From owner-freebsd-bugs@FreeBSD.ORG  Fri Jul 11 11:00:26 2003
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 85DAC37B401
	for <freebsd-bugs@hub.freebsd.org>;
	Fri, 11 Jul 2003 11:00:26 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 8AB3E43F85
	for <freebsd-bugs@hub.freebsd.org>;
	Fri, 11 Jul 2003 11:00:25 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h6BI0PUp049397
	for <freebsd-bugs@freefall.freebsd.org>;
	Fri, 11 Jul 2003 11:00:25 -0700 (PDT)
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h6BI0Pmb049396;
	Fri, 11 Jul 2003 11:00:25 -0700 (PDT)
Resent-Date: Fri, 11 Jul 2003 11:00:25 -0700 (PDT)
Resent-Message-Id: <200307111800.h6BI0Pmb049396@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Paul Civati <paul@xciv.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 8956B37B401
	for <FreeBSD-gnats-submit@freebsd.org>;
	Fri, 11 Jul 2003 10:57:48 -0700 (PDT)
Received: from mailhost.xciv.org (vantage.xciv.org [217.158.13.13])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 09A3C43F3F
	for <FreeBSD-gnats-submit@freebsd.org>;
	Fri, 11 Jul 2003 10:57:48 -0700 (PDT)	(envelope-from paul@xciv.org)
Received: from paul by mailhost.xciv.org with local
	id 19b29Q-0003fj-00; Fri, 11 Jul 2003 18:57:44 +0100
Message-Id: <E19b29Q-0003fj-00@mailhost.xciv.org>
Date: Fri, 11 Jul 2003 18:57:44 +0100
From: Paul Civati <paul@xciv.org>
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
cc: paul@xciv.org
Subject: 
	bin/54394: SSH/v1 leaves dead processes after session ends (4.8-REL)
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Paul Civati <paul@xciv.org>
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Jul 2003 18:00:26 -0000


>Number:         54394
>Category:       bin
>Synopsis:       SSH/v1 leaves dead processes after session ends (4.8-REL)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jul 11 11:00:25 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Paul Civati
>Release:        FreeBSD 4.8-RELEASE i386
>Organization:
>Environment:
 FreeBSD 4.8-RELEASE i386

>Description:

Between 4.7-REL and 4.8-REL ssh was upgraded and now exhibits the
following bug.

If you connect with protocol v1 you get three ssh processes, one of
which never dies, even after the ssh session has been closed.

% ps aux | grep ssh
root      219  0.0  0.0  4076    0  ??  IW   -         0:00.00 sshd: paul [priv
root      265  0.0  0.0  4076    0  ??  IW   -         0:00.00 sshd: paul [priv
root      580  0.0  0.3  2592  640  ??  Is   Wed09PM   0:01.54 /usr/sbin/sshd
root      584  0.0  0.0  4076    0  ??  IW   -         0:00.00 sshd: root [priv
root      592  0.0  0.0  4076    0  ??  IW   -         0:00.00 sshd: root [priv
root     1687  0.0  0.0  4076    0  ??  IW   -         0:00.00 sshd: root [priv
root     5077  0.0  0.0  4076    0  ??  IW   -         0:00.00 sshd: root [priv
root    40458  0.0  0.0  4076    0  ??  IW   -         0:00.00 sshd: paul [priv
root    40467  0.0  0.0  4076    0  ??  IW   -         0:00.00 sshd: paul [priv
root    41042  0.0  0.0  4076    0  ??  IW   -         0:00.00 sshd: paul [priv
root    79545  0.0  0.6  5292 1568  ??  I    10:33AM   0:00.03 sshd: paul [priv
root    79547  0.0  0.6  4076 1532  ??  I    10:33AM   0:00.00 sshd: paul [priv
paul    79548  0.0  0.7  5292 1656  ??  S    10:33AM   0:00.41 sshd: paul@ttyp0
root    80170  0.0  0.7  5292 1624  ??  I    11:07AM   0:00.03 sshd: paul [priv
root    80172  0.0  0.6  4076 1592  ??  I    11:07AM   0:00.00 sshd: paul [priv
paul    80173  0.0  0.8  5292 2044  ??  I    11:07AM   0:00.01 sshd: paul@ttypc
root    80290  0.0  0.7  5292 1644  ??  I    11:12AM   0:00.02 sshd: paul [priv
paul    80319  0.0  0.7  5292 1704  ??  I    11:14AM   0:00.01 sshd: paul@ttypd

You'll see the dead ssh processes without any timestamp, two open v1
connections with three processes, and one v2 connection with just two
processes.

The nasty problem with this I've found is that once you reach a certain
number of these dead processes lying around, ssh seems to start refusing
connections with:

ssh_exchange_identification: Connection closed by remote host

Hence this bug has been submitted as 'serious' severity.

>How-To-Repeat:

Connect to sshd in 4.8-REL using protocol v1 and then close the session.

>Fix:

Use SSH protocol v2. ;)
>Release-Note:
>Audit-Trail:
>Unformatted: