Problem
On a Phytium FT2000, shellinabox-2.14 talking to sshd-7.3 misbehaves: after the root account name is entered, the password prompt "root@127.0.0.1's password: " never appears and the connection is closed immediately. The troubleshooting steps are recorded below.
Debug step 1: start sshd in -d debug mode
[root@IDS practice]# /usr/local/sbin/sshd -d
debug1: userauth-request for user root service ssh-connection method none
debug1: attempt 0 failures 0
Failed none for root from 127.0.0.1 port 41236 ssh2
debug1: userauth-request for user root service ssh-connection method keyboard-interactive
debug1: attempt 1 failures 0
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=root devs=
debug1: kbdint_alloc: devices ''
Failed keyboard-interactive for root from 127.0.0.1 port 41236 ssh2
Excess permission or bad ownership on file /var/log/btmp
debug1: userauth-request for user root service ssh-connection method password
debug1: attempt 2 failures 0
Failed password for root from 127.0.0.1 port 41236 ssh2
Excess permission or bad ownership on file /var/log/btmp
debug1: userauth-request for user root service ssh-connection method password
debug1: attempt 3 failures 1
Failed password for root from 127.0.0.1 port 41236 ssh2
Excess permission or bad ownership on file /var/log/btmp
debug1: userauth-request for user root service ssh-connection method password
debug1: attempt 4 failures 2
Failed password for root from 127.0.0.1 port 41236 ssh2
Excess permission or bad ownership on file /var/log/btmp
Connection closed by 127.0.0.1 port 41236
debug1: do_cleanup
[Inferior 1 (process 3185) exited with code 0377]
Starting sshd in -d debug mode shows several Failed lines. Compared with a normal session, the first two (method none and keyboard-interactive) are expected; "Failed password for root from 127.0.0.1 port 41236 ssh2" is not, because it means the password that reached sshd was wrong. The "Excess permission or bad ownership on file /var/log/btmp" line is a separate complaint about the mode/owner of the btmp login record; it is printed on every failed attempt and is not the cause of this problem.
Debug step 2: debug sshd with gdb
[root@IDS practice]# gdb /usr/local/sbin/sshd
(gdb) b do_cleanup #break on the exit path; bt confirms where sshd exits
(gdb) b auth_log #break on the function that prints the Failed log lines
(gdb) r -d
Breakpoint 1, auth_log (authctxt=0x4efcd0, authenticated=0, partial=0,
method=0x4f5ab0 "none", submethod=0x0) at auth.c:299
299 auth.c: No such file or directory.
(gdb) p log_level
$1 = SYSLOG_LEVEL_DEBUG1
(gdb) p log_level=7 #raise the log level (7 = DEBUG3) to print more information
$2 = SYSLOG_LEVEL_DEBUG3
(gdb) c
Breakpoint 1, auth_log (authctxt=0x4f4950, authenticated=0, partial=0,
method=0x4f5ab0 "password", submethod=0x0) at auth.c:299
299 in auth.c
(gdb) c
Continuing.
Failed password for root from 127.0.0.1 port 37158 ssh2
Excess permission or bad ownership on file /var/log/btmp
debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive"
debug3: send packet: type 51
debug3: receive packet: type 50
debug1: userauth-request for user root service ssh-connection method password
debug1: attempt 3 failures 1
debug2: input_userauth_request: try method password
Starting sshd under gdb in -d mode with the log level raised to the maximum gives much more detail. Comparing with a normal session: after "debug3: send packet: type 51" (SSH_MSG_USERAUTH_FAILURE) sshd should block in select() inside ssh_packet_read_seqnr() while shellinabox shows the password prompt and waits for input. On FT2000 nothing is shown and nothing is waited for; sshd immediately logs "debug3: receive packet: type 50" (SSH_MSG_USERAUTH_REQUEST), a reply from the ssh process started inside shellinabox. That is abnormal.
Debug step 3: debug shellinabox with gdb
#killall -9 shellinaboxd
#gdb /usr/local/bin/shellinaboxd
(gdb) set follow-fork-mode child
(gdb) b read_string
Breakpoint 1 at 0x4098b0: file shellinabox/launcher.c, line 265.
(gdb) r -b -t -s /:SSH:127.0.0.1 -p 4201
Breakpoint 1, read_string (echo=1, prompt=0x473870 "127 login: ", retstr=0x7ffffff158)
at shellinabox/launcher.c:265
265 shellinabox/launcher.c: No such file or directory.
(gdb) b main
Breakpoint 2 at 0x4080dc: file shellinabox/shellinaboxd.c, line 1226.
(gdb) c
Continuing.
shellinaboxd is started under gdb with follow-fork-mode child so the child process is followed. A breakpoint on read_string(), the function that reads the account name, fires first; from there a breakpoint on main is set. Breakpoints survive exec, so gdb stops at the entry of the /usr/local/bin/ssh process that shellinaboxd launches:
process 2070 is executing new program: /usr/local/bin/ssh
Breakpoint 2, main (ac=24, av=0x7ffffffb38) at ssh.c:515
515 ssh.c: No such file or directory.
(gdb) b userauth
Breakpoint 3 at 0x41f7d8: file sshconnect2.c, line 454.
(gdb) b authmethod_get
Breakpoint 4 at 0x4232f0: file sshconnect2.c, line 1866.
(gdb) b _exit
Breakpoint 5 at 0x7fb7ce2d98
(gdb) handle SIGPIPE nostop noprint
Signal Stop Print Pass to program Description
SIGPIPE No No Yes Broken pipe
(gdb) c
Continuing.
Breakpoint 4, authmethod_get (authlist=0x4f7ae0 "publickey,password,keyboard-interactive") at sshconnect2.c:1866
1866 in sshconnect2.c
(gdb) finish
Run till exit from #0 authmethod_get (authlist=0x4f7ae0 "publickey,password,keyboard-interactive")
at sshconnect2.c:1866
0x000000000041f860 in userauth (authctxt=0x7fffffda90,
authlist=0x4f7ae0 "publickey,password,keyboard-interactive") at sshconnect2.c:466
466 in sshconnect2.c
Value returned is $7 = (Authmethod *) 0x0
The ssh process exits because authmethod_get() finally returns a NULL pointer (no authentication method left to try). Call stack at the exit:
Breakpoint 5, 0x0000007fb7ce2d98 in _exit () from /lib/libc.so.6
(gdb) bt
#0 0x0000007fb7ce2d98 in _exit () from /lib/libc.so.6
#1 0x000000000041b0d8 in cleanup_exit (i=255) at clientloop.c:2730
#2 0x00000000004460c0 in fatal (fmt=0x497dc0 "Permission denied (%s).") at fatal.c:44
#3 0x000000000041f880 in userauth (authctxt=0x7fffffda90,
authlist=0x4f7ae0 "publickey,password,keyboard-interactive") at sshconnect2.c:468
#4 0x000000000041fc08 in input_userauth_failure (type=51, seq=9, ctxt=0x7fffffda90) at sshconnect2.c:566
#5 0x0000000000458910 in ssh_dispatch_run (ssh=0x4f4fe0, mode=0, done=0x7fffffdab8, ctxt=0x7fffffda90)
at dispatch.c:119
#6 0x000000000041f5cc in ssh_userauth2 (local_user=0x4d9150 "nobody", server_user=0x4d9230 "root",
host=0x4d9170 "127.0.0.1", sensitive=0x4d69d8 <sensitive_data>) at sshconnect2.c:402
#7 0x000000000041e514 in ssh_login (sensitive=0x4d69d8 <sensitive_data>, orighost=0x4d9250 "127.0.0.1",
hostaddr=0x4d6958, port=22, pw=0x4d8ba0, timeout_ms=-1000) at sshconnect.c:1384
#8 0x000000000040b368 in main (ac=0, av=0x4d80f0) at ssh.c:1411
Comparing with the normal exchange and with the ssh source: the method->userauth callback for the password method is userauth_passwd(). Normally this function prints the password prompt and blocks until the password has been entered; on FT2000 it does not block in this function at all.
Debug step 4: debug ssh with gdb
Breakpoint 3, read_passphrase (prompt=0x7fffffc7d0 "root@127.0.0.1's password: ",
prompt@entry=0x7fffffc7f0 "\260\062J", flags=flags@entry=0) at readpass.c:120
Breakpoint 8, readpassphrase (prompt=0x1e00000076 <error: Cannot access memory at address 0x1e00000076>,
prompt@entry=0x7fffffc7d0 "root@127.0.0.1's password: ",
buf=0x437400 <debug3+152> "\241\067@\371`\002@\371 ", buf@entry=0x7fffffc3d8 "\244\262\375\267\177",
bufsiz=bufsiz@entry=1024, flags=4861136, flags@entry=2) at readpassphrase.c:89
89 in readpassphrase.c
(gdb) p errno
$1 = 13
Stepping from userauth_passwd() into readpassphrase() shows why the assembled password prompt is never echoed in shellinabox: open("/dev/tty") fails with EACCES (errno 13) because the process lacks permission on the device, the function returns early without the write() of the prompt, and the read() loop that would wait for the password never runs. The flags@entry=2 seen above is RPP_REQUIRE_TTY, so readpassphrase() does not fall back to stdin when the tty cannot be opened. Note that the client runs as local_user "nobody" (see the backtrace), which is not in the tty group that owns the device:
#ls -l /dev/tty
crw-rw---- 1 root tty 5, 0 Jan 1 1970 /dev/tty
#chmod 777 /dev/tty
#chown root:root /dev/tty
#ls -l /dev/tty
crwxrwxrwx 1 root root 5, 0 Jan 1 1970 /dev/tty
After changing the permissions by hand, the connection succeeds. The conventional mode for /dev/tty is 0666 root:tty (crw-rw-rw-); making the node world readable and writable is all that is needed here, the execute bits and the group change are unnecessary.
The code tries to open the /dev/tty device but does not terminate the process when that fails; and because ssh is started by shellinabox, its debug output about the failed open is not visible either.
readpassphrase() returns NULL; read_passphrase(), called without RP_ALLOW_EOF, turns that into an empty string; and the caller userauth_passwd() never checks whether the user actually entered a password. This code really is flawed. As a result ssh sends a password packet carrying an empty password to sshd, sshd never receives the correct password string and each attempt fails. Once the client's three password prompts (NumberOfPasswordPrompts, default 3) are used up, authmethod_get() returns NULL, ssh exits via fatal("Permission denied"), the connection is closed, and sshd in -d mode exits with it. shellinabox shows the connection as closed without ever having displayed a password prompt.
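The failure path traced above, as an added example (this is not OpenSSH or shellinabox code): it models how a readpassphrase()-style reader gives up when the tty node cannot be opened and the REQUIRE_TTY flag is set, adds the return-value check that userauth_passwd() lacks so that a failed prompt becomes an error instead of an empty password on the wire, and includes the device-node permission check that the fix came down to. The function names, the PP_REQUIRE_TTY macro and the /tmp stand-in path are this example's own; the EACCES case is what FT2000 showed, other errno values depend on the path the example is pointed at.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Same value and meaning as OpenBSD/OpenSSH RPP_REQUIRE_TTY (flags@entry=2 above). */
#define PP_REQUIRE_TTY 0x02

/* Scratch buffer so the non-interactive check below needs no locals. */
static char example_out[256];

/* Model of readpassphrase(): open the tty node, write the prompt to it, read one
 * line. With PP_REQUIRE_TTY an open() failure returns NULL and leaves errno as
 * open() set it (EACCES on the FT2000: /dev/tty was 0660 root:tty and the client
 * ran as "nobody"); there is no fall back to stdin. Without the flag the prompt
 * goes to stderr and the line is read from stdin. */
char *read_tty_passphrase(const char *ttypath, const char *prompt,
                          char *buf, size_t bufsiz, int flags)
{
    int in, out;
    ssize_t n;

    if (bufsiz == 0) { errno = EINVAL; return NULL; }
    in = out = open(ttypath, O_RDWR | O_NOCTTY);
    if (in == -1) {
        if (flags & PP_REQUIRE_TTY)
            return NULL;            /* no write() of the prompt, no read() loop */
        in = STDIN_FILENO;
        out = STDERR_FILENO;
    }
    (void)write(out, prompt, strlen(prompt));
    n = read(in, buf, bufsiz - 1);
    if (in != STDIN_FILENO)
        close(in);
    if (n <= 0)
        return NULL;
    buf[n] = '\0';
    buf[strcspn(buf, "\r\n")] = '\0';
    return buf;
}

/* Caller modelled on userauth_passwd(). OpenSSH's read_passphrase() turns a NULL
 * from readpassphrase() into "" and userauth_passwd() sends it; this version
 * refuses to build a password reply when no prompt happened.
 * Returns 0 and fills out on success, -1 (errno from open()) otherwise. */
int build_password_reply(const char *ttypath, char *out, size_t outsz)
{
    char buf[1024];
    char *p = read_tty_passphrase(ttypath, "password: ", buf, sizeof buf,
                                  PP_REQUIRE_TTY);
    if (p == NULL) {
        out[0] = '\0';
        return -1;                  /* abort the method; never send "" */
    }
    snprintf(out, outsz, "%s", p);
    memset(buf, 0, sizeof buf);     /* do not leave the secret on the stack */
    return 0;
}

/* Device-node check matching the fix applied above. Returns 1 if the node is
 * readable and writable by "other" (the 0666 udev gives /dev/tty), 0 if not,
 * -1 if stat() fails. For the real device also require S_ISCHR(st.st_mode);
 * the non-interactive check uses a regular file as a stand-in. */
int node_world_rw(const char *path)
{
    struct stat st;
    if (stat(path, &st) == -1)
        return -1;
    return (st.st_mode & (S_IROTH | S_IWOTH)) == (S_IROTH | S_IWOTH);
}

/* Constructed fixture: a regular file with an explicit mode, standing in for a
 * device node when the example is not run against a real terminal. */
int make_stand_in_node(const char *path, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, mode);
    if (fd == -1)
        return -1;
    if (fchmod(fd, mode) == -1) { close(fd); return -1; }  /* defeat umask */
    return close(fd);
}

int main(int argc, char **argv)
{
    const char *tty = argc > 1 ? argv[1] : "/dev/tty";
    char pw[256];

    printf("%s world rw: %d\n", tty, node_world_rw(tty));
    if (build_password_reply(tty, pw, sizeof pw) == -1)
        printf("prompt failed: %s (the FT2000 symptom)\n", strerror(errno));
    else
        printf("read %zu characters\n", strlen(pw));
    memset(pw, 0, sizeof pw);
    return 0;
}
```

Run without arguments to probe the real /dev/tty interactively; pass a path the process cannot open (or run it as an unprivileged user against a 0660 root:tty node) to reproduce the NULL return that, unchecked, turns into the empty-password packet seen in the sshd log.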