Page MenuHomePhabricator

Crash in libssh in canonical multipass due to certain entries in `~/.ssh/config`
Open, Needs TriagePublic


Canonical multipass, which is in turn used by ubuntu snapcraft may crash unless ~/.ssh/config is moved away. This seems to be due to two issues. One of them is in multipass, that lets libssh parse ~/.ssh/config when there is no reason to do so. The second one seems to be in libssh itself that ends up crashing on pieces of configuration in ~/.ssh/config that it does not understand.

For instance, proxyjump entries or pointers to keys that do not exist seem to be enough to cause the crash.

I believe that the version of libssh in multipass may not be the latest one (probably 0.90). Hence, please forgive the noise if this issue has already been cleared.

Otherwise, may constitute a pointer for a bug in libssh.

Event Timeline

Jakuje added a subscriber: Jakuje.Dec 27 2019, 9:56 PM

Without information about the libssh version, what configuration file was used (at least the offending match line), more verbose libssh logs (there is quite a lot of tracing logs around), it is hard to guess what went wrong with the parsing.

Indeed. For the time being, I have opened the bug to follow the multipass issue, where I hope that this data shall be made available. In the meantime, proxyjump as in ProxyJump = myhost seems to be a trigger for the issue.

The backtrace in the attached issue points to the match block parsing:

0   libsystem_c.dylib             	0x00007fff6acc7b44 strcasecmp_l + 92
1   libssh.4.dylib                	0x0000000107d27bbe ssh_config_get_match_opcode + 78
2   libssh.4.dylib                	0x0000000107d2608b ssh_config_parse_line + 763
3   libssh.4.dylib                	0x0000000107d25cfa ssh_config_parse_file + 266
4   libssh.4.dylib                	0x0000000107d40806 ssh_options_parse_config + 262
5   libssh.4.dylib                	0x0000000107d248e4 ssh_connect + 292

if you have some other crash report, please let us know.