Merge ~sergiodj/ubuntu/+source/openssh:bug1877454-hangs-authorizedkeyscommand into ubuntu/+source/openssh:ubuntu/xenial-devel

Status: Merged
Approved by: Rafael David Tinoco
Approved revision: ab3c0fca6361c92c646cf17ec413a4e2ce939796
Merged at revision: ab3c0fca6361c92c646cf17ec413a4e2ce939796
Proposed branch: ~sergiodj/ubuntu/+source/openssh:bug1877454-hangs-authorizedkeyscommand
Merge into: ubuntu/+source/openssh:ubuntu/xenial-devel
Diff against target: 159 lines (+131/-0), 4 files modified
  debian/changelog (+14/-0)
  debian/patches/authkeyscommand-deadlock-01.patch (+41/-0)
  debian/patches/authkeyscommand-deadlock-02.patch (+74/-0)
  debian/patches/series (+2/-0)

Reviewer | Review Type | Date Requested | Status
---|---|---|---
Rafael David Tinoco (community) | | | Approve
Canonical Server | | | Pending
Canonical Server Core Reviewers | | | Pending

Review via email: mp+383879@code.launchpad.net
Description of the change
When sshd is configured to obtain the list of allowed keys using AuthorizedKeysC
There are two upstream fixes that needed to be backported to fix this problem:
https:/
https:/
They make sure that sshd will consume everything that the subprocess generates, and will properly fclose(2) the file handlers used for that.
To reproduce the problem, one can do:
$ lxc launch ubuntu-daily:xenial openssh-server-bug1877454
$ lxc shell openssh-server-bug1877454
# ssh-keygen
(no need to choose a passphrase for the key, just hit ENTER on all prompts)
# cat > authkeyscommand.sh << __EOF__
#!/bin/bash
cat /root/.
echo
head -c 1M < /dev/urandom
__EOF__
# chmod +x authkeyscommand.sh
# cat >> /etc/ssh/
AuthorizedKeysC
AuthorizedKeysC
__EOF__
# systemctl reload sshd.service
# ssh root@127.0.0.1
You will notice that ssh will stay there waiting for sshd's reply, which won't come.
You can find a PPA with the proposed fix here:
https:/
autopkgtest is still happy:
autopkgtest [10:53:36]: test regress: -------
autopkgtest [10:53:36]: test regress: - - - - - - - - - - results - - - - - - - - - -
regress PASS
autopkgtest [10:53:36]: @@@@@@@
regress PASS
# checklist for fixes
-------
[.] changelog entry correct:
[.] targeted to correct codename
[.] version number is correct
[.] update-maintainer has been run before
----
[-] changes forwarded upstream/debian (if appropriate)
[.] patches match what was proposed upstream
----
[.] patches correctly included in debian/patches/series?
[.] patches have correct DEP3 metadata
- suggestion: when upstream header is too ugly I usually rip things off and rely ONLY on DEP3 (other comment)
----
[.] relying on PPA only for build check ?
[.] if relying on PPA, did it install correctly ?
----
[.] building it locally ?
[.] if building locally, was source build good ?
[.] if building locally, was binary build good ?
----
[-] was autopkgtest tested ?
----
[.] is this a SRU ?
[.] if a SRU, does the public bug have a template ?
[-] is this a bundle of fixes ?
[.] is this a single fix ?
----
[.] if single fix, was testcase provided ?
[-] if single fix, and testcase provided, could I reproduce it ?
[-] if single fix, and testcase provided, did it work ?
-------
[.] = ok
[x] = not ok
[?] = question
[!] = note
[-] = n/a
-------
# files touched:
$ git log -2 -p | diffstat
 changelog                                 |   14 +++++
 patches/authkeyscommand-deadlock-01.patch |   41 ++++++++++++++++
 patches/authkeyscommand-deadlock-02.patch |   74 ++++++++++++++++++++++++++++++
 patches/series                            |    2 ++
 4 files changed, 131 insertions(+)
-------
# files check:
-------
# comments: