On 3/29/21 4:25 AM, Thomas Seeling wrote:
Hello dear list,

I have successfully compiled LFS 10.1 on my legacy P4 (32 bit) with jhalfs-4212 
(svn) on an existing LFS 10.0.
Compilation went fine overnight, after installing a kernel it boots fine.
Next step was compiling openssh 8.4 to make it headless again (I had exchanged 
some cables on my KVM switch to watch it boot for the first time).
Compilation went fine here as well, sandbox user exists, sshd starts, but 
connection fails and I have absolutely no clue what goes wrong. sshd_config and 
host keys are the same files I use on the same system, LFS 10.0 partition. I 
tried with different users, ssh keys, tried permissions on .ssh, 
authorized_keys, etc.

The last ssh message is "[server ip] closed connection". Using -vvv I see it 
fails after exchanging msg type 20 preauth kexinit.
I started sshd -e -D -d -d -d and the last messages here tell me the exact same 
thing: kexinit msg type 20 preauth kexinit happens and then the sandbox cleanup 
kicks in. There is no error message why it fails in this stage.

LFS 10.1 uses openssl 1.1.1j which works fine for me on the other system (I 
recently started to upgrade all my systems to 1.1.1k last week but I'm not sure 
this would make a difference for my current problem).

Usually for ssh problems it boils down to some permissions too wide open but I 
think I got that covered. I even checked /tmp for 1777 which is my favourite to 
overlook ;)

I'm out of ideas where to look so maybe someone here has some hints for me 
please?

Stay healthy,
Thomas
--
"Do you wanna be a legend or a passing footprint on the sands of time?"

Hi Thomas,
We've encountered this before on non-x86_64 platforms, especially on i686.

It was in the development book, but was deleted when updating to OpenSSH-8.5p1. I'll file an errata for it at my next commit, but here's what you need to do:

# Only needed on non-x86_64 hosts (e.g. i686): allow the time64 variant of
# pselect6 through the preauth seccomp sandbox by inserting an entry just
# before the existing __NR_read entry.
if [ "$(uname -m)" != "x86_64" ]; then
  l1="#ifdef __NR_pselect6_time64"
  l2="        SC_ALLOW(__NR_pselect6_time64),"
  l3="#endif"
  sed -e "/^#ifdef __NR_read$/ i $l1\n$l2\n$l3" -i sandbox-seccomp-filter.c
fi

And then rebuild OpenSSH using the instructions in the book.

This happens because OpenSSH added a SECCOMP sandbox into 8.4p1 that was incompatible with newer glibcs on most non-x86_64 platforms. The sed basically allows the __NR_pselect6_time64 syscall through the sandbox.

I hope this helps!

- Doug

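As an added illustration (this is not Doug's code and not the LFS book's own instructions): a small shell script that applies the same insertion to a constructed excerpt of sandbox-seccomp-filter.c and then checks that the allow entry really landed in the right place. The point worth demonstrating is that sed exits 0 even when its address matches no line at all, so a typo in the pattern leaves the file untouched without any error; the function below therefore refuses to run when the anchor line `#ifdef __NR_read` is absent, skips files that already carry the entry, and verifies the result afterwards. It uses the portable multi-line `i\` form of sed writing to a temporary file instead of GNU sed's one-line `i` with `-i`; the edit performed is the same.

```shell
#!/bin/sh
# Constructed excerpt of the allow-list in sandbox-seccomp-filter.c
# (sample data for this example; the real file has many more entries).
make_sample_filter() {
    cat > "$1" <<'EOF'
static const struct sock_filter preauth_insns[] = {
#ifdef __NR_read
        SC_ALLOW(__NR_read),
#endif
#ifdef __NR_write
        SC_ALLOW(__NR_write),
#endif
};
EOF
}

# Insert the __NR_pselect6_time64 allow entry before the __NR_read entry.
# Returns 2 if the anchor line is missing (the sed would silently do nothing),
# 0 if the entry is present afterwards (also when it was already there).
patch_seccomp_filter() {
    file="$1"
    grep -q '^#ifdef __NR_read$' "$file" || return 2
    grep -q 'SC_ALLOW(__NR_pselect6_time64)' "$file" && return 0
    # Portable "i\" text form; a leading backslash keeps the indentation
    # of the SC_ALLOW line in both GNU and BSD sed.
    sed -e '/^#ifdef __NR_read$/i\
#ifdef __NR_pselect6_time64\
\        SC_ALLOW(__NR_pselect6_time64),\
#endif' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    grep -q 'SC_ALLOW(__NR_pselect6_time64)' "$file"
}

# Check that the entry exists and sits before the __NR_read entry,
# i.e. inside the same allow-list array.
verify_seccomp_filter() {
    grep -q 'SC_ALLOW(__NR_pselect6_time64)' "$1" || return 1
    t64=$(grep -n 'SC_ALLOW(__NR_pselect6_time64)' "$1" | head -n 1 | cut -d: -f1)
    rd=$(grep -n 'SC_ALLOW(__NR_read)' "$1" | head -n 1 | cut -d: -f1)
    [ "$t64" -lt "$rd" ]
}

# Number of SC_ALLOW entries, to show the allow-list grew by exactly one.
count_allows() {
    grep -c 'SC_ALLOW(' "$1"
}
```

Usage: `make_sample_filter f.c; patch_seccomp_filter f.c && verify_seccomp_filter f.c && echo patched`. Running the patch function twice leaves the file unchanged, so it is safe to re-run after a failed build.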
--
http://lists.linuxfromscratch.org/listinfo/lfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html