nixops
Storm of failing ssh clients DoS gnome-keyring locking user out
I made a mistake that caused ssh authentication to fail on one of the machines in my network. I took a break and when I came back, I was locked out of my laptop.
To reproduce
- Break your network such that one machine doesn't accept your deployment's ssh key.
- Observe that it asks for a password.
- Let it run for a while; don't enter a password.
- Many ssh processes linger, gnome-keyring becomes unresponsive and logs a lot. If you try to unlock your screen, what appears to be the password check (but is probably a pam module after the check) takes forever.
- Recover: log in on the console as root, kill the sshs and nixops, log out, switch back, unlock screen.
Logs
The pile of ssh processes looked like this
ssh -x root@<ip> -S /run/user/1000/nixops-ssh-tmp45ypm362/master-socket -M -N -f -oNumberOfPasswordPrompts=3 -oServerAliveInterval=60 -oControlPersist=600 -C -p 22 -i /run/user/1000/nixops-ssh-tmpxpfte73/id_nixops-<deployment_name> -o ConnectTimeout=1
gnome-keyring
These two lines, apparently at a rate over 1000/sec.
Feb 19 16:26:53 feb gnome-keyring-daemon[2127]: GLib-GIO: fail: Error accepting connection: Too many open files
Feb 19 16:26:53 feb gnome-keyring-daemon[2127]: couldn't accept new control request: Too many open files
Versions
Latest nixops and nixops-aws as of the day of reporting.
forked Nixpkgs master with poetry-git-overlay.nix:
nixops = super.nixops.overridePythonAttrs (
  _: {
    src = pkgs.fetchgit {
      url = "https://github.com/NixOS/nixops.git";
      rev = "23db83fc91952d2dbcc64b8aa1ac16f8c8f45bed";
      sha256 = "0dpw82hs5kqrrvv7gcrdpjms1dq93431fzg9hrxqs0b9spl2rl6r";
    };
  }
);
nixops-aws = super.nixops-aws.overridePythonAttrs (
  _: {
    src = pkgs.fetchgit {
      url = "https://github.com/hercules-ci/nixops-aws.git";
      rev = "5cafbf9648cccedc5d5aa0bd4cbcd80346bba2c8";
      sha256 = "0ipcgvrj2rp89jz03x76qj92dvrs4fm3g1a73c0cgfgx5h1gj81l";
    };
  }
);
nixops-encrypted-links = super.nixops-encrypted-links.overridePythonAttrs (
  _: {
    src = pkgs.fetchgit {
      url = "https://github.com/nix-community/nixops-encrypted-links.git";
      rev = "e2f196fce15fcfb00d18c055e1ac53aec33b8fb1";
      sha256 = "12ynqwd5ad6wfyv6sma55wnmrlr8i14kd5d42zqv4zl23h0xnd6m";
    };
  }
);
nixops-gcp = super.nixops-gcp.overridePythonAttrs (
  _: {
    src = pkgs.fetchgit {
      url = "https://github.com/nix-community/nixops-gce.git";
      rev = "fed6aadace9a9e914425589c065bb969d53f2309";
      sha256 = "096ic1kzlcv8cx51hnhlq37pkg4pis2rk5kri14dwp3865si1mdw";
    };
  }
);
nixops-virtd = super.nixops-virtd.overridePythonAttrs (
  _: {
    src = pkgs.fetchgit {
      url = "https://github.com/nix-community/nixops-libvirtd.git";
      rev = "af6cf5b2ced57b7b6d36b5df7dd27a14e0a5cfb6";
      sha256 = "1j75yg8a44dlbig38mf7n7p71mdzff6ii1z1pdp32i4ivk3l0hy6";
    };
  }
);
nixopsvbox = super.nixopsvbox.overridePythonAttrs (
  _: {
    src = pkgs.fetchgit {
      url = "https://github.com/nix-community/nixops-vbox.git";
      rev = "2729672865ebe2aa973c062a3fbddda8c1359da0";
      sha256 = "07bmrbg3g2prnba2kwg1rg6rvmnx1vzc538y2q3g04s958hala56";
    };
  }
);
nixos-modules-contrib = super.nixos-modules-contrib.overridePythonAttrs (
  _: {
    src = pkgs.fetchgit {
      url = "https://github.com/nix-community/nixos-modules-contrib.git";
      rev = "81a1c2ef424dcf596a97b2e46a58ca73a1dd1ff8";
      sha256 = "0f6ra5r8i1jz8ymw6l3j68b676a1lv0466lv0xa6mi80k6v9457x";
    };
  }
);
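A monitoring check for the failure mode in this report, as an added example that is not part of the original issue or of nixops: it flags a daemon whose "Too many open files" log lines exceed a per-second threshold, and reads a process's open descriptor count against its soft limit from Linux `/proc`. The function names, the threshold and the sample lines are assumptions constructed for illustration.

```python
import os
import re
from collections import Counter

# Constructed sample in the format of the two log lines above (not real journal output).
SAMPLE = """\
Feb 19 16:26:53 feb gnome-keyring-daemon[2127]: GLib-GIO: fail: Error accepting connection: Too many open files
Feb 19 16:26:53 feb gnome-keyring-daemon[2127]: couldn't accept new control request: Too many open files
Feb 19 16:26:53 feb gnome-keyring-daemon[2127]: couldn't accept new control request: Too many open files
Feb 19 16:26:54 feb gnome-keyring-daemon[2127]: couldn't accept new control request: Too many open files
Feb 19 16:26:54 feb sshd[900]: Accepted publickey for root
"""

# timestamp, host (ignored), process name, pid, message
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ ([^\[\s]+)\[(\d+)\]: (.*)$")

def emfile_storms(lines, threshold):
    """Return {(process, pid): peak EMFILE lines per second} for peaks >= threshold."""
    per_second = Counter()
    for line in lines:
        m = LINE.match(line)
        if m and m.group(4).endswith("Too many open files"):
            stamp, proc, pid, _ = m.groups()
            per_second[(proc, int(pid), stamp)] += 1
    peaks = {}
    for (proc, pid, _), n in per_second.items():
        peaks[(proc, pid)] = max(n, peaks.get((proc, pid), 0))
    return {k: v for k, v in peaks.items() if v >= threshold}

def fd_usage(pid):
    """Return (open_fds, soft_limit) for a Linux process; soft_limit is None if unlimited."""
    used = len(os.listdir(f"/proc/{pid}/fd"))
    with open(f"/proc/{pid}/limits") as fh:
        for row in fh:
            if row.startswith("Max open files"):
                soft = row.split()[3]  # columns: name (3 words), soft, hard, units
                return used, None if soft == "unlimited" else int(soft)
    raise RuntimeError("no 'Max open files' row in limits")

if __name__ == "__main__":
    print(emfile_storms(SAMPLE.splitlines(), threshold=3))
    print(fd_usage(os.getpid()))
```

Reading another user's `/proc/<pid>/fd` requires matching privileges, so run the descriptor check as the owning user or as root.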