1225106 – pam_ssh_agent_auth: undefined symbol: ssh_get_first_identity

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1225106 - pam_ssh_agent_auth: undefined symbol: ssh_get_first_identity

Summary: pam_ssh_agent_auth: undefined symbol: ssh_get_first_identity

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	openssh
Sub Component:
Version:	22
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Jakub Jelen
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-05-26 15:12 UTC by Sjoerd Mullender
Modified:	2015-12-08 07:24 UTC (History)
CC List:	5 users (show)
Fixed In Version:	openssh-6.8p1-7.fc22
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-06-07 16:02:08 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Sjoerd Mullender 2015-05-26 15:12:30 UTC

Description of problem:
pam_ssh_agent_auth no longer works since Fedora 22.  In the log I find the message
pam_ssh_agent_auth: undefined symbol: ssh_get_first_identity

Version-Release number of selected component (if applicable):
pam_ssh_agent_auth-0.9.3-5.5.fc22.1.x86_64

How reproducible:
100%

Steps to Reproduce:
1.install pam_ssh_agent_auth
2.configure according to man page (man pam_ssh_agent_auth)
3.try sudo

Actual results:
sudo still asks for password and the /var/log/security file has the above-mentioned message.

Expected results:
sudo accepts openssh key.

Additional info:

Comment 1 Jakub Jelen 2015-05-27 13:17:13 UTC

Thanks for report. There was some refactorization of openssh internals around authfd. 

I managed to update pam_ssh_agent code to cooperate with current openssh and my rough testing shows that it works. If you will have time to check it out, there is scratch build:
http://koji.fedoraproject.org/koji/taskinfo?taskID=9857246

Regular build will be available with another fixes later.

Comment 2 Sjoerd Mullender 2015-05-27 13:52:56 UTC

That's an fc23 package.  Is there also an fc22 package?

Comment 3 Jakub Jelen 2015-05-27 13:59:40 UTC

For testing purpose it shouldn't matter to install F23 packages. Within openssh, there is no difference between them.

Full update for F22 will be available in few days. I need to figure out some stuff.

Comment 4 Fedora Update System 2015-05-28 13:56:36 UTC

openssh-6.8p1-6.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/openssh-6.8p1-6.fc22

Comment 5 Fedora Update System 2015-05-30 15:39:14 UTC

Package openssh-6.8p1-6.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openssh-6.8p1-6.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-9070/openssh-6.8p1-6.fc22
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2015-06-01 17:10:05 UTC

openssh-6.8p1-6.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Sjoerd Mullender 2015-06-01 20:11:55 UTC

I'm sorry I wasn't able to test this sooner, but I'm afraid this fix makes it (quite a bit) worse.  sudo crashes due to a double free in the pam_ssh_agent_auth.so shared library:

*** Error in `sudo': double free or corruption (fasttop): 0xb87b6fa0 ***
======= Backtrace: =========
/lib/libc.so.6(+0x6b716)[0xb7553716]
/lib/libc.so.6(+0x7414a)[0xb755c14a]
/lib/libc.so.6(cfree+0x50)[0xb755f930]
/usr/lib/security/pam_ssh_agent_auth.so(+0x79f7)[0xb6e2a9f7]
/usr/lib/security/pam_ssh_agent_auth.so(+0x10bc2)[0xb6e33bc2]
/usr/lib/security/pam_ssh_agent_auth.so(+0x4261)[0xb6e27261]
/usr/lib/security/pam_ssh_agent_auth.so(pam_sm_authenticate+0x489)[0xb6e5b199]
/lib/libpam.so.0(+0x2615)[0xb71e7615]
/lib/libpam.so.0(pam_authenticate+0x47)[0xb71e6d77]
/usr/libexec/sudo/sudoers.so(+0x5bcb)[0xb71f9bcb]
/usr/libexec/sudo/sudoers.so(+0x51a2)[0xb71f91a2]
/usr/libexec/sudo/sudoers.so(+0x6a76)[0xb71faa76]
/usr/libexec/sudo/sudoers.so(+0x1821d)[0xb720c21d]
/usr/libexec/sudo/sudoers.so(+0x12100)[0xb7206100]
sudo(main+0x82c)[0xb775fe5c]
/lib/libc.so.6(__libc_start_main+0xf7)[0xb75006c7]
sudo(+0x53ed)[0xb77613ed]

[ large memory map elided ]

Perhaps this should be a new bug report?

