Gentoo Forums
[RESOLVED][50%] ssh disconnects after upgrade
manwe_
l33t


Joined: 01 Feb 2006
Posts: 632
Location: Kraków/Cracow, Poland

Posted: Mon Jun 27, 2016 4:44 pm    Post subject: [RESOLVED][50%] ssh disconnects after upgrade

Hi *.

I did -uDN world on my server and… ssh stopped working. Reverting openssh didn't help. I can try downgrading package by package, but maybe some of you will be able to point out the problem.

Today's emerge:
Code:
     
     Mon Jun 27 11:16:47 2016 >>> media-libs/libpng-1.6.23
     Mon Jun 27 11:18:39 2016 >>> sys-libs/timezone-data-2016e
     Mon Jun 27 11:18:55 2016 >>> sys-apps/file-5.28
     Mon Jun 27 11:19:11 2016 >>> dev-libs/expat-2.2.0
     Mon Jun 27 11:19:25 2016 >>> dev-libs/gmp-6.1.1
     Mon Jun 27 11:21:29 2016 >>> media-libs/libjpeg-turbo-1.5.0
     Mon Jun 27 11:29:11 2016 >>> sys-apps/man-pages-4.06
     Mon Jun 27 11:29:47 2016 >>> dev-libs/openssl-1.0.2h-r2
     Mon Jun 27 11:33:05 2016 >>> dev-libs/libgcrypt-1.7.1
     Mon Jun 27 11:33:39 2016 >>> app-admin/eselect-1.4.6
     Mon Jun 27 11:36:56 2016 >>> app-shells/bash-4.3_p46
     Mon Jun 27 11:48:03 2016 >>> sys-devel/gettext-0.19.8.1
     Mon Jun 27 11:59:15 2016 >>> sys-devel/make-4.2.1
     Mon Jun 27 11:59:38 2016 >>> sys-devel/binutils-2.25.1-r1
     Mon Jun 27 12:03:02 2016 >>> app-crypt/gnupg-2.1.13
     Mon Jun 27 13:01:32 2016 >>> net-libs/nodejs-6.2.1
     Mon Jun 27 13:03:28 2016 >>> app-misc/screen-4.4.0
     Mon Jun 27 15:00:35 2016 >>> dev-libs/libpcre-8.39
     Mon Jun 27 15:08:19 2016 >>> dev-libs/glib-2.48.1
     Mon Jun 27 15:10:34 2016 >>> dev-util/desktop-file-utils-0.23
     Mon Jun 27 15:19:41 2016 >>> sys-libs/e2fsprogs-libs-1.43.1
     Mon Jun 27 15:19:56 2016 >>> net-misc/wget-1.18
     Mon Jun 27 15:20:45 2016 >>> dev-lang/python-3.4.4
     Mon Jun 27 15:21:27 2016 >>> dev-util/gdbus-codegen-2.48.1
     Mon Jun 27 15:23:04 2016 >>> sys-apps/portage-2.3.0
     Mon Jun 27 15:25:41 2016 >>> www-servers/nginx-1.11.1
     Mon Jun 27 15:26:32 2016 >>> app-text/aspell-0.60.6.1-r3
     Mon Jun 27 15:27:56 2016 >>> gnome-base/dconf-0.26.0
     Mon Jun 27 15:28:51 2016 >>> net-misc/dhcpcd-6.11.1
     Mon Jun 27 15:33:17 2016 >>> dev-vcs/git-2.9.0
     Mon Jun 27 15:33:33 2016 >>> sys-fs/e2fsprogs-1.43.1
     Mon Jun 27 15:33:52 2016 >>> net-misc/openssh-7.2_p2-r1


And later revert:
Code:

     Mon Jun 27 16:09:12 2016 >>> net-misc/openssh-7.2_p2


Log for sshd with DEBUG3:
Code:
Jun 27 18:39:36 {host} sshd[4653]: debug3: fd 5 is not O_NONBLOCK
Jun 27 18:39:36 {host} sshd[4653]: debug1: Forked child 4724.
Jun 27 18:39:36 {host} sshd[4653]: debug3: send_rexec_state: entering fd = 8 config len 298
Jun 27 18:39:36 {host} sshd[4653]: debug3: ssh_msg_send: type 0
Jun 27 18:39:36 {host} sshd[4724]: debug3: oom_adjust_restore
Jun 27 18:39:36 {host} sshd[4653]: debug3: send_rexec_state: done
Jun 27 18:39:36 {host} sshd[4724]: debug1: Set /proc/self/oom_score_adj to 0
Jun 27 18:39:36 {host} sshd[4724]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Jun 27 18:39:36 {host} sshd[4724]: debug1: inetd sockets after dupping: 3, 3
Jun 27 18:39:36 {host} sshd[4724]: Connection from {A.B.C.D} port 34556 on {E.F.G.H} port 22
Jun 27 18:39:36 {host} sshd[4724]: debug1: Client protocol version 2.0; client software version OpenSSH_7.2
Jun 27 18:39:36 {host} sshd[4724]: debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000
Jun 27 18:39:36 {host} sshd[4724]: debug1: Enabling compatibility mode for protocol 2.0
Jun 27 18:39:36 {host} sshd[4724]: debug1: Local version string SSH-2.0-OpenSSH_7.2
Jun 27 18:39:36 {host} sshd[4724]: debug2: fd 3 setting O_NONBLOCK
Jun 27 18:39:36 {host} sshd[4724]: debug3: ssh_sandbox_init: preparing seccomp filter sandbox
Jun 27 18:39:36 {host} sshd[4724]: debug2: Network child is on pid 4726
Jun 27 18:39:36 {host} sshd[4724]: debug3: preauth child monitor started
Jun 27 18:39:36 {host} sshd[4724]: debug3: privsep user:group 22:22 [preauth]
Jun 27 18:39:36 {host} sshd[4724]: debug1: permanently_set_uid: 22/22 [preauth]
Jun 27 18:39:36 {host} sshd[4724]: debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth]
Jun 27 18:39:36 {host} sshd[4724]: debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
Jun 27 18:39:36 {host} sshd[4724]: debug1: monitor_read_log: child log fd closed
Jun 27 18:39:36 {host} sshd[4724]: debug3: mm_request_receive entering
Jun 27 18:39:36 {host} sshd[4724]: debug1: do_cleanup
Jun 27 18:39:36 {host} sshd[4724]: debug3: PAM: sshpam_thread_cleanup entering
Jun 27 18:39:36 {host} sshd[4724]: debug1: Killing privsep child 4726


And log for ssh client:
Code:
OpenSSH_7.2p2, OpenSSL 1.0.2h  3 May 2016
debug1: Reading configuration data /home/manwe/.ssh/config
debug3: kex names ok: [diffie-hellman-group1-sha1]
debug3: kex names ok: [diffie-hellman-group1-sha1]
debug3: kex names ok: [diffie-hellman-group1-sha1]
debug3: kex names ok: [diffie-hellman-group1-sha1]
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "{server.domain.com.}" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to {server.domain.com.} [{E.F.G.H}] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/manwe/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/manwe/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/manwe/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/manwe/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/manwe/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/manwe/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/manwe/.ssh/id_ed25519 type 4
debug1: key_load_public: No such file or directory
debug1: identity file /home/manwe/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2
debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to {server.domain.com.}:22 as 'root'
debug3: hostkeys_foreach: reading file "/home/manwe/.ssh/known_hosts"
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
Connection closed by {E.F.G.H} port 22


Config for sshd:
Code:
# grep -Ev '^($|#)' /etc/ssh/sshd_config
AllowGroups root users
LogLevel DEBUG3
PasswordAuthentication no
UsePAM yes
PrintMotd no
PrintLastLog no
Subsystem       sftp    /usr/lib64/misc/sftp-server
AcceptEnv LANG LC_*


Log for sshd start:
Code:
Jun 27 18:47:05 {host} sshd[4828]: debug3: oom_adjust_setup
Jun 27 18:47:05 {host} sshd[4828]: debug1: Set /proc/self/oom_score_adj from 0 to -1000
Jun 27 18:47:05 {host} sshd[4828]: debug2: fd 3 setting O_NONBLOCK
Jun 27 18:47:05 {host} sshd[4828]: debug1: Bind to port 22 on 0.0.0.0.
Jun 27 18:47:05 {host} sshd[4828]: Server listening on 0.0.0.0 port 22.
Jun 27 18:47:05 {host} sshd[4828]: debug2: fd 4 setting O_NONBLOCK
Jun 27 18:47:05 {host} sshd[4828]: debug3: sock_set_v6only: set socket 4 IPV6_V6ONLY
Jun 27 18:47:05 {host} sshd[4828]: debug1: Bind to port 22 on ::.
Jun 27 18:47:05 {host} sshd[4828]: Server listening on :: port 22.


Last edited by manwe_ on Sun Aug 28, 2016 2:05 pm; edited 2 times in total
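As an added example (not code from the thread or from OpenSSH), a small Python checker for the server-side signature visible in the DEBUG3 log above: the preauth child attaches its seccomp filter and is immediately killed before any SSH2_MSG_KEXINIT, which is what the "UsePrivilegeSeparation sandbox" failure looks like from sshd's point of view. The log lines, hostnames and addresses below are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of sshd DEBUG3 output (not the poster's real log): session 4724
# dies the way the log in the thread does; session 4901 is healthy and reaches KEX.
SAMPLE_LOG = """\
Jun 27 18:39:36 host sshd[4724]: Connection from 192.0.2.10 port 34556 on 198.51.100.5 port 22
Jun 27 18:39:36 host sshd[4724]: debug3: ssh_sandbox_init: preparing seccomp filter sandbox
Jun 27 18:39:36 host sshd[4724]: debug2: Network child is on pid 4726
Jun 27 18:39:36 host sshd[4724]: debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
Jun 27 18:39:36 host sshd[4724]: debug1: monitor_read_log: child log fd closed
Jun 27 18:39:36 host sshd[4724]: debug1: do_cleanup
Jun 27 18:39:36 host sshd[4724]: debug1: Killing privsep child 4726
Jun 27 18:50:02 host sshd[4901]: Connection from 192.0.2.11 port 40100 on 198.51.100.5 port 22
Jun 27 18:50:02 host sshd[4901]: debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
Jun 27 18:50:02 host sshd[4901]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Jun 27 18:50:02 host sshd[4901]: debug1: SSH2_MSG_KEXINIT received [preauth]
Jun 27 18:50:05 host sshd[4901]: Accepted publickey for manwe from 192.0.2.11 port 40100 ssh2
""".splitlines()

# Session pid and the message after it; the "debugN: " prefix stays in the message.
LINE_RE = re.compile(r"sshd\[(\d+)\]: (.*)$")

def find_sandbox_kills(lines):
    """Group lines by sshd session pid and return the sessions whose privsep child
    was killed after the seccomp filter was attached and before any KEXINIT."""
    per_pid = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            per_pid[m.group(1)].append(m.group(2))
    hits = []
    for pid, msgs in per_pid.items():
        attach_at = next((i for i, s in enumerate(msgs) if "attaching seccomp filter" in s), None)
        kill_at = next((i for i, s in enumerate(msgs) if "Killing privsep child" in s), None)
        kex_seen = any("SSH2_MSG_KEXINIT" in s for s in msgs)
        if attach_at is None or kill_at is None or kill_at < attach_at or kex_seen:
            continue
        peer = re.search(r"Connection from (\S+) port (\d+)", "\n".join(msgs))
        hits.append({"pid": pid,
                     "child": msgs[kill_at].rsplit(" ", 1)[1],
                     "peer": f"{peer.group(1)}:{peer.group(2)}" if peer else "unknown"})
    return hits

if __name__ == "__main__":
    for h in find_sandbox_kills(SAMPLE_LOG):
        print(f"sshd[{h['pid']}] from {h['peer']}: privsep child {h['child']} killed "
              "right after seccomp attach, before KEX; check UsePrivilegeSeparation")
```

Run it against `journalctl -u sshd` or the syslog file after setting `LogLevel DEBUG3` as in the thread; a hit with no KEXINIT points at the sandbox rather than at authentication settings such as PermitRootLogin.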
manwe_
l33t


Joined: 01 Feb 2006
Posts: 632
Location: Kraków/Cracow, Poland

Posted: Mon Jun 27, 2016 4:56 pm

OK, found it. Changing UsePrivilegeSeparation from default "sandbox" to "yes" worked. Any ideas what changed?
khayyam
Watchman


Joined: 07 Jun 2012
Posts: 6227
Location: Room 101

Posted: Mon Jun 27, 2016 6:00 pm

manwe_ wrote:
OK, found it. Changing UsePrivilegeSeparation from default "sandbox" to "yes" worked. Any ideas what changed?

manwe_ ... in the above grep of sshd_config that wasn't enabled.

manwe_ wrote:
Code:
debug1: Authenticating to {server.domain.com.}:22 as 'root'

Well, as root (and with 'PasswordAuthentication no') you would need 'PermitRootLogin prohibit-password'. I expect you can set this and revert UsePrivilegeSeparation to sandbox and all should be well.

best ... khay
manwe_
l33t


Joined: 01 Feb 2006
Posts: 632
Location: Kraków/Cracow, Poland

Posted: Mon Jun 27, 2016 9:45 pm

UsePrivilegeSeparation wasn't "enabled" because "sandbox" is the default value. Also, PermitRootLogin is by default set to "prohibit-password", and today's problem wasn't related to root.

Proof with a non-root user, and with UsePrivilegeSeparation back to the default "sandbox" (by #).

Code:
OpenSSH_7.2p2, OpenSSL 1.0.2h  3 May 2016
debug1: Reading configuration data /home/manwe/.ssh/config
debug3: kex names ok: [diffie-hellman-group1-sha1]
debug3: kex names ok: [diffie-hellman-group1-sha1]
debug3: kex names ok: [diffie-hellman-group1-sha1]
debug3: kex names ok: [diffie-hellman-group1-sha1]
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "{server.domain.com.}" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to {server.domain.com.} [{E.F.G.H}] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/manwe/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/manwe/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/manwe/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/manwe/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/manwe/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/manwe/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/manwe/.ssh/id_ed25519 type 4
debug1: key_load_public: No such file or directory
debug1: identity file /home/manwe/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2
debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to {server.domain.com.}:22 as 'manwe'
debug3: hostkeys_foreach: reading file "/home/manwe/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/manwe/.ssh/known_hosts:113
debug3: load_hostkeys: loaded 1 keys from {server.domain.com.}
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
Connection closed by {E.F.G.H} port 22