[Bug 1690485] Re: openssh-server SIGSYS with 'UsePrivilegeSeparation sandbox'
KEVIN KENNY
1690485 at bugs.launchpad.net
Thu Oct 26 00:47:00 UTC 2017
OK, I think I've followed instructions here.
I built with the '#define SANDBOX_SECCOMP_FILTER_DEBUG 1'
uncommented. Recalling at long last that Ubuntu is Debian
(I use Red Hat/CentOS at work and get them confused), I
used 'dpkg-buildpackage -rfakeroot -uc -b' to do the build;
hope that's OK. I also found that I needed to comment away
the four '#include' lines that follow the
SANDBOX_SECCOMP_FILTER_DEBUG definition, or else I got
many errors relating to conflicting structure definitions.
Attached tarball 'sshd-test-20171025.tar.gz' contains 'sshd.log',
the result of running 'sudo sshd -p 2222 -ddd'. It also contains
an etc/ hierarchy that includes the current /etc/ssh/sshd_config
and the relevant files from /etc/pam.d. I also threw in the result
of 'strace -f' applied to that command, in case it helps narrow
the point of failure further. I took a quick troll through the
output, and I don't *think* I see it revealing more than a
few bytes of a private key.
Thanks for responding! I hope this stuff helps to move the walls
in on the problem.
** Attachment added: "Requested files from test on 2017-10-25"
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1690485/+attachment/4995762/+files/sshd-test-20171025.tar.gz
https://bugs.launchpad.net/bugs/1690485
Title:
openssh-server SIGSYS with 'UsePrivilegeSeparation sandbox'
Status in openssh package in Ubuntu:
New
Bug description:
The 'sshd' process gets 'authentication failure' and refuses to allow
any login.
dmesg indicates that the problem is SIGSYS on a call to 'socket'
(syscall #41, signal #31).
On a hunch, I decided to test whether the problem is related to
'seccomp' and changed /etc/ssh/sshd_config from the default
    # UsePrivilegeSeparation sandbox
to the former standard value
    UsePrivilegeSeparation yes
and logins started to work again.
Obviously, I'd like to have the additional protection that sandboxing
would give me.
ProblemType: Bug
DistroRelease: Ubuntu 17.04
Package: openssh-server 1:7.4p1-10
ProcVersionSignature: Ubuntu 4.10.0-20.22-generic 4.10.8
Uname: Linux 4.10.0-20-generic x86_64
ApportVersion: 2.20.4-0ubuntu4
Architecture: amd64
CurrentDesktop: XFCE
Date: Fri May 12 21:06:20 2017
InstallationDate: Installed on 2017-04-08 (35 days ago)
InstallationMedia:
SourcePackage: openssh
UpgradeStatus: Upgraded to zesty on 2017-04-24 (19 days ago)
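
The dmesg diagnosis in the bug description (SIGSYS, syscall #41 = socket) can be automated over kernel audit records. The following is an added example, not part of the original report or of OpenSSH; the sample lines are constructed in the kernel's type=1326 (seccomp) audit format, and the syscall table is a small x86_64 subset.

```python
import re
from collections import Counter

# x86_64 syscall numbers (subset); 41 = socket is the call named in this bug.
X86_64_SYSCALLS = {0: "read", 1: "write", 2: "open", 3: "close", 9: "mmap",
                   41: "socket", 42: "connect", 59: "execve", 257: "openat"}
ARCHES = {"c000003e": "x86_64", "40000003": "i386"}  # AUDIT_ARCH_* values
SIGNALS = {31: "SIGSYS"}                              # x86 Linux numbering
AUDIT_SECCOMP = "1326"  # audit record type the kernel emits for seccomp actions

# Constructed sample lines (pid, ip, timestamps invented); not from the attached logs.
SAMPLE_DMESG = """\
[ 1021.554321] audit: type=1326 audit(1494637580.101:57): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=4242 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=c000003e syscall=41 compat=0 ip=0x7f3a5c1d2b17 code=0x0
[ 1021.900000] audit: type=1400 audit(1494637580.447:58): apparmor="STATUS" operation="profile_load" name="example"
[ 1050.113377] audit: type=1326 audit(1494637609.010:59): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=4310 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=c000003e syscall=41 compat=0 ip=0x7f3a5c1d2b17 code=0x0
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_seccomp_events(text):
    """Return one dict per seccomp audit record, with decoded names."""
    events = []
    for line in text.splitlines():
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if fields.get("type") != AUDIT_SECCOMP:
            continue  # skip AppArmor and other audit record types
        nr, sig = int(fields["syscall"]), int(fields["sig"])
        arch = ARCHES.get(fields["arch"], fields["arch"])
        # Syscall numbers are per-architecture: only decode what the table covers.
        name = X86_64_SYSCALLS.get(nr) if arch == "x86_64" else None
        events.append({"pid": int(fields["pid"]), "exe": fields["exe"],
                       "arch": arch, "signal": SIGNALS.get(sig, str(sig)),
                       "syscall_nr": nr, "syscall": name or f"unknown({nr})"})
    return events

def summarize(events):
    """Count sandbox violations per (executable, arch, syscall)."""
    return Counter((e["exe"], e["arch"], e["syscall"]) for e in events)

if __name__ == "__main__":
    for (exe, arch, syscall), n in summarize(parse_seccomp_events(SAMPLE_DMESG)).items():
        print(f"{exe} [{arch}] blocked syscall {syscall}: {n} event(s)")
```

A repeated (exe, syscall) pair like this points at a call the sandbox policy does not allow rather than a one-off crash, which is the pattern the report describes.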