Bugzilla – Bug 145809
shell is frozen after logout
Last modified: 2006-02-03 18:15:27 UTC
In sshd, shipped with SuSE 10.0, there is a patch introduced for removing xauth after logout: openssh-4.1p1-xauth.diff. With this patch, the command "sh -c unset XAUTHORITY && HOME=USERSHOME /usr/X11R6/bin/xauth -q -" is issued after every logout. The process is running as root! The problem occurs when the HOME is an NFS-mounted home, exported with the option "root_squash". This means user root is mapped to nobody. So the process is not allowed to access .Xauthority. So xauth hangs and the ssh process doesn't end (until timeout after about 30 seconds).
fixed for STABLE
Tim, could you please test my fix? The fixed rpms are in ftp://ftp.suse.com/pub/people/postadal/bug145758/
Sorry:

On the cluster-machine:

# rpm -q openssh
openssh-4.1p1-10
# wget ftp://ftp.suse.com/pub/people/postadal/bug145758/openssh-4.1p1-10.2.i586.rpm
[...]
# rpm -Uhv openssh-4.1p1-10.2.i586.rpm
Preparing... ########################################### [100%]
1:openssh ########################################### [100%]
Updating etc/sysconfig/ssh...
Starting SuSEconfig, the SuSE Configuration Tool...
Running module permissions only
Reading /etc/sysconfig and updating the system...
Executing /sbin/conf.d/SuSEconfig.permissions...
Finished.
# rcsshd restart
Shutting down SSH daemon done
Starting SSH daemon done

Now, ssh to the computer as Cluster-User:

ssh cluster-machine -l tehlers
Last login: Mon Jan 30 17:55:22 2006 from ...
Have a lot of fun...
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Bitte verwenden Sie auf gwdu7x-Maschinen (login) nur die ersten 8 Zeichen Ihres Passwortes.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Am Montag, 30.1.2006 kann es weiterhin wegen Umstellungsarbeiten mehrfach zu kurzfristigen Stoerungen bei der Nutzung des Archivservers ($AHOME) kommen.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Mon Jan 30 17:58:35 CET 2006
cluster-machine> logout

hangs...

And ps on the cluster-machine:

ps auxww
[...]
tehlers 3922 0.3 0.6 5936 3220 ? Ss 17:58 0:00 sshd: tehlers@pts/2
root 3975 0.0 0.2 2480 1112 ? S 17:58 0:00 sh -c unset XAUTHORITY && HOME=/usr/users/tehlers /usr/X11R6/bin/xauth -q -
root 3976 0.0 0.0 2584 464 ? S 17:58 0:00 /usr/X11R6/bin/xauth -q -
[...]

It's the same as before. A local user without an NFS-mounted home still works normally.
Do you use the default configuration of openssh?
I think so. I added some lines after the update, because ssh_config and sshd_config have got some new default lines in newly installed systems.

# cat ssh_config | grep -v ^#
Host *
ForwardAgent yes
ForwardX11 yes
ForwardX11Trusted yes
RhostsRSAAuthentication yes
HostbasedAuthentication yes
Protocol 1,2
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL

cat sshd_config | grep -v ^#
PasswordAuthentication no
UsePAM yes
AllowTcpForwarding yes
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
UsePrivilegeSeparation no
Subsystem sftp /usr/lib/ssh/sftp-server
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
For disabled UsePrivilegeSeparation mode I had to change the fix. Could you try it again from my ftp? ( ftp://ftp.suse.com/pub/people/postadal/bug145758/ )
Wow, it works! Can you briefly describe what you have done? Thanks
I fork a process which removes xauth and call permanently_set_uid() to get correct permissions. (see openssh-4.1p1-xauth.diff patch)
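The approach described in the comment above (fork, then drop to the user before running the helper so it can read an NFS home exported with root_squash), as an added example; it is not the code from openssh-4.1p1-xauth.diff. The names `drop_privileges` and `run_helper_as_user` are hypothetical, and plain setgid()/setuid() stand in for OpenSSH's permanently_set_uid().

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (not OpenSSH's permanently_set_uid()): switch the
 * process to the target user with no way back. Returns 0 on success. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups can only be replaced while still root. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    /* Group first: once the uid is dropped, setgid() is no longer allowed.
     * Called as root, both calls set the real, effective and saved ids. */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop is permanent: regaining root must fail. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    return 0;
}

/* Fork, become uid/gid in the child, fix up the environment, exec argv[0].
 * Returns the helper's exit status, or -1 if fork/wait failed or the helper
 * died from a signal. Status 126: privilege drop failed; 127: exec failed. */
int run_helper_as_user(uid_t uid, gid_t gid, const char *home,
                       char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0)
            _exit(126);              /* never run the helper as root */
        unsetenv("XAUTHORITY");
        setenv("HOME", home, 1);
        execv(argv[0], argv);
        _exit(127);
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The parent keeps its own privileges; only the forked child changes identity, so the helper opens .Xauthority as the logged-out user rather than as root mapped to nobody.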
fixed and submitted with security bug #143435 for SL10.0 and sles9