Fix mistracking of MaxStartups process exits in some situations
Resolves: RHEL-121768 Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
parent
394f1022a0
commit
952d882d0a
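--- a/openssh-9.9p1-maxstartups-mistracking.patch
+++ b/openssh-9.9p1-maxstartups-mistracking.patch
@@ -0,0 +1,73 @@
+diff --color -ruNp a/srclimit.c b/srclimit.c
+--- a/srclimit.c 2024-09-20 00:20:48.000000000 +0200
++++ b/srclimit.c 2026-03-06 13:30:48.408309619 +0100
+@@ -427,7 +427,9 @@ srclimit_penalise(struct xaddr *addr, in
+penalty->active = 1;
+if (RB_INSERT(penalties_by_expiry, by_expiry, penalty) != NULL)
+fatal_f("internal error: %s penalty tables corrupt", t);
+- verbose_f("%s: new %s %s penalty of %d seconds for %s", t,
++ do_log2_f(penalty->active ?
++ SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_VERBOSE,
++ "%s: new %s %s penalty of %d seconds for %s", t,
+addrnetmask, penalty->active ? "active" : "deferred",
+penalty_secs, reason);
+if (++(*npenaltiesp) > (size_t)max_sources)
+@@ -446,7 +448,7 @@ srclimit_penalise(struct xaddr *addr, in
+existing->expiry = now + penalty_cfg.penalty_max;
+if (existing->expiry - now > penalty_cfg.penalty_min &&
+!existing->active) {
+- verbose_f("%s: activating %s penalty of %lld seconds for %s",
++ logit_f("%s: activating %s penalty of %lld seconds for %s",
+addrnetmask, t, (long long)(existing->expiry - now),
+reason);
+existing->active = 1;
+diff --color -ruNp a/sshd.c b/sshd.c
+--- a/sshd.c 2026-03-06 13:10:52.653617548 +0100
++++ b/sshd.c 2026-03-06 13:24:50.865079998 +0100
+@@ -291,8 +291,10 @@ child_finish(struct early_child *child)
+{
+if (children_active == 0)
+fatal_f("internal error: children_active underflow");
+- if (child->pipefd != -1)
++ if (child->pipefd != -1) {
++ srclimit_done(child->pipefd);
+close(child->pipefd);
++ }
+free(child->id);
+memset(child, '\0', sizeof(*child));
+child->pipefd = -1;
+@@ -311,6 +313,7 @@ child_close(struct early_child *child, i
+if (!quiet)
+debug_f("enter%s", force_final ? " (forcing)" : "");
+if (child->pipefd != -1) {
++ srclimit_done(child->pipefd);
+close(child->pipefd);
+child->pipefd = -1;
+}
+@@ -978,10 +981,11 @@ server_accept_loop(int *sock_in, int *so
+}
+/* FALLTHROUGH */
+case 0:
+- /* child exited preauth */
++ /* child closed pipe */
+if (children[i].early)
+listening--;
+- srclimit_done(children[i].pipefd);
++ debug3_f("child %lu for %s closed pipe",
++ (long)children[i].pid, children[i].id);
+child_close(&(children[i]), 0, 0);
+break;
+case 1:
+@@ -1003,6 +1007,12 @@ server_accept_loop(int *sock_in, int *so
+"child %ld for %s in state %d",
+(int)c, (long)children[i].pid,
+children[i].id, children[i].early);
++
++ if (children[i].early)
++ listening--;
++ if (children[i].pid > 0)
++ kill(children[i].pid, SIGTERM);
++ child_close(&(children[i]), 0, 0);
+}
+break;
+}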
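Review bot: The new `debug3_f("child %lu for %s closed pipe", (long)children[i].pid, children[i].id);` in the `case 0:` hunk of sshd.c pairs a `%lu` conversion with an argument cast to `long`, which is a signed/unsigned format mismatch that `-Wformat` flags and that the neighbouring `"child %ld for %s in state %d"` call in the next hunk avoids; the line should read `debug3_f("child %ld for %s closed pipe",`. Moving `srclimit_done()` into `child_finish()`/`child_close()` is what keeps the per-source accounting balanced on every teardown path, so the unexpected-state branch in the last hunk that now decrements `listening`, sends `SIGTERM` and calls `child_close()` deserves a one-line why-comment, e.g. `/* unexpected state from child: terminate it and let child_close() release its srclimit entry */`. It would also be worth confirming that `child->pipefd` is never set to -1 on a path that skips both helpers, since the `srclimit_done()` call is now gated on that value. server_accept_loop begins and ends outside the hunks shown.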
@ -234,6 +234,9 @@ Patch1036: openssh-9.9p1-gssapi-s4u.patch
|
||||
# upstream 19f7cb39eecb4b8f768f37e8294dc3a9142e022b
|
||||
# upstream 97b32fa2af25c16aec4de85c5cbb63fd038b4dfa
|
||||
Patch1037: openssh-9.9p1-first-match-wins.patch
|
||||
# upstream eddd1d2daa64a6ab1a915ca88436fa41aede44d4
|
||||
# upstream bc328144f149af07139a0f2c1329018cd85b86b7
|
||||
Patch1038: openssh-9.9p1-maxstartups-mistracking.patch
|
||||
|
||||
License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant
|
||||
Requires: /sbin/nologin
|
||||
@ -435,6 +438,7 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
|
||||
%patch -P 1035 -p1 -b .mlkem-nist-fips
|
||||
%patch -P 1036 -p1 -b .gssapi-s4u
|
||||
%patch -P 1037 -p1 -b .first-match-wins
|
||||
%patch -P 1038 -p1 -b .maxstartups-mistracking
|
||||
|
||||
%patch -P 100 -p1 -b .coverity
|
||||
|
||||
@ -721,6 +725,8 @@ test -f %{sysconfig_anaconda} && \
|
||||
- Only the first value of MaxStartups, PerSourceNetBlockSize and IPQoS
|
||||
in sshd_config should count when defined multiple times
|
||||
Resolves: RHEL-150365
|
||||
- Fix mistracking of MaxStartups process exits in some situations
|
||||
Resolves: RHEL-121768
|
||||
|
||||
* Wed Mar 11 2026 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.9p1-21
|
||||
- Implement obtaining Kerberos tickets on behalf of user on SSH authentication
|
||||
|
||||