I am using OpenSSH 3.8.1p1 on Solaris 2.8 compiled with gcc 3.2.3. I have
nsswitch configured to use files and PADL's ldap module.
When I use nss_ldap without SSL I can log in without problem, but with SSL
enabled sshd crashes. I tried first OpenSSL 0.9.6m, which crashes in err_cmp
(line 637):


635 static int err_cmp(ERR_STRING_DATA *a, ERR_STRING_DATA *b)
636     {
637     return((int)(a->error-b->error));
638     }
639


#0 err_cmp (a=0xfee7adbc, b=0xfeb7adbc) at err.c:637
#1 0x950d8 in getrn (lh=0x134120, data=0xfeb7adbc, rhash=0x135350) at lhash.c:418
#2 0x94d40 in lh_insert (lh=0x134120, data=0xfeb7adbc) at lhash.c:189
#3 0x69e14 in ERR_load_strings (lib=218103808, str=0xfeb7adbc) at err.c:332
#4 0xfeb19de0 in ?? ()
#5 0xfeaf3d14 in ?? ()
#6 0xfef8422c in ?? ()
#7 0xff044e30 in ?? ()
#8 0xff046904 in ?? ()
#9 0xff028df4 in ?? ()
#10 0xff039020 in ?? ()
#11 0xff02896c in ?? ()
#12 0xff038bf0 in ?? ()
#13 0xff02eda0 in ?? ()
#14 0xff02f67c in ?? ()
#15 0xff072c90 in ?? ()
#16 0xff07292c in ?? ()
#17 0xff073ad0 in ?? ()
#18 0xff073f18 in ?? ()
#19 0xff076a60 in ?? ()
#20 0xff1498c4 in nss_search () from /usr/lib/libc.so.1
#21 0xff1994b0 in getspnam_r () from /usr/lib/libc.so.1
#22 0xfec737f0 in verify_local_name () from /lib/security/pam_krb5.so.1
#23 0xfec72734 in pam_sm_authenticate () from /lib/security/pam_krb5.so.1
#24 0xfed612a8 in pam_call_module (pamh=0x1246e8, library=0x121a68 "/lib/security/pam_krb5.so.1", function=0xfed61b70 "pam_sm_authenticate", flags=0, argc=1, argv=0xffbec9a0) at pam_local.c:198
#25 0xfed611b0 in pam_choose_module (f=0xfed61b70 "pam_sm_authenticate", pamh=0x1246e8, flags=0, argc=-10240, argv=0x11ff18) at pam_local.c:109
#26 0xfed612e0 in pam_sm_authenticate (pamh=0x121a68, flags=-4269664, argc=-10240, argv=0x11ff18) at pam_local.c:223
#27 0xff373098 in run_stack () from /usr/lib/libpam.so.1
#28 0xff373320 in pam_authenticate () from /usr/lib/libpam.so.1
#29 0x3f654 in sshpam_thread (ctxtp=0x124400) at auth-pam.c:353
#30 0x3f150 in pthread_create (thread=0x124400, attr=0x0, thread_start=0x3f5a0 , arg=0x124400) at auth-pam.c:127
#31 0x3fbf8 in sshpam_init_ctx (authctxt=0x122f50) at auth-pam.c:534
#32 0x36908 in auth2_challenge_start (authctxt=0x122f50) at auth2-chall.c:199
#33 0x36868 in auth2_challenge (authctxt=0x122f50, devs=0x150d90 "") at auth2-chall.c:168
#34 0x373d4 in userauth_kbdint (authctxt=0x122f50) at auth2-kbdint.c:50
#35 0x320b4 in input_userauth_request (type=50, seq=7, ctxt=0x122f50) at auth2.c:195
#36 0x5119c in dispatch_run (mode=0, done=0x122f50, ctxt=0x122f50) at dispatch.c:93
#37 0x31cf0 in do_authentication2 (authctxt=0x122f50) at auth2.c:94
#38 0x2ac3c in main (ac=7, av=0x26) at sshd.c:1481


When I use OpenSSL 0.9.8b sshd crashes in obj_name_cmp (line 101):


87 static int obj_name_cmp(OBJ_NAME *a, OBJ_NAME *b)
88     {
89     int ret;
90
91     ret=a->type-b->type;
92     if (ret == 0)
93         {
94         if ((name_funcs_stack != NULL)
95             && (sk_NAME_FUNCS_num(name_funcs_stack) > a->type))
96             {
97             ret=sk_NAME_FUNCS_value(name_funcs_stack,a->type)
98                 ->cmp_func(a->name,b->name);
99             }
100        else
101            ret=strcmp(a->name,b->name);
102        }
103    return(ret);
104    }


#0 0xff132d58 in strcmp () from /usr/lib/libc.so.1
#1 0x96660 in obj_name_cmp (a=0x121788, b=0x142290) at o_names.c:101
#2 0x950d8 in getrn (lh=0x120c50, data=0x142290, rhash=0x142278) at lhash.c:418
#3 0x94d40 in lh_insert (lh=0x120c50, data=0x142290) at lhash.c:189
#4 0x96208 in OBJ_NAME_add (name=0x0, type=2, data=0xfee7163c "") at o_names.c:175
#5 0x6d978 in EVP_add_cipher (c=0xfee7163c) at names.c:71
#6 0xfeeb4f70 in SSL_library_init () from /opt/DBssllib/lib/libssl.so.0.9.8
#7 0xff04478c in ldap_pvt_tls_init () at tls.c:169
#8 0xff046298 in ldap_int_tls_start (ld=0x12cb00, conn=0x12cb90, srv=0x12dbe8) at tls.c:1332
#9 0xff02906c in ldap_int_open_connection (ld=0x12cb00, conn=0x12cb90, srv=0x12cbf0, async=0) at open.c:365
#10 0xff038a3c in ldap_new_connection (ld=0x12cb00, srvlist=0x12cbf0, use_ldsb=1, connect=1231856, bind=0x0) at request.c:315
#11 0xff028af0 in ldap_open_defconn (ld=0x12cb00) at open.c:30
#12 0xff0385c0 in ldap_send_initial_request (ld=0x12cb00, msgtype=96, dn=0xff08c1a3 "uid=unixclient,dc=group,dc=com", ber=0x12cc20) at request.c:98
#13 0xff02ef60 in ldap_sasl_bind (ld=0x12cb00, dn=0xff08c1a3 "uid=unixclient,dc=group,dc=com", mechanism=0x0, cred=0xffbebe58, sctrls=0x0, cctrls=0x12cc20, msgidp=0xffbebe54) at sasl.c:148
#14 0xff02f720 in ldap_simple_bind (ld=0x12cb00, dn=0xff08c1a3 "uid=unixclient,dc=group,dc=com", passwd=0xff08c1f8 "dummy") at sbind.c:81
#15 0xff072c90 in do_bind (ld=0x12cb00, timelimit=5, dn=0xff08c1a3 "uid=unixclient,dc=group,dc=com", pw=0xff08c1f8 "dummy", with_sasl=0) at ldap-nss.c:1420
#16 0xff07292c in do_open () at ldap-nss.c:1277
#17 0xff073ad0 in _nss_ldap_search_s (args=0xffbec860, filterprot=0xff08e798 "(&(objectclass=posixGroup)(memberUid=%s))", sel=LM_GROUP, sizelimit=0, res=0xffbec85c) at ldap-ns.c:2285
#18 0xff074f68 in _nss_ldap_getgroupsbymember_r (be=0x12db88, args=0xffbecd5c) at ldap-grp.c:305
#19 0xff1498c4 in nss_search () from /usr/lib/libc.so.1
#20 0xff1986a0 in _getgroupsbymember () from /usr/lib/libc.so.1
#21 0xff140f08 in initgroups () from /usr/lib/libc.so.1
#22 0x30314 in temporarily_use_uid (pw=0x12b320) at uidswap.c:88
#23 0x37b54 in user_key_allowed2 (pw=0x12b320, key=0x12db70, file=0x12f280 "/home/moelma/.ssh/authorized_keys2") at auth2-pubkey.c:179
#24 0x37eb0 in user_key_allowed (pw=0x12b320, key=0x12db70) at auth2-pubkey.c:264
#25 0x37aa4 in userauth_pubkey (authctxt=0x123408) at auth2-pubkey.c:142
#26 0x320b4 in input_userauth_request (type=50, seq=6, ctxt=0x123408) at auth2.c:195
#27 0x5119c in dispatch_run (mode=0, done=0x123408, ctxt=0x123408) at dispatch.c:93
#28 0x31cf0 in do_authentication2 (authctxt=0x123408) at auth2.c:94
#29 0x2ac3c in main (ac=11, av=0x2a) at sshd.c:1481


In both cases a->error and a->name, respectively, are NULL. Is there a fix for
this?


BTW, it has also been reported on Red Hat,
https://bugzilla.redhat.com/bugzilla....cgi?id=121734, for pam_ldap.

Thanks
Markus
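A reading of the two traces above, added here as an editor's note and not part of Markus's post: in the second trace frames #1 to #5 (obj_name_cmp, getrn, lh_insert, OBJ_NAME_add, EVP_add_cipher) sit at low addresses with source locations, i.e. inside the sshd binary itself, while their caller in frame #6, SSL_library_init, lives in /opt/DBssllib/lib/libssl.so.0.9.8. The first trace has the same shape: ERR_load_strings at 0x69e14 is called from an unresolved frame at 0xfeb19de0. A shared libssl pulled in by nss_ldap's TLS code calling into a different copy of libcrypto that is linked into the executable is the pattern worth checking for when sshd only dies once nss_ldap turns SSL on, because the two copies do not share one OBJ_NAME or error-string hash table and need not agree on struct layouts (hence name=0x0 reaching obj_name_cmp). The script below is an added example, not code from the post, OpenSSH or OpenSSL: it parses gdb frames in the form shown above and flags a shared-object frame whose callee is OpenSSL code inside the executable. The split between executable and shared-object addresses (EXEC_LIMIT) is an assumption taken from the 32-bit SPARC layout visible in the trace; the sample frames are copied from the second trace, keeping two frames wrapped across a line break the way the mail was.

```python
"""Flag backtrace frames where a shared object calls into an OpenSSL copy
that is linked statically into the executable, as in the traces above.
Added example, not code from the post, OpenSSH or OpenSSL."""
import re

# Frame head: "#6 0xfeeb4f70 in SSL_library_init (" or "#0 err_cmp (".
HEAD_RE = re.compile(
    r'^#(\d+)\s+(?:0x([0-9a-fA-F]+)\s+in\s+)?(\?\?|[A-Za-z_][\w:.]*)\s*\(')
# Frame tail: ") at err.c:332" or ") from /usr/lib/libc.so.1".
TAIL_RE = re.compile(r'\)\s+(at|from)\s+(\S+)\s*$')

# Symbol prefixes and source files that belong to libcrypto/libssl.
OPENSSL_PREFIXES = ('ERR_', 'lh_', 'OBJ_', 'EVP_', 'SSL_', 'CRYPTO_', 'BIO_')
OPENSSL_SOURCES = {'err.c', 'lhash.c', 'o_names.c', 'names.c'}

# Assumption: 32-bit SPARC Solaris layout as seen in the post, executable text
# mapped low (0x2xxxx..0x9xxxx) and shared objects high (0xfe..., 0xff...).
EXEC_LIMIT = 0x10000000


def join_wrapped(lines):
    """Re-join frames that a mailer wrapped onto a continuation line."""
    frames = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith('#'):
            frames.append(line)
        elif frames:
            frames[-1] += ' ' + line
    return frames


def parse_frame(text):
    """Return {no, addr, func, args, src, lib} for one gdb frame, or None."""
    head = HEAD_RE.match(text)
    if not head:
        return None
    no, addr, func = head.groups()
    tail = TAIL_RE.search(text)
    end = tail.start() if tail else text.rfind(')')
    src = tail.group(2) if tail and tail.group(1) == 'at' else None
    lib = tail.group(2) if tail and tail.group(1) == 'from' else None
    return {'no': int(no), 'addr': int(addr, 16) if addr else None,
            'func': func, 'args': text[head.end():end], 'src': src, 'lib': lib}


def is_openssl(frame):
    """Match by symbol prefix or by the OpenSSL source file gdb reported."""
    if frame['func'].startswith(OPENSSL_PREFIXES):
        return True
    src = (frame['src'] or '').rsplit(':', 1)[0].rsplit('/', 1)[-1]
    return src in OPENSSL_SOURCES


def in_executable(frame, exec_limit=EXEC_LIMIT):
    """A frame with no 'from <lib>' and a low address is in the main binary."""
    return frame['lib'] is None and frame['addr'] is not None \
        and frame['addr'] < exec_limit


def find_foreign_callers(lines, exec_limit=EXEC_LIMIT):
    """Return (caller_no, caller_func, caller_lib, callee_func) for every
    shared-object frame whose callee is OpenSSL code inside the executable."""
    frames = [f for f in map(parse_frame, join_wrapped(lines)) if f]
    hits = []
    for callee, caller in zip(frames, frames[1:]):
        if not (is_openssl(callee) and in_executable(callee, exec_limit)):
            continue
        caller_in_so = caller['lib'] is not None or (
            caller['addr'] is not None and caller['addr'] >= exec_limit)
        if caller_in_so:
            hits.append((caller['no'], caller['func'], caller['lib'] or '?',
                         callee['func']))
    return hits


def null_pointer_args(lines):
    """Map frame number -> argument names gdb printed as 0x0 (e.g. name=0x0)."""
    out = {}
    for frame in filter(None, map(parse_frame, join_wrapped(lines))):
        names = re.findall(r'(\w+)=0x0\b', frame['args'])
        if names:
            out[frame['no']] = names
    return out


# Constructed sample: frames 0-7 copied from the second trace in the post,
# with two frames wrapped across a line break the way the mail was.
SAMPLE = """
#0  0xff132d58 in strcmp () from /usr/lib/libc.so.1
#1  0x96660 in obj_name_cmp (a=0x121788, b=0x142290) at o_names.c:101
#2  0x950d8 in getrn (lh=0x120c50, data=0x142290, rhash=0x142278) at
lhash.c:418
#3  0x94d40 in lh_insert (lh=0x120c50, data=0x142290) at lhash.c:189
#4  0x96208 in OBJ_NAME_add (name=0x0, type=2, data=0xfee7163c "") at
o_names.c:175
#5  0x6d978 in EVP_add_cipher (c=0xfee7163c) at names.c:71
#6  0xfeeb4f70 in SSL_library_init () from /opt/DBssllib/lib/libssl.so.0.9.8
#7  0xff04478c in ldap_pvt_tls_init () at tls.c:169
""".strip().splitlines()

if __name__ == '__main__':
    for no, func, lib, callee in find_foreign_callers(SAMPLE):
        print(f'frame #{no} {func} in {lib} calls {callee} inside the executable')
    print('NULL pointer arguments:', null_pointer_args(SAMPLE))
```

On the sample the script reports frame #6 SSL_library_init in libssl.so.0.9.8 calling EVP_add_cipher inside the executable, and frame #4 as the one that handed OBJ_NAME_add a NULL name. If a live sshd is available, the same question can be asked without a crash by checking whether the process maps a libssl/libcrypto shared object at all; a binary that links OpenSSL statically should not be loading one.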