[Bug 1690485] Re: openssh-server SIGSYS with 'UsePrivilegeSeparation sandbox'

KEVIN KENNY 1690485 at bugs.launchpad.net
Sat Oct 28 03:35:46 UTC 2017


Disable ssl-engine, re-enable kerberos5, it still crashes.

I'm pretty sure I'm running a stock OpenSSL. The only things
that I can think of that I might have done in that general
vicinity were to install xinetd, althttpd, and stunnel4, and
to obtain a host certificate from letsencrypt.org.

I'm still seeing it falling apart in EVP_Cipher. When I
allow 'socket', it unsurprisingly fails with SIGSYS on a
'connect' that follows immediately. The stack trace is
confusing. I've installed libkeyutils1-dbgsym, but it still
reports [unknown] for the locations.

sshd  9257 [006] 260133.546558: syscalls:sys_enter_socket: family: 0x00000001, type: 0x00000001, protocol: 0x00000000
                  115eb7 __socket (/lib/x86_64-linux-gnu/libc-2.26.so)
                    464e [unknown] (/lib/x86_64-linux-gnu/tls/libkeyutils.so.1.5)
                    484b [unknown] (/lib/x86_64-linux-gnu/tls/libkeyutils.so.1.5)
                    4be7 [unknown] (/lib/x86_64-linux-gnu/tls/libkeyutils.so.1.5)
                   4a24a cipher_crypt (/home/kennykb/debian.org/openssh/kevinbuild/sshd)
                   4feec ssh_packet_send2_wrapped (/home/kennykb/debian.org/openssh/kevinbuild/sshd)
                   500ef ssh_packet_send2 (/home/kennykb/debian.org/openssh/kevinbuild/sshd)
                   52b78 ssh_packet_send (/home/kennykb/debian.org/openssh/kevinbuild/sshd)
                   1a920 userauth_finish (/home/kennykb/debian.org/openssh/kevinbuild/sshd)
                   1ae72 input_userauth_request (/home/kennykb/debian.org/openssh/kevinbuild/sshd)
                   56699 ssh_dispatch_run (/home/kennykb/debian.org/openssh/kevinbuild/sshd)
                   56748 ssh_dispatch_run_fatal (/home/kennykb/debian.org/openssh/kevinbuild/sshd)
                   19d06 do_authentication2 (/home/kennykb/debian.org/openssh/kevinbuild/sshd)
                    de67 main (/home/kennykb/debian.org/openssh/kevinbuild/sshd)
                   211c0 __libc_start_main (/lib/x86_64-linux-gnu/libc-2.26.so)
                    f2b9 _start (/home/kennykb/debian.org/openssh/kevinbuild/sshd)
        ffffffffffffffff [unknown] ([unknown])

But at least we know it's going through keyutils, which isn't a huge
library!

What I get from a separate run using strace is also likely a useful clue. The abort
on 'connect' shows that it's trying to connect to D-Bus. I have Absolutely No Idea
what's going on there, but it seems quite peculiar. (There are a bunch of writes
from debug3 calls that I strewed throughout cipher_crypt.)

[pid  9903] write(7, "\0\0\0#\0\0\0\7\0\0\0\33cipher_crypt seqnr=7"..., 39 <unfinished ...>
[pid  9901] <... write resumed> )       = 53
[pid  9903] <... write resumed> )       = 39
[pid  9901] write(2, "debug3: mm_request_receive enter"..., 37debug3: mm_request_receive entering
 <unfinished ...>
[pid  9903] write(7, "\0\0\0\26\0\0\0\7\0\0\0\16not CHACHAPOLY", 26 <unfinished ...>
[pid  9901] <... write resumed> )       = 37
[pid  9903] <... write resumed> )       = 26
[pid  9901] read(5,  <unfinished ...>
[pid  9903] write(7, "\0\0\0#\0\0\0\7\0\0\0\33neither CHACHAPOLY n"..., 39) = 39
[pid  9903] write(7, "\0\0\0\23\0\0\0\7\0\0\0\vauthlen = 0", 23) = 23
[pid  9903] write(7, "\0\0\0\22\0\0\0\7\0\0\0\naadlen = 4", 22) = 22
[pid  9903] write(7, "\0\0\0\31\0\0\0\7\0\0\0\21Before EVP_Cipher", 29) = 29
[pid  9903] socket(AF_UNIX, SOCK_STREAM, 0) = 5
[pid  9903] connect(5, {sa_family=AF_UNIX, sun_path=@"/tmp/dbus-kZ8VEtJDOJ"}, 23) = ?
[pid  9903] +++ killed by SIGSYS (core dumped) +++
<... read resumed> "", 4)               = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=9903, si_uid=117, si_status=SIGSYS, si_utime=0, si_stime=0} ---

So somehow, with Kerberos5 enabled, it's trying to do some sort of IPC (for key management?)
and getting blocked by the seccomp rules?

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1690485

Title:
  openssh-server SIGSYS with 'UsePrivilegeSeparation sandbox'

Status in openssh package in Ubuntu:
  New

Bug description:
  The 'sshd' process gets 'authentication failure' and refuses to allow
  any login.

  dmesg indicates that the problem is SIGSYS on a call to 'socket'
  (syscall #41, signal #31).

  On a hunch, I decided to test whether the problem is related to
  'seccomp' and changed /etc/ssh/sshd_config from the default

  # UsePrivilegeSeparation sandbox

  to the former standard value

  UsePrivilegeSeparation yes

  and logins started to work again.

  Obviously, I'd like to have the additional protection that sandboxing
  would give me.

  ProblemType: Bug
  DistroRelease: Ubuntu 17.04
  Package: openssh-server 1:7.4p1-10
  ProcVersionSignature: Ubuntu 4.10.0-20.22-generic 4.10.8
  Uname: Linux 4.10.0-20-generic x86_64
  ApportVersion: 2.20.4-0ubuntu4
  Architecture: amd64
  CurrentDesktop: XFCE
  Date: Fri May 12 21:06:20 2017
  InstallationDate: Installed on 2017-04-08 (35 days ago)
  InstallationMedia:
   
  SourcePackage: openssh
  UpgradeStatus: Upgraded to zesty on 2017-04-24 (19 days ago)
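
Added example (not part of the original message and not OpenSSH code): a small Python triage script that reads `strace -f` output like the excerpt above and reports, for each process killed by SIGSYS, the syscall that was in flight, the last syscall that completed, and any AF_UNIX path involved. The sample trace, its pids and its socket path are constructed.

```python
import re

# Constructed sample modelled on the strace -f excerpt above (pids and path are made up).
SAMPLE = r'''
[pid  4242] write(7, "\0\0\0\31\0\0\0\7\0\0\0\21Before EVP_Cipher", 29) = 29
[pid  4240] read(5,  <unfinished ...>
[pid  4242] socket(AF_UNIX, SOCK_STREAM, 0) = 5
[pid  4242] connect(5, {sa_family=AF_UNIX, sun_path=@"/tmp/dbus-EXAMPLE"}, 20) = ?
[pid  4242] +++ killed by SIGSYS (core dumped) +++
<... read resumed> "", 4)               = 0
'''

LINE = re.compile(r'^(?:\[pid\s+(\d+)\]\s+)?(.*)$')
CALL = re.compile(r'^(\w+)\((.*)$')
KILLED = re.compile(r'^\+\+\+ killed by (SIG\w+)')
UNIX_PATH = re.compile(r'sun_path=(@?)"([^"]*)"')

def find_sigsys_kills(text):
    """Return one record per process killed by SIGSYS, naming the syscall in flight."""
    pending = {}    # pid -> (name, args) of a call that has not returned yet
    completed = {}  # pid -> name of the last call that did return
    kills = []
    for raw in text.splitlines():
        pid, rest = LINE.match(raw.strip()).groups()
        killed = KILLED.match(rest)
        if killed:
            if killed.group(1) == 'SIGSYS':
                name, args = pending.get(pid, (None, ''))
                path = UNIX_PATH.search(args)
                kills.append({
                    'pid': pid,
                    'syscall': name,       # the call the seccomp filter rejected
                    'previous': completed.get(pid),
                    'unix_path': path.group(1) + path.group(2) if path else None,
                })
            continue
        if rest.startswith('<...'):
            # "<... NAME resumed>" completes an earlier call unless it still ends in "= ?"
            if not rest.endswith('= ?'):
                name, _ = pending.pop(pid, (None, ''))
                completed[pid] = name or completed.get(pid)
            continue
        call = CALL.match(rest)
        if call:
            if rest.endswith('<unfinished ...>') or rest.endswith('= ?'):
                pending[pid] = call.groups()
            else:
                completed[pid] = call.group(1)
    return kills
```
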
