I think I've found a few bugs in the NSS code for FreeBSD 5.1 . I'm not sure of the best way to split them up, so I'll list them all here. FreeBSD version: % uname -a FreeBSD myrtle 5.1-CURRENT FreeBSD 5.1-CURRENT #1: Mon Aug 11 17:15:47 EDT 2003 root_at_myrtle:/private/freebsd-src/obj/private/freebsd-src/src/sys/CISEKERN i386 1) getnetgrent still seems to ignore the NIS netgroup maps and only uses /etc/netgroup. A '+' as the only entry in /etc/netgroup does not force an NIS netgroup map lookup. This bug has been reported in the 4.x tree as well. 2) There's an odd bug in sshd/nss when the following are configured: - nsswitch.conf passwd: compat - sshd_config ChallengeResponseAuthentication yes (default) HostbasedAuthentication yes When /etc/netgroup doesn't exist, the sshd hangs when logging in with HostbasedAuthentication: <root_at_myrtle:~> # gdb /usr/sbin/sshd GNU gdb 5.2.1 (FreeBSD) (gdb) run -d -p 987 [ some debugging output deleted for readability] debug1: KEX done debug1: userauth-request for user jfh service ssh-connection method none debug1: attempt 0 failures 0 debug1: PAM: initializing for "jfh" debug1: PAM: setting PAM_RHOST to "waterspout.cise.ufl.edu" Failed none for jfh from 128.227.205.52 port 47962 ssh2 Failed none for jfh from 128.227.205.52 port 47962 ssh2 debug1: userauth-request for user jfh service ssh-connection method hostbased debug1: attempt 1 failures 1 debug1: userauth_hostbased: cuser jfh chost waterspout.cise.ufl.edu. pkalg ssh-dss slen 55 Failed hostbased for jfh from 128.227.205.52 port 47962 ssh2 debug1: userauth-request for user jfh service ssh-connection method hostbased debug1: attempt 2 failures 2 debug1: userauth_hostbased: cuser jfh chost waterspout.cise.ufl.edu. pkalg ssh-rsa slen 143 Failed hostbased for jfh from 128.227.205.52 port 47962 ssh2 debug1: userauth-request for user jfh service ssh-connection method keyboard-interactive debug1: attempt 3 failures 3 debug1: keyboard-interactive devs debug1: auth2_challenge: user=jfh devs= debug1: kbdint_alloc: devices 'pam' debug1: auth2_challenge_start: trying authentication method 'pam' ^C Program received signal SIGINT, Interrupt. 0x282e987f in read () at {standard input}:15 15 {standard input}: No such file or directory. in {standard input} Current language: auto; currently asm (gdb) Quit (gdb) where #0 0x282e987f in read () at {standard input}:15 #1 0x281409ab in atomicio (f=0x5, fd=-1077940208, _s=0xbfbff038, n=674583073) at /private/freebsd-src/src/crypto/openssh/atomicio.c:45 #2 0x281286a9 in ssh_msg_recv (fd=5, m=0xbfbff010) at /private/freebsd-src/src/crypto/openssh/msg.c:58 #3 0x08062bb5 in pam_query (ctx=0x807a870, name=0x7, info=0x7, num=0xbfbff064, prompts=0xbfbff068, echo_on=0xbfbff06c) at /private/freebsd-src/src/crypto/openssh/auth2-pam-freebsd.c:397 #4 0x0805ef2a in mm_answer_pam_query (socket=3, m=0xbfbff0a0) at /private/freebsd-src/src/crypto/openssh/monitor.c:799 #5 0x0805e51a in monitor_read (pmonitor=0x8075580, ent=0x8070320, pent=0xbfbff0ec) at /private/freebsd-src/src/crypto/openssh/monitor.c:388 #6 0x0805e208 in monitor_child_preauth (pmonitor=0x8075580) at /private/freebsd-src/src/crypto/openssh/monitor.c:301 #7 0x0804ed1f in privsep_preauth () at /private/freebsd-src/src/crypto/openssh/sshd.c:605 #8 0x0805087a in main (ac=47962, av=0x807a7b0) at /private/freebsd-src/src/crypto/openssh/sshd.c:1523 #9 0x0804e1a2 in _start (ap=0xbfbffb24 "/usr/sbin/sshd") at /private/freebsd-src/src/lib/csu/i386-elf/crt1.c:104 With either ChallengeResponseAuthentication or HostbasedAuthentication disabled, I'm prompted for a password. With both enabled, sshd hangs here, and I'm never prompted for a password on the client side. However, if /etc/netgroup does exist and is populated with netgroup info, I get a core dump in sshd: (gdb) run -d -p 987 [ ... ] debug1: KEX done debug1: userauth-request for user jfh service ssh-connection method none debug1: attempt 0 failures 0 debug1: PAM: initializing for "jfh" debug1: PAM: setting PAM_RHOST to "waterspout.cise.ufl.edu" Failed none for jfh from 128.227.205.52 port 47968 ssh2 Failed none for jfh from 128.227.205.52 port 47968 ssh2 debug1: userauth-request for user jfh service ssh-connection method hostbased debug1: attempt 1 failures 1 debug1: userauth_hostbased: cuser jfh chost waterspout.cise.ufl.edu. pkalg ssh-dss slen 55 Program received signal SIGSEGV, Segmentation fault. 