Package: openssh-server
Version: 1:6.7p1-3
Severity: important
Tags: upstream
Forwarded: https://bugzilla.mindrot.org/show_bug.cgi?id=2355


Hey.

I found a "special" situation in which ssh connections crash every few
tries and sometimes (but not always) one gets any of these along:
[527879.021049] traps: sshd[14583] general protection ip:7fbc7f04a664 sp:7fff3939fe58 error:0 in libc-2.19.so[7fbc7efce000+19f000]
[527945.727953] traps: sshd[14660] general protection ip:7f069558d664 sp:7fffc4223c88 error:0 in libc-2.19.so[7f0695511000+19f000]
[528046.264330] traps: sshd[14826] general protection ip:7f1b26eed664 sp:7fff521d7178 error:0 in libc-2.19.so[7f1b26e71000+19f000]
[536582.887955] traps: sshd[26078] general protection ip:7f96158b4664 sp:7fff2fef4a08 error:0 in libc-2.19.so[7f9615838000+19f000]
[536628.489940] traps: sshd[26206] general protection ip:7f9cc14a9664 sp:7fffdacfb478 error:0 in libc-2.19.so[7f9cc142d000+19f000]
[536734.550558] traps: sshd[26320] general protection ip:7f260fc18664 sp:7ffffb25be88 error:0 in libc-2.19.so[7f260fb9c000+19f000]
[536841.887230] traps: sshd[26513] general protection ip:7f168b350664 sp:7fff8a85a2c8 error:0 in libc-2.19.so[7f168b2d4000+19f000]
[536860.256030] traps: sshd[26572] general protection ip:7fba93937664 sp:7ffffcf18928 error:0 in libc-2.19.so[7fba938bb000+19f000]
[536949.787928] sshd[27137]: segfault at 8100000038 ip 00007f84523e666 sp 00007fff2cc1d908 error 4 in libc-2.19.so[7f845236a000+19f000]
[537088.405962] traps: sshd[27582] general protection ip:7f349cde6664 sp:7fffaf183ee8 error:0 in libc-2.19.so[7f349cd6a000+19f000]

What I do is basically the following:
Having sshd running (my sshd_config is attached), and gitolite3
(from sid) installed.

Gitolite (which I use with the "git" username) in turn has entries
like these:
command="/usr/share/gitolite3/gitolite-shell admin",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 ...
in its authorized_key files.


Then I repeatedly do:
$ ssh git@myserver info

Sometimes this works and I get:
> hello someName, this is git@myserver running gitolite3 3.6.1-3 (Debian) on git 2.1.4

But more than every 2nd time it fails and I get
> Write failed: Broken pipe
Sometimes (not always) with a general protection or segfault.


From my sshd_config, which uses a Match block for the git
user (for reasons of hardening), I found that the
> PermitOpen none
line is the cause of the problem.
When I comment it, then the connections *always* succeed (well at least
from about ~20 successive tries).


I should probably further notice: systemd/logind/PAM is used (not sure
if this could somehow interfere).
Also, I'm a bit unsure whether the "main" sshd is crashing or whether
it's just the processes of the sessions.
I didn't manually restart sshd, but it might be that systemd does that
automatically? How would I find out?


So some bug is hidden there...

Cheers,
Chris


-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_DE.utf8, LC_CTYPE=en_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-server depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.55
ii  dpkg                   1.17.23
ii  init-system-helpers    1.22
ii  libc6                  2.19-15
ii  libcomerr2             1.42.12-1
ii  libgssapi-krb5-2       1.12.1+dfsg-18
ii  libkrb5-3              1.12.1+dfsg-18
ii  libpam-modules         1.1.8-3.1
ii  libpam-runtime         1.1.8-3.1
ii  libpam0g               1.1.8-3.1
ii  libselinux1            2.3-2
ii  libssl1.0.0            1.0.1k-1
ii  libwrap0               7.6.q-25
ii  lsb-base               4.1+Debian13+nmu1
ii  openssh-client         1:6.7p1-3
ii  openssh-sftp-server    1:6.7p1-3
ii  procps                 2:3.3.9-8
ii  zlib1g                 1:1.2.8.dfsg-2+b1

Versions of packages openssh-server recommends:
ii  ncurses-term  5.9+20140913-1
ii  xauth         1:1.0.9-1

Versions of packages openssh-server suggests:
pn  molly-guard   <none>
pn  monkeysphere  <none>
ii  rssh          2.3.4-4+b1
pn  ssh-askpass   <none>
pn  ufw           <none>

-- debconf information excluded
#*******************************************************************************
#*** General                                                                 ***
#*******************************************************************************
##LogLevel              INFO
##SyslogFacility        AUTH

##PidFile               /var/run/sshd.pid


##StrictModes   yes




#*******************************************************************************
#*** System Techniques                                                       ***
#*******************************************************************************
UsePrivilegeSeparation  sandbox




#*******************************************************************************
#*** Networking                                                              ***
#*******************************************************************************
##AddressFamily any

##Port          22
ListenAddress   localhost
ListenAddress   ip6-localhost
ListenAddress   foobar


TCPKeepAlive    no
##IPQoS         lowdelay throughput


##UseDNS        yes


##MaxStartups   10:30:100
##MaxSessions   10




#*******************************************************************************
#*** Secure Shell (SSH) Protocol                                             ***
#*******************************************************************************
Protocol        2


##VersionAddendum       none
##DebianBanner          yes

##Banner                


Compression             no

ClientAliveInterval     15
ClientAliveCountMax     8


GSSAPIKeyExchange       no

KexAlgorithms           curve25519-sha...@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
Ciphers                 chacha20-poly1...@openssh.com,aes256-...@openssh.com,aes128-...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs                    hmac-sha2-512-...@openssh.com,hmac-sha2-256-...@openssh.com,umac-128-...@openssh.com

ServerKeyBits           4096
KeyRegenerationInterval 10m
RekeyLimit              default 1h




#*******************************************************************************
#*** Server Authentication                                                   ***
#*******************************************************************************
HostKey                 /etc/ssh/ssh_host_ed25519_key
HostKey                 /etc/ssh/ssh_host_ecdsa_key
HostKey                 /etc/ssh/ssh_host_rsa_key
#Note: SSH Version 2 DSA host keys are implicitly disabled.
##HostKey               /etc/ssh/ssh_host_dsa_key
#Note: SSH Version 1 RSA host keys are implicitly disabled.
##HostKey               /etc/ssh/ssh_host_key
##HostKeyAgent          
##HostCertificate       




#*******************************************************************************
#*** Client Authentication Methods                                           ***
#*******************************************************************************
PasswordAuthentication          no
PermitEmptyPasswords            no

KbdInteractiveAuthentication    no

ChallengeResponseAuthentication no

RhostsRSAAuthentication         no

HostbasedAuthentication         no
HostbasedUsesNameFromPacketOnly no

KerberosAuthentication          no
KerberosOrLocalPasswd           no
##KerberosGetAFSToken           no
##KerberosTicketCleanup         yes

GSSAPIAuthentication            no
GSSAPIStrictAcceptorCheck       yes
##GSSAPIStoreCredentialsOnRekey no
##GSSAPICleanupCredentials      yes

RSAAuthentication               no

PubkeyAuthentication            yes


IgnoreUserKnownHosts    yes
IgnoreRhosts            yes




#*******************************************************************************
#*** Client Authentication And Authorisation                                 ***
#*******************************************************************************
AuthenticationMethods   publickey

LoginGraceTime          60
MaxAuthTries            4


##RevokedKeys                   

##AuthorizedKeysCommand         none
AuthorizedKeysCommandUser       invalid
AuthorizedKeysFile              .ssh/authorized_keys

##TrustedUserCAKeys             
##AuthorizedPrincipalsFile      


#Note: These directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, AllowGroups
##DenyUsers     
AllowUsers      root git
##DenyGroups    
##AllowGroups   *

PermitRootLogin without-password




#*******************************************************************************
#*** Session                                                                 ***
#*******************************************************************************
UsePAM          yes
##UseLogin      no


##PermitTTY             yes
##AllowAgentForwarding  yes
##PermitUserRC          yes

AcceptEnv               LANG LC_ALL LC_ADDRESS LC_COLLATE LC_CTYPE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME
PermitUserEnvironment   no


##PrintLastLog  yes
PrintMotd       no


##ChrootDirectory       
##ForceCommand          




#*******************************************************************************
#*** Forwarding                                                              ***
#*******************************************************************************
##AllowStreamLocalForwarding    yes
StreamLocalBindMask             0177
StreamLocalBindUnlink           no

##AllowTcpForwarding            yes
##PermitOpen                    any

PermitTunnel                    no

X11Forwarding                   yes
X11UseLocalhost                 yes
##X11DisplayOffset              10
##XAuthLocation                 /usr/bin/xauth


GatewayPorts    no




#*******************************************************************************
#*** Subsystems                                                              ***
#*******************************************************************************
Subsystem       sftp /usr/lib/openssh/sftp-server




#*******************************************************************************
#*** Conditional Directive Blocks                                            ***
#*******************************************************************************
#for the user “git” used with Gitolite
Match User git
        #Note: Gitolite via SSH must only be used with the public key authentication method, therefore the following completely disables all others. However, the former isn’t explicitly enabled here, but rather “inherited” from the “global” configuration.
        PasswordAuthentication          no
        PermitEmptyPasswords            no
        KbdInteractiveAuthentication    no
        RhostsRSAAuthentication         no
        HostbasedAuthentication         no
        HostbasedUsesNameFromPacketOnly no
        KerberosAuthentication          no
        GSSAPIAuthentication            no
        RSAAuthentication               no
        ###PubkeyAuthentication         yes
        AuthenticationMethods           publickey
        
        #Note: As of now, Gitolite doesn’t make use of an “authorized keys command”. It could have been “inherited” from the “global” configuration, therefore the following disables it explicitly.
        AuthorizedKeysCommand           none
        AuthorizedKeysCommandUser       invalid
        
        #Note: Gitolite always expects the authorized keys to be found at “~/.ssh/authorized_keys”. A different value could have been “inherited” from the “global” configuration, therefore the following sets it explicitly.
        AuthorizedKeysFile              .ssh/authorized_keys
        
        #Note: The following makes sure that it is really the user “git” which is used and that it isn’t an “alias for root” (in other words: any user name having the user ID 0).
        AllowUsers                      git
        PermitRootLogin                 no
        
        #Note: The following restricts miscellaneous things which shouldn’t be necessary for respectively used with git or Gitolite.
        PermitTTY                       no
        AllowAgentForwarding            no
        PermitUserRC                    no
        AcceptEnv                       LANG LC_ALL LC_ADDRESS LC_COLLATE LC_CTYPE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME
        AllowStreamLocalForwarding      no
        StreamLocalBindMask             0777
        StreamLocalBindUnlink           no
        AllowTcpForwarding              no
        PermitOpen                      none
        PermitTunnel                    no
        X11Forwarding                   no
        X11UseLocalhost                 yes
        GatewayPorts                    no
        
        #Note: The following effectively forbids SSH channel multiplexing, which might have security implications (simplified: further channels “inherit” some parameters from the initiating one) if allowed.
        MaxSessions                     1
        
        #TODO: Consider running Gitolite from within a chroot.
        #ChrootDirectory                
        #TODO: Currently, “ForceCommand” cannot be used with Gitolite, but reconsider this once it should become possible.
        #ForceCommand                   
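
Added triage example, not part of the original report or of OpenSSH: it parses the kernel fault lines quoted at the top of the report and subtracts each mapping base from the faulting `ip`, which removes the ASLR slide and shows whether the crashes hit the same instruction in libc. The function names are assumptions of this example; the sample lines are copied from the report, and an `ip` that falls outside the printed mapping is reported as unresolved rather than guessed.

```python
import re
from collections import Counter

# Kernel fault lines copied from the report above (wrapped lines rejoined).
SAMPLE = """\
[527879.021049] traps: sshd[14583] general protection ip:7fbc7f04a664 sp:7fff3939fe58 error:0 in libc-2.19.so[7fbc7efce000+19f000]
[527945.727953] traps: sshd[14660] general protection ip:7f069558d664 sp:7fffc4223c88 error:0 in libc-2.19.so[7f0695511000+19f000]
[536949.787928] sshd[27137]: segfault at 8100000038 ip 00007f84523e666 sp 00007fff2cc1d908 error 4 in libc-2.19.so[7f845236a000+19f000]
"""

# Matches both the "traps: ... ip:<hex>" and the "segfault at ... ip <hex>" forms.
FAULT = re.compile(
    r"(?P<comm>\w+)\[(?P<pid>\d+)\]:? .*?\bip[: ](?P<ip>[0-9a-f]+) .*?"
    r"\bin (?P<obj>\S+?)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)


def fault_offsets(log_text):
    """Return (pid, object, offset) per fault line.

    offset is ip - base when ip lies inside [base, base + size);
    otherwise None, meaning the line is inconsistent and needs a manual look.
    """
    out = []
    for m in FAULT.finditer(log_text):
        ip, base, size = (int(m[k], 16) for k in ("ip", "base", "size"))
        inside = base <= ip < base + size
        out.append((int(m["pid"]), m["obj"], ip - base if inside else None))
    return out


def summarize(log_text):
    """Count faults per (object, offset) and list the PIDs that did not resolve."""
    faults = fault_offsets(log_text)
    sites = Counter((obj, off) for _, obj, off in faults if off is not None)
    unresolved = [pid for pid, _, off in faults if off is None]
    return sites, unresolved


if __name__ == "__main__":
    sites, unresolved = summarize(SAMPLE)
    for (obj, off), count in sites.most_common():
        print(f"{count} fault(s) in {obj} at offset {off:#x}")
    print("unresolved PIDs:", unresolved)
```

An offset that repeats across processes can be looked up in the debug symbols of the exact libc build, for example with `addr2line -f -e` on the library's debug file.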
