[Bug 1690485] Re: openssh-server SIGSYS with 'UsePrivilegeSeparation sandbox'

KEVIN KENNY 1690485 at bugs.launchpad.net
Fri Oct 27 13:58:52 UTC 2017 

I lied. I experimented with ./configure flags.

    --with-kerberos5=/usr

is definitely the flag that is triggering the crash. Removing this
flag alone cures the crash.

Command that was used:

../configure --build=x86_64-linux-gnu --prefix=/usr \
	     --includedir=\${prefix}/include --mandir=\${prefix}/share/man \
	     --infodir=\${prefix}/share/info --sysconfdir=/etc \
	     --localstatedir=/var --disable-silent-rules \
	     --libdir=\${prefix}/lib/x86_64-linux-gnu \
	     --libexecdir=\${prefix}/lib/x86_64-linux-gnu \
	     --disable-maintainer-mode --disable-dependency-tracking \
	     --sysconfdir=/etc/ssh --libexecdir=\${prefix}/lib/openssh \
	     --disable-strip --with-mantype=doc --with-4in6 \
	     --with-privsep-path=/run/sshd --with-pid-dir=/run \
	     --with-tcp-wrappers --with-pam --with-libedit \
	     --with-systemd \
	     --with-xauth=/usr/bin/xauth \
	     --with-default-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games \
	     --with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
	     --with-cflags="-Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -fdebug-prefix-map=/home/kennykb/debian.org/openssh=. -fstack-protector-strong -Wformat -Werror=format-security -DSSH_EXTRAVERSION=\\\"Ubuntu-3\\\"" "--with-ldflags=-Wl,--as-needed -Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now" \
	     --with-ssl-engine --with-selinux --with-audit=linux
# removed
#	     --with-kerberos5=/usr

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1690485

Title:
  openssh-server SIGSYS with 'UsePrivilegeSeparation sandbox'

Status in openssh package in Ubuntu:
  New

Bug description:
  The 'sshd' process gets 'authentication failure' and refuses to allow
  any login.

  dmesg indicates that the problem is SIGSYS on a call to 'socket'
  (syscall #41, signal #31).

  On a hunch, I decided to test whether the problem is related to
  'seccomp' and changed /etc/ssh/sshd_config from the default

  # UsePrivilegeSeparation sandbox

  to the former standard value

  UsePrivilegeSeparation yes

  and logins started to work again.

  Obviously, I'd like to have the additional protection that sandboxing
  would give me.

  ProblemType: Bug
  DistroRelease: Ubuntu 17.04
  Package: openssh-server 1:7.4p1-10
  ProcVersionSignature: Ubuntu 4.10.0-20.22-generic 4.10.8
  Uname: Linux 4.10.0-20-generic x86_64
  ApportVersion: 2.20.4-0ubuntu4
  Architecture: amd64
  CurrentDesktop: XFCE
  Date: Fri May 12 21:06:20 2017
  InstallationDate: Installed on 2017-04-08 (35 days ago)
  InstallationMedia:
   
  SourcePackage: openssh
  UpgradeStatus: Upgraded to zesty on 2017-04-24 (19 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1690485/+subscriptions

More information about the foundations-bugs mailing list