[Bug 208668] [NEW] sshd core dumps while trying to connect with a password

bnsmb Bernd.Schemmer at gmx.de
Sat Mar 29 08:24:52 GMT 2008 

Public bug reported:

Binary package hint: openssh-server

Running

Linux tp61p 2.6.22-14-generic #1 SMP Tue Feb 12 02:46:46 UTC 2008 x86_64
GNU/Linux

on a Thinkpad T61p; the finger print reader is configured and works.

Connecting to Ubuntu via ssh with password  fails ; connecting via ssh
with public key works.

In most cases the sshd silently dies; but in some cases it prints some
output before dieing if executed with the -d parameter. Examples:

# first example

xtrnaw7 at tp61p:~$ sudo /usr/sbin/sshd -p 1234 -d
Password or swipe finger: 
debug1: sshd version OpenSSH_4.6p1 Debian-5ubuntu0.1
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-p'
debug1: rexec_argv[2]='1234'
debug1: rexec_argv[3]='-d'
debug1: Bind to port 1234 on 0.0.0.0.
Server listening on 0.0.0.0 port 1234.
socket: Address family not supported by protocol


debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug1: inetd sockets after dupping: 3, 3
Connection from 192.168.1.164 port 50182
debug1: Client protocol version 2.0; client software version Sun_SSH_1.2
debug1: no match: Sun_SSH_1.2
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.6p1 Debian-5ubuntu0.1
debug1: permanently_set_uid: 109/65534
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user xtrnaw7 service ssh-connection method none
debug1: attempt 0 failures 0
debug1: PAM: initializing for "xtrnaw7"
debug1: PAM: setting PAM_RHOST to "pb001"
debug1: PAM: setting PAM_TTY to "ssh"
Failed none for xtrnaw7 from 192.168.1.164 port 50182 ssh2
debug1: userauth-request for user xtrnaw7 service ssh-connection method password
debug1: attempt 1 failures 1
debug1: do_cleanup
Segmentation fault (core dumped)

