SIGPIPE from ssh-keyscan [patch]
Alan Amesbury
amesbury at oitsec.umn.edu
Wed May 1 22:05:29 UTC 2019
The stock ssh-keyscan bundled with 12.0-RELEASE exits with a SIGPIPE when it receives weird behavior from hosts it's attempting to communicate with. Symptoms look like:
% ssh-keyscan -f /tmp/randtargetlist > /dev/null
# [REDACTED]:22 SSH-2.0-OpenSSH_7.4
# [REDACTED]:22 SSH-2.0-OpenSSH_7.4
# [REDACTED]:22 SSH-2.0-OpenSSH_7.4
# [REDACTED]:22 SSH-2.0-OpenSSH_7.4
# [REDACTED]:22 SSH-2.0-OpenSSH_7.4
# [REDACTED]:22 SSH-2.0-OpenSSH_7.4
# [REDACTED]:22 SSH-2.0-OpenSSH_7.4
# [REDACTED]:22 SSH-2.0-OpenSSH_7.4
# [REDACTED]:22 SSH-2.0-OpenSSH_7.4
Broken pipe
%
Output from truss confirms it's SIGPIPE:
.
.
.
99597: write(7,"\0\0\^Dd\a\^T\M-Y\M-Jw(E\M-ty"...,1128) = 1128 (0x468)
99597: select(8,{ 7 },0x0,0x0,{ 5.000000 }) = 1 (0x1)
99597: read(7,"\0\0\^D\M-|\n\^T\M^X\M-N]\M-O\^C"...,8192) = 1280 (0x500)
99597: write(7,"\0\0\0,\^F\^^\0\0\0 0\M^S\M^J#"...,48) = 48 (0x30)
99597: select(8,{ 7 },0x0,0x0,{ 5.000000 }) = 1 (0x1)
99597: read(7,"\0\0\0\M-<\b\^_\0\0\0003\0\0\0\v"...,8192) = 208 (0xd0)
99597: write(1,"[REDACTED] ssh-ed255"...,104) = 104 (0x68)
99597: close(7) = 0 (0x0)
99597: write(16,"SSH-2.0-OpenSSH-keyscan\r\n",25) ERR#32 'Broken pipe'
99597: process killed, signal = 13
The behavior exists in openssh-portable ("$FreeBSD: head/security/openssh-portable/Makefile 484842 2018-11-12 21:55:35Z bdrewery $") as well.
The arguably naive patch I came up with is:
--- /tmp/ssh-keyscan.c 2019-05-01 16:09:11.761587000 -0500
+++ ssh-keyscan.c 2019-05-01 16:08:50.425879000 -0500
@@ -644,6 +644,8 @@
int
main(int argc, char **argv)
{
+ // ignore SIGPIPE
+ signal(SIGPIPE, SIG_IGN);
int debug_flag = 0, log_level = SYSLOG_LEVEL_INFO;
int opt, fopt_count = 0, j;
char *tname, *cp, *line = NULL;
Straightforward and brutish: it ignores SIGPIPE within the main function in ssh-keyscan.c. This appears to work as expected, e.g.:
% ./ssh-keyscan_PATCHED -f /tmp/randtargetlist -T 15 > /dev/null
# [REDACTED]:22 SSH-2.0-OpenSSH_7.4
# [REDACTED]:22 SSH-2.0-OpenSSH_7.4
# [REDACTED]:22 SSH-2.0-OpenSSH_7.4
# [REDACTED]:22 SSH-2.0-OpenSSH_7.4
# [REDACTED]:22 SSH-2.0-OpenSSH_7.4
# [REDACTED]:22 SSH-2.0-OpenSSH_7.4
# [REDACTED]:22 SSH-2.0-OpenSSH_7.4
# [REDACTED]:22 SSH-2.0-OpenSSH_7.4
# [REDACTED]:22 SSH-2.0-OpenSSH_7.4
write ([REDACTED]): Broken pipe
write ([REDACTED]): Broken pipe
write ([REDACTED]): Broken pipe
# [REDACTED]:22 SSH-2.0-babeld-81e0741
.
.
.
Is this something that's best done by adding it upstream, in the FreeBSD source (and ports), or ??? Also, is this sane? I don't see it as a huge deal because it's not a modification to the actual server or client code, just to the part that grabs host keys, but I freely admit that I'm outta my depth here.
--
Alan
More information about the freebsd-hackers
mailing list