After enabling LDAPS in /etc/ldap.conf, sshd crashes when a user tries to ssh in (syslog says "Feb 15 17:38:31 [sshd] Received signal 15; terminating."). Logins with the unencrypted LDAP work fine. I have the same LDAPS setup on 3 other machines, and they work fine. After recompiling multiple times, I realized my CFLAGS was different for the machine that was having problems. Removing the "-funroll-loops" and recompiling openssh, openssl, pam_ldap, and nss_ldap fixed the problem.

Reproducible: Always

Steps to Reproduce:
1. Compile openssh-3.7.1_p2-r1, openssl-0.9.7c-r1, pam_ldap-156, and nss_ldap-207-r1
2. Use the above config files.

Actual Results: SSH crashes when a user tries to login.

Expected Results: Authenticate the user.

This is the working configuration. The only difference is that "-funroll-loops" has been removed from the CFLAGS.

--- make.conf
USE="-X -gtk2 -gtk -qt -kde -gnome apache2 -gpm ipv6 ldap pam ssl"
CHOST="i686-pc-linux-gnu"
CFLAGS="-march=pentium3 -O3 -pipe"
CXXFLAGS="${CFLAGS}"

-- ldap.conf
host ldap.local.blah
base dc=local,dc=blah
ldap_version 3
binddn cn=query,dc=local,dc=blah
bindpw apassword
rootbinddn cn=user-admin,dc=local,dc=blah
scope one
pam_filter objectClass=posixAccount
pam_login_attribute cn
pam_groupdn cn=machine,dc=local,dc=blah
pam_password exop
nss_base_passwd ou=users,dc=local,dc=blah?one
nss_base_shadow ou=users,dc=local,dc=blah?one
nss_base_group ou=groups,dc=local,dc=blah?one
ssl start_tls
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ca.pem
tls_cacertdir /etc/ssl/certs

-- nsswitch.conf
passwd: compat ldap
shadow: compat ldap
group: compat ldap
hosts: files dns
networks: files dns
services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files

-- sshd_config
PermitRootLogin no
UsePAM yes
AllowTcpForwarding yes
X11Forwarding yes
UsePrivilegeSeparation yes
Subsystem sftp /usr/lib/misc/sftp-server

-- emerge info
Portage 2.0.50-r1 (default-x86-1.4, gcc-3.3.2, glibc-2.3.2-r9, 2.4.24)
=================================================================
System uname: 2.4.24 i686 Pentium III (Coppermine)
Gentoo Base System version 1.4.3.13
Autoconf: sys-devel/autoconf-2.58
Automake: sys-devel/automake-1.7.7
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-march=pentium3 -O3 -pipe"
CHOST="i686-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /opt/tomcat/conf /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
CXXFLAGS="-march=pentium3 -O3 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache sandbox"
GENTOO_MIRRORS="http://gentoo.oregonstate.edu http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="apache2 apm arts avi berkdb crypt cups encode foomaticdb gdbm gif imlib ipv6 java jpeg ldap libg++ libwww mad mikmod motif mpeg mysql ncurses nls oggvorbis opengl oss pam pdflib perl png python quicktime readline sdl slang spell ssl svga tcpd truetype x86 xml2 xmms xv zlib"
I've updated the openssh ebuild, please re-emerge and check if it still crashes. If it still does we'll have to move on to the next package in line.
I'm using the 3.8.1_p1-r1 ebuild for openssh and while the program compiles fine with -funroll-loops it suffers from several major runtime bugs such as:
- Unable to negotiate authentication for connections
- Unable to retrieve host keys (StrictHostKeyChecking acts like `yes' when set to `ask')
I should note that I'm not using LDAP at all.
Hurr, "Unable to negotiate authentication connections" isn't an openssh issue at all (see bug #53292). My bad :(
I can confirm that this problem also shows up when using saslauthd -a pam. It looks like the problem went away after I recompiled pam and pam_ldap taking out -funroll-loops from CFLAGS.
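Two things in this thread are worth checking mechanically on any host with the same setup: whether the flag the reporter had to drop is still in CFLAGS, and whether the ldap.conf TLS settings actually verify the server (the posted file carries both "ssl start_tls" and "ssl on", which conflict). The linter below is an added example, not part of the bug report or of pam_ldap/nss_ldap; the sample inputs are constructed from the report's files with the bind password replaced by a placeholder, and treating a missing tls_checkpeer as "not verified" is an assumption of this script, not a documented default.

```python
"""Lint a Portage make.conf and a pam_ldap/nss_ldap ldap.conf for the
settings discussed in the bug thread. Example code, not from the report."""
import re
from collections import defaultdict

SUSPECT_FLAGS = ("-funroll-loops",)  # the flag the reporter had to remove

# Constructed from the report's make.conf; the first has the bad flag put back.
MAKE_CONF_BAD = 'CFLAGS="-march=pentium3 -O3 -pipe -funroll-loops"\nCXXFLAGS="${CFLAGS}"\n'
MAKE_CONF_OK = 'CFLAGS="-march=pentium3 -O3 -pipe"\nCXXFLAGS="${CFLAGS}"\n'

# Trimmed from the report's ldap.conf; password replaced by a placeholder.
LDAP_CONF = """\
host ldap.local.blah
base dc=local,dc=blah
binddn cn=query,dc=local,dc=blah
bindpw PLACEHOLDER_PASSWORD
ssl start_tls
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ca.pem
"""

def check_cflags(make_conf):
    """Return the suspect flags present in the CFLAGS line of make.conf text."""
    m = re.search(r'^CFLAGS="([^"]*)"', make_conf, re.MULTILINE)
    flags = m.group(1).split() if m else []
    return [f for f in flags if f in SUSPECT_FLAGS]

def parse_ldap_conf(text):
    """Map directive -> list of values, keeping duplicates so conflicts are visible."""
    directives = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directives[parts[0].lower()].append(parts[1] if len(parts) > 1 else "")
    return directives

def lint_ldap_conf(text):
    """Return human-readable findings about the TLS and credential settings."""
    d, findings = parse_ldap_conf(text), []
    ssl_values = d.get("ssl", [])
    if len(set(ssl_values)) > 1:  # e.g. start_tls and on in the same file
        findings.append("conflicting ssl directives: " + ", ".join(ssl_values))
    if ssl_values and ssl_values[-1] != "off":
        # Assumption: a missing tls_checkpeer is treated as "not verified".
        if d.get("tls_checkpeer", ["no"])[-1].lower() != "yes":
            findings.append("tls_checkpeer is not yes: server certificate not verified")
        if "tls_cacertfile" not in d and "tls_cacertdir" not in d:
            findings.append("no tls_cacertfile/tls_cacertdir: no CA to verify against")
    if "bindpw" in d:
        findings.append("cleartext bindpw in file: keep it unreadable to other users")
    return findings

if __name__ == "__main__":
    print("suspect CFLAGS:", check_cflags(MAKE_CONF_BAD))
    for finding in lint_ldap_conf(LDAP_CONF):
        print("ldap.conf:", finding)
```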