Hi all,
Since upgrading my SSH jump host to the latest snap two days ago, its
sshd has been logging these errors:
2018-06-25T19:47:35.716Z tuna.alm.weirdnet.nl tuna sshd[91261]: WARNING: line 6 disappeared in /etc/moduli, giving up
As far as I can see, these are all caused by 'the internet' trying to
log in: I've not had any problems with sshd misbehaving and when I log
in no such warning is logged. It happened for 'Invalid user' (36x), 'Failed
password' (8x), 'Connection closed' (1x) and 'fatal: Timeout before
authentication' (1x) in the space of just over 2 days.
It comes from this bit in usr.bin/ssh/dh.c:
	linenum = 0;
	which = arc4random_uniform(bestcount);
	while (getline(&line, &linesize, f) != -1) {
		linenum++;
		if (!parse_prime(linenum, line, &dhg))
			continue;
		if ((dhg.size > max || dhg.size < min) ||
		    dhg.size != best ||
		    linenum++ != which) {
			BN_clear_free(dhg.g);
			BN_clear_free(dhg.p);
			continue;
		}
		break;
	}
	free(line);
	line = NULL;
	fclose(f);
	if (linenum != which+1) {
		logit("WARNING: line %d disappeared in %s, giving up",
		    which, _PATH_DH_MODULI);
		return (dh_new_group_fallback(max));
	}
If I understand the logic correctly (note: I'm pretty sure I don't),
then I don't quite see how this could happen unless the /etc/moduli
file is changed between runs. Which it isn't. It smells like an
off-by-one somehow, maybe when which == 0 or which == bestcount-1, but
my read of this snippet doesn't spot such a problem.
Also, I saw this one:
2018-06-25T18:01:30.410Z tuna.alm.weirdnet.nl tuna sshd[34906]: WARNING: line 0 disappeared in /etc/moduli, giving up
Where which == 0... So... why is this being logged?
I'm tempted to change the log to include bestcount too, but I'd
rather not mess around with sshd on an important (to me) machine. I
do note that r1.64 introduced the move from fgets to getline which
touched this bit of code, so there may have been a problem there.
Anyone have an idea?
Paul 'WEiRD' de Weerd
--
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
http://www.weirdnet.nl/
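A stand-alone C simulation of the selection loop quoted in the post, added here as an example (it is neither the poster's code nor OpenBSD's): the moduli file is replaced by a constructed array of candidate sizes, select_as_posted() mirrors the quoted loop, and select_with_counter() is an assumed variant that keeps the file line number and the candidate index in separate variables. Running both shows that in the quoted loop linenum is advanced once per line read and a second time per best-size candidate, so the post-loop check linenum != which+1 fails for most values of which, including which == 0.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-in for /etc/moduli: each entry is the size field of
 * a line parse_prime() accepts, or 0 for a line it rejects (comment,
 * blank, malformed). Two header comments, six 3071-bit candidates,
 * one comment, one 4095-bit candidate. */
static const int MODULI[] = { 0, 0, 3071, 3071, 3071, 3071, 3071, 3071, 0, 4095 };
#define NLINES (sizeof(MODULI) / sizeof(MODULI[0]))

/* Mirror of the quoted dh.c loop. Returns linenum as left after the loop,
 * which the original then compares against which + 1. */
static int
select_as_posted(int best, int which)
{
	int linenum = 0;
	size_t i;

	for (i = 0; i < NLINES; i++) {
		linenum++;			/* file line number, for parse_prime() messages */
		if (MODULI[i] == 0)
			continue;		/* parse_prime() failed on this line */
		if (MODULI[i] != best || linenum++ != which)
			continue;		/* second increment, only on best-size lines */
		break;
	}
	return linenum;
}

/* Assumed variant (not OpenBSD's fix): a separate candidate counter is
 * compared against which, so linenum stays a plain line number. Returns
 * the candidate counter, which equals which + 1 on a successful pick. */
static int
select_with_counter(int best, int which)
{
	int linenum = 0, candidate = 0;
	size_t i;

	for (i = 0; i < NLINES; i++) {
		linenum++;
		if (MODULI[i] == 0)
			continue;
		if (MODULI[i] != best || candidate++ != which)
			continue;
		break;
	}
	return candidate;
}

/* bestcount as the first pass over the file computes it: lines of size best. */
static int
count_best(int best)
{
	int n = 0;
	size_t i;

	for (i = 0; i < NLINES; i++)
		if (MODULI[i] == best)
			n++;
	return n;
}

/* Number of which values in [0, bestcount) that would log the warning. */
static int
count_warnings(int best, int use_counter)
{
	int bestcount = count_best(best), failures = 0, which, n;

	for (which = 0; which < bestcount; which++) {
		n = use_counter ? select_with_counter(best, which)
		    : select_as_posted(best, which);
		if (n != which + 1)
			failures++;
	}
	return failures;
}
```

With the constructed file, only the odd values 3 and 5 of which ever match a best-size line in the quoted loop, so four of the six possible which values log the warning.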