0x2830d7d7 in getnetgrent (hostp=0x80db2b0, userp=0x80db2b0, domp=0x80db2b0) at /private/freebsd-src/src/lib/libc/gen/getnetgrent.c:231 (gdb) where #0 0x2830d7d7 in getnetgrent (hostp=0x80db2b0, userp=0x80db2b0, domp=0x80db2b0) at /private/freebsd-src/src/lib/libc/gen/getnetgrent.c:231 #1 0x2830cfdd in compat_passwd (retval=0xbfbfee28, mdata=0x2, ap=0x4 <Error reading address 0x4: Bad address>) at /private/freebsd-src/src/lib/libc/gen/getpwent.c:1531 #2 0x2833091b in _nsdispatch (retval=0xbfbfee28, disp_tab=0x28362020, database=0x2835bd87 "passwd", method_name=0x2835bdad "getpwuid_r", defaults=0x28361ec0) at /private/freebsd-src/src/lib/libc/net/nsdispatch.c:601 #3 0x2830aa95 in getpwuid_r (uid=135115440, pwd=0x28369580, buffer=0x80db2b0 <Error reading address 0x80db2b0: Bad address>, bufsize=135115440, result=0xbfbfee28) at /private/freebsd-src/src/lib/libc/gen/getpwent.c:332 #4 0x2830ac9b in wrap_getpwuid_r (key= {name = 0x80db2b0 <Error reading address 0x80db2b0: Bad address>, uid = 135115440}, pwd=0x80db2b0, buffer=0x80db2b0 <Error reading address 0x80db2b0: Bad address>, bufsize=135115440, res=0x80db2b0) at /private/freebsd-src/src/lib/libc/gen/getpwent.c:406 #5 0x2830ab9b in getpw (fn=0x2830ac60 <wrap_getpwuid_r>, key={name = 0xbfbfee28 "", uid = 3217026600}) at /private/freebsd-src/src/lib/libc/gen/getpwent.c:377 #6 0x2830ad49 in getpwuid (uid=135115440) at /private/freebsd-src/src/lib/libc/gen/getpwent.c:434 #7 0x2812df7f in tilde_expand_filename (filename=0x8068d41 "/.ssh/known_hosts", my_uid=135115440) at /private/freebsd-src/src/crypto/openssh/tildexpand.c:48 #8 0x08056be6 in check_key_in_hostfiles (pw=0x8079400, key=0x8089100, host=0x808c160 "waterspout.cise.ufl.edu", sysfile=0x80db2b0 <Error reading address 0x80db2b0: Bad address>, userfile=0x8068d40 "~/.ssh/known_hosts") at /private/freebsd-src/src/crypto/openssh/auth.c:389 #9 0x080620df in hostbased_key_allowed (pw=0x8079400, cuser=0x80890e0 "jfh", chost=0x808c1c0 "waterspout.cise.ufl.edu", key=0x8089100) at /private/freebsd-src/src/crypto/openssh/auth2-hostbased.c:164 #10 0x0805f410 in mm_answer_keyallowed (socket=135115440, m=0xbfbff070) at /private/freebsd-src/src/crypto/openssh/monitor.c:909 #11 0x0805e51a in monitor_read (pmonitor=0x8075580, ent=0x8070344, pent=0xbfbff0bc) at /private/freebsd-src/src/crypto/openssh/monitor.c:388 #12 0x0805e208 in monitor_child_preauth (pmonitor=0x8075580) at /private/freebsd-src/src/crypto/openssh/monitor.c:301 #13 0x0804ed1f in privsep_preauth () at /private/freebsd-src/src/crypto/openssh/sshd.c:605 #14 0x0805087a in main (ac=47968, av=0x807a7b0) at /private/freebsd-src/src/crypto/openssh/sshd.c:1523 #15 0x0804e1a2 in _start (ap=0xbfbffb00 "/usr/sbin/sshd") at /private/freebsd-src/src/lib/csu/i386-elf/crt1.c:104 If I switch to passwd: nis files in /etc/nsswitch.conf, the following happen: - /etc/netgroup with netgroup info : login without password (Hostbased) - /etc/netgroup non-existent, empty, or containing '+' : login with password Let me know if I can do any further testing/debugging on my end. ---------------------------------------------------------------------- | Jim Hranicky, Senior SysAdmin UF/CISE Department | | E314D CSE Building Phone (352) 392-1499 | | jfh_at_cise.ufl.edu http://www.cise.ufl.edu/~jfh | ---------------------------------------------------------------------- About politics: Don't worry about results It's the thought that countsReceived on Tue Aug 12 2003 - 06:21:26 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:37:18 UTC