# second example:

xtrnaw7 at tp61p:~$ 
xtrnaw7 at tp61p:~$ sudo /usr/sbin/sshd -p 1234 -d
debug1: sshd version OpenSSH_4.6p1 Debian-5ubuntu0.1
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-p'
debug1: rexec_argv[2]='1234'
debug1: rexec_argv[3]='-d'
debug1: Bind to port 1234 on 0.0.0.0.
Server listening on 0.0.0.0 port 1234.
socket: Address family not supported by protocol
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug1: inetd sockets after dupping: 3, 3
Connection from 192.168.1.164 port 46810
debug1: Client protocol version 2.0; client software version Sun_SSH_1.2
debug1: no match: Sun_SSH_1.2
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.6p1 Debian-5ubuntu0.1
debug1: permanently_set_uid: 109/65534
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user xtrnaw7 service ssh-connection method none
debug1: attempt 0 failures 0
debug1: PAM: initializing for "xtrnaw7"
debug1: PAM: setting PAM_RHOST to "pb001"
debug1: PAM: setting PAM_TTY to "ssh"
Failed none for xtrnaw7 from 192.168.1.164 port 46810 ssh2
debug1: userauth-request for user xtrnaw7 service ssh-connection method password
debug1: attempt 1 failures 1
Error: Bad address.
*** glibc detected *** sshd: xtrnaw7 [priv]: malloc(): memory corruption (fast): 0x00005555557cf8b0 ***
======= Backtrace: =========
/lib/libc.so.6[0x2b3f43940ecf]
/lib/libc.so.6(__libc_malloc+0x93)[0x2b3f43941e23]
/lib/libc.so.6(__nss_lookup_function+0xc0)[0x2b3f439b1d60]
/lib/libc.so.6[0x2b3f439b1ff5]
/lib/libc.so.6(getspnam_r+0x158)[0x2b3f439a68d8]
/lib/libpam.so.0(pam_modutil_getspnam+0x7a)[0x2b3f41bc624a]
/lib/security/pam_unix.so[0x2b3f452e6e57]
/lib/security/pam_unix.so(pam_sm_authenticate+0x243)[0x2b3f452e3873]
/lib/libpam.so.0[0x2b3f41bc1bd1]
/lib/libpam.so.0(pam_authenticate+0x43)[0x2b3f41bc1513]
sshd: xtrnaw7 [priv][0x55555557c23e]
sshd: xtrnaw7 [priv][0x555555562ffb]
sshd: xtrnaw7 [priv][0x555555574c40]
sshd: xtrnaw7 [priv][0x555555575276]
sshd: xtrnaw7 [priv][0x5555555754f7]
sshd: xtrnaw7 [priv][0x55555555ff20]
sshd: xtrnaw7 [priv](main+0x262d)[0x5555555626fd]
/lib/libc.so.6(__libc_start_main+0xf4)[0x2b3f438ebb44]
sshd: xtrnaw7 [priv][0x55555555efc9]
======= Memory map: ========
40000000-40001000 ---p 40000000 00:00 0 
40001000-40801000 rw-p 40001000 00:00 0 
40801000-40802000 ---p 40801000 00:00 0 
40802000-41002000 rw-p 40802000 00:00 0 
2aaaaaac0000-2aaaaaacd000 r-xp 00000000 08:03 754875                     /lib/libgcc_s.so.1
2aaaaaacd000-2aaaaaccd000 ---p 0000d000 08:03 754875                     /lib/libgcc_s.so.1
2aaaaaccd000-2aaaaacce000 rw-p 0000d000 08:03 754875                     /lib/libgcc_s.so.1
2b3f41798000-2b3f417b5000 r-xp 00000000 08:03 754890                     /lib/ld-2.6.1.so
2b3f417b5000-2b3f417b8000 rw-p 2b3f417b5000 00:00 0 
2b3f417b8000-2b3f417c8000 rw-s 00000000 00:09 52678                      /dev/zero (deleted)
2b3f417c8000-2b3f41908000 rw-s 00000000 00:09 52679                      /dev/zero (deleted)
2b3f419b4000-2b3f419b6000 rw-p 0001c000 08:03 754890                     /lib/ld-2.6.1.so
2b3f419b6000-2b3f419be000 r-xp 00000000 08:03 754894                     /lib/libwrap.so.0.7.6
2b3f419be000-2b3f41bbd000 ---p 00008000 08:03 754894                     /lib/libwrap.so.0.7.6
2b3f41bbd000-2b3f41bbf000 rw-p 00007000 08:03 754894                     /lib/libwrap.so.0.7.6
2b3f41bbf000-2b3f41bc9000 r-xp 00000000 08:03 752270                     /lib/libpam.so.0.81.6
2b3f41bc9000-2b3f41dc9000 ---p 0000a000 08:03 752270                     /lib/libpam.so.0.81.6
2b3f41dc9000-2b3f41dca000 rw-p 0000a000 08:03 752270                     /lib/libpam.so.0.81.6
2b3f41dca000-2b3f41dcc000 r-xp 00000000 08:03 754878                     /lib/libdl-2.6.1.so
2b3f41dcc000-2b3f41fcc000 ---p 00002000 08:03 754878                     /lib/libdl-2.6.1.so
2b3f41fcc000-2b3f41fce000 rw-p 00002000 08:03 754878                     /lib/libdl-2.6.1.so
2b3f41fce000-2b3f41fe5000 r-xp 00000000 08:03 752267                     /lib/libselinux.so.1
2b3f41fe5000-2b3f421e4000 ---p 00017000 08:03 752267                     /lib/libselinux.so.1
2b3f421e4000-2b3f421e6000 rw-p 00016000 08:03 752267                     /lib/libselinux.so.1
2b3f421e6000-2b3f421e8000 rw-p 2b3f421e6000 00:00 0 
2b3f421e8000-2b3f42343000 r-xp 00000000 08:03 1560061                    /usr/lib/libcrypto.so.0.9.8
2b3f42343000-2b3f42543000 ---p 0015b000 08:03 1560061                    /usr/lib/libcrypto.so.0.9.8
2b3f42543000-2b3f42566000 rw-p 0015b000 08:03 1560061                    /usr/lib/libcrypto.so.0.9.8
2b3f42566000-2b3f42569000 rw-p 2b3f42566000 00:00 0 
2b3f42569000-2b3f4256b000 r-xp 00000000 08:03 754924                     /lib/libutil-2.6.1.so
2b3f4256b000-2b3f4276a000 ---p 00002000 08:03 754924                     /lib/libutil-2.6.1.so
2b3f4276a000-2b3f4276c000 rw-p 00001000 08:03 754924                     /lib/libutil-2.6.1.so
2b3f4276c000-2b3f42782000 r-xp 00000000 08:03 1558534                    /usr/lib/libz.so.1.2.3.3
2b3f42782000-2b3f42982000 ---p 00016000 08:03 1558534                    /usr/lib/libz.so.1.2.3.3
2b3f42982000-2b3f42983000 rw-p 00016000 08:03 1558534                    /usr/lib/libz.so.1.2.3.3
2b3f42983000-2b3f42984000 rw-p 2b3f42983000 00:00 0 
2b3f42984000-2b3f4299adebug1: do_cleanup
Aborted (core dumped)
xtrnaw7 at tp61p:~$ 


xtrnaw7 at tp61p:/data/source$ grep -v "^#"  /etc/ssh/sshd_config  | grep -v "^$"
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes


xtrnaw7 at tp61p:/data/source$ grep -v "^#"  /etc/pam.d/ssh  | grep -v "^$"
auth       required     pam_env.so # [1]
auth       required     pam_env.so envfile=/etc/default/locale
@include common-auth
account    required     pam_nologin.so
@include common-account
@include common-session
session    optional     pam_motd.so # [1]
session    optional     pam_mail.so standard noenv # [1]
session    required     pam_limits.so
@include common-password

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New

-- 
sshd core dumps while trying to connect with a password
https://bugs.launchpad.net/bugs/208668
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in ubuntu.

More information about the Ubuntu-server-bugs mailing list