[Touch-packages] [Bug 1690485] Re: openssh-server SIGSYS with 'UsePrivilegeSeparation sandbox'

2020-11-28 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: openssh (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu.

[Touch-packages] [Bug 1690485] Re: openssh-server SIGSYS with 'UsePrivilegeSeparation sandbox'

2019-06-10 Thread Robie Basak
Thank you for posting the additional information here. It sounds like this will help others affected. I see that the bug Importance has never been set, so I'm setting it now, to Low, based on "unusual end-user configurations" from https://wiki.ubuntu.com/Bugs/Importance. I'd like to make it clear

[Touch-packages] [Bug 1690485] Re: openssh-server SIGSYS with 'UsePrivilegeSeparation sandbox'

2019-06-08 Thread Luke A. Perkins
See also Ticket #1831765 and #1832110 regarding the path of the privilege separation directory (aka: /run/sshd). This path is hard-coded into sshd and there is no means of changing its location. I have found that if the directory is missing, all ssh communication unceremoniously stops (iff

[Touch-packages] [Bug 1690485] Re: openssh-server SIGSYS with 'UsePrivilegeSeparation sandbox'

2017-11-07 Thread Kevin Kenny
Not trying to pester, but bumping this in case you didn't see that I posted the requested file. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1690485 Title:

[Touch-packages] [Bug 1690485] Re: openssh-server SIGSYS with 'UsePrivilegeSeparation sandbox'

2017-10-30 Thread KEVIN KENNY
Yeah, this is almost starting to look like malware trying to exfiltrate keys somehow! Unauthorized socket I/O being done by a library that doesn't match the symbol tables? (I'm glad I don't have any Kerberos keys to leak!) ** Attachment added: "libkeyutils.so.1.5"

[Touch-packages] [Bug 1690485] Re: openssh-server SIGSYS with 'UsePrivilegeSeparation sandbox'

2017-10-29 Thread Colin Watson
This looks very weird. If it's calling EVP_Cipher, that should go through OpenSSL; it's conceivable that it might end up in libkeyutils via the Kerberos libraries, sure, but a simple cipher call should already have everything it needs; and libkeyutils doesn't use D-Bus. Could you attach

[Touch-packages] [Bug 1690485] Re: openssh-server SIGSYS with 'UsePrivilegeSeparation sandbox'

2017-10-27 Thread KEVIN KENNY
Disable ssl-engine, re-enable kerberos5, it still crashes. I'm pretty sure I'm running a stock OpenSSL. The only things that I can think of that I might have done in that general vicinity were to install xinetd, althttpd, and stunnel4, and to obtain a host certificate from letsencrypt.org. I'm

[Touch-packages] [Bug 1690485] Re: openssh-server SIGSYS with 'UsePrivilegeSeparation sandbox'

2017-10-27 Thread Colin Watson
I'm at a loss as to why Kerberos should affect this particular thing, at least when there's no actual Kerberos authentication involved. Silly question, but you don't have a modified OpenSSL or anything related to it, do you, and what exact package version of libssl1.0.0 do you have installed?

[Touch-packages] [Bug 1690485] Re: openssh-server SIGSYS with 'UsePrivilegeSeparation sandbox'

2017-10-27 Thread KEVIN KENNY
(And, for what it's worth, I don't, to the best of my knowledge, have anything Kerberos-related set up. There is no /etc/krb5.conf file.

[Touch-packages] [Bug 1690485] Re: openssh-server SIGSYS with 'UsePrivilegeSeparation sandbox'

2017-10-27 Thread KEVIN KENNY
I lied. I experimented with ./configure flags. --with-kerberos5=/usr is definitely the flag that is triggering the crash. Removing this flag alone cures the crash. Command that was used: ../configure --build=x86_64-linux-gnu --prefix=/usr \ --includedir=\${prefix}/include

[Touch-packages] [Bug 1690485] Re: openssh-server SIGSYS with 'UsePrivilegeSeparation sandbox'

2017-10-27 Thread KEVIN KENNY
OK, I applied your patch, and was lucid enough to follow farther into the maze with a few additional debug3's. I get down into the 'cipher_crypt' function, at line 378: if (EVP_Cipher(cc->evp, dest + aadlen, (u_char *)src + aadlen, len) < 0) return

[Touch-packages] [Bug 1690485] Re: openssh-server SIGSYS with 'UsePrivilegeSeparation sandbox'

2017-10-27 Thread Colin Watson
OK, so that puts it somewhere inside ssh_packet_send2_wrapped. Can you revert my previous patch (patch -p1 -R

[Touch-packages] [Bug 1690485] Re: openssh-server SIGSYS with 'UsePrivilegeSeparation sandbox'

2017-10-27 Thread Colin Watson
Seth, this is not as helpful as you might think, because the socket call is being denied by seccomp so the relevant call never shows up in perf. Feel free to try to construct a different perf call that takes account of that ...

