[Touch-packages] [Bug 1686618] Re: ssh connection attempts fail if hw crypto support on s390x is enabled on 17.04

2019-03-14 Thread Frank Heimes
** Description changed:

  [ Impact ]
  
  * Unable to ssh into Ubuntu, using default sshd configuration, when hw
  acceleration is enabled in openssl.
  
  [ Proposed solution ]
  
  * Cherrypick upstream fixes for:
-   - sandboxing code on big endian
-   - allowing hw accel iocls in the sandbox
+   - sandboxing code on big endian
+   - allowing hw accel iocls in the sandbox
  
  short:
  after investigations the following commits are needed by openssh-server 
version 7.4p1 that is part of 17.04:
  - 5f1596e11d55539678c41f68aed358628d33d86f
  - 9e96b41682aed793fadbea5ccd472f862179fb02
  on master branch in https://github.com/openssh/openssh-portable
  that belong to openssh 7.5 release notes statement: "sshd(8): Avoid sandbox 
errors for Linux S390 systems using an ICA crypto coprocessor."
  __
  
  [Test case]
  
  long:
  
  enable z hw crypto support for openssh on an Ubuntu host (zlin42) on s390x 
like this:
  sudo apt-get install openssl-ibmca libica-utils libica2
  sudo tee -a /etc/ssl/openssl.cnf < 
/usr/share/doc/openssl-ibmca/examples/openssl.cnf.sample
  sudo sed -i 's/^\(openssl_conf = openssl_def.*$\)/# \1/g' /etc/ssl/openssl.cnf
- sudo sed -i '10i openssl_cnf = openssl_def' /etc/ssl/openssl.cnf
+ sudo sed -i '10i openssl_conf = openssl_def' /etc/ssl/openssl.cnf
  
  afterwards ssh login attempts fail:
  $ ssh ubuntu@zlin42
  ubuntu@zlin42's password:
  Connection to zlin42 closed by remote host.
  Connection to zlin42 closed.
  
  the normal logs don't provide any interesting details:
  
  mit log:
    Apr 24 12:37:52 zlin42 kernel: [933567.994312] audit: type=1326 
audit(1493051872.112:29): auid=4294967295 uid=107 gid=65534 ses=4294967295 
pid=25105 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=8016 syscall=201 
compat=0 ip=0x3ffb8a3fb32 code=0x0
  
  Verbose:
  OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g  1 Mar 2016
  debug1: Reading configuration data /home/fheimes/.ssh/config
  debug1: /home/fheimes/.ssh/config line 6: Deprecated option "useroaming"
  debug1: /home/fheimes/.ssh/config line 7: Applying options for *
  debug1: Reading configuration data /etc/ssh/ssh_config
  debug1: /etc/ssh/ssh_config line 19: Applying options for *
  debug1: Connecting to 10.245.208.7 [10.245.208.7] port 22.
  debug1: Connection established.
  debug1: identity file /home/fheimes/.ssh/id_rsa type 1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_rsa-cert type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_dsa type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_dsa-cert type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_ecdsa type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_ecdsa-cert type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_ed25519 type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_ed25519-cert type -1
  debug1: Enabling compatibility mode for protocol 2.0
  debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
  debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4p1 
Ubuntu-10
  debug1: match: OpenSSH_7.4p1 Ubuntu-10 pat OpenSSH* compat 0x0400
  debug1: Authenticating to 10.245.208.7:22 as 'ubuntu'
  debug1: SSH2_MSG_KEXINIT sent
  debug1: SSH2_MSG_KEXINIT received
  debug1: kex: algorithm: curve25519-sha...@libssh.org
  debug1: kex: host key algorithm: ecdsa-sha2-nistp256
  debug1: kex: server->client cipher: chacha20-poly1...@openssh.com MAC: 
 compression: none
  debug1: kex: client->server cipher: chacha20-poly1...@openssh.com MAC: 
 compression: none
  debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
  debug1: Server host key: ecdsa-sha2-nistp256 
SHA256:ss9j12+jMMKL9u2vxNeb3XjOeH0E9lw24IG5LxUeJXk
  debug1: Host '10.245.208.7' is known and matches the ECDSA host key.
  debug1: Found key in /home/fheimes/.ssh/known_hosts:87
  debug1: rekey after 134217728 blocks
  debug1: SSH2_MSG_NEWKEYS sent
  debug1: expecting SSH2_MSG_NEWKEYS
  debug1: rekey after 134217728 blocks
  debug1: SSH2_MSG_NEWKEYS received
  debug1: SSH2_MSG_EXT_INFO received
  debug1: kex_input_ext_info: 
server-sig-algs=
  debug1: SSH2_MSG_SERVICE_ACCEPT received
  debug1: Authentications that can continue: publickey,password
  debug1: Next authentication method: publickey
  debug1: Offering RSA public key: /home/fheimes/.ssh/id_rsa
  debug1: Authentications that can continue: publickey,password
  debug1: Trying private key: /home/fheimes/.ssh/id_dsa
  debug1: Trying private key: /home/fheimes/.ssh/id_ecdsa
  debug1: Trying private key: /home/fheimes/.ssh/id_ed25519
  debug1: Next authentication method: password
  ubuntu@10.245.208.7's password:
  debug1: Authentication succeeded (password).
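
Review bot: in the [Test case] commands, the corrected `sudo sed -i '10i openssl_conf = openssl_def' /etc/ssl/openssl.cnf` line still inserts at a fixed line 10, so the reproduction depends on the layout of the installed openssl.cnf; say where the line has to end up, or insert relative to a pattern instead of a line number. Under "Cherrypick upstream fixes" the two `-`/`+` pairs differ only in whitespace and leave "iocls" as it was, and the test case shows only the failing login without stating what a passing run looks like once the fix is installed.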
  
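
The seccomp audit record quoted in the test case above is the only server-side trace of the failed login, so this added example (not part of the original bug report or of OpenSSH) parses such `type=1326` records out of a kernel log, including records wrapped across lines as in this archive, and counts sandbox kills per executable and syscall number. The function names and every log line other than the first record are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timezone

AUDIT_SECCOMP = 1326   # audit record type the kernel emits for a seccomp action
SIGSYS = 31            # signal logged when a seccomp filter kills the process

# First record: copied from the bug report (wrapped as in the archive).
# All other lines are constructed for this example.
SAMPLE_LOG = '''\
Apr 24 12:37:52 zlin42 kernel: [933567.994312] audit: type=1326
audit(1493051872.112:29): auid=4294967295 uid=107 gid=65534 ses=4294967295
pid=25105 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=8016 syscall=201
compat=0 ip=0x3ffb8a3fb32 code=0x0
Apr 24 12:37:52 zlin42 sshd[25104]: Accepted password for ubuntu from 192.0.2.10 port 40022 ssh2
Apr 24 12:38:01 zlin42 kernel: [933576.100000] audit: type=1400 audit(1493051881.000:30): apparmor="STATUS" operation="profile_load" pid=25200 comm="apparmor_parser"
Apr 24 12:38:40 zlin42 kernel: [933615.500000] audit: type=1326 audit(1493051920.250:31): auid=4294967295 uid=107 gid=65534 ses=4294967295 pid=25231 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=8016 syscall=201 compat=0 ip=0x3ffb8a3fb32 code=0x0
'''

# "type=N audit(epoch.ms:serial):" followed by a run of key=value pairs.
RECORD = re.compile(
    r'type=(?P<type>\d+) audit\((?P<epoch>\d+)\.\d+:(?P<serial>\d+)\):'
    r'(?P<fields>(?: \w+=(?:"[^"]*"|\S+))+)'
)
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
INT_FIELDS = ("uid", "gid", "pid", "sig", "syscall")


def parse_seccomp_records(log_text):
    """Return one dict per seccomp audit record found in log_text."""
    # Collapse all whitespace so a record wrapped over several lines
    # becomes a single space-separated run of tokens again.
    flat = " ".join(log_text.split())
    records = []
    for match in RECORD.finditer(flat):
        if int(match.group("type")) != AUDIT_SECCOMP:
            continue  # other audit types (AppArmor, login, ...) are ignored
        rec = {key: quoted or bare
               for key, quoted, bare in FIELD.findall(match.group("fields"))}
        try:
            for name in INT_FIELDS:
                rec[name] = int(rec[name])
            rec["code"] = int(rec["code"], 16)   # logged as hex, e.g. 0x0
        except (KeyError, ValueError):
            continue  # truncated or malformed record: skip rather than guess
        rec["serial"] = int(match.group("serial"))
        # The audit timestamp is epoch seconds; keep it in UTC so it can be
        # lined up with sshd's own log lines regardless of the host timezone.
        rec["time"] = datetime.fromtimestamp(int(match.group("epoch")),
                                             tz=timezone.utc)
        records.append(rec)
    return records


def sandbox_kills(records):
    """Count SIGSYS kills per (executable, syscall number)."""
    return Counter((r["exe"], r["syscall"])
                   for r in records if r["sig"] == SIGSYS)


def report(records):
    """One summary line per executable/syscall pair that was killed."""
    return [
        f"{exe}: syscall {nr} denied by seccomp filter, {count} kill(s)"
        for (exe, nr), count in sorted(sandbox_kills(records).items())
    ]


if __name__ == "__main__":
    found = parse_seccomp_records(SAMPLE_LOG)
    for rec in found:
        print(rec["time"].isoformat(), "pid", rec["pid"],
              rec["exe"], "syscall", rec["syscall"])
    print("\n".join(report(found)))
```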

[Touch-packages] [Bug 1686618] Re: ssh connection attempts fail if hw crypto support on s390x is enabled on 17.04

2018-01-17 Thread bugproxy
--- Comment From heinz-werner_se...@de.ibm.com 2018-01-17 08:56 EDT---
IBM Bugzilla status -> closed, Fix Released by Canonical.

** Tags removed: verification-failed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1686618

Title:
  ssh connection attempts fail if hw crypto support on s390x is enabled
  on 17.04

Status in Ubuntu on IBM z Systems:
  Fix Released
Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Zesty:
  Invalid
Status in openssh source package in Artful:
  Fix Released


[Touch-packages] [Bug 1686618] Re: ssh connection attempts fail if hw crypto support on s390x is enabled on 17.04

2018-01-17 Thread Frank Heimes
closing this ticket - since Zesty ran out of support on Jan the 13th:
https://www.google.de/url?https://lists.ubuntu.com/archives/ubuntu-announce/2018-January/000227.html
and kernel 4.10 is no longer supported.
Even on Xenial we moved the HWE kernel already from 4.10 to 4.13 

** Changed in: openssh (Ubuntu Zesty)
   Status: Confirmed => Invalid

** Changed in: ubuntu-z-systems
   Status: In Progress => Fix Released


[Touch-packages] [Bug 1686618] Re: ssh connection attempts fail if hw crypto support on s390x is enabled on 17.04

2017-09-29 Thread Francis Ginther
** Tags added: id-597a835aabb9be94fe80eb45


Title:
  ssh connection attempts fail if hw crypto support on s390x is enabled
  on 17.04

Status in Ubuntu on IBM z Systems:
  In Progress
Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Zesty:
  Confirmed
Status in openssh source package in Artful:
  Fix Released


[Touch-packages] [Bug 1686618] Re: ssh connection attempts fail if hw crypto support on s390x is enabled on 17.04

2017-09-29 Thread Francis Ginther
** Tags added: id-59a6de69fde9c920947b3d4b


[Touch-packages] [Bug 1686618] Re: ssh connection attempts fail if hw crypto support on s390x is enabled on 17.04

2017-08-30 Thread Paulo Vital
Is there any plan to release this fix into Zesty (zesty-updates) ?


[Touch-packages] [Bug 1686618] Re: ssh connection attempts fail if hw crypto support on s390x is enabled on 17.04

2017-07-30 Thread Launchpad Bug Tracker
This bug was fixed in the package openssh - 1:7.5p1-5ubuntu1

---
openssh (1:7.5p1-5ubuntu1) artful; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - Cherrypick updated patchset to open up sandbox, when openssl engine calls
      into OpenCryptoki for hardware accelerated encryption. LP: #1686618

openssh (1:7.5p1-5) unstable; urgency=medium

  * Upload to unstable.
  * Fix syntax error in debian/copyright.

openssh (1:7.5p1-4) experimental; urgency=medium

  * Drop README.Debian section on privilege separation, as it's no longer
    optional.
  * Only call "initctl set-env" from agent-launch if $UPSTART_SESSION is set
    (LP: #1689299).
  * Fix incoming compression statistics (thanks, Russell Coker; closes:
    #797964).
  * Relicense debian/* under a two-clause BSD licence for bidirectional
    compatibility with upstream, with permission from Matthew Vernon and
    others.

 -- Dimitri John Ledkov   Fri, 28 Jul 2017 14:13:11 +0100

** Changed in: openssh (Ubuntu Artful)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1686618

Title:
  ssh connection attempts fail if hw crypto support on s390x is enabled
  on 17.04

Status in Ubuntu on IBM z Systems:
  In Progress
Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Zesty:
  Confirmed
Status in openssh source package in Artful:
  Fix Released

Bug description:
  [ Impact ]

  * Unable to ssh into Ubuntu, using default sshd configuration, when hw
  acceleration is enabled in openssl.

  [ Proposed solution ]

  * Cherrypick upstream fixes for:
    - sandboxing code on big endian
    - allowing hw accel ioctls in the sandbox

  short:
  after investigations the following commits are needed by openssh-server
  version 7.4p1 that is part of 17.04:
  - 5f1596e11d55539678c41f68aed358628d33d86f
  - 9e96b41682aed793fadbea5ccd472f862179fb02
  on master branch in https://github.com/openssh/openssh-portable
  that belong to openssh 7.5 release notes statement: "sshd(8): Avoid sandbox
  errors for Linux S390 systems using an ICA crypto coprocessor."
  __

  [Test case]

  long:

  enable z hw crypto support for openssh on an Ubuntu host (zlin42) on s390x like this:
  sudo apt-get install openssl-ibmca libica-utils libica2
  sudo tee -a /etc/ssl/openssl.cnf < /usr/share/doc/openssl-ibmca/examples/openssl.cnf.sample
  sudo sed -i 's/^\(openssl_conf = openssl_def.*$\)/# \1/g' /etc/ssl/openssl.cnf
  sudo sed -i '10i openssl_conf = openssl_def' /etc/ssl/openssl.cnf

  afterwards ssh login attempts fail:
  $ ssh ubuntu@zlin42
  ubuntu@zlin42's password:
  Connection to zlin42 closed by remote host.
  Connection to zlin42 closed.

  the normal logs don't provide any interesting details:

  mit log:
    Apr 24 12:37:52 zlin42 kernel: [933567.994312] audit: type=1326 audit(1493051872.112:29): auid=4294967295 uid=107 gid=65534 ses=4294967295 pid=25105 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=8016 syscall=201 compat=0 ip=0x3ffb8a3fb32 code=0x0

  Verbose:
  OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g  1 Mar 2016
  debug1: Reading configuration data /home/fheimes/.ssh/config
  debug1: /home/fheimes/.ssh/config line 6: Deprecated option "useroaming"
  debug1: /home/fheimes/.ssh/config line 7: Applying options for *
  debug1: Reading configuration data /etc/ssh/ssh_config
  debug1: /etc/ssh/ssh_config line 19: Applying options for *
  debug1: Connecting to 10.245.208.7 [10.245.208.7] port 22.
  debug1: Connection established.
  debug1: identity file /home/fheimes/.ssh/id_rsa type 1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_rsa-cert type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_dsa type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_dsa-cert type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_ecdsa type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_ecdsa-cert type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_ed25519 type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_ed25519-cert type -1
  debug1: Enabling compatibility mode for protocol 2.0
  debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
  debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4p1 Ubuntu-10
  debug1: match: OpenSSH_7.4p1 Ubuntu-10 pat OpenSSH* compat 0x0400
  debug1: Authenticating to 10.245.208.7:22 as 'ubuntu'
  debug1: SSH2_MSG_KEXINIT sent
  debug1: SSH2_MSG_KEXINIT received
  debug1: kex: algorithm: 
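
An added triage example, not part of the bug thread: the kernel audit record in the test case is a seccomp event (type=1326), and the Python below decodes such records and filters for sandbox kills of sshd. The first sample record is copied from the bug description with the mail line wrapping undone; the other log lines are constructed, and the syscall-name table is an assumption to confirm with `ausyscall` on the target.

```python
import re

AUDIT_SECCOMP = 1326        # AUDIT_SECCOMP in linux/audit.h
UNSET_ID = 4294967295       # (uint32_t)-1: no login uid / session attached
LINUX_SIGNALS = {31: "SIGSYS"}
SECCOMP_ACTIONS = {         # upper 16 bits of the filter return value
    0x00000000: "SECCOMP_RET_KILL",
    0x00030000: "SECCOMP_RET_TRAP",
    0x00050000: "SECCOMP_RET_ERRNO",
    0x7FFF0000: "SECCOMP_RET_ALLOW",
}
# Assumption, not from the page: s390x syscall names. Confirm on the target
# with `ausyscall s390x <number>` from the auditd tools.
S390X_SYSCALLS = {201: "geteuid"}

_STAMP = re.compile(r"audit\((\d+\.\d+):(\d+)\)")
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

LINES = [
    # Constructed: ordinary sshd syslog line, carries no audit record.
    "Apr 24 12:37:52 zlin42 sshd[25100]: Connection from 192.0.2.10 port 50022",
    # From the bug description (arch value kept exactly as shown there).
    'Apr 24 12:37:52 zlin42 kernel: [933567.994312] audit: type=1326 '
    'audit(1493051872.112:29): auid=4294967295 uid=107 gid=65534 '
    'ses=4294967295 pid=25105 comm="sshd" exe="/usr/sbin/sshd" sig=31 '
    'arch=8016 syscall=201 compat=0 ip=0x3ffb8a3fb32 code=0x0',
    # Constructed: seccomp kill of an unrelated binary, to exercise the filter.
    'Apr 24 12:40:01 zlin42 kernel: [933696.000000] audit: type=1326 '
    'audit(1493052001.000:31): auid=1000 uid=1000 gid=1000 ses=3 pid=26000 '
    'comm="demo" exe="/usr/bin/demo" sig=31 arch=8016 syscall=41 compat=0 '
    'ip=0x3ff00000000 code=0x0',
    # Constructed: audit record of another type, must be ignored.
    'Apr 24 12:37:50 zlin42 kernel: [933565.100000] audit: type=1400 '
    'audit(1493051870.100:28): apparmor="STATUS" operation="profile_load" '
    'name="example" pid=25000 comm="apparmor_parser"',
]


def parse_audit(line):
    """Return the key=value fields of one kernel audit line, or None."""
    stamp = _STAMP.search(line)
    if stamp is None:
        return None
    fields = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    if not fields.get("type", "").isdigit():
        return None
    fields["epoch"] = float(stamp.group(1))
    fields["serial"] = int(stamp.group(2))
    return fields


def seccomp_violations(lines, exe=None, syscalls=S390X_SYSCALLS):
    """Decode seccomp audit records, optionally only those for one exe."""
    hits = []
    for line in lines:
        rec = parse_audit(line)
        if rec is None or int(rec["type"]) != AUDIT_SECCOMP:
            continue
        if exe is not None and rec.get("exe") != exe:
            continue
        try:
            nr, sig = int(rec["syscall"]), int(rec["sig"])
            code = int(rec["code"], 16)
        except (KeyError, ValueError):
            continue  # truncated or malformed record
        hits.append({
            "epoch": rec["epoch"],
            "serial": rec["serial"],
            "pid": int(rec.get("pid", -1)),
            "exe": rec.get("exe"),
            "signal": LINUX_SIGNALS.get(sig, str(sig)),
            "action": SECCOMP_ACTIONS.get(code & 0xFFFF0000, hex(code)),
            "syscall": nr,
            "syscall_name": syscalls.get(nr),
            # An unset auid means the process belongs to no login session.
            "auid_unset": rec.get("auid") == str(UNSET_ID),
        })
    return hits


def describe(hit):
    """One-line summary suitable for a ticket or an alert."""
    name = hit["syscall_name"] or "unknown"
    return (f'{hit["exe"]} pid {hit["pid"]}: {hit["signal"]} '
            f'({hit["action"]}) on syscall {hit["syscall"]} ({name})')


if __name__ == "__main__":
    for hit in seccomp_violations(LINES, exe="/usr/sbin/sshd"):
        print(describe(hit))
```

The blocked syscall number in the record is what tells a maintainer which call the sandbox policy has to allow.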

[Touch-packages] [Bug 1686618] Re: ssh connection attempts fail if hw crypto support on s390x is enabled on 17.04

2017-07-28 Thread bugproxy
--- Comment From ebarre...@br.ibm.com 2017-07-28 16:01 EDT---
(In reply to comment #23)
> If the patch isn't getting any review on the upstream mailing list, then
> please open a bug on https://bugzilla.mindrot.org/ so that it doesn't fall
> through the cracks permanently.

Done:
https://bugzilla.mindrot.org/show_bug.cgi?id=2752

** Bug watch added: OpenSSH Portable Bugzilla #2752
   https://bugzilla.mindrot.org/show_bug.cgi?id=2752

Status in Ubuntu on IBM z Systems:
  In Progress
Status in openssh package in Ubuntu:
  Fix Committed
Status in openssh source package in Zesty:
  Confirmed
Status in openssh source package in Artful:
  Fix Committed


[Touch-packages] [Bug 1686618] Re: ssh connection attempts fail if hw crypto support on s390x is enabled on 17.04

2017-07-28 Thread Colin Watson
If the patch isn't getting any review on the upstream mailing list, then
please open a bug on https://bugzilla.mindrot.org/ so that it doesn't
fall through the cracks permanently.

Status in Ubuntu on IBM z Systems:
  In Progress
Status in openssh package in Ubuntu:
  Fix Committed
Status in openssh source package in Zesty:
  Confirmed
Status in openssh source package in Artful:
  Fix Committed


[Touch-packages] [Bug 1686618] Re: ssh connection attempts fail if hw crypto support on s390x is enabled on 17.04

2017-07-28 Thread Frank Heimes
** Changed in: ubuntu-z-systems
   Status: Triaged => In Progress

Status in Ubuntu on IBM z Systems:
  In Progress
Status in openssh package in Ubuntu:
  Fix Committed
Status in openssh source package in Zesty:
  Confirmed
Status in openssh source package in Artful:
  Fix Committed


[Touch-packages] [Bug 1686618] Re: ssh connection attempts fail if hw crypto support on s390x is enabled on 17.04

2017-07-28 Thread Dimitri John Ledkov
** Changed in: openssh (Ubuntu Artful)
   Status: Triaged => Fix Committed

Status in Ubuntu on IBM z Systems:
  Triaged
Status in openssh package in Ubuntu:
  Fix Committed
Status in openssh source package in Zesty:
  Confirmed
Status in openssh source package in Artful:
  Fix Committed


[Touch-packages] [Bug 1686618] Re: ssh connection attempts fail if hw crypto support on s390x is enabled on 17.04

2017-07-28 Thread Dimitri John Ledkov
I am preparing a test build of openssh as part of merging changes from
Debian, with the updated patchset that opens up more syscalls. This will
land in artful shortly - but currently artful is very busy with many
migrations, thus it may take some time before the package migrates from
proposed into the released pocket. This should be done for artful by the
end of next week at the latest. After that I will prepare an updated SRU into
zesty that previously failed verification with all the cherrypicks from
7.5 and the updated not-yet-merged patchset for all the extra syscalls.
So zesty will get these fixes later in August.

Status in Ubuntu on IBM z Systems:
  Triaged
Status in openssh package in Ubuntu:
  Triaged
Status in openssh source package in Zesty:
  Confirmed
Status in openssh source package in Artful:
  Triaged


[Touch-packages] [Bug 1686618] Re: ssh connection attempts fail if hw crypto support on s390x is enabled on 17.04

2017-07-21 Thread Dimitri John Ledkov
** Changed in: openssh (Ubuntu Artful)
   Status: Fix Released => Triaged

** Changed in: openssh (Ubuntu Artful)
   Importance: High => Critical

** Changed in: openssh (Ubuntu Zesty)
   Status: In Progress => Confirmed

** Changed in: openssh (Ubuntu Zesty)
   Importance: High => Critical

** Changed in: ubuntu-z-systems
   Status: Fix Committed => Triaged

** Changed in: ubuntu-z-systems
   Importance: High => Critical

Status in Ubuntu on IBM z Systems:
  Triaged
Status in openssh package in Ubuntu:
  Triaged
Status in openssh source package in Zesty:
  Confirmed
Status in openssh source package in Artful:
  Triaged


[Touch-packages] [Bug 1686618] Re: ssh connection attempts fail if hw crypto support on s390x is enabled on 17.04

2017-05-22 Thread Launchpad Bug Tracker
This bug was fixed in the package openssh - 1:7.5p1-3ubuntu1

---
openssh (1:7.5p1-3ubuntu1) artful; urgency=medium

  * On s390x, allow geteuid syscall in the sandbox, to allow openssh
    connections to work when hw accelerated cryptography is enabled. This
    patch is to be replaced by the one accepted upstream, when
    reviewed. LP: #1686618

 -- Dimitri John Ledkov   Mon, 22 May 2017 13:13:59 +0100

** Changed in: openssh (Ubuntu Artful)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1686618

Title:
  ssh connection attempts fail if hw crypto support on s390x is enabled
  on 17.04

Status in Ubuntu on IBM z Systems:
  Fix Committed
Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Zesty:
  In Progress
Status in openssh source package in Artful:
  Fix Released

Bug description:
  [ Impact ]

  * Unable to ssh into Ubuntu, using default sshd configuration, when hw
  acceleration is enabled in openssl.

  [ Proposed solution ]

  * Cherrypick upstream fixes for:
    - sandboxing code on big endian
    - allowing hw accel ioctls in the sandbox

  short:
  after investigations the following commits are needed by openssh-server version 7.4p1 that is part of 17.04:
  - 5f1596e11d55539678c41f68aed358628d33d86f
  - 9e96b41682aed793fadbea5ccd472f862179fb02
  on master branch in https://github.com/openssh/openssh-portable
  that belong to openssh 7.5 release notes statement: "sshd(8): Avoid sandbox errors for Linux S390 systems using an ICA crypto coprocessor."
  __

  [Test case]

  long:

  enable z hw crypto support for openssh on an Ubuntu host (zlin42) on s390x like this:
  sudo apt-get install openssl-ibmca libica-utils libica2
  sudo tee -a /etc/ssl/openssl.cnf < /usr/share/doc/openssl-ibmca/examples/openssl.cnf.sample
  sudo sed -i 's/^\(openssl_conf = openssl_def.*$\)/# \1/g' /etc/ssl/openssl.cnf
  sudo sed -i '10i openssl_conf = openssl_def' /etc/ssl/openssl.cnf

  afterwards ssh login attempts fail:
  $ ssh ubuntu@zlin42
  ubuntu@zlin42's password:
  Connection to zlin42 closed by remote host.
  Connection to zlin42 closed.

  the normal logs don't provide any interesting details:

  with log:
    Apr 24 12:37:52 zlin42 kernel: [933567.994312] audit: type=1326 audit(1493051872.112:29): auid=4294967295 uid=107 gid=65534 ses=4294967295 pid=25105 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=8016 syscall=201 compat=0 ip=0x3ffb8a3fb32 code=0x0

  Verbose:
  OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g  1 Mar 2016
  debug1: Reading configuration data /home/fheimes/.ssh/config
  debug1: /home/fheimes/.ssh/config line 6: Deprecated option "useroaming"
  debug1: /home/fheimes/.ssh/config line 7: Applying options for *
  debug1: Reading configuration data /etc/ssh/ssh_config
  debug1: /etc/ssh/ssh_config line 19: Applying options for *
  debug1: Connecting to 10.245.208.7 [10.245.208.7] port 22.
  debug1: Connection established.
  debug1: identity file /home/fheimes/.ssh/id_rsa type 1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_rsa-cert type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_dsa type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_dsa-cert type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_ecdsa type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_ecdsa-cert type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_ed25519 type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_ed25519-cert type -1
  debug1: Enabling compatibility mode for protocol 2.0
  debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
  debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4p1 Ubuntu-10
  debug1: match: OpenSSH_7.4p1 Ubuntu-10 pat OpenSSH* compat 0x0400
  debug1: Authenticating to 10.245.208.7:22 as 'ubuntu'
  debug1: SSH2_MSG_KEXINIT sent
  debug1: SSH2_MSG_KEXINIT received
  debug1: kex: algorithm: curve25519-sha...@libssh.org
  debug1: kex: host key algorithm: ecdsa-sha2-nistp256
  debug1: kex: server->client cipher: chacha20-poly1...@openssh.com MAC:  compression: none
  debug1: kex: client->server cipher: chacha20-poly1...@openssh.com MAC:  compression: none
  debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
  debug1: Server host key: ecdsa-sha2-nistp256 SHA256:ss9j12+jMMKL9u2vxNeb3XjOeH0E9lw24IG5LxUeJXk
  debug1: Host '10.245.208.7' is known and matches the ECDSA host key.
  debug1: Found key in /home/fheimes/.ssh/known_hosts:87
  debug1: rekey after 

[Touch-packages] [Bug 1686618] Re: ssh connection attempts fail if hw crypto support on s390x is enabled on 17.04

2017-05-22 Thread Dimitri John Ledkov
** Changed in: openssh (Ubuntu Artful)
   Status: Triaged => Fix Committed

** Changed in: openssh (Ubuntu Zesty)
   Status: Fix Committed => In Progress

Status in Ubuntu on IBM z Systems:
  Fix Committed
Status in openssh package in Ubuntu:
  Fix Committed
Status in openssh source package in Zesty:
  In Progress
Status in openssh source package in Artful:
  Fix Committed


[Touch-packages] [Bug 1686618] Re: ssh connection attempts fail if hw crypto support on s390x is enabled on 17.04

2017-05-09 Thread Dimitri John Ledkov
Excellent.

We need a patch for 7.5p as well, because that is the release in artful,
the current development series. If you could forward that one as well to us,
that would be great.

Regards,

Dimitri.

Status in Ubuntu on IBM z Systems:
  Fix Committed
Status in openssh package in Ubuntu:
  Triaged
Status in openssh source package in Zesty:
  Fix Committed
Status in openssh source package in Artful:
  Triaged


[Touch-packages] [Bug 1686618] Re: ssh connection attempts fail if hw crypto support on s390x is enabled on 17.04

2017-05-05 Thread Dimitri John Ledkov
May 05 10:45:13 s1lp15 sshd[138567]: fatal: ssh_sandbox_violation: unexpected system call (arch:0x8016,syscall:201 @ 0x3ffb853fb32) [preauth]

Syscall 201 is
{ "geteuid", 201 },
from seccomp sources.

It seems like more syscalls are used when encryption is enabled, at least
on Ubuntu, when hardware accelerated crypto is enabled.

Status in Ubuntu on IBM z Systems:
  Fix Committed
Status in openssh package in Ubuntu:
  Triaged
Status in openssh source package in Zesty:
  Fix Committed
Status in openssh source package in Artful:
  Triaged
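
A triage helper for the two log shapes quoted in this thread (the kernel audit type=1326 record and sshd's ssh_sandbox_violation line), added here as an example and not taken from OpenSSH or the bug report. The function names and the one-entry syscall table are assumptions; the sample records are copied from the thread, wrapped the way the mail archive shows them.

```python
import re
from collections import Counter

SIGSYS = 31  # Linux signal delivered when a seccomp filter kills the caller

# (arch as logged, syscall number) -> name. The only mapping the thread
# establishes is 201 -> geteuid for the arch logged as 0x8016; add entries
# from the kernel syscall table of the architecture you are triaging.
SYSCALL_NAMES = {(0x8016, 201): "geteuid"}

STAMP_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")
# Kernel audit record for a seccomp action (audit record type 1326).
AUDIT_RE = re.compile(r"audit: type=1326 audit\([\d.]+:\d+\): (?P<fields>.+)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# sshd's own report from the pre-auth sandbox child.
SSHD_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: fatal: ssh_sandbox_violation: unexpected system call "
    r"\(arch:(?P<arch>0x[0-9a-fA-F]+),syscall:(?P<nr>\d+) @ (?P<ip>0x[0-9a-fA-F]+)\)"
)

# Sample records copied from the thread, still wrapped as in the archive.
SAMPLE = """\
Apr 24 12:37:52 zlin42 kernel: [933567.994312] audit: type=1326
audit(1493051872.112:29): auid=4294967295 uid=107 gid=65534 ses=4294967295
pid=25105 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=8016 syscall=201
compat=0 ip=0x3ffb8a3fb32 code=0x0
May 05 10:45:13 s1lp15 sshd[138567]: debug3: send packet: type 52 [preauth]
May 05 10:45:13 s1lp15 sshd[138567]: fatal: ssh_sandbox_violation: unexpected
system call (arch:0x8016,syscall:201 @ 0x3ffb853fb32) [preauth]
May 05 10:45:13 s1lp15 sshd[138567]: fatal: privsep_preauth: preauth child
exited with status 1
"""


def unwrap(text):
    """Rejoin records that a mailer wrapped: a line without a syslog
    timestamp is a continuation of the record before it."""
    records = []
    for raw in text.splitlines():
        piece = raw.strip()
        if not piece:
            continue
        if STAMP_RE.match(piece) or not records:
            records.append(piece)
        else:
            records[-1] += " " + piece
    return records


def _name(arch, nr):
    return SYSCALL_NAMES.get((arch, nr), "unknown(%d)" % nr)


def parse_line(line):
    """Return a dict describing a seccomp violation, or None for other lines."""
    m = AUDIT_RE.search(line)
    if m:
        kv = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        try:
            arch = int(kv["arch"], 16)  # the kernel prints arch as bare hex
            nr = int(kv["syscall"])
            pid = int(kv["pid"])
            ip = int(kv["ip"], 16)
            sig = int(kv.get("sig", "0"))
        except (KeyError, ValueError):
            return None  # truncated record: do not guess at missing fields
        return {"source": "kernel-audit", "pid": pid, "comm": kv.get("comm"),
                "arch": arch, "syscall": nr, "name": _name(arch, nr),
                "ip": ip, "terminated": sig == SIGSYS}
    m = SSHD_RE.search(line)
    if m:
        arch, nr = int(m.group("arch"), 16), int(m.group("nr"))
        return {"source": "sshd", "pid": int(m.group("pid")), "comm": "sshd",
                "arch": arch, "syscall": nr, "name": _name(arch, nr),
                "ip": int(m.group("ip"), 16), "terminated": True}
    return None


def summarize(text):
    """Count sshd sandbox violations per (arch, syscall name)."""
    counts = Counter()
    for record in unwrap(text):
        hit = parse_line(record)
        if hit and hit["comm"] == "sshd":
            counts[(hex(hit["arch"]), hit["name"])] += 1
    return counts


if __name__ == "__main__":
    for key, count in summarize(SAMPLE).items():
        print(key, count)
```

A syscall that shows up here is one the sandboxed pre-auth child attempted and the filter refused; whether to allow it is a review decision for the sandbox policy, as in the changelog entry for 1:7.5p1-3ubuntu1.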


[Touch-packages] [Bug 1686618] Re: ssh connection attempts fail if hw crypto support on s390x is enabled on 17.04

2017-05-05 Thread Dimitri John Ledkov
May 05 10:45:13 s1lp15 sshd[138567]: debug3: send packet: type 52 [preauth]
May 05 10:45:13 s1lp15 sshd[138567]: debug1: Enabling compression at level 6. [preauth]
May 05 10:45:13 s1lp15 sshd[138567]: debug3: mm_request_send entering: type 26 [preauth]
May 05 10:45:13 s1lp15 sshd[138567]: debug3: mm_send_keystate: Finished sending state [preauth]
May 05 10:45:13 s1lp15 sshd[138567]: fatal: ssh_sandbox_violation: unexpected system call (arch:0x8016,syscall:201 @ 0x3ffb853fb32) [preauth]
May 05 10:45:13 s1lp15 sshd[138567]: debug1: monitor_read_log: child log fd closed
May 05 10:45:13 s1lp15 sshd[138567]: fatal: privsep_preauth: preauth child exited with status 1
May 05 10:45:13 s1lp15 sshd[138567]: debug1: do_cleanup
May 05 10:45:13 s1lp15 sshd[138567]: debug3: PAM: sshpam_thread_cleanup entering

Status in Ubuntu on IBM z Systems:
  Fix Committed
Status in openssh package in Ubuntu:
  Triaged
Status in openssh source package in Zesty:
  Fix Committed
Status in openssh source package in Artful:
  Triaged


[Touch-packages] [Bug 1686618] Re: ssh connection attempts fail if hw crypto support on s390x is enabled on 17.04

2017-05-05 Thread Dimitri John Ledkov
This does not appear to work with 7.5 either

** Changed in: openssh (Ubuntu Artful)
   Status: Fix Released => Triaged

Status in Ubuntu on IBM z Systems:
  Fix Committed
Status in openssh package in Ubuntu:
  Triaged
Status in openssh source package in Zesty:
  Fix Committed
Status in openssh source package in Artful:
  Triaged


[Touch-packages] [Bug 1686618] Re: ssh connection attempts fail if hw crypto support on s390x is enabled on 17.04

2017-05-05 Thread Dimitri John Ledkov
** Tags removed: verification-needed
** Tags added: verification-failed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1686618

Title:
  ssh connection attempts fail if hw crypto support on s390x is enabled
  on 17.04

Status in Ubuntu on IBM z Systems:
  Fix Committed
Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Zesty:
  Fix Committed
Status in openssh source package in Artful:
  Fix Released

Bug description:
  [ Impact ]

  * Unable to ssh into Ubuntu, using default sshd configuration, when hw
  acceleration is enabled in openssl.

  [ Proposed solution ]

  * Cherrypick upstream fixes for:
    - sandboxing code on big endian
    - allowing hw accel ioctls in the sandbox

  short:
  after investigations the following commits are needed by openssh-server
  version 7.4p1 that is part of 17.04:
  - 5f1596e11d55539678c41f68aed358628d33d86f
  - 9e96b41682aed793fadbea5ccd472f862179fb02
  on master branch in https://github.com/openssh/openssh-portable
  that belong to openssh 7.5 release notes statement: "sshd(8): Avoid sandbox
  errors for Linux S390 systems using an ICA crypto coprocessor."
  __

  [Test case]

  long:

  enable z hw crypto support for openssh on an Ubuntu host (zlin42) on s390x
  like this:
  sudo apt-get install openssl-ibmca libica-utils libica2
  sudo tee -a /etc/ssl/openssl.cnf < /usr/share/doc/openssl-ibmca/examples/openssl.cnf.sample
  sudo sed -i 's/^\(openssl_conf = openssl_def.*$\)/# \1/g' /etc/ssl/openssl.cnf
  sudo sed -i '10i openssl_cnf = openssl_def' /etc/ssl/openssl.cnf

  afterwards ssh login attempts fail:
  $ ssh ubuntu@zlin42
  ubuntu@zlin42's password:
  Connection to zlin42 closed by remote host.
  Connection to zlin42 closed.

  the normal logs don't provide any interesting details:

  mit log:
    Apr 24 12:37:52 zlin42 kernel: [933567.994312] audit: type=1326 audit(1493051872.112:29): auid=4294967295 uid=107 gid=65534 ses=4294967295 pid=25105 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=8016 syscall=201 compat=0 ip=0x3ffb8a3fb32 code=0x0

  Verbose:
  OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g  1 Mar 2016
  debug1: Reading configuration data /home/fheimes/.ssh/config
  debug1: /home/fheimes/.ssh/config line 6: Deprecated option "useroaming"
  debug1: /home/fheimes/.ssh/config line 7: Applying options for *
  debug1: Reading configuration data /etc/ssh/ssh_config
  debug1: /etc/ssh/ssh_config line 19: Applying options for *
  debug1: Connecting to 10.245.208.7 [10.245.208.7] port 22.
  debug1: Connection established.
  debug1: identity file /home/fheimes/.ssh/id_rsa type 1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_rsa-cert type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_dsa type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_dsa-cert type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_ecdsa type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_ecdsa-cert type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_ed25519 type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_ed25519-cert type -1
  debug1: Enabling compatibility mode for protocol 2.0
  debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
  debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4p1 
Ubuntu-10
  debug1: match: OpenSSH_7.4p1 Ubuntu-10 pat OpenSSH* compat 0x0400
  debug1: Authenticating to 10.245.208.7:22 as 'ubuntu'
  debug1: SSH2_MSG_KEXINIT sent
  debug1: SSH2_MSG_KEXINIT received
  debug1: kex: algorithm: curve25519-sha...@libssh.org
  debug1: kex: host key algorithm: ecdsa-sha2-nistp256
  debug1: kex: server->client cipher: chacha20-poly1...@openssh.com MAC: 
 compression: none
  debug1: kex: client->server cipher: chacha20-poly1...@openssh.com MAC: 
 compression: none
  debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
  debug1: Server host key: ecdsa-sha2-nistp256 
SHA256:ss9j12+jMMKL9u2vxNeb3XjOeH0E9lw24IG5LxUeJXk
  debug1: Host '10.245.208.7' is known and matches the ECDSA host key.
  debug1: Found key in /home/fheimes/.ssh/known_hosts:87
  debug1: rekey after 134217728 blocks
  debug1: SSH2_MSG_NEWKEYS sent
  debug1: expecting SSH2_MSG_NEWKEYS
  debug1: rekey after 134217728 blocks
  debug1: SSH2_MSG_NEWKEYS received
  debug1: SSH2_MSG_EXT_INFO received
  debug1: kex_input_ext_info: 
server-sig-algs=
  debug1: SSH2_MSG_SERVICE_ACCEPT received
  debug1: Authentications that can continue: publickey,password
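
The audit record quoted in the bug description above (type=1326, sig=31) is the only trace the sandbox kill leaves, and the mail has wrapped it across four lines. As an added example (not part of the bug report or of OpenSSH), this Python code re-joins wrapped records and picks seccomp kills out of kernel log text; the function names and the two contrast lines are constructed for illustration.

```python
import re

AUDIT_SECCOMP = 1326      # audit record type the kernel emits for seccomp actions
SIGSYS = 31               # signal number shown in the record for a seccomp kill
UNSET_ID = 4294967295     # (uint32)-1: auid/ses never set, so no login session

# The record from the bug description, wrapped across lines as in the mail.
PAGE_RECORD = """\
Apr 24 12:37:52 zlin42 kernel: [933567.994312] audit: type=1326 
audit(1493051872.112:29): auid=4294967295 uid=107 gid=65534 ses=4294967295 
pid=25105 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=8016 syscall=201 
compat=0 ip=0x3ffb8a3fb32 code=0x0
"""

# Constructed contrast lines (not from the page): a seccomp record that only
# logs (sig=0) and an unrelated audit record. Neither should be reported.
CONSTRUCTED = """\
May  1 10:00:00 host1 kernel: [  100.000000] audit: type=1326 audit(1493632800.000:41): auid=1000 uid=1000 gid=1000 ses=3 pid=4242 comm="demo" exe="/usr/bin/demo" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f0000000000 code=0x7ffc0000
May  1 10:00:01 host1 kernel: [  101.000000] audit: type=1400 audit(1493632801.000:42): apparmor="STATUS" operation="profile_load" name="demo" pid=4243 comm="apparmor_parser"
"""

_RECORD_START = re.compile(r'\btype=\w+')
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
_STAMP = re.compile(r'audit\((\d+)\.(\d+):(\d+)\)')


def unwrap(text):
    """Re-join records split by mail wrapping: a line without type= continues
    the previous record."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if _RECORD_START.search(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_record(line):
    """Return the key=value fields of one audit record, or None if it has no type."""
    fields = {key: value.strip('"') for key, value in _FIELD.findall(line)}
    if "type" not in fields:
        return None
    stamp = _STAMP.search(line)
    if stamp:
        fields["epoch"] = int(stamp.group(1))
        fields["serial"] = int(stamp.group(3))
    return fields


def seccomp_kills(text):
    """Return one dict per seccomp record whose process was killed with SIGSYS."""
    hits = []
    for line in unwrap(text):
        rec = parse_record(line)
        # Kernel log prints the numeric type; auditd's own log prints the name.
        if rec is None or rec["type"] not in (str(AUDIT_SECCOMP), "SECCOMP"):
            continue
        if int(rec.get("sig", "0")) != SIGSYS:
            continue
        hits.append({
            "exe": rec.get("exe", "?"),
            "pid": int(rec["pid"]),
            "uid": int(rec["uid"]),
            "syscall": int(rec["syscall"]),   # number only; meaning depends on arch
            "arch": rec.get("arch", "?"),     # kept as printed in the record
            "action": int(rec.get("code", "0x0"), 16),
            "has_login": int(rec.get("auid", UNSET_ID)) != UNSET_ID,
            "serial": rec.get("serial"),
        })
    return hits


def describe(hit):
    """One-line triage summary for a kill returned by seccomp_kills()."""
    session = "login session" if hit["has_login"] else "no login session"
    return ("%s pid=%d uid=%d (%s): killed by seccomp filter on syscall %d "
            "(arch %s, action 0x%x)" % (hit["exe"], hit["pid"], hit["uid"],
                                        session, hit["syscall"], hit["arch"],
                                        hit["action"]))


if __name__ == "__main__":
    for hit in seccomp_kills(PAGE_RECORD + CONSTRUCTED):
        print(describe(hit))
```

The syscall number is only meaningful together with the record's architecture; `ausyscall` from the audit userspace tools resolves it on the affected host.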
  

[Touch-packages] [Bug 1686618] Re: ssh connection attempts fail if hw crypto support on s390x is enabled on 17.04

2017-05-05 Thread Frank Heimes
ubuntu@zlin42:~$ sudo sh -c "echo 'deb http://ports.ubuntu.com/ubuntu-ports $(lsb_release -sc)-proposed restricted main multiverse universe' >> /etc/apt/sources.list.d/proposed-repositories.list"
ubuntu@zlin42:~$ sudo apt -y update -qq
12 packages can be upgraded. Run 'apt list --upgradable' to see them.
ubuntu@zlin42:~$ apt list --upgradable
Listing... Done
linux-firmware/zesty-proposed 1.164.1 all [upgradable from: 1.164]
linux-generic/zesty-proposed 4.10.0.21.23 s390x [upgradable from: 4.10.0.20.22]
linux-headers-generic/zesty-proposed 4.10.0.21.23 s390x [upgradable from: 4.10.0.20.22]
linux-image-generic/zesty-proposed 4.10.0.21.23 s390x [upgradable from: 4.10.0.20.22]
linux-libc-dev/zesty-proposed 4.10.0-21.23 s390x [upgradable from: 4.10.0-20.22]
openssh-client/zesty-proposed 1:7.4p1-10ubuntu0.1 s390x [upgradable from: 1:7.4p1-10]
openssh-server/zesty-proposed 1:7.4p1-10ubuntu0.1 s390x [upgradable from: 1:7.4p1-10]
openssh-sftp-server/zesty-proposed 1:7.4p1-10ubuntu0.1 s390x [upgradable from: 1:7.4p1-10]
snap-confine/zesty-proposed 2.25+17.04 s390x [upgradable from: 2.24.1+17.04]
snapd/zesty-proposed 2.25+17.04 s390x [upgradable from: 2.24.1+17.04]
sosreport/zesty-proposed 3.4-1~ubuntu17.04.1 s390x [upgradable from: 3.3+git50-g3c0349b-2]
unattended-upgrades/zesty-proposed 0.93.1ubuntu2.1 all [upgradable from: 0.93.1ubuntu2]
ubuntu@zlin42:~$
### 
ubuntu@zlin42:~$ sudo vi /etc/ssh/sshd_config
ubuntu@zlin42:~$ sudo systemctl restart sshd
ubuntu@zlin42:~$ apt-cache policy openssh-server
openssh-server:
  Installed: 1:7.4p1-10
  Candidate: 1:7.4p1-10ubuntu0.1
  Version table:
     1:7.4p1-10ubuntu0.1 500
        500 http://ports.ubuntu.com/ubuntu-ports zesty-proposed/main s390x Packages
 *** 1:7.4p1-10 500
        500 http://us.ports.ubuntu.com/ubuntu-ports zesty/main s390x Packages
        100 /var/lib/dpkg/status
ubuntu@zlin42:~$

me@WS:~$ ssh ubuntu@zlin42
ubuntu@zlin42's password: 
Welcome to Ubuntu 17.04 (GNU/Linux 4.10.0-20-generic s390x)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.


Last login: Fri May  5 03:22:00 2017 from 10.172.66.66
ubuntu@zlin42:~$ exit
logout
Connection to zlin42 closed.
me@WS:~$

### activate hw crypto for ssl / ibmca engine
ubuntu@zlin42:~$ sudo vi /etc/ssl/openssl.cnf
# set: openssl_conf = openssl_def

ubuntu@zlin42:~$ openssl engine
(dynamic) Dynamic engine loading support
(ibmca) Ibmca hardware engine support
ubuntu@zlin42:~$

### negative test - expecting the problem to occur

me@WS:~$ ssh ubuntu@zlin42
ubuntu@zlin42's password: 
Connection to zlin42 closed by remote host.
Connection to zlin42 closed.
me@WS:~$

ubuntu@zlin42:~$ sudo apt install openssh-server
Reading package lists... Done
Building dependency tree   
Reading state information... Done
The following additional packages will be installed:
  openssh-client openssh-sftp-server
Suggested packages:
  keychain libpam-ssh monkeysphere ssh-askpass molly-guard rssh
The following packages will be upgraded:
  openssh-client openssh-server openssh-sftp-server
3 upgraded, 0 newly installed, 0 to remove and 9 not upgraded.
Need to get 928 kB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://ports.ubuntu.com/ubuntu-ports zesty-proposed/main s390x openssh-sftp-server s390x 1:7.4p1-10ubuntu0.1 [38.0 kB]
Get:2 http://ports.ubuntu.com/ubuntu-ports zesty-proposed/main s390x openssh-server s390x 1:7.4p1-10ubuntu0.1 [316 kB]
Get:3 http://ports.ubuntu.com/ubuntu-ports zesty-proposed/main s390x openssh-client s390x 1:7.4p1-10ubuntu0.1 [574 kB]
Fetched 928 kB in 1s (722 kB/s) 
Preconfiguring packages ...
(Reading database ... 134327 files and directories currently installed.)
Preparing to unpack .../openssh-sftp-server_1%3a7.4p1-10ubuntu0.1_s390x.deb ...
Unpacking openssh-sftp-server (1:7.4p1-10ubuntu0.1) over (1:7.4p1-10) ...
Preparing to unpack .../openssh-server_1%3a7.4p1-10ubuntu0.1_s390x.deb ...
Unpacking openssh-server (1:7.4p1-10ubuntu0.1) over (1:7.4p1-10) ...
Preparing to unpack .../openssh-client_1%3a7.4p1-10ubuntu0.1_s390x.deb ...
Unpacking openssh-client (1:7.4p1-10ubuntu0.1) over (1:7.4p1-10) ...
Processing triggers for ufw (0.35-4) ...
Processing triggers for ureadahead (0.100.0-19) ...
Processing triggers for systemd (232-21ubuntu3) ...
Processing triggers for man-db (2.7.6.1-2) ...
Setting up openssh-client (1:7.4p1-10ubuntu0.1) ...
Setting up openssh-sftp-server (1:7.4p1-10ubuntu0.1) ...
Setting up openssh-server (1:7.4p1-10ubuntu0.1) ...
ubuntu@zlin42:~$

ubuntu@zlin42:~$ exit
logout
Connection to zlin42 closed.
me@WS:~$ ssh ubuntu@zlin42
ubuntu@zlin42's password: 
Connection to zlin42 closed by remote host.
Connection to zlin42 closed.
me@WS:~$ ssh ubuntu@zlin42
ubuntu@zlin42's password: 
Connection to zlin42 closed by remote host.
Connection to zlin42 

[Touch-packages] [Bug 1686618] Re: ssh connection attempts fail if hw crypto support on s390x is enabled on 17.04

2017-05-05 Thread Frank Heimes
** Changed in: ubuntu-z-systems
   Status: In Progress => Fix Committed

Status in Ubuntu on IBM z Systems:
  Fix Committed
Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Zesty:
  Fix Committed
Status in openssh source package in Artful:
  Fix Released


[Touch-packages] [Bug 1686618] Re: ssh connection attempts fail if hw crypto support on s390x is enabled on 17.04

2017-05-04 Thread Brian Murray
Hello Frank, or anyone else affected,

Accepted openssh into zesty-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/openssh/1:7.4p1-10ubuntu0.1 in a
few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: openssh (Ubuntu Zesty)
   Status: In Progress => Fix Committed

** Tags added: verification-needed

Status in Ubuntu on IBM z Systems:
  In Progress
Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Zesty:
  Fix Committed
Status in openssh source package in Artful:
  Fix Released


[Touch-packages] [Bug 1686618] Re: ssh connection attempts fail if hw crypto support on s390x is enabled on 17.04

2017-05-04 Thread bugproxy
** Tags added: architecture-s39064 bugnameltc-153940 severity-high
targetmilestone-inin1704

Status in Ubuntu on IBM z Systems:
  In Progress
Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Zesty:
  In Progress
Status in openssh source package in Artful:
  Fix Released


[Touch-packages] [Bug 1686618] Re: ssh connection attempts fail if hw crypto support on s390x is enabled on 17.04

2017-05-04 Thread Frank Heimes
** Changed in: ubuntu-z-systems
   Status: Triaged => In Progress

Status in Ubuntu on IBM z Systems:
  In Progress
Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Zesty:
  In Progress
Status in openssh source package in Artful:
  Fix Released


[Touch-packages] [Bug 1686618] Re: ssh connection attempts fail if hw crypto support on s390x is enabled on 17.04

2017-05-04 Thread Dimitri John Ledkov
** Changed in: openssh (Ubuntu Zesty)
   Status: Triaged => In Progress

Status in Ubuntu on IBM z Systems:
  Triaged
Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Zesty:
  In Progress
Status in openssh source package in Artful:
  Fix Released

Bug description:
  [ Impact ]

  * Unable to ssh into Ubuntu, using default sshd configuration, when hw
  acceleration is enabled in openssl.

  [ Proposed solution ]

  * Cherrypick upstream fixes for:
    - sandboxing code on big endian
    - allowing hw accel ioctls in the sandbox

  short:
  after investigations the following commits are needed by openssh-server version 7.4p1 that is part of 17.04:
  - 5f1596e11d55539678c41f68aed358628d33d86f
  - 9e96b41682aed793fadbea5ccd472f862179fb02
  on master branch in https://github.com/openssh/openssh-portable
  that belong to openssh 7.5 release notes statement: "sshd(8): Avoid sandbox errors for Linux S390 systems using an ICA crypto coprocessor."
  __

  [Test case]

  long:

  enable z hw crypto support for openssh on an Ubuntu host (zlin42) on s390x like this:
  sudo apt-get install openssl-ibmca libica-utils libica2
  sudo tee -a /etc/ssl/openssl.cnf < /usr/share/doc/openssl-ibmca/examples/openssl.cnf.sample
  sudo sed -i 's/^\(openssl_conf = openssl_def.*$\)/# \1/g' /etc/ssl/openssl.cnf
  sudo sed -i '10i openssl_conf = openssl_def' /etc/ssl/openssl.cnf

  afterwards ssh login attempts fail:
  $ ssh ubuntu@zlin42
  ubuntu@zlin42's password:
  Connection to zlin42 closed by remote host.
  Connection to zlin42 closed.

  the normal logs don't provide any interesting details:

  mit log:
    Apr 24 12:37:52 zlin42 kernel: [933567.994312] audit: type=1326 audit(1493051872.112:29): auid=4294967295 uid=107 gid=65534 ses=4294967295 pid=25105 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=8016 syscall=201 compat=0 ip=0x3ffb8a3fb32 code=0x0

  Verbose:
  OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g  1 Mar 2016
  debug1: Reading configuration data /home/fheimes/.ssh/config
  debug1: /home/fheimes/.ssh/config line 6: Deprecated option "useroaming"
  debug1: /home/fheimes/.ssh/config line 7: Applying options for *
  debug1: Reading configuration data /etc/ssh/ssh_config
  debug1: /etc/ssh/ssh_config line 19: Applying options for *
  debug1: Connecting to 10.245.208.7 [10.245.208.7] port 22.
  debug1: Connection established.
  debug1: identity file /home/fheimes/.ssh/id_rsa type 1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_rsa-cert type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_dsa type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_dsa-cert type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_ecdsa type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_ecdsa-cert type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_ed25519 type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_ed25519-cert type -1
  debug1: Enabling compatibility mode for protocol 2.0
  debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
  debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4p1 Ubuntu-10
  debug1: match: OpenSSH_7.4p1 Ubuntu-10 pat OpenSSH* compat 0x0400
  debug1: Authenticating to 10.245.208.7:22 as 'ubuntu'
  debug1: SSH2_MSG_KEXINIT sent
  debug1: SSH2_MSG_KEXINIT received
  debug1: kex: algorithm: curve25519-sha...@libssh.org
  debug1: kex: host key algorithm: ecdsa-sha2-nistp256
  debug1: kex: server->client cipher: chacha20-poly1...@openssh.com MAC:  compression: none
  debug1: kex: client->server cipher: chacha20-poly1...@openssh.com MAC:  compression: none
  debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
  debug1: Server host key: ecdsa-sha2-nistp256 SHA256:ss9j12+jMMKL9u2vxNeb3XjOeH0E9lw24IG5LxUeJXk
  debug1: Host '10.245.208.7' is known and matches the ECDSA host key.
  debug1: Found key in /home/fheimes/.ssh/known_hosts:87
  debug1: rekey after 134217728 blocks
  debug1: SSH2_MSG_NEWKEYS sent
  debug1: expecting SSH2_MSG_NEWKEYS
  debug1: rekey after 134217728 blocks
  debug1: SSH2_MSG_NEWKEYS received
  debug1: SSH2_MSG_EXT_INFO received
  debug1: kex_input_ext_info: server-sig-algs=
  debug1: SSH2_MSG_SERVICE_ACCEPT received
  debug1: Authentications that can continue: publickey,password
  debug1: 

[Touch-packages] [Bug 1686618] Re: ssh connection attempts fail if hw crypto support on s390x is enabled on 17.04

2017-05-03 Thread Dimitri John Ledkov
** Description changed:

+ [ Impact ]
+ 
+ * Unable to ssh into Ubuntu, using default sshd configuration, when hw
+ acceleration is enabled in openssl.
+ 
+ [ Proposed solution ]
+ 
+ * Cherrypick upstream fixes for:
+   - sandboxing code on big endian
+   - allowing hw accel iocls in the sandbox
+ 
  short:
  after investigations the following commits are needed by openssh-server 
version 7.4p1 that is part of 17.04:
  - 5f1596e11d55539678c41f68aed358628d33d86f
  - 9e96b41682aed793fadbea5ccd472f862179fb02
  on master branch in https://github.com/openssh/openssh-portable
  that belong to openssh 7.5 release notes statement: "sshd(8): Avoid sandbox 
errors for Linux S390 systems using an ICA crypto coprocessor."
  __
  
+ [Test case]
+ 
  long:
  
  enable z hw crypto support for openssh on an Ubuntu host (zlin42) on s390x 
like this:
- sudo apt-get install openssh-ibmca libica-utils libica2
+ sudo apt-get install openssl-ibmca libica-utils libica2
  sudo tee -a /etc/ssl/openssl.cnf < 
/usr/share/doc/openssl-ibmca/examples/openssl.cnf.sample
  sudo sed -i 's/^\(openssl_conf = openssl_def.*$\)/# \1/g' /etc/ssl/openssl.cnf
  sudo sed -i '10i openssl_cnf = openssl_def' /etc/ssl/openssl.cnf
  
  afterwards ssh login attempts fail:
  $ ssh ubuntu@zlin42
- ubuntu@zlin42's password: 
+ ubuntu@zlin42's password:
  Connection to zlin42 closed by remote host.
  Connection to zlin42 closed.
  
  the normal logs don't provide any interesting details:
  
  mit log:
-   Apr 24 12:37:52 zlin42 kernel: [933567.994312] audit: type=1326 
audit(1493051872.112:29): auid=4294967295 uid=107 gid=65534 ses=4294967295 
pid=25105 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=8016 syscall=201 
compat=0 ip=0x3ffb8a3fb32 code=0x0
+   Apr 24 12:37:52 zlin42 kernel: [933567.994312] audit: type=1326 
audit(1493051872.112:29): auid=4294967295 uid=107 gid=65534 ses=4294967295 
pid=25105 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=8016 syscall=201 
compat=0 ip=0x3ffb8a3fb32 code=0x0
  
  Verbose:
  OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g  1 Mar 2016
  debug1: Reading configuration data /home/fheimes/.ssh/config
  debug1: /home/fheimes/.ssh/config line 6: Deprecated option "useroaming"
  debug1: /home/fheimes/.ssh/config line 7: Applying options for *
  debug1: Reading configuration data /etc/ssh/ssh_config
  debug1: /etc/ssh/ssh_config line 19: Applying options for *
  debug1: Connecting to 10.245.208.7 [10.245.208.7] port 22.
  debug1: Connection established.
  debug1: identity file /home/fheimes/.ssh/id_rsa type 1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_rsa-cert type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_dsa type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_dsa-cert type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_ecdsa type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_ecdsa-cert type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_ed25519 type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_ed25519-cert type -1
  debug1: Enabling compatibility mode for protocol 2.0
  debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
  debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4p1 
Ubuntu-10
  debug1: match: OpenSSH_7.4p1 Ubuntu-10 pat OpenSSH* compat 0x0400
  debug1: Authenticating to 10.245.208.7:22 as 'ubuntu'
  debug1: SSH2_MSG_KEXINIT sent
  debug1: SSH2_MSG_KEXINIT received
  debug1: kex: algorithm: curve25519-sha...@libssh.org
  debug1: kex: host key algorithm: ecdsa-sha2-nistp256
  debug1: kex: server->client cipher: chacha20-poly1...@openssh.com MAC: 
 compression: none
  debug1: kex: client->server cipher: chacha20-poly1...@openssh.com MAC: 
 compression: none
  debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
  debug1: Server host key: ecdsa-sha2-nistp256 
SHA256:ss9j12+jMMKL9u2vxNeb3XjOeH0E9lw24IG5LxUeJXk
  debug1: Host '10.245.208.7' is known and matches the ECDSA host key.
  debug1: Found key in /home/fheimes/.ssh/known_hosts:87
  debug1: rekey after 134217728 blocks
  debug1: SSH2_MSG_NEWKEYS sent
  debug1: expecting SSH2_MSG_NEWKEYS
  debug1: rekey after 134217728 blocks
  debug1: SSH2_MSG_NEWKEYS received
  debug1: SSH2_MSG_EXT_INFO received
  debug1: kex_input_ext_info: 
server-sig-algs=
  debug1: SSH2_MSG_SERVICE_ACCEPT received
  debug1: Authentications that can continue: publickey,password
  debug1: Next authentication method: publickey
  debug1: Offering RSA public key: /home/fheimes/.ssh/id_rsa
  debug1: Authentications that can continue: publickey,password
  debug1: Trying private 
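
Review bot: the unchanged test-case line `sudo sed -i '10i openssl_cnf = openssl_def' /etc/ssl/openssl.cnf` inserts a key named `openssl_cnf`, while the sed on the line before it comments out `openssl_conf = openssl_def`. The two names differ, so the inserted line does not restore the setting that was just disabled; it should read `openssl_conf = openssl_def`. This revision corrects the package name to `openssl-ibmca` but leaves that line as it was. In the added "Proposed solution" text, "iocls" also looks like a misspelling of "ioctls".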

[Touch-packages] [Bug 1686618] Re: ssh connection attempts fail if hw crypto support on s390x is enabled on 17.04

2017-05-02 Thread Dimitri John Ledkov
7.5 is now in artful.

https://launchpad.net/ubuntu/+source/openssh/1:7.5p1-2

** Changed in: openssh (Ubuntu Artful)
   Status: Triaged => Fix Released

** Changed in: openssh (Ubuntu Zesty)
 Assignee: (unassigned) => Dimitri John Ledkov (xnox)

** Changed in: openssh (Ubuntu Zesty)
Milestone: None => zesty-updates

** Changed in: openssh (Ubuntu Zesty)
   Status: New => Triaged

** Changed in: openssh (Ubuntu Zesty)
   Importance: Undecided => High

Status in Ubuntu on IBM z Systems:
  Triaged
Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Zesty:
  Triaged
Status in openssh source package in Artful:
  Fix Released


[Touch-packages] [Bug 1686618] Re: ssh connection attempts fail if hw crypto support on s390x is enabled on 17.04

2017-04-27 Thread Frank Heimes
** Changed in: ubuntu-z-systems
   Status: New => Triaged

Status in Ubuntu on IBM z Systems:
  Triaged
Status in openssh package in Ubuntu:
  Triaged
Status in openssh source package in Zesty:
  New
Status in openssh source package in Artful:
  Triaged


[Touch-packages] [Bug 1686618] Re: ssh connection attempts fail if hw crypto support on s390x is enabled on 17.04

2017-04-27 Thread Dimitri John Ledkov
** Changed in: openssh (Ubuntu)
   Status: New => Triaged

** Changed in: openssh (Ubuntu)
   Importance: Undecided => High

** Changed in: openssh (Ubuntu)
 Assignee: (unassigned) => Dimitri John Ledkov (xnox)

** Changed in: openssh (Ubuntu)
Milestone: None => ubuntu-17.05

** Also affects: openssh (Ubuntu Artful)
   Importance: High
 Assignee: Dimitri John Ledkov (xnox)
   Status: Triaged

** Also affects: openssh (Ubuntu Zesty)
   Importance: Undecided
   Status: New

Status in Ubuntu on IBM z Systems:
  New
Status in openssh package in Ubuntu:
  Triaged
Status in openssh source package in Zesty:
  New
Status in openssh source package in Artful:
  Triaged


[Touch-packages] [Bug 1686618] Re: ssh connection attempts fail if hw crypto support on s390x is enabled on 17.04

2017-04-27 Thread Frank Heimes
** Also affects: openssh (Ubuntu)
   Importance: Undecided
   Status: New

Status in Ubuntu on IBM z Systems:
  New
Status in openssh package in Ubuntu:
  New

Bug description:
  short:
  after investigations the following commits are needed by openssh-server version 7.4p1 that is part of 17.04:
  - 5f1596e11d55539678c41f68aed358628d33d86f
  - 9e96b41682aed793fadbea5ccd472f862179fb02
  on master branch in https://github.com/openssh/openssh-portable
  that belong to openssh 7.5 release notes statement: "sshd(8): Avoid sandbox errors for Linux S390 systems using an ICA crypto coprocessor."
  __

  long:

  enable z hw crypto support for openssh on an Ubuntu host (zlin42) on s390x like this:
  sudo apt-get install openssl-ibmca libica-utils libica2
  sudo tee -a /etc/ssl/openssl.cnf < /usr/share/doc/openssl-ibmca/examples/openssl.cnf.sample
  sudo sed -i 's/^\(openssl_conf = openssl_def.*$\)/# \1/g' /etc/ssl/openssl.cnf
  sudo sed -i '10i openssl_conf = openssl_def' /etc/ssl/openssl.cnf

  afterwards ssh login attempts fail:
  $ ssh ubuntu@zlin42
  ubuntu@zlin42's password: 
  Connection to zlin42 closed by remote host.
  Connection to zlin42 closed.

  the normal logs don't provide any interesting details:

  mit log:
    Apr 24 12:37:52 zlin42 kernel: [933567.994312] audit: type=1326 audit(1493051872.112:29): auid=4294967295 uid=107 gid=65534 ses=4294967295 pid=25105 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=8016 syscall=201 compat=0 ip=0x3ffb8a3fb32 code=0x0

  Verbose:
  OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g  1 Mar 2016
  debug1: Reading configuration data /home/fheimes/.ssh/config
  debug1: /home/fheimes/.ssh/config line 6: Deprecated option "useroaming"
  debug1: /home/fheimes/.ssh/config line 7: Applying options for *
  debug1: Reading configuration data /etc/ssh/ssh_config
  debug1: /etc/ssh/ssh_config line 19: Applying options for *
  debug1: Connecting to 10.245.208.7 [10.245.208.7] port 22.
  debug1: Connection established.
  debug1: identity file /home/fheimes/.ssh/id_rsa type 1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_rsa-cert type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_dsa type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_dsa-cert type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_ecdsa type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_ecdsa-cert type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_ed25519 type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /home/fheimes/.ssh/id_ed25519-cert type -1
  debug1: Enabling compatibility mode for protocol 2.0
  debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
  debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4p1 Ubuntu-10
  debug1: match: OpenSSH_7.4p1 Ubuntu-10 pat OpenSSH* compat 0x0400
  debug1: Authenticating to 10.245.208.7:22 as 'ubuntu'
  debug1: SSH2_MSG_KEXINIT sent
  debug1: SSH2_MSG_KEXINIT received
  debug1: kex: algorithm: curve25519-sha...@libssh.org
  debug1: kex: host key algorithm: ecdsa-sha2-nistp256
  debug1: kex: server->client cipher: chacha20-poly1...@openssh.com MAC:  compression: none
  debug1: kex: client->server cipher: chacha20-poly1...@openssh.com MAC:  compression: none
  debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
  debug1: Server host key: ecdsa-sha2-nistp256 SHA256:ss9j12+jMMKL9u2vxNeb3XjOeH0E9lw24IG5LxUeJXk
  debug1: Host '10.245.208.7' is known and matches the ECDSA host key.
  debug1: Found key in /home/fheimes/.ssh/known_hosts:87
  debug1: rekey after 134217728 blocks
  debug1: SSH2_MSG_NEWKEYS sent
  debug1: expecting SSH2_MSG_NEWKEYS
  debug1: rekey after 134217728 blocks
  debug1: SSH2_MSG_NEWKEYS received
  debug1: SSH2_MSG_EXT_INFO received
  debug1: kex_input_ext_info: server-sig-algs=
  debug1: SSH2_MSG_SERVICE_ACCEPT received
  debug1: Authentications that can continue: publickey,password
  debug1: Next authentication method: publickey
  debug1: Offering RSA public key: /home/fheimes/.ssh/id_rsa
  debug1: Authentications that can continue: publickey,password
  debug1: Trying private key: /home/fheimes/.ssh/id_dsa
  debug1: Trying private key: /home/fheimes/.ssh/id_ecdsa
  debug1: Trying private key: /home/fheimes/.ssh/id_ed25519
  debug1: Next authentication method: password
  ubuntu@10.245.208.7's
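
The kernel audit record quoted in the report is the only server-side trace of the failure: `type=1326` is a seccomp audit record and `sig=31` is SIGSYS, so the sshd sandbox filter killed the process on syscall 201. The parser below is an added example, not part of the bug report or of OpenSSH; its function names are hypothetical, and the `geteuid` name for syscall 201 assumes the 64-bit s390x syscall table.

```python
import re
from datetime import datetime, timezone

AUDIT_SECCOMP = 1326  # audit record type the kernel logs for a seccomp action
LINUX_SIGSYS = 31     # signal raised when a seccomp filter kills the task
# Assumption: 64-bit s390x syscall numbering; only the number from the report.
S390X_SYSCALLS = {201: "geteuid"}

SYSLOG_START = re.compile(r"^\s*[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d ")
AUDIT_STAMP = re.compile(r"audit\((\d+)\.\d+:(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed input: the record from the report, wrapped the way the mail
# archive shows it, followed by an invented unrelated kernel line.
SAMPLE = """\
  Apr 24 12:37:52 zlin42 kernel: [933567.994312] audit: type=1326
audit(1493051872.112:29): auid=4294967295 uid=107 gid=65534 ses=4294967295
pid=25105 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=8016 syscall=201
compat=0 ip=0x3ffb8a3fb32 code=0x0
  Apr 24 12:37:53 zlin42 kernel: [933568.101000] example: unrelated line
"""


def unwrap(text):
    """Rejoin records split by mail line wrapping: a line without a leading
    syslog timestamp is a continuation of the previous record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if SYSLOG_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records


def seccomp_events(text, exe=None):
    """Return one dict per type=1326 record, optionally filtered by exe."""
    events = []
    for record in unwrap(text):
        fields = {k: v.strip('"') for k, v in FIELD.findall(record)}
        if fields.get("type") != str(AUDIT_SECCOMP):
            continue
        if exe is not None and fields.get("exe") != exe:
            continue
        stamp = AUDIT_STAMP.search(record)
        when = (datetime.fromtimestamp(int(stamp.group(1)), timezone.utc)
                if stamp else None)
        nr = int(fields.get("syscall", -1))
        events.append({
            "time_utc": when.isoformat() if when else None,
            "serial": int(stamp.group(2)) if stamp else None,
            "pid": int(fields.get("pid", -1)),
            "uid": int(fields.get("uid", -1)),
            "exe": fields.get("exe"),
            "syscall": nr,
            "syscall_name": S390X_SYSCALLS.get(nr, "unknown"),
            # SIGSYS in a seccomp record means the filter killed the task.
            "killed": fields.get("sig") == str(LINUX_SIGSYS),
        })
    return events


if __name__ == "__main__":
    for event in seccomp_events(SAMPLE, exe="/usr/sbin/sshd"):
        print(event)
```

The audit timestamp is in epoch seconds, so the event time comes out in UTC regardless of the local time in the syslog prefix.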