[Bug 1690485] Re: openssh-server SIGSYS with 'UsePrivilegeSeparation sandbox'

Colin Watson cjwatson at canonical.com
Wed Oct 25 16:00:00 UTC 2017 

This issue was never previously closed, only marked Incomplete (which is
an open state).

While it's possible to do a normal package build to get things
configured exactly the way we do, I don't think that's necessary here.
I suggest:

 * git clone https://anonscm.debian.org/git/pkg-ssh/openssh.git
 * cd openssh
 * sudo apt build-dep ./
 * make the change I suggested in comment #2
 * ./configure --sysconfdir=/etc/ssh --libexecdir=/usr/lib/openssh --with-privsep-path=/run/sshd --with-pid-dir=/run --with-pam
 * make

Don't install the result.  Instead, run "sudo `pwd`/sshd -p 2222 -ddd"
(where 2222 is some free port on your system) and try "ssh
-oStrictHostKeyChecking=no -p 2222 localhost".  That should be close
enough for this purpose, and if it isn't then we can refine from there.

Also, could you attach your PAM configuration (/etc/pam.d/sshd plus any
files mentioned in @include lines there)?

The strace you attached is unfortunately not very useful.  What we need
to find out here is what bit of code is making the offending socket
call, which is going to require some context around it: that's usually
best achieved by not limiting the set of syscalls traced by strace.
Unfortunately that also means that your private host keys will show up
in the strace, so if you do that then you need to be careful to redact
anything like that from the output!

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1690485

Title:
  openssh-server SIGSYS with 'UsePrivilegeSeparation sandbox'

Status in openssh package in Ubuntu:
  New

Bug description:
  The 'sshd' process gets 'authentication failure' and refuses to allow
  any login.

  dmesg indicates that the problem is SIGSYS on a call to 'socket'
  (syscall #41, signal #31).

  On a hunch, I decided to test whether the problem is related to
  'seccomp' and changed /etc/ssh/sshd_config from the default

  # UsePrivilegeSeparation sandbox

  to the former standard value

  UsePrivilegeSeparation yes

  and logins started to work again.

  Obviously, I'd like to have the additional protection that sandboxing
  would give me.

  ProblemType: Bug
  DistroRelease: Ubuntu 17.04
  Package: openssh-server 1:7.4p1-10
  ProcVersionSignature: Ubuntu 4.10.0-20.22-generic 4.10.8
  Uname: Linux 4.10.0-20-generic x86_64
  ApportVersion: 2.20.4-0ubuntu4
  Architecture: amd64
  CurrentDesktop: XFCE
  Date: Fri May 12 21:06:20 2017
  InstallationDate: Installed on 2017-04-08 (35 days ago)
  InstallationMedia:
   
  SourcePackage: openssh
  UpgradeStatus: Upgraded to zesty on 2017-04-24 (19 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1690485/+subscriptions

More information about the foundations-bugs mailing list