[Touch-packages] [Bug 1690485] Re: openssh-server SIGSYS with 'UsePrivilegeSeparation sandbox'

2017-10-26 Thread KEVIN KENNY
Seth: Your requested output is perf-20171026.txt It's not clear to me what's out of the ordinary in the stack traces, except of course that once we're in the Python code of 'apport', things have unquestionably already gone to Hell. Maybe someone who's familiar with the code will have a better

[Touch-packages] [Bug 1690485] Re: openssh-server SIGSYS with 'UsePrivilegeSeparation sandbox'

2017-10-26 Thread KEVIN KENNY
The plot thickens. The configuration of the build appears to be partially implicated. Could it be that with your ./configure flags, it's failing to find a failing PAM or something? When I build with the ./configure that you suggested, it works. When I build with dpkg-buildpackage, on the same

[Touch-packages] [Bug 1690485] Re: openssh-server SIGSYS with 'UsePrivilegeSeparation sandbox'

2017-10-26 Thread Seth Arnold
Hello Kevin, I don't want to step on Colin's toes here, but I couldn't sort out anything from the logs or files so far. I've had success before with perf to grab call graph information. The usual process is along the lines of: - enable the ddebs.ubuntu.com repository to get access to debug

[Touch-packages] [Bug 1690485] Re: openssh-server SIGSYS with 'UsePrivilegeSeparation sandbox'

2017-10-26 Thread Colin Watson
Thanks. The strace is indeed useful, although it doesn't get us all the way there. This is very strange! It appears that the network monitor is attempting to create a Unix socket in the middle of sending a USERAUTH_SUCCESS packet, which is peculiar to say the least. This may take a few

[Touch-packages] [Bug 1690485] Re: openssh-server SIGSYS with 'UsePrivilegeSeparation sandbox'

2017-10-25 Thread KEVIN KENNY
OK, I think I've followed instructions here. I built with the '#define SANDBOX_SECCOMP_FILTER_DEBUG 1' uncommented. Recalling at long last that Ubuntu is Debian (I use Red Hat/CentOS at work and get them confused), I used 'dpkg-buildpackage -rfakeroot -uc -b' to do the build; hope that's OK. I

[Touch-packages] [Bug 1690485] Re: openssh-server SIGSYS with 'UsePrivilegeSeparation sandbox'

2017-10-25 Thread Colin Watson
And the exact change I want is to uncomment the "#define SANDBOX_SECCOMP_FILTER_DEBUG 1" line in sandbox-seccomp-filter.c; but please read the block comment above that line first.

[Touch-packages] [Bug 1690485] Re: openssh-server SIGSYS with 'UsePrivilegeSeparation sandbox'

2017-10-25 Thread Colin Watson
This issue was never previously closed, only marked Incomplete (which is an open state). While it's possible to do a normal package build to get things configured exactly the way we do, I don't think that's necessary here. I suggest: * git clone

[Touch-packages] [Bug 1690485] Re: openssh-server SIGSYS with 'UsePrivilegeSeparation sandbox'

2017-10-24 Thread KEVIN KENNY
Upgraded to 17.10. Uninstalled and reinstalled openssh-client, openssh-server (including loading a fresh /usr/etc/ssh directory). Still fails. I attach the output of: sudo strace -f -e trace=socket /usr/sbin/sshd -d 2>&1 | tee sshd.result.txt All the other configuration is as before. What

[Touch-packages] [Bug 1690485] Re: openssh-server SIGSYS with 'UsePrivilegeSeparation sandbox'

2017-10-24 Thread KEVIN KENNY
Oh, another note: changing the UsePrivilegeSeparation setting no longer works. It reports that the setting is deprecated and ignores it. This leaves me without a workaround.

[Touch-packages] [Bug 1690485] Re: openssh-server SIGSYS with 'UsePrivilegeSeparation sandbox'

2017-05-15 Thread KEVIN KENNY
Here's the output of 'ssh -v localhost' when authorization is failing ** Attachment added: "Output of 'ssh -v localhost'" https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1690485/+attachment/4877135/+files/sshclient.txt

[Touch-packages] [Bug 1690485] Re: openssh-server SIGSYS with 'UsePrivilegeSeparation sandbox'

2017-05-15 Thread KEVIN KENNY
And here's /etc/ssh/sshd_config on which authorization is failing. ** Attachment added: "/etc/ssh/sshd_config" https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1690485/+attachment/4877150/+files/sshd_config ** Changed in: openssh (Ubuntu) Status: Incomplete => New

[Touch-packages] [Bug 1690485] Re: openssh-server SIGSYS with 'UsePrivilegeSeparation sandbox'

2017-05-15 Thread KEVIN KENNY
Here's /var/log/syslog from the ssh daemon restart through the authorization failure ** Attachment added: "/var/log/syslog" https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1690485/+attachment/4877134/+files/syslog.txt

[Touch-packages] [Bug 1690485] Re: openssh-server SIGSYS with 'UsePrivilegeSeparation sandbox'

2017-05-15 Thread KEVIN KENNY
I reset /etc/ssh/sshd_config to the attached version, and attempted ssh -v localhost while logged in as username=kennykb uid=117 The output of 'ssh -v' is attached as 'sshclient.txt'. The only lines that appeared in syslog after I restarted the daemon were in the attached 'syslog.txt'. The

[Touch-packages] [Bug 1690485] Re: openssh-server SIGSYS with 'UsePrivilegeSeparation sandbox'

2017-05-15 Thread ChristianEhrhardt
Thank you for taking the time to report this bug and helping to make Ubuntu better. There isn't really enough information here for a developer to confirm this issue is a bug, or to begin working on it, so I am marking this bug Incomplete for now. If you can provide exact steps so that a

[Touch-packages] [Bug 1690485] Re: openssh-server SIGSYS with 'UsePrivilegeSeparation sandbox'

2017-05-15 Thread ChristianEhrhardt
Hi Kevin, I quickly checked in the default config in zesty but ssh logins are working fine (pw logins is what I tested). There must be more to your config that triggers this. Is what you see in dmesg an apparmor denial or something else? Could you attach your dmesg covering the issue that you

[Touch-packages] [Bug 1690485] Re: openssh-server SIGSYS with 'UsePrivilegeSeparation sandbox'

2017-05-15 Thread Colin Watson
It seems surprising to me that the pre-authentication network listener would need to create new sockets. I think the best thing to do here is going to be to rebuild sshd locally with SANDBOX_SECCOMP_FILTER_DEBUG defined (see the top of sandbox-seccomp-filter.c) to try to narrow this down.