Package: openssh-server
Version: 1:8.0p1-2
Severity: important
Dear Maintainer,
After enabling the afalg engine on OpenSSL and configuring OpenSSH server to use the following ciphers, incoming ssh connections stop working. When a client tries to connect, you can observe the following message on the server's dmesg output:
[271686.264598] audit: type=1326 audit(1561879548.303:14): auid=1000
uid=104 gid=65534 ses=99 subj==unconfined pid=8164 comm="sshd"
exe="/usr/sbin/sshd" sig=31 arch=4028 syscall=281 compat=0 ip=0xb6a5ee6c
code=0x0
The device is a Buffalo Linkstation LS-WXL (armel, kirkwood). I would like to use the crypto hardware accelerator (marvell_cesa) on SSH to get better performance out of it, that's why I enabled the afalg engine.
This happens both with openssh-server from buster and experimental. Syscall 281 appears to be socket(...) from what I could gather. Maybe it is necessary to add a few more allowed syscall rules to the seccomp sandbox in OpenSSH?
Config changes I performed below:
Changes on /etc/ssh/sshd_config
    Ciphers aes128-cbc,aes192-cbc,aes256-cbc
Changes on /etc/ssl/openssl.cnf
    [default_conf]
    engines = openssl_engines
    [openssl_engines]
    afalg = afalg_engine
    [afalg_engine]
    default_algorithms = ALL
Thank you for your time,
Emilio
-- System Information:
Debian Release: 10.0
APT prefers testing
APT policy: (500, 'testing'), (1, 'experimental')
Architecture: armel (armv5tel)
Kernel: Linux 4.19.0-5-marvell
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages openssh-server depends on:
ii adduser 3.118
ii debconf [debconf-2.0] 1.5.71
ii dpkg 1.19.7
ii libaudit1 1:2.8.4-3
ii libc6 2.28-10
ii libcom-err2 1.44.5-1
ii libgssapi-krb5-2 1.17-3
ii libkrb5-3 1.17-3
ii libpam-modules 1.3.1-5
ii libpam-runtime 1.3.1-5
ii libpam0g 1.3.1-5
ii libselinux1 2.8-1+b1
ii libssl1.1 1.1.1c-1
ii libsystemd0 241-5
ii libwrap0 7.6.q-28
ii lsb-base 10.2019051400
ii openssh-client 1:8.0p1-2
ii openssh-sftp-server 1:8.0p1-2
ii procps 2:3.3.15-2
ii ucf 3.0038+nmu1
ii zlib1g 1:1.2.11.dfsg-1
Versions of packages openssh-server recommends:
pn default-logind | logind | libpam-systemd
ii ncurses-term 6.1+20181013-2
pn xauth
Versions of packages openssh-server suggests:
pn molly-guard
pn monkeysphere
pn rssh
pn ssh-askpass
pn ufw
-- debconf information:
openssh-server/permit-root-login: true
openssh-server/password-authentication: true
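
A triage sketch for the dmesg record quoted in the report, added here as an example and not part of the original report or of OpenSSH: it parses audit type=1326 (seccomp) records and names the blocked syscall. The syscall table is the ARM EABI socket family, assumed from the reporter's armel system, and the function and constant names are hypothetical.

```python
import re

# Socket-family syscall numbers for 32-bit ARM EABI (assumed: the report's armel system).
ARM_EABI_SYSCALLS = {
    281: "socket", 282: "bind", 283: "connect", 284: "listen", 285: "accept",
    290: "sendto", 292: "recvfrom", 294: "setsockopt", 296: "sendmsg",
    297: "recvmsg",
}
AUDIT_SECCOMP = 1326   # audit record type logged when a seccomp filter acts
SIGSYS = 31            # signal number reported when the filter kills the process

# The record from the report, joined back onto one line.
REPORT_LINE = (
    '[271686.264598] audit: type=1326 audit(1561879548.303:14): auid=1000 '
    'uid=104 gid=65534 ses=99 subj==unconfined pid=8164 comm="sshd" '
    'exe="/usr/sbin/sshd" sig=31 arch=4028 syscall=281 compat=0 ip=0xb6a5ee6c '
    'code=0x0'
)

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"

def parse_seccomp_record(line, table=ARM_EABI_SYSCALLS):
    """Return a dict describing a seccomp audit record, or None for other lines."""
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    if fields.get("type") != str(AUDIT_SECCOMP) or "syscall" not in fields:
        return None
    nr = int(fields["syscall"])
    return {
        "comm": fields.get("comm"),
        "exe": fields.get("exe"),
        "pid": int(fields.get("pid", 0)),
        "killed_by_sigsys": int(fields.get("sig", 0)) == SIGSYS,
        "syscall_nr": nr,
        "syscall_name": table.get(nr, "unknown"),
    }

def summarize(lines, table=ARM_EABI_SYSCALLS):
    """Count blocked syscalls per (exe, syscall name) across many log lines."""
    counts = {}
    for line in lines:
        rec = parse_seccomp_record(line, table)
        if rec:
            key = (rec["exe"], rec["syscall_name"])
            counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    print(parse_seccomp_record(REPORT_LINE))
```

Run against the report's line, it names syscall 281 as socket with sig=31 (SIGSYS), matching the reporter's reading that the sandboxed sshd process was killed on a socket() call.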