From owner-freebsd-hackers@freebsd.org  Wed May  1 22:05:29 2019
Return-Path: <owner-freebsd-hackers@freebsd.org>
Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2FF2415A2115
 for <freebsd-hackers@mailman.ysv.freebsd.org>;
 Wed,  1 May 2019 22:05:29 +0000 (UTC)
 (envelope-from amesbury@oitsec.umn.edu)
Received: from mail.oitsec.umn.edu (mail.oitsec.umn.edu [128.101.238.120])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 server-signature RSA-PSS (4096 bits)
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mail.oitsec.umn.edu",
 Issuer "InCommon RSA Server CA" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 3C3AC8F82A
 for <freebsd-hackers@freebsd.org>; Wed,  1 May 2019 22:05:28 +0000 (UTC)
 (envelope-from amesbury@oitsec.umn.edu)
Received: from mail.oitsec.umn.edu (localhost [127.0.0.1])
 by mail.oitsec.umn.edu (Postfix) with ESMTP id DEE3CB05C6
 for <freebsd-hackers@freebsd.org>; Wed,  1 May 2019 17:05:20 -0500 (CDT)
X-Virus-Scanned: amavisd-new at oitsec.umn.edu
Received: from mail.oitsec.umn.edu ([127.0.0.1])
 by mail.oitsec.umn.edu (mail.oitsec.umn.edu [127.0.0.1]) (amavisd-new,
 port 10024)
 with ESMTP id 0seZ3qasoGE2 for <freebsd-hackers@freebsd.org>;
 Wed,  1 May 2019 17:05:20 -0500 (CDT)
Received: from optimator.uis.umn.edu (optimator.uis.umn.edu [134.84.23.1])
 (Authenticated sender: amesbury)
 by mail.oitsec.umn.edu (Postfix) with ESMTPSA id 7A73FB05ED
 for <freebsd-hackers@freebsd.org>; Wed,  1 May 2019 17:05:20 -0500 (CDT)
From: Alan Amesbury <amesbury@oitsec.umn.edu>
Content-Type: text/plain;
	charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.8\))
Subject: SIGPIPE from ssh-keyscan [patch]
Message-Id: <047FD22B-04FB-46EB-96D1-BF6E03080F9F@oitsec.umn.edu>
Date: Wed, 1 May 2019 17:05:20 -0500
To: FreeBSD Hackers <freebsd-hackers@freebsd.org>
X-Mailer: Apple Mail (2.3445.104.8)
X-Rspamd-Queue-Id: 3C3AC8F82A
X-Spamd-Bar: -
Authentication-Results: mx1.freebsd.org;
 dmarc=fail reason="" header.from=umn.edu (policy=none)
X-Spamd-Result: default: False [-1.09 / 15.00]; ARC_NA(0.00)[];
 RCVD_VIA_SMTP_AUTH(0.00)[]; NEURAL_HAM_MEDIUM(-0.87)[-0.871,0];
 FROM_HAS_DN(0.00)[]; MV_CASE(0.50)[];
 TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain];
 PREVIOUSLY_DELIVERED(0.00)[freebsd-hackers@freebsd.org];
 NEURAL_HAM_LONG(-0.99)[-0.985,0]; RCPT_COUNT_ONE(0.00)[1];
 RCVD_COUNT_THREE(0.00)[4]; RCVD_TLS_LAST(0.00)[];
 TO_DN_ALL(0.00)[];
 RCVD_IN_DNSWL_MED(-0.20)[120.238.101.128.list.dnswl.org : 127.0.11.2];
 MX_GOOD(-0.01)[mail.oitsec.umn.edu];
 NEURAL_SPAM_SHORT(0.49)[0.486,0]; R_SPF_NA(0.00)[];
 FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[];
 MIME_TRACE(0.00)[0:+];
 ASN(0.00)[asn:217, ipnet:128.101.0.0/16, country:US];
 MID_RHS_MATCH_FROM(0.00)[];
 IP_SCORE(-0.01)[country: US(-0.06)];
 DMARC_POLICY_SOFTFAIL(0.10)[umn.edu : No valid SPF, No valid DKIM,none]
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
 <freebsd-hackers.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers/>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 01 May 2019 22:05:29 -0000

