri.apana.org.au>

To: Debian Bug Tracking System <164797@bugs.debian.org>

Subject: ssh: More analysis and implications of this 'bug'.

Date: Mon, 03 Mar 2003 23:31:50 +1100

Package: ssh
Version: 1:3.4p1-4
Followup-For: Bug #164797

I hit this problem on another "autolog" type program that I wrote called
pyttymon (see freshmeat). Thought I'd contribute some more info on this.

autolog (and pyttymon) get the pid of the process using the tty from utmp.
In the case of ssh, this pid is the pid of the "first" sshd process. 

After the "first" sshd process is killed, it leaves the child sshd and its
subprocesses running, and does not clean up utmp. This leaves a utmp entry
behind with the pid of a now-dead process.

At this point the user is still logged in with processes running on that
tty. A 'who' still shows the user as logged in (it just reads utmp), but 'w'
doesn't show the user (I suspect it checks the utmp pid's to only show utmp
entries with the process still running).

After the user logs out, the "second" ssh process exits and there are no
processes running on that tty. However, the "second" sshd process doesn't
clean up utmp either, leaving a utmp entry for a session that is long gone. 

I suspect the "first" sshd is the "privileged" process that is responsible
for utmp entry creation and removal. The "second" sshd is the
"privilege-separated" one that handles the session. The "privileged" sshd
process is simply terminating on a -HUP. It should probably have signal
handlers that capture and propogate the signals, cleaning up utmp and
terminating only when the "privilege-separated" sshd instance terminates.

Disclaimer... I have not looked at the code. I have not even straced
anything. I could be totally wrong, but thought I'd toss in my analysis
anyway. Please forward upstream as necissary.

-- System Information
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux minkirri 2.4.20-686 #1 Mon Jan 13 22:22:30 EST 2003 i686
Locale: LANG=en_AU, LC_CTYPE=en_AU

Versions of packages ssh depends on:
ii  adduser                     3.49         Add and remove users and groups
ii  debconf                     1.2.21       Debian configuration management sy
ii  libc6                       2.3.1-3      GNU C Library: Shared libraries an
ii  libpam-modules              0.76-7       Pluggable Authentication Modules f
ii  libpam0g                    0.76-7       Pluggable Authentication Modules l
ii  libssl0.9.6                 0.9.6g-6     SSL shared libraries
ii  libwrap0                    7.6-ipv6.1-3 Wietse Venema's TCP wrappers libra
ii  zlib1g                      1:1.1.4-6    compression library - runtime

Message #17 received at 164797@bugs.debian.org (full text, mbox, reply):

From: Darren Tucker <dtucker@zip.com.au>

To: Joergen Haegg <jorgen.hagg@axis.com>

Cc: 164797@bugs.debian.org

Subject: Debian bug #164797: forwarded upstream

Date: Mon, 12 May 2003 21:55:49 +1000

Hi,
	I'm helping out with some outstanding Debian OpenSSH bugs.

	I have opened an OpenSSH bugzilla bug [1] upstream for this.  I also have
a patch [2] that fixes it for me.  I'm not sure what upstream will make of
this.

		-Daz.

[1] http://bugzilla.mindrot.org/show_bug.cgi?id=560
[2] http://bugzilla.mindrot.org/attachment.cgi?id=290&action=view

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Message #22 received at 164797@bugs.debian.org (full text, mbox, reply):

From: Darren Tucker <dtucker@zip.com.au>

To: Joergen Haegg <jorgen.hagg@axis.com>

Cc: 164797@bugs.debian.org

Subject: Debian bug #164797: now fixed upstream

Date: Wed, 14 May 2003 20:40:10 +1000

Hi.
	The Debian OpenSSH bug you reported ("UsePrivilegeSeparation stops
autolog from logging out users") has been fixed in the upstream (and in
OpenBSD too, apparently).

		-Daz.

From OpenSSH portable CVS:
$ cvs log monitor.c
[snip]
revision 1.46
date: 2003/05/14 09:31:12;  author: djm;  state: Exp;  lines: +18 -1
   - markus@cvs.openbsd.org 2003/05/14 08:57:49
     [monitor.c]
     http://bugzilla.mindrot.org/show_bug.cgi?id=560
     Privsep child continues to run after monitor killed.
     Pass monitor signals through to child; Darren Tucker

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Message #29 received at 164797-close@bugs.debian.org (full text, mbox, reply):

From: Colin Watson <cjwatson@debian.org>

To: 164797-close@bugs.debian.org

Subject: Bug#164797: fixed in openssh 1:3.6.1p2-4

Date: Sun, 27 Jul 2003 13:02:28 -0400

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh_3.6.1p2-4.diff.gz
  to pool/main/o/openssh/openssh_3.6.1p2-4.diff.gz
openssh_3.6.1p2-4.dsc
  to pool/main/o/openssh/openssh_3.6.1p2-4.dsc
ssh-askpass-gnome_3.6.1p2-4_i386.deb
  to pool/main/o/openssh/ssh-askpass-gnome_3.6.1p2-4_i386.deb
ssh_3.6.1p2-4_i386.deb
  to pool/main/o/openssh/ssh_3.6.1p2-4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 164797@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 27 Jul 2003 17:31:15 +0100
Source: openssh
Binary: ssh-askpass-gnome ssh
Architecture: source i386
Version: 1:3.6.1p2-4
Distribution: unstable
Urgency: low
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 ssh        - Secure rlogin/rsh/rcp replacement (OpenSSH)
 ssh-askpass-gnome - under X, asks user for a passphrase for ssh-add
Closes: 164797 197040 198456 201150
Changes: 
 openssh (1:3.6.1p2-4) unstable; urgency=low
 .
   * getent can get just one key; no need to use grep (thanks, James Troup).
   * Move /usr/local/bin to the front of the default path, following
     /etc/login.defs (closes: #201150).
   * Remove specifics of problematic countries from package description
     (closes: #197040).
   * Update Spanish debconf template translation (thanks, Carlos Valdivia
     Yagüe; closes: #198456).
   * Backport upstream patch to pass monitor signals through to child
     (closes: #164797).
Files: 
 ccd555ecd77cdb2434a53d84f1f496f7 847 net standard openssh_3.6.1p2-4.dsc
 fcb2da18569f4582010eb210a85874cc 82112 net standard openssh_3.6.1p2-4.diff.gz
 972a12794fbd22da5d4a6484adc7f79b 628914 net standard ssh_3.6.1p2-4_i386.deb
 8c3b7a1c153b41d9cfc650ad9318bae2 42064 gnome optional ssh-askpass-gnome_3.6.1p2-4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer

iD4DBQE/JAMI9t0zAhD6TNERAvd6AJYm7iYvYsiytrOVvLy5D1jwdFmkAJ9+SGwD
dinw9IzUXGvsiPekrVmFXA==
=CLqk
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.