飞腾shellinabox连接账号立刻断开连接问题定位解决

问题
飞腾2000的shellinabox-2.14版本连接sshd-7.3版本存在问题，现象是输入root账号，不弹出提示输入密码“root@127.0.0.1’s password: ”信息，并且会立刻断开连接，定位过程记录如下：

调试一：-d调试模式启动sshd

[root@IDS practice]# /usr/local/sbin/sshd -d
debug1: userauth-reuest for user root service ssh-connection method none
debug1: attempt 0 failures 0
Failed none for root from 127.0.0.1 port 41236 ssh2
debug1: userauth-request for user root ervice ssh-connection method keyboard-interactive
debug1: attempt 1 failures 0
debug1: keyboard-interactive des
debug1: auth2_challenge: user=root devs=
debug1: kbdint_alloc: devices ‘’
Failed keyboard-interactive forroot from 127.0.0.1 port 41236 ssh2
Excess permission or bad ownership on file /var/log/btmp
debug1: userauth-equest for user root service ssh-connection method password
debug1: attempt 2 failures 0
Failed password for rot from 127.0.0.1 port 41236 ssh2
Excess permission or bad ownership on file /var/log/btmp
debug1: userauth-reqest for user root service ssh-connection method password
debug1: attempt 3 failures 1
Failed password for rootfrom 127.0.0.1 port 41236 ssh2
Excess permission or bad ownership on file /var/log/btmp
debug1: userauth-request for user root service ssh-connection method password
debug1: attempt 4 failures 2
Failed password for root frm 127.0.0.1 port 41236 ssh2
Excess permission or bad ownership on file /var/log/btmp
Connection closed by 127…0.1 port 41236
debug1: do_cleanup
[Inferior 1 (process 3185) exited with code 0377]

-d调试模式启动sshd ，发现有多处Failed，比对正常流程发现前两次Failed 正常，“Failed password for root frm 127.0.0.1 port 41236 ssh2” 密码接收失败是不正常；

调试二：gdb调试sshd

[root@IDS practice]#gdb /ur/local/sbin/sshd
(gdb) b do_cleanup #断点退出函数，bt确认退出位置
(gdb) b auth_log #断点Failed 日志打印函数
(gdb) r -d
Breakpoint 1, auth_log (authctxt=0x4efcd0, authenticated=0, partial=0,
method=0x4f5ab0 “none”, sumethod=0x0) at auth.c:299
299 auth.c: No such file or directory.
(gdb) p log_level
$1 = SYSLOG_LEVEL_DEUG1
(gdb) p log_level=7 #修改log level级别打印更多信息
$2 = SYSLOG_LEVL_DEBUG3
(gdb) c
Breakpoint 1, auth_log (athctxt=0x4f4950, authenticated=0, partial=0,
method=0x4f5ab0 “password”, submethod=0x0) at auth.c:299
299 i auth.c
(gdb) c
Continuing.
Failed password for root from 127.0.0.1 port 37158 ssh2
Excess permission or bad ownership onfile /var/log/btmp
debug3: userauth_finish: failure partial=0 next methods=“publickey,password,keyboard-interactve”
debug3: send packet: type 51
debug3: receive packet: type 50
debug1: userauth-request for user root servce ssh-connection method password
debug1: attempt 3 failures 1
debug2: input_userauth_request: try method password

gdb -d调试模式启动sshd，修改日志打印级别为最高打印更多调试信息，对比正常打印及交互流程发现在"debug3: send packet: type 51"后本应该在ssh_packet_read_seqnr()中select阻塞，shellinabox界面打印密码输入提示并等待密码输入，而FT2000并没有打印信息和等待密码输入，而是直接“debug3: receive packet: type 50”收到了shellinabox里启动的ssh进程的一个回包，这是不正常的；

调试三：gdb调试shellinabox

#killall -9 shellinaboxd
#gdb /usr/local/bin/shellinaboxd
(gdb) set follow-fork-mode child
(gdb) b read_string
Breakpoint 1 at 0x4098b0: file shellinabox/launcher.c, line 265.
(gdb) r -b -t -s /:SSH:127.0.0.1 -p 4201
Breakpoint 1, read_string (echo=1, prompt=0x473870 "127 login: ", retstr=0x7ffffff158)
at shellinabox/launcher.c:265
265 shellinabox/launcher.c: No such file or directory.
(gdb) b main
Breakpoint 2 at 0x4080dc: file shellinabox/shellinaboxd.c, line 1226.
(gdb) c
Continuing.