Comment 8 Jakub Jelen 2015-06-02 11:32:29 UTC

I think it can stay in this bugzilla. Sorry for it and thanks for reopening. I gave it another try with more care and fixed few problems.

Here is scratch build:
http://koji.fedoraproject.org/koji/taskinfo?taskID=9916345

and if my last testing will end good, I will push it later today.

Comment 9 Sjoerd Mullender 2015-06-02 13:53:35 UTC

I installed pam_ssh_agent_auth-0.9.3-5.7.fc23.1.x86_64 on a test machine running F22 (upgraded from F21) and the result is:
$ sudo whoami
Segmentation fault

I then incorporated the change in /etc/pam.d/sudo.rpmnew into /etc/pam.d/sudo (after the upgrade from F21 to F22 the last line containing "session include system-auth" was missing), and the result became:
*** Error in `sudo': double free or corruption (out): 0x00007fdb00000000 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x77e9d)[0x7fdb05594e9d]
/lib64/libc.so.6(+0x7f53c)[0x7fdb0559c53c]
/lib64/libc.so.6(cfree+0x4c)[0x7fdb055a0e9c]
/usr/lib64/security/pam_ssh_agent_auth.so(+0x638e)[0x7fdafbfae38e]
/usr/lib64/security/pam_ssh_agent_auth.so(+0x6260)[0x7fdafbfae260]
/usr/lib64/security/pam_ssh_agent_auth.so(pam_sm_authenticate+0x3f4)[0x7fdafbfd4524]
/lib64/libpam.so.0(+0x2f82)[0x7fdafe369f82]
/lib64/libpam.so.0(pam_authenticate+0x30)[0x7fdafe369840]
/usr/libexec/sudo/sudoers.so(+0x8b9b)[0x7fdafe57eb9b]
/usr/libexec/sudo/sudoers.so(+0x82f2)[0x7fdafe57e2f2]
/usr/libexec/sudo/sudoers.so(+0x987c)[0x7fdafe57f87c]
/usr/libexec/sudo/sudoers.so(+0x18a9f)[0x7fdafe58ea9f]
/usr/libexec/sudo/sudoers.so(+0x137cf)[0x7fdafe5897cf]
sudo(+0x568e)[0x7fdb0656a68e]
/lib64/libc.so.6(__libc_start_main+0xf0)[0x7fdb0553d790]
sudo(+0x6829)[0x7fdb0656b829]

Comment 10 Jakub Jelen 2015-06-02 17:06:07 UTC

Yes. I found out after I posted. So one more time, hopefully tested all use cases. There were more changes than I expected and even some fun with changed types. I will do update tomorrow, if you will report success.

http://koji.fedoraproject.org/koji/taskinfo?taskID=9920781 (F22 package)

Comment 11 Sjoerd Mullender 2015-06-02 17:23:34 UTC

Now that I have pam_ssh_agent_auth-0.9.3-5.7.fc22.1.x86_64 installed, sudo worked.  Looking good so far.

Comment 12 Fedora Update System 2015-06-03 07:32:30 UTC

openssh-6.8p1-7.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/openssh-6.8p1-7.fc22

Comment 13 Fedora Update System 2015-06-06 00:02:47 UTC

Package openssh-6.8p1-7.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openssh-6.8p1-7.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-9537/openssh-6.8p1-7.fc22
then log in and leave karma (feedback).

Comment 14 Fedora Update System 2015-06-07 16:02:08 UTC

openssh-6.8p1-7.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.