openssh builds no problem on x32, however on 6.7 onwards there's a silent failure that results in dropping all incoming connections. I did a pretty significant package upgrade yesterday (roughly a year out of date), with the result of being locked out of the system. I've built dropbear with -m64 so it builds, however 6.6 should be restored... Please restore an ebuild from 6.6.
Afflicted:
net-misc/openssh-6.7_p1
net-misc/openssh-6.8_p1-r5
This is pretty serious for remote users; I'm lucky as I have IPMI access to the box.
Reproducible: Always
Confirming building with -m64 results in a functional openssh with net-misc/openssh-6.8_p1-r5, this is super dangerous.
try emerging with EXTRA_ECONF=--with-sandbox=no. that will tell us whether the new seccomp code is causing a problem.
(In reply to SpanKY from comment #2)
> try emerging with EXTRA_ECONF=--with-sandbox=no. that will tell us whether
> the new seccomp code is causing a problem.

Tried this to no avail. I'm having the exact same issue though I have another system with up to date OpenSSL and OpenSSH that does not have the same problem. On the machine I do have the issue, I can have it run on a stage3 x32 sshd (6.6) but not with the same x32 binary I have running ok elsewhere - just closes the connection.
After compiling with "debug" flag, log shows: `[sshd] fatal: ssh_sandbox_violation: unexpected system call (arch:0xc000003e,syscall:228 @ 0xff9ff6da) [preauth]` So I checked and I typed EXTRA_CONF instead of the correct variable and recompiled again with sandbox disabled and it works now.
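Decoding the violation line from the comment above, as an added example that is not part of the original thread or of OpenSSH: it parses the `arch`, `syscall` and address fields and checks whether the syscall number carries the x32 ABI bit. The helper name `decode_violation` is hypothetical, and the syscall table is a small excerpt of the x86-64 table.

```python
import re

# Values from the Linux UAPI headers (linux/audit.h, asm/unistd.h).
AUDIT_ARCH = {0xC000003E: "AUDIT_ARCH_X86_64", 0x40000003: "AUDIT_ARCH_I386"}
X32_SYSCALL_BIT = 0x40000000  # OR-ed into syscall numbers issued via the x32 ABI

# Small excerpt of the x86-64 syscall table (numbers below 512 are shared
# with x32 once the x32 bit is masked off). Extend as needed.
X86_64_SYSCALLS = {96: "gettimeofday", 201: "time",
                   228: "clock_gettime", 229: "clock_getres"}

VIOLATION_RE = re.compile(
    r"ssh_sandbox_violation: unexpected system call "
    r"\(arch:(0x[0-9a-fA-F]+),syscall:(\d+) @ (0x[0-9a-fA-F]+)\)")

# Log line quoted in the comment above.
SAMPLE = ("[sshd] fatal: ssh_sandbox_violation: unexpected system call "
          "(arch:0xc000003e,syscall:228 @ 0xff9ff6da) [preauth]")


def decode_violation(line):
    """Hypothetical helper: decode one sshd sandbox violation line, or None."""
    m = VIOLATION_RE.search(line)
    if m is None:
        return None
    arch, nr, addr = int(m.group(1), 16), int(m.group(2)), int(m.group(3), 16)
    base = nr & ~X32_SYSCALL_BIT
    name = X86_64_SYSCALLS.get(base) if arch == 0xC000003E else None
    return {
        "arch": AUDIT_ARCH.get(arch, hex(arch)),
        "syscall": name or "unknown",
        "number": base,
        # True when the number carries the x32 bit, i.e. matches x32 __NR_* values.
        "x32_numbered": bool(nr & X32_SYSCALL_BIT),
        # Below 4 GiB is consistent with (not proof of) an ILP32 process.
        "caller_below_4g": addr < 2**32,
    }


if __name__ == "__main__":
    for key, value in decode_violation(SAMPLE).items():
        print(f"{key}: {value}")
```

For the logged line this reports `clock_gettime` under `AUDIT_ARCH_X86_64` with the x32 bit clear, so an allow-list built only from x32 `__NR_*` constants (which include that bit) would not match it.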
*** Bug 556476 has been marked as a duplicate of this bug. ***
As per Bug 556476, using `EXTRA_ECONF=--with-sandbox=rlimit` would be more secure, or there's an as-yet-unaccepted patch (albeit one which looks reasonable to an untrained eye) which adds libseccomp support, and which appears to work.
Commit message: Use the rlimit sandbox for x32 ABI until the seccomp one is fixed http://sources.gentoo.org/net-misc/openssh/openssh-6.9_p1-r2.ebuild?r1=1.11&r2=1.12
(In reply to Stuart Shelton from comment #6) i've added that to the latest ebuild, but i'll leave this bug open until we can enable seccomp again for x32
seccomp sandbox seems to work w/openssh-7.5_p1 under x32