Bug#868009: Immediate disconnect after successful authentication when "UsePrivilegeSeparation sandbox" is used

Wed, 12 Jul 2017 00:00:21 -0700 

Hello,

Some more info:

The described behavior happened on a machine with ~100 days uptime, out
of the blue, with no update whatsoever.


I enabled audit logs and get the following entries:

type=USER_AUTH msg=audit(1499842045.292:124): pid=5780 uid=0 auid=0
ses=28127 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd"
hostname=xxx.xxx.xxx.xxx addr=xxx.xxx.xxx.xxx terminal=ssh res=success'
type=USER_ACCT msg=audit(1499842045.292:125): pid=5780 uid=0 auid=0
ses=28127 msg='op=PAM:accounting acct="root" exe="/usr/sbin/sshd"
hostname=xxx.xxx.xxx.xxx addr=xxx.xxx.xxx.xxx terminal=ssh res=success'
type=SECCOMP msg=audit(1499842045.292:126): auid=0 uid=107 gid=65534
ses=28127 pid=5824 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=c000003e
syscall=41 compat=0 ip=0x7f85b3ef3d07 code=0x0


One more thing: Using UsePrivilegeSeparation=yes, on trying to log in
(intentionally) with a non-existing user, i get 3 passwort prompts
(which is expected, the same with an existing user + wrong password, so
PAM is working). When i use the sandbox setting, i get disconnected
after the first try.

Regards,

Simon




Am 2017-07-11 um 10:37 schrieb Colin Watson:
> On Tue, Jul 11, 2017 at 08:43:58AM +0200, Simon Kainz wrote:
>> When using the default
>>
>> UsePrivilegeSeparation sandbox
>>
>> i am unable to connect via SSH.
>>
>> This even does not work when i try it locally, eg.
>>
>> ssh skainz@127.0.0.1
>>
>>
>> SSH fails right after pre-authentication. Systme log tells me, the
>> authentication itself works correctly, but i get disconnected afterwards.
>>
>> If i set
>>
>> UsePrivilegeSeparation yes
>>
>>
>> it works.
>>
>>
>> Please see the attached ssh -vvv log.
> 
> Can you also get an sshd -ddd log from the server side, or at the very
> least look at /var/log/auth.log?  The client log is unlikely to be of
> much use in tracking this sort of thing down.
> 
> Thanks,
> 

-- 
ᘓ Debian Developer
  4096R/ED98D2D344641A6859A0864F1CB4F0F78DECAFE9
  Get my key:  finger skainz/k...@db.debian.org
               http://blog.familiekainz.at/static/gpg/8DECAFE9.asc

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to