The stock ssh-keyscan bundled with 12.0-RELEASE exits with a SIGPIPE =
when it receives weird behavior from hosts it's attempting to =
communicate with.  Symptoms look like:


% ssh-keyscan -f /tmp/randtargetlist > /dev/null
# [REDACTED]:22 SSH-2.0-OpenSSH_7.4
# [REDACTED]:22 SSH-2.0-OpenSSH_7.4
# [REDACTED]:22 SSH-2.0-OpenSSH_7.4
# [REDACTED]:22 SSH-2.0-OpenSSH_7.4
# [REDACTED]:22 SSH-2.0-OpenSSH_7.4
# [REDACTED]:22 SSH-2.0-OpenSSH_7.4
# [REDACTED]:22 SSH-2.0-OpenSSH_7.4
# [REDACTED]:22 SSH-2.0-OpenSSH_7.4
# [REDACTED]:22 SSH-2.0-OpenSSH_7.4
Broken pipe
%=20


Output from truss confirms it's SIGPIPE:

			.
			.
			.
99597: write(7,"\0\0\^Dd\a\^T\M-Y\M-Jw(E\M-ty"...,1128) =3D 1128 (0x468)
99597: select(8,{ 7 },0x0,0x0,{ 5.000000 })      =3D 1 (0x1)
99597: read(7,"\0\0\^D\M-|\n\^T\M^X\M-N]\M-O\^C"...,8192) =3D 1280 =
(0x500)
99597: write(7,"\0\0\0,\^F\^^\0\0\0 0\M^S\M^J#"...,48) =3D 48 (0x30)
99597: select(8,{ 7 },0x0,0x0,{ 5.000000 })      =3D 1 (0x1)
99597: read(7,"\0\0\0\M-<\b\^_\0\0\0003\0\0\0\v"...,8192) =3D 208 (0xd0)
99597: write(1,"[REDACTED] ssh-ed255"...,104) =3D 104 (0x68)
99597: close(7)                                  =3D 0 (0x0)
99597: write(16,"SSH-2.0-OpenSSH-keyscan\r\n",25) ERR#32 'Broken pipe'
99597: process killed, signal =3D 13



The behavior exists in openssh-portable ("$FreeBSD: =
head/security/openssh-portable/Makefile 484842 2018-11-12 21:55:35Z =
bdrewery $") as well.

The arguably naive patch I came up with is:


--- /tmp/ssh-keyscan.c	2019-05-01 16:09:11.761587000 -0500
+++ ssh-keyscan.c	2019-05-01 16:08:50.425879000 -0500
@@ -644,6 +644,8 @@
 int
 main(int argc, char **argv)
 {
+        // ignore SIGPIPE
+        signal(SIGPIPE, SIG_IGN);
 	int debug_flag =3D 0, log_level =3D SYSLOG_LEVEL_INFO;
 	int opt, fopt_count =3D 0, j;
 	char *tname, *cp, *line =3D NULL;




Straightforward and brutish:  it ignores SIGPIPE within the main =
function in ssh-keyscan.c.  This appears to work as expected, e.g.:


% ./ssh-keyscan_PATCHED -f /tmp/randtargetlist -T 15 > /dev/null
# [REDACTED]:22 SSH-2.0-OpenSSH_7.4
# [REDACTED]:22 SSH-2.0-OpenSSH_7.4
# [REDACTED]:22 SSH-2.0-OpenSSH_7.4
# [REDACTED]:22 SSH-2.0-OpenSSH_7.4
# [REDACTED]:22 SSH-2.0-OpenSSH_7.4
# [REDACTED]:22 SSH-2.0-OpenSSH_7.4
# [REDACTED]:22 SSH-2.0-OpenSSH_7.4
# [REDACTED]:22 SSH-2.0-OpenSSH_7.4
# [REDACTED]:22 SSH-2.0-OpenSSH_7.4
write ([REDACTED]): Broken pipe
write ([REDACTED]): Broken pipe
write ([REDACTED]): Broken pipe
# [REDACTED]:22 SSH-2.0-babeld-81e0741
			.
			.
			.



Is this something that's best done by adding it upstream, in the FreeBSD =
source (and ports), or ???  Also, is this sane?  I don't see it as a =
huge deal because it's not a modification to the actual server or client =
code, just to the part that grabs host keys, but I freely admit that I'm =
outta my depth here.


--=20
Alan