Bug 834019 - net-misc/openssh-8.9_p1 does not accept connections - invalid syscall=414
Summary: net-misc/openssh-8.9_p1 does not accept connections - invalid syscall=414
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: x86 Linux
Importance: Normal critical
Assignee: Gentoo's Team for Core System packages
Keywords: PATCH
Reported: 2022-02-25 09:01 UTC by Sylvia
Modified: 2022-02-28 05:12 UTC
Attachments
Allow ppoll_time64 in seccomp filter (openssh-8.9_p1-allow-ppoll_time64.patch,396 bytes, patch)
2022-02-25 23:15 UTC, Patrick McLean

Description Sylvia 2022-02-25 09:01:56 UTC
After updating openssh to latest ~x86 keyworded version it does not accept connections.

remote:
debug1: Local version string SSH-2.0-OpenSSH_8.8p1-hpn15v2
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1-hpn15v2
debug1: compat_banner: match: OpenSSH_8.9p1-hpn15v2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 10.100.100.101:666 as 'root'
debug1: load_hostkeys: fopen /home/yui/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: AUTH STATE IS 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: REQUESTED ENC.NAME is 'aes128-ctr'
debug1: REQUESTED MAC.NAME is 'umac-64-etm@openssh.com'
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: zlib@openssh.com
debug1: REQUESTED ENC.NAME is 'aes128-ctr'
debug1: REQUESTED MAC.NAME is 'umac-64-etm@openssh.com'
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: zlib@openssh.com
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

local dmesg:
[682483.482239] audit: type=1326 audit(1645779265.254:7): auid=0 uid=22 gid=22 ses=6 pid=6030 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=40000003 syscall=414 compat=0 ip=0xb7f2d549 code=0x0

emerge --info
Portage 3.0.30 (python 3.9.9-final-0, default/linux/x86/17.0, gcc-9.4.0, glibc-2.33-r7, 5.10.101-yui i686)
=================================================================
                         System Settings
=================================================================
System uname: Linux-5.10.101-yui-i686-Intel_Xeon_Processor_-Skylake,_IBRS-with-glibc2.33
KiB Mem:     2016340 total,    726848 free
KiB Swap:     786424 total,    685816 free
Timestamp of repository gentoo: Fri, 25 Feb 2022 07:30:01 +0000
Head commit of repository gentoo: 278ae0bb7097451190515c02794b96f7d253fcc0
sh bash 5.1_p16
ld GNU ld (Gentoo 2.37_p1 p2) 2.37
ccache version 3.2.4 [disabled]
app-misc/pax-utils:        1.3.3::gentoo
app-shells/bash:           5.1_p16::gentoo
dev-lang/perl:             5.34.0-r6::gentoo
dev-lang/python:           2.7.18_p13::gentoo, 3.6.12-r1::gentoo, 3.7.10_p3::gentoo, 3.8.12_p1-r1::gentoo, 3.9.9-r1::gentoo, 3.10.0_p1-r1::gentoo
dev-util/cmake:            3.22.2::gentoo
dev-util/meson:            0.60.3::gentoo
sys-apps/baselayout:       2.7-r3::gentoo
sys-apps/openrc:           0.44.10::gentoo
sys-apps/sandbox:          2.25::gentoo
sys-devel/autoconf:        2.69-r5::gentoo, 2.71-r1::gentoo
sys-devel/automake:        1.16.4::gentoo
sys-devel/binutils:        2.37_p1-r2::gentoo
sys-devel/binutils-config: 5.4::gentoo
sys-devel/gcc:             9.3.0-r2::gentoo, 10.3.0-r2::gentoo, 11.2.0::gentoo
sys-devel/gcc-config:      3.9.9::x-portage
sys-devel/libtool:         2.4.6-r6::gentoo
sys-devel/make:            4.3::gentoo
sys-kernel/linux-headers:  5.15-r3::gentoo (virtual/os-headers)
sys-libs/glibc:            2.33-r7::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000
    sync-rsync-extra-opts: 
    sync-rsync-verify-max-age: 24
    sync-rsync-verify-metamanifest: yes
    sync-rsync-verify-jobs: 1

x-portage
    location: /usr/local/portage
    masters: gentoo
    priority: 0

ACCEPT_KEYWORDS="x86 ~x86"
ACCEPT_LICENSE="* -@EULA"
CBUILD="i686-pc-linux-gnu"
CC="gcc"
CFLAGS="-O2 -march=i686 -mtune=generic -mmmx -mfpmath=sse -msse3 -fomit-frame-pointer -g0 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXX="g++"
CXXFLAGS="-O2 -march=i686 -mtune=generic -mmmx -mfpmath=sse -msse3 -fomit-frame-pointer -g0"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--keep-going=y --quiet-build=n --buildpkg-exclude "virtual/*""
ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-O2 -march=i686 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs buildpkg buildpkg-live candy cgroup config-protect-if-modified distlocks ebuild-locks fakeroot fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news nodoc noinfo noman pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -march=i686 -pipe"
GENTOO_MIRRORS="http://mirror.hetzner.de/gentoo/  http://ftp.uni-erlangen.de/pub/mirrors/gentoo/ http://gentoo.osuosl.org/"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en ru"
PKGDIR="/usr/portage/packages"
PORTAGE_COMPRESS="lzma"
PORTAGE_COMPRESS_FLAGS="-9"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
SHELL="/bin/bash"
USE="acl acpi alsa bzip2 cli crypt curl dri exif expat ftp gdbm gif gmp gnutls gpm gzip iconv idn ipv6 jpeg lame libglvnd libtirpc lm_sensors lzma lzo mmap mmx mmxext mng mp3 ncurses nls nptl ogg openmp oss pam pcre png readline seccomp split-usr sql sqlite3 sse sse2 sse3 ssl svg tcpd theora truetype unicode usb vorbis wifi x86 xattr zlib" ABI_X86="32" ADA_TARGET="gnat_2020" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext sse sse2 sse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="evdev keyboard mouse joystick" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LUA_SINGLE_TARGET="lua5-1" LUA_TARGETS="lua5-1" NGINX_MODULES_HTTP="access auth_basic autoindex browser charset empty_gif fastcgi geo grpc gzip limit_conn limit_req map memcached mirror proxy referer rewrite scgi split_clients ssi upstream_hash upstream_ip_hash upstream_keepalive upstream_least_conn upstream_zone uwsgi brotli cache_purge dav dav_ext echo fancyindex flv geoip geoip2 gunzip gzip_static headers_more image_filter javascript lua mp4 naxsi push_stream random_index realip secure_link slice lowfs_cache spdy sticky stub_status sub 
upload_progress upstream_check vhost_traffic_status xslt" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-4 php8-0" POSTGRES_TARGETS="postgres12 postgres13" PYTHON_SINGLE_TARGET="python3_8" PYTHON_TARGETS="python2_7 python3_8 python3_9" RUBY_TARGETS="ruby26 ruby27" USERLAND="GNU" VIDEO_CARDS="nvidia intel" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq proto steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  ADDR2LINE, AR, ARFLAGS, AS, ASFLAGS, CCLD, CONFIG_SHELL, CPP, CPPFLAGS, CTARGET, CXXFILT, ELFEDIT, EXTRA_ECONF, F77FLAGS, FC, GCOV, GPROF, INSTALL_MASK, LANG, LC_ALL, LD, LEX, LFLAGS, LIBTOOL, MAKE, MAKEFLAGS, MAKEOPTS, NM, OBJCOPY, OBJDUMP, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_RSYNC_EXTRA_OPTS, RANLIB, READELF, RUSTFLAGS, SIZE, STRINGS, STRIP, YACC, YFLAGS

=================================================================
                        Package Settings
=================================================================

net-misc/openssh-8.9_p1::gentoo was built with the following:
USE="hpn pam pie scp ssl -X -X509 -audit (-debug) -kerberos -ldns -libedit -livecd -sctp -security-key (-selinux) -static -test -xmss"
FEATURES="binpkg-docompress userpriv sfperms candy cgroup buildpkg-live protect-owned noman xattr nodoc unmerge-orphans fakeroot unknown-features-warn usersync qa-unresolved-soname-deps ipc-sandbox config-protect-if-modified preserve-libs userfetch distlocks strict multilib-strict binpkg-dostrip network-sandbox ebuild-locks pid-sandbox merge-sync binpkg-logs assume-digests buildpkg sandbox noinfo unmerge-logs usersandbox news fixlafiles"


Reproducible: Always
Comment 1 Sylvia 2022-02-25 09:09:48 UTC
tested with USE=-hpn
HPN patch does not affect this problem, it is the same issue with and without HPN
Comment 2 Ionen Wolkens gentoo-dev 2022-02-25 11:15:14 UTC
Tried on a stable x86 VM (32bit kernel too fwiw) and can reproduce by accepting ~x86 8.9. Restarting the daemon did not help, downgrading allowed connections again.

Personally had no issues on amd64.
Comment 3 Sylvia 2022-02-25 12:14:10 UTC
Caught on another system

64bit kernel (5.15) and 32 bit userland

Also from IRC:

[11:41] <genr8eofl> this is in the sshd 8.9 changelog but Idk what it means: " * Correct handling of exceptfds/POLLPRI in our select(2)-based  poll(2)/ppoll(2) compat implementation. "
[11:41] <genr8eofl> * All: convert all uses of select(2)/pselect(2) to poll(2)/ppoll(2).   This includes the mainloops in ssh(1), ssh-agent(1), ssh-agent(1)
[11:42] <genr8eofl> so yeah, whatever it means, it looks like they changed the syscalls, and it's possible you've been hit with a bug due to some particular situation or whatnot


This is probably to be reported upstream and maybe 8.9p1 should be hardmasked for x86 until fixed.
Comment 4 Larry the Git Cow gentoo-dev 2022-02-25 16:46:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8718ae59ad006b2d52a88236ddd13b0670c57b83

commit 8718ae59ad006b2d52a88236ddd13b0670c57b83
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2022-02-25 16:41:28 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2022-02-25 16:45:37 +0000

    profiles: mask net-misc/openssh-8.9_p1 everywhere for now
    
    Acked-by: Sam James <sam@gentoo.org>
    Bug: https://bugs.gentoo.org/834019
    Bug: https://bugs.gentoo.org/834037
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-02-25 17:24:03 UTC
Could you file a bug at https://bugzilla.mindrot.org/ and link it here?
Comment 7 Mike Gilbert gentoo-dev 2022-02-25 20:01:54 UTC
I think a seccomp filter is blocking ppoll_time64.

> 92955 ppoll_time64([{fd=3, events=POLLIN}], 1, NULL, NULL, 8 <unfinished ...>
> 92955 <... ppoll_time64 resumed>)       = 414
> 92955 +++ killed by SIGSYS (core dumped) +++
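
Added example (not part of the original thread or of OpenSSH): a small decoder for the kernel's seccomp audit record, run on the dmesg line from the description, showing how `arch=40000003 syscall=414 sig=31 code=0x0` maps to the `ppoll_time64` kill seen in the strace above. The lookup tables are a deliberately small subset of the Linux headers, and the function and field names are this example's own.

```python
import re

# Copied from the dmesg line in the bug description above.
SAMPLE = ('[682483.482239] audit: type=1326 audit(1645779265.254:7): auid=0 uid=22 '
          'gid=22 ses=6 pid=6030 comm="sshd" exe="/usr/sbin/sshd" sig=31 '
          'arch=40000003 syscall=414 compat=0 ip=0xb7f2d549 code=0x0')

# AUDIT_ARCH_* values from <linux/audit.h>.
ARCHES = {0x40000003: "i386", 0xC000003E: "x86_64"}
# Small subset of the i386 syscall table: the poll family and its time64 twins.
I386_SYSCALLS = {168: "poll", 308: "pselect6", 309: "ppoll",
                 413: "pselect6_time64", 414: "ppoll_time64"}
# SECCOMP_RET_* actions from <linux/seccomp.h> (upper 16 bits of "code").
ACTIONS = {0x00000000: "KILL_THREAD", 0x80000000: "KILL_PROCESS",
           0x00030000: "TRAP", 0x00050000: "ERRNO", 0x7FFC0000: "LOG"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_seccomp_record(line):
    """Return a dict describing a seccomp audit record, or None for other lines."""
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    # dmesg prints the numeric type (1326); auditd logs print type=SECCOMP.
    if fields.get("type") not in ("1326", "SECCOMP"):
        return None
    arch = int(fields["arch"], 16)
    nr = int(fields["syscall"])
    code = int(fields["code"], 16)
    arch_name = ARCHES.get(arch, "unknown(0x%08x)" % arch)
    name = I386_SYSCALLS.get(nr) if arch_name == "i386" else None
    hint = None
    if name and name.endswith("_time64"):
        # A filter that only names the legacy syscall does not match the
        # *_time64 variant that 32-bit userland issued in the strace above.
        hint = "allowlist may name %s but not %s" % (name[:-len("_time64")], name)
    return {
        "comm": fields.get("comm"),
        "arch": arch_name,
        "syscall": name or "nr %d (not in table)" % nr,
        "action": ACTIONS.get(code & 0xFFFF0000, "other"),
        "killed_by_sigsys": fields.get("sig") == "31",  # SIGSYS is 31 on x86
        "hint": hint,
    }


if __name__ == "__main__":
    print(decode_seccomp_record(SAMPLE))
```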
Comment 8 Patrick McLean gentoo-dev 2022-02-25 23:15:59 UTC
Created attachment 765834 [details, diff]
Allow ppoll_time64 in seccomp filter

Please try this patch to see if it fixes the problem.
Comment 9 Larry the Git Cow gentoo-dev 2022-02-26 01:07:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9cbbc55aee6b2534bbc8d8fe12128c1083ee6850

commit 9cbbc55aee6b2534bbc8d8fe12128c1083ee6850
Author:     Patrick McLean <chutzpah@gentoo.org>
AuthorDate: 2022-02-26 01:06:59 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2022-02-26 01:06:59 +0000

    net-misc/openssh: Add patches for bugs #834019 and #834037
    
    Bug: https://bugs.gentoo.org/834019
    Bug: https://bugs.gentoo.org/834037
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 .../files/openssh-8.9_p1-X509-glue-13.3.patch      | 34 +++++++++++++++++++---
 .../files/openssh-8.9_p1-allow-ppoll_time64.patch  | 14 +++++++++
 .../openssh-8.9_p1-fzero-call-used-regs.patch      | 32 ++++++++++++++++++++
 net-misc/openssh/openssh-8.9_p1.ebuild             |  2 ++
 4 files changed, 78 insertions(+), 4 deletions(-)
Comment 10 Ionen Wolkens gentoo-dev 2022-02-26 08:38:58 UTC
Tried again on that x86 VM, and works as expected with patches.
Comment 11 Sylvia 2022-02-26 10:37:55 UTC
Tested the above patch 

 * Applying openssh-8.9_p1-seccomp.patch ...
patching file sandbox-seccomp-filter.c
Hunk #1 succeeded at 285 with fuzz 2 (offset 9 lines).
 [ ok ]
....

>>> net-misc/openssh-8.9_p1 merged.
# rc-service sshd restart
 * Caching service dependencies ...                                                                                                                                          [ ok ]
 * Stopping sshd ...                                                                                                                                                         [ ok ]
 * Starting sshd ...                                  

remote:
debug1: Local version string SSH-2.0-OpenSSH_8.9p1-hpn15v2
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1-hpn15v2
debug1: compat_banner: match: OpenSSH_8.9p1-hpn15v2 pat OpenSSH* compat 0x04000000
..
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
..
debug1: SSH2_MSG_KEXINIT sent
debug1: Entering interactive session.


All fine
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-02-27 06:10:24 UTC
Thanks for testing. Let's give it a day or two more in case any other portability issues pop up (keep an eye on https://github.com/openssh/openssh-portable/tree/V_8_9) and then unmask with revbump as ionen noted.
Comment 13 Larry the Git Cow gentoo-dev 2022-02-28 05:12:54 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4b5ef16c3fce4736090af46795e54d3de622746e

commit 4b5ef16c3fce4736090af46795e54d3de622746e
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-02-28 05:11:31 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-02-28 05:12:32 +0000

    net-misc/openssh: unmask openssh 8.9_p1; revbump to propagate sandbox fix
    
    Revbump for the folks who had 8.9_p1 installed and hadn't upgraded
    since mask was added, to be sure they get the fixed version.
    
    Closes: https://bugs.gentoo.org/834019
    Closes: https://bugs.gentoo.org/834037
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/openssh/{openssh-8.9_p1.ebuild => openssh-8.9_p1-r1.ebuild} | 0
 profiles/package.mask                                                | 5 -----
 2 files changed, 5 deletions(-)