
Bug 274924

Summary: net-mail/dovecot-1.2.11-r1: dovecot-auth using pam_ssh crashes on logins that have a .ssh dir with private key
Product: Gentoo Linux
Reporter: Kai Krakow <hurikhan77+bgo>
Component: [OLD] Server
Assignee: PAM Gentoo Team (OBSOLETE) <pam-bugs+disabled>
Status: RESOLVED FIXED
Severity: critical
CC: atoth, david+gentoo.org, net-mail+disabled
Priority: High
Version: unspecified
Hardware: x86
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Attachments:
  partial strace log of dovecot-auth (v1.1.7-r1)
  Backtrace of dovecot-auth
  pam_ssh-1.97-dovecot.patch
  pam_ssh-1.97-r2.ebuild

Description Kai Krakow 2009-06-21 10:08:51 UTC
I'm attaching a reproducible segfault of dovecot-auth that occurs if a user connects who has a private key in his .ssh dir, thus triggering the pam-ssh passphrase feature. My pam is compiled with ssh support so this may be the key to this bug.

I'm also using dovecot mysql auth for virtual users where the problem does not trigger - works like a charm there.

Reproducible: Always

Steps to Reproduce:
1. emerge ssh-enabled pam
2. emerge dovecot
3. create user with ssh key pair
4. try to login into dovecot, dovecot-auth crashes
Actual Results:  
This is what dmesg says:

[83675.808413] dovecot-auth[28128]: segfault at 4b204554 ip 12a6beb7 sp 589f21b0 error 4 in dovecot-auth[12a3e000+54000]
[83675.808456] grsec: signal 11 sent to /usr/libexec/dovecot/dovecot-auth[dovecot-auth:28128] uid/euid:0/1000 gid/egid:0/1017, parent /usr/sbin/dovecot[dovecot:8378] uid/euid:0/0 gid/egid:0/0


Expected Results:  
dovecot-auth should not crash.

Installed and involved software:

[ebuild   R   ] sys-libs/pam-1.0.4  USE="audit cracklib nls vim-syntax (-selinux) -test" 0 kB
[ebuild   R   ] net-misc/openssh-5.2_p1-r1  USE="hpn pam pkcs11 tcpd -X -X509 -kerberos -ldap -libedit (-selinux) -skey -smartcard -static" 0 kB
[ebuild   R   ] net-mail/dovecot-1.1.7-r1  USE="berkdb managesieve mysql pam pop3d sieve sqlite3 ssl -debug -doc -ipv6 -kerberos -ldap -mbox -postgres -suid -vpopmail" 0 kB

See strace attachment...
Comment 1 Kai Krakow 2009-06-21 10:09:56 UTC
Created attachment 195333 [details]
partial strace log of dovecot-auth (v1.1.7-r1)
Comment 2 Kai Krakow 2009-06-21 10:12:15 UTC
Sorry, two more ebuild versions involved:

[ebuild   R   ] sys-auth/pam_ssh-1.92  0 kB
[ebuild   R   ] sys-auth/pambase-20081028  USE="cracklib sha512 ssh -consolekit -debug -gnome-keyring -mktemp -passwdqc (-selinux)" 0 kB
Comment 3 konstantinos metaxas 2009-08-11 21:38:25 UTC
Got hit by the same bug. I re-merged pambase with USE="-ssh" and I was able to authenticate again.
Comment 4 Attila Tóth 2009-09-18 13:48:00 UTC
Hit the same one here. I suspect this is a bug that must be solved upstream.

Kai: I see you are running a grsec kernel. In this case you can work around this by hiding the .ssh directory of the user for the dovecot-auth process.

Regards,
Dw.
Comment 5 Kai Krakow 2009-09-19 11:26:35 UTC
(In reply to comment #4)
> Kai: I see you are running a grsec kernel. In this case you can work around this
> by hiding the .ssh directory of the user for the dovecot-auth process.

While that would work, I would consider that a Würg-Around (spoken in German words, means ugly work around). It's not a very big problem, just one user of about 1000 is affected - and that one is just me. ;-)
Comment 6 Eray Aslan gentoo-dev 2010-06-16 14:20:42 UTC
Do you still have this problem with a current version of dovecot?
Comment 7 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2010-07-14 16:10:39 UTC
I'm closing this bug because it is for a pretty old version and there isn't any activity on this bug. Feel free to re-open for the current stable version (1.2.11-r1) or newer. Thanks for understanding.
Comment 8 Blu3 2010-07-14 16:22:42 UTC
it's caused by pam_ssh, if you remove that from the setup, things work fine.  yes, it still crashed a couple months ago.
Comment 9 Kai Krakow 2010-07-14 17:43:17 UTC
This is still an issue with 1.2.11. I will soon try to create a coredump. (since I found out that it works when one enables suid coredumps)

I reopen this bug assuming 1.2.11 being still pretty current on production systems.

In reply to comment #8: I want to keep pam_ssh - so this is not an option. BTW: I don't think it is a proper solution to remove software that was installed on intent.
Comment 10 Blu3 2010-07-14 17:47:45 UTC
i fully agree, i simply ran out of time for debugging what the bad data was that pam_ssh was handing back to dovecot that made it crash.  i suspect a null value
Comment 11 Kai Krakow 2010-07-14 17:56:02 UTC
(In reply to comment #10)
> i fully agree, i simply ran out of time for debugging what the bad data was
> that pam_ssh was handing back to dovecot that made it crash.  i suspect a null
> value

As far as I figured out the chat parser of dovecot does not handle that pam_ssh yields "Passphrase" instead of "Password" as the password prompt.
Comment 12 Kai Krakow 2010-07-14 18:10:11 UTC
Created attachment 238747 [details]
Backtrace of dovecot-auth

According to the backtrace the error is within pam_ssh. I removed my username and password from it.
Comment 13 Kai Krakow 2010-07-14 19:43:43 UTC
I changed the summary to reflect my current setup
Comment 14 Eray Aslan gentoo-dev 2010-08-04 13:24:17 UTC
(In reply to comment #12)
> According to the backtrace the error is within pam_ssh.

In that case, pam herd should have a look.  Reassigning.

Comment 15 Eray Aslan gentoo-dev 2010-08-07 06:45:20 UTC
Created attachment 241717 [details, diff]
pam_ssh-1.97-dovecot.patch
Comment 16 Eray Aslan gentoo-dev 2010-08-07 06:47:05 UTC
Created attachment 241719 [details]
pam_ssh-1.97-r2.ebuild

Please check the attached ebuild and patch.

For your ref, diff for the ebuild:

--- pam_ssh-1.97-r1.ebuild	2010-03-31 02:36:03.000000000 +0000
+++ pam_ssh-1.97-r2.ebuild	2010-08-07 06:38:49.000000000 +0000
@@ -1,6 +1,6 @@
 # Copyright 1999-2010 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/pam_ssh/pam_ssh-1.97-r1.ebuild,v 1.7 2010/01/17 05:31:51 abcd Exp $
+# $Header: $
 
 EAPI=2
 
@@ -12,7 +12,8 @@
 
 LICENSE="BSD as-is"
 SLOT="0"
-KEYWORDS="alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-linux ~ia64-linux ~x86-linux"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh
+~sparc ~x86 ~amd64-linux ~ia64-linux ~x86-linux"
 IUSE=""
 
 # Doesn't work on OpenPAM.
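Review bot: The new KEYWORDS assignment breaks the quoted string across two lines after `~sh`, so the value now contains an embedded newline where the line it replaces was a single line. Keep the whole list on one line. The hunk also moves every previously stable arch to `~arch`; that is a separate decision from the line wrap and deserves a mention in the commit message.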
@@ -24,13 +25,13 @@
 
 src_prepare() {
 	epatch "${FILESDIR}/${P}-doublefree.patch"
+	epatch "${FILESDIR}/${P}-dovecot.patch"
 	eautoreconf
 }
 
 src_configure() {
 	econf \
-		"--with-pam-dir=$(getpam_mod_dir)" \
-		|| die "econf failed"
+		"--with-pam-dir=$(getpam_mod_dir)"
 }
 
 src_install() {
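Review bot: The added `epatch "${FILESDIR}/${P}-dovecot.patch"` line in src_prepare() has no comment saying what the patch works around. Add a one-line comment above it that names the problem and this bug (#274924), as a reader of the ebuild otherwise has only the file name to go on when deciding whether the patch can be dropped later.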
Comment 17 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-08-07 10:24:29 UTC
Comment on attachment 241717 [details, diff]
pam_ssh-1.97-dovecot.patch

Ehm, a bit too hacky...

why did you do that? Does it have problems with symbol collisions? In that case we have better solutions anyway.
Comment 18 Eray Aslan gentoo-dev 2010-08-07 10:58:49 UTC
Both pam_ssh and dovecot have buffer_free() leading to a collision.  True, hacky indeed but...  I am open to suggestions.
Comment 19 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-08-07 11:03:12 UTC
Okay... I'll come up with a saner solution for pam_ssh, but that package really needs some help upstream.
Comment 20 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-08-07 11:26:09 UTC
Fixed by hiding all the non-PAM-related symbols from the export via LD versioning script.
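
Added example, not part of the bug thread and not the change that was committed: a shell sketch of the check behind comments 18 and 20, listing what a PAM module exports besides its `pam_sm_*` entry points, which of those names the host process also defines, and the version script that would hide them. Both symbol tables are constructed samples; apart from `buffer_free` and the standard `pam_sm_*` names, every symbol and all function names are assumptions.

```shell
# Added example. Both tables are constructed samples in `nm -D --defined-only`
# format; only buffer_free and the module/host roles come from the bug report.
module_nm() {   # constructed: a PAM module built without a version script
cat <<'EOF'
0000000000004f20 T buffer_append
0000000000004e80 T buffer_free
0000000000004e10 T buffer_init
0000000000002c40 T pam_sm_authenticate
0000000000003510 T pam_sm_open_session
0000000000002fb0 T pam_sm_setcred
EOF
}

host_nm() {     # constructed: symbols the host daemon exposes to loaded modules
cat <<'EOF'
000000000002beb0 T buffer_free
000000000002b100 T buffer_create
0000000000011200 T main
EOF
}

# Names of defined, externally visible symbols (text, data, bss, rodata, weak).
exported_names() {
    awk 'NF == 3 && $2 ~ /^[TDBRW]$/ { print $3 }' | LC_ALL=C sort -u
}

# Everything a PAM module exports beyond pam_sm_* is collision surface.
non_pam_exports() {
    module_nm | exported_names | grep -v '^pam_sm_'
}

# Names defined by both objects; a call by name may bind to the wrong one.
collisions() {
    { host_nm | exported_names; echo '--'; module_nm | exported_names; } |
        awk '$0 == "--" { m = 1; next }
             !m { host[$0] = 1; next }
             ($0 in host)'
}

# Anonymous ld version script: export the PAM entry points, hide the rest.
version_script() {
    printf '{\n  global:\n'
    module_nm | exported_names | grep '^pam_sm_' | sed 's/.*/    &;/'
    printf '  local:\n    *;\n};\n'
}

echo "colliding symbols: $(collisions | tr '\n' ' ')"
version_script
```

On a real module, replace the two sample functions with `nm -D --defined-only` run on the built `.so` and on the host binary; the generated script is the kind of file passed to the linker with `-Wl,--version-script=<file>`.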
Comment 21 Eray Aslan gentoo-dev 2010-08-07 12:17:51 UTC
Noted the solution.  Thanks.  Point taken.

Do we need to inherit flag-o-matic?
Comment 22 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-08-07 12:44:47 UTC
I thought I did ...
d'oh!
Comment 23 Kai Krakow 2010-08-08 11:32:20 UTC
Looks like this fixes the problems with dovecot-auth. Thanks!