bin/108656: Segfault of sshd for unknown user when privilege separation is off and PAM is used

[Ludovic FLAMENT]

>Number:         108656
>Category:       bin
>Synopsis:       Segfault of sshd for unknown user when privilege separation is off and PAM is used
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Feb 01 11:10:31 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Ludovic FLAMENT
>Release:        6.2-RELEASE
>Organization:
NETASQ
>Environment:
FreeBSD build 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Wed Jan 17 11:24:47 CET 2007     ludovicf at build:/usr/obj/usr/src/sys/SMP  i386
>Description:
When we not used separation privilege, and we do a connection with a username that aren't known, sshd segfault
We use PAM, but I don't think that problem is linked on, because when we see my solution to fix this crash, PAM have no impact.

pid 2029 (sshd), uid 0: exited on signal 11 (core dumped)
>How-To-Repeat:
Put this option on sshd_config file
  ChallengeResponseAuthentication yes
  PasswordAuthentication no
  PermitEmptyPasswords no
  PermitRootLogin yes
  UsePrivilegeSeparation no

connect on sshd with an unknwon username
>Fix:
in file /usr/src/crypto/openssh/auth.c
in function fakepw(void)

replace the 2 lines :
  fake.pw_uid = privsep_pw->pw_uid;
  fake.pw_gid = privsep_pw->pw_gid;
by :
  if (use_privsep && (privsep_pw != NULL))
  {
     fake.pw_uid = privsep_pw->pw_uid;
     fake.pw_gid = privsep_pw->pw_gid;
  }
  else
  {
     fake.pw_uid = (uid_t)-1;
     fake.pw_gid = (gid_t)-1;
  }
>Release-Note:
>Audit-Trail:
>Unformatted: