Hello,

This morning I upgraded an LXC container and since then I can’t log in with ssh anymore.

Client side:
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting no-more-sessions@openssh.com
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug3: send packet: type 1
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t3 nr0 i0/0 o0/0 e[write]/0 fd 4/5/6 sock -1 cc -1)
debug3: fd 1 is not O_NONBLOCK
Connection to alarig closed by remote host.

Server side:
Oct 8 15:48:07 alarig sshd[7789]: Accepted publickey for alarig from 217.70.181.1 port 2595 ssh2: RSA SHA256:zFZoKQ/RQ1exR92xTSuZoSp/kvbJouA5nvwUvkOyCYQ
Oct 8 15:48:07 alarig sshd[7789]: fatal: privsep_preauth: preauth child terminated by signal 31

A GitHub issue suggests adding the build flag -DOPENSSL_RAND_SEED_DEVRANDOM_SHM_ID=-1
https://github.com/openssl/openssl/issues/9984

Which I did.

~ # diff /var/db/repos/gentoo/dev-libs/openssl/openssl-1.1.1d-r1.ebuild /var/db/repos/gentoo/dev-libs/openssl/openssl-1.1.1d-r2.ebuild
148c148 < append-cppflags -DOPENSSL_NO_BUF_FREELISTS --- > append-cppflags -DOPENSSL_NO_BUF_FREELISTS -DOPENSSL_RAND_SEED_DEVRANDOM_SHM_ID=-1

And now I can log in again.

I’m not a developer at all, so I don’t know if this patch will break other things, but at least there is a patchable issue there.

Regards,
--
Alarig Le Lay
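Review bot: the new -DOPENSSL_RAND_SEED_DEVRANDOM_SHM_ID=-1 define at line 148 is appended unconditionally next to -DOPENSSL_NO_BUF_FREELISTS with nothing in the ebuild saying why it is there. Add a one-line comment above the append-cppflags call that points to https://github.com/openssl/openssl/issues/9984, so the define can be dropped once it is no longer needed. Both files in the diff live under /var/db/repos/gentoo, so the modified copy sits in the synced tree, where the next sync will overwrite it; keep it in a local overlay instead, and under a revision name that cannot collide with an official openssl-1.1.1d-r2.ebuild.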
*** Bug 696952 has been marked as a duplicate of this bug. ***
Pushing updated openssh shortly.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3e5450cea62dc5bc913d68a05f9de96c76eb8fb9

commit 3e5450cea62dc5bc913d68a05f9de96c76eb8fb9
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-10-08 15:56:59 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-10-08 15:56:59 +0000

    dev-libs/openssl: block incompatible net-misc/openssh versions

    Bug: https://bugs.gentoo.org/696950
    Package-Manager: Portage-2.3.76, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 .../openssl/{openssl-1.1.1d-r1.ebuild => openssl-1.1.1d-r2.ebuild} | 3 +++
 1 file changed, 3 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b013540990395e21715894f064343e2395781c25

commit b013540990395e21715894f064343e2395781c25
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-10-08 15:49:59 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-10-08 15:49:59 +0000

    net-misc/openssh: arm/m68k/sh stable

    Forced stabilization due to bug 696950.

    Closes: https://bugs.gentoo.org/691932
    Bug: https://bugs.gentoo.org/696950
    Package-Manager: Portage-2.3.76, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-misc/openssh/openssh-8.0_p1-r3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a8476cc3013b8303167fec09ffe03ed7ca193646

commit a8476cc3013b8303167fec09ffe03ed7ca193646
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-10-08 15:47:34 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-10-08 15:47:34 +0000

    net-misc/openssh: adjust sandbox for >=dev-libs/openssl-1.1.1d

    Link: https://github.com/openssh/openssh-portable/pull/149
    Bug: https://bugs.gentoo.org/696950
    Package-Manager: Portage-2.3.76, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 ...mget-shmat-shmdt-in-preauth-privsep-child.patch |  31 ++
 net-misc/openssh/openssh-8.0_p1-r3.ebuild          | 463 +++++++++++++++++++++
 2 files changed, 494 insertions(+)
I haven’t seen any login failure since the patch was published.

Thanks a lot!
--
Alarig Le Lay
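A triage check for the server-side symptom reported in this bug, as an added example that is not part of the original thread or of the OpenSSH or Gentoo code: it pairs each "preauth child terminated by signal N" line with an earlier "Accepted" line from the same sshd PID. The log lines are constructed, and reading signal 31 as SIGSYS raised by the seccomp sandbox assumes Linux on x86 or ARM.

```python
import re

# Constructed sample modelled on the server-side lines in the report.
SAMPLE_LOG = """\
Oct 8 15:48:07 host sshd[7789]: Accepted publickey for alice from 192.0.2.10 port 2595 ssh2: RSA SHA256:CONSTRUCTED
Oct 8 15:48:07 host sshd[7789]: fatal: privsep_preauth: preauth child terminated by signal 31
Oct 8 15:50:12 host sshd[7801]: Accepted publickey for bob from 192.0.2.11 port 4410 ssh2: RSA SHA256:CONSTRUCTED
Oct 8 15:50:12 host sshd[7801]: pam_unix(sshd:session): session opened for user bob
Oct 8 15:51:40 host sshd[7833]: fatal: privsep_preauth: preauth child terminated by signal 11
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPTED = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)")
KILLED = re.compile(
    r"fatal: privsep_preauth: preauth child terminated by signal (?P<sig>\d+)")

# Assumption: Linux x86/ARM numbering, where 31 is SIGSYS, the signal a
# seccomp filter delivers when the process makes a syscall it does not allow.
SIGSYS_LINUX = 31


def find_sandbox_kills(log_text):
    """Return one finding per killed preauth child, joined to its auth line."""
    accepted = {}  # sshd pid -> fields of the "Accepted" line
    findings = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        auth = ACCEPTED.match(msg)
        if auth:
            accepted[pid] = auth.groupdict()
            continue
        kill = KILLED.match(msg)
        if kill:
            prior = accepted.pop(pid, None)
            findings.append({
                "pid": int(pid),
                "signal": int(kill["sig"]),
                # SIGSYS right after a successful auth is the pattern in this bug
                "seccomp_suspected": int(kill["sig"]) == SIGSYS_LINUX,
                "auth_succeeded": prior is not None,
                "user": prior["user"] if prior else None,
            })
    return findings


if __name__ == "__main__":
    for finding in find_sandbox_kills(SAMPLE_LOG):
        print(finding)
```

A finding with both seccomp_suspected and auth_succeeded set matches what this report shows: the key is accepted, then the sandboxed child is killed before a session opens.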