I connect to my OpenSSH 3.8.1p1 server and when the password dialog
shoes up I wait a min or so, long enough for the "Timeout before
authentication for %s" alarm to trigger. If at that point I enter my
password ssh will just sit there:

debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 18 padlen 14 extra_pad 64)

And the sshd will be in this state:

Attaching to program: `/private/tmp/OpenSSH.roots/OpenSSH~obj/sshd',
process 26589.
Reading symbols for shared libraries ...................... done
0x9002cf88 in semaphore_wait_trap ()
(gdb) bt
#0 0x9002cf88 in semaphore_wait_trap ()
#1 0x9006153c in pthread_join ()
#2 0x00028a50 in sshpam_thread_cleanup () at
/tmp/OpenSSH.roots/OpenSSH/openssh/auth-pam.c:417
#3 0x00017110 in do_cleanup (authctxt=0x4034e0) at
/tmp/OpenSSH.roots/OpenSSH/openssh/session.c:2273
#4 0x00007044 in cleanup_exit (i=255) at
/tmp/OpenSSH.roots/OpenSSH/openssh/sshd.c:1923
#5 0x00035bb0 in fatal (fmt=0x547d0 "Timeout before authentication for
%s") at /tmp/OpenSSH.roots/OpenSSH/openssh/fatal.c:40
#6 0x00002d40 in grace_alarm_handler (sig=14) at
/tmp/OpenSSH.roots/OpenSSH/openssh/sshd.c:320
#7
#8 0x90013bc8 in read ()
#9 0x0002b5ec in atomicio (f=0x90013bc0 , fd=6, _s=0xbfffef60,
n=4) at /tmp/OpenSSH.roots/OpenSSH/openssh/atomicio.c:45
#10 0x00020744 in mm_request_receive (socket=6, m=0xbfffefc0) at
/tmp/OpenSSH.roots/OpenSSH/openssh/monitor_wrap.c:110
#11 0x0001c290 in monitor_read (pmonitor=0x403540, ent=0x633c4,
pent=0xbffff030) at /tmp/OpenSSH.roots/OpenSSH/openssh/monitor.c:446
#12 0x0001bda8 in monitor_child_preauth (_authctxt=0x4034e0,
pmonitor=0x403540) at /tmp/OpenSSH.roots/OpenSSH/openssh/monitor.c:343
#13 0x000039dc in privsep_preauth (authctxt=0x4034e0) at
/tmp/OpenSSH.roots/OpenSSH/openssh/sshd.c:607
#14 0x000061c0 in main (ac=3, av=0x400f10) at
/tmp/OpenSSH.roots/OpenSSH/openssh/sshd.c:1544
(gdb) info threads
2 process 26589 thread 0x1103 0x90013bcc in read ()
* 1 process 26589 thread 0x203 0x9002cf88 in semaphore_wait_trap ()
(gdb) thread 2
[Switching to thread 2 (process 26589 thread 0x1103)]
#0 0x90013bcc in read ()
(gdb) bt
#0 0x90013bcc in read ()
#1 0x0002b5ec in atomicio (f=0x90013bc0 , fd=8, _s=0xf0080ac0,
n=4) at /tmp/OpenSSH.roots/OpenSSH/openssh/atomicio.c:45
#2 0x000491fc in ssh_msg_recv (fd=8, m=0xf0080b20) at
/tmp/OpenSSH.roots/OpenSSH/openssh/msg.c:63
#3 0x00028514 in sshpam_thread_conv (n=1, msg=0xf0080bb4,
resp=0xf0080bb8, data=0x403830) at
/tmp/OpenSSH.roots/OpenSSH/openssh/auth-pam.c:272
#4 0x96798918 in _pam_system_log ()
#5 0x967989f4 in pam_get_pass ()
#6 0x0018a930 in pam_sm_authenticate ()
#7 0x967961c4 in pam_fail_delay ()
#8 0x96796514 in _pam_dispatch ()
#9 0x96797c40 in pam_authenticate ()
#10 0x00028880 in sshpam_thread (ctxtp=0x403830) at
/tmp/OpenSSH.roots/OpenSSH/openssh/auth-pam.c:354
#11 0x9002c7f4 in _pthread_body ()

Thread two will just sit there in read while thread one waits for
thread two to exit.
If i attempt this with privilege separation turned on the lowered
privilege process will exit and become a zombie, as the original
process never exits.

Shouldn't the sshpam/read thread have an alarm set so if the
authentication times out it will exit cleanly?

-Nick

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://www.mindrot.org/mailman/listi...enssh-unix-dev