Title: #586: SSH: Do not exit abruptly if SSHD closes its end of the pipe before reading all the SSH keys

Before writing the keys to sshd, ignore SIGPIPE so that if the pipe towards
the authorizedkeys helper is closed, the sss_ssh_authorizedkeys helper is
not terminated with SIGPIPE, but instead proceeds and then the write(2)
calls would non-terminally fail with EPIPE.

The other patch in this PR is not meant to be pushed. It is an easy way to
reproduce the bug. I would also like to write an integration test, but
I'm not sure if I can do that very soon and given that we try to release
in about a week I prefer to send the fix first.

In order to reproduce, load many SSH keys to a user object. I found it was
easiest to cheat during reproducing and do this:
- first, set a long cache expire so that the cache doesn't expire
  and overwrite your local changes
- ldbedit the cache
- copy the ssh public key attribute and each time, change one character
  in the attribute (ldb would otherwise detect the duplicates)
- save the ldbedit window
- run the program from the second patch. With the sss_ssh_authorizedkeys
  patch in, the sss_ssh_authorizedkeys binary should finish gracefully;
  without the patch, it would fail with SIGPIPE.

In my testing, I needed about 30 ssh keys to reproduce the bug.

To pull the PR as a Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/586/head:pr586
git checkout pr586