gdb启动shellinaboxd，设置跟踪子进程，设置获取账号输入函数read_string()，触发此断点后设置main函数，利用断点的传递性断住shellinaboxd启动的/usr/local/bin/ssh进程的入口main函数，如下：

process 2070 is executing new program: /usr/local/bin/ssh
Breakpoint 2, main (ac=24, av=0x7ffffffb38) at ssh.c:515
515 ssh.c: No such file or directory.
(gdb) b userauth
Breakpoint 3 at 0x41f7d8: file sshconnect2.c, line 454.
(gdb) b authmethod_get
Breakpoint 4 at 0x4232f0: file sshconnect2.c, line 1866.
(gdb) b _exit
Breakpoint 5 at 0x7fb7ce2d98
(gdb) handle SIGPIPE nostop noprint
Signal Stop Print Pass to program Description
SIGPIPE No No Yes Broken pipe
(gdb) c
Continuing.
Breakpoint 4, authmethod_get (authlist=0x4f7ae0 “publickey,password,keyboard-interactive”) at sshconnect2.c:1866
1866 in sshconnect2.c
(gdb) finish
Run till exit from #0 authmethod_get (authlist=0x4f7ae0 “publickey,password,keyboard-interactive”)
at sshconnect2.c:1866
0x000000000041f860 in userauth (authctxt=0x7fffffda90,
authlist=0x4f7ae0 “publickey,password,keyboard-interactive”) at sshconnect2.c:466
466 in sshconnect2.c
Value returned is $7 = (Authmethod *) 0x0

问题原因是authmethod_get 最后返回空指针而触发了SSH进程退出，调用栈如下：

Breakpoint 5, 0x0000007fb7ce2d98 in _exit () from /lib/libc.so.6
(gdb) bt
#0 0x0000007fb7ce2d98 in _exit () from /lib/libc.so.6
#1 0x000000000041b0d8 in cleanup_exit (i=255) at clientloop.c:2730
#2 0x00000000004460c0 in fatal (fmt=0x497dc0 “Permission denied (%s).”) at fatal.c:44
#3 0x000000000041f880 in userauth (authctxt=0x7fffffda90,
authlist=0x4f7ae0 “publickey,password,keyboard-interactive”) at sshconnect2.c:468
#4 0x000000000041fc08 in input_userauth_failure (type=51, seq=9, ctxt=0x7fffffda90) at sshconnect2.c:566
#5 0x0000000000458910 in ssh_dispatch_run (ssh=0x4f4fe0, mode=0, done=0x7fffffdab8, ctxt=0x7fffffda90)
at dispatch.c:119
#6 0x000000000041f5cc in ssh_userauth2 (local_user=0x4d9150 “nobody”, server_user=0x4d9230 “root”,
host=0x4d9170 “127.0.0.1”, sensitive=0x4d69d8 <sensitive_data>) at sshconnect2.c:402
#7 0x000000000041e514 in ssh_login (sensitive=0x4d69d8 <sensitive_data>, orighost=0x4d9250 “127.0.0.1”,
hostaddr=0x4d6958 , port=22, pw=0x4d8ba0, timeout_ms=-1000) at sshconnect.c:1384
#8 0x000000000040b368 in main (ac=0, av=0x4d80f0) at ssh.c:1411

对比正常交换流程及SSH代码method->userauth的回调函数userauth_passwd()，此函数走完打印提示输入密码及等待密码输入完成，而FT2000在此函数中没有阻塞停留；

调试四：gdb调试ssh

Breakpoint 3, read_passphrase (prompt=0x7fffffc7d0 "root@127.0.0.1’s
password: ",
prompt@entry=0x7fffffc7f0 “\260\062J”, flags=flags@entry=0) at readpass.c:120

Breakpoint 8, readpassphrase (prompt=0x1e00000076 <error: Cannot access memory at address 0x1e00000076>,
prompt@entry=0x7fffffc7d0 "root@127.0.0.1’s password: ",
buf=0x437400 <debug3+152> "\241\067@\371`\002@\371 ", buf@entry=0x7fffffc3d8 “\244\262\375\267\177”,
bufsiz=bufsiz@entry=1024, flags=4861136, flags@entry=2) at readpassphrase.c:89
89 in readpassphrase.c
(gdb) p errno
$1 = 13

跟踪userauth_passwd()进入readpassphrase ()函数单步跟踪，发现组装完成的密码提示信息并没有在shellinabox上回显提示，原因是无权限open “/dev/tty”失败导致提前返回而没有进行write写操作，后面也没有read循环等待输入密码操作了。

#ls -l /dev/tty
crw-rw---- 1 root tty 5, 0 Jan 1 1970 /dev/tty
#chmod 777 /dev/tty
#chown root:root /dev/tty
#ls -l /dev/tty
crwxrwxrwx 1 root root 5, 0 Jan 1 1970 /dev/tty

手动修改权限后再次尝试连接后成功。

此处代码尝试打开/dev/tty设备，但是失败情况下并没有做exit退出进程操作，debug打印在shellinabox启动ssh进程时也无法打印出提示信息；

readpassphrase()函数返回NULL，read_passphrase()也返回NULL，而外层调用函数userauth_passwd()并没有做返回值判断，也就是没有判断用户是否正常输入密码，此处代码实际是有问题的；SSH在password为空情况下也发送了一个报文给SSHD进程，SSHD进程未收到正确的密码字符串，导致后续认证失败超过三次后SSHD进程退出，同样的SSH进程在authmethod_get 最后返回空指针后也触发了SSH进程退出，shellinabox端显示断开连接，未有密码输入提示信息。