Package: openssh-server
Version: 1:8.0p1-2
Severity: important

Dear Maintainer,

After enabling afalg engine on OpenSSL and configuring OpenSSH server to use the following ciphers, incoming ssh connections stop working.

When a client tries to connect, you can observe the following message on the server's dmesg output:

[271686.264598] audit: type=1326 audit(1561879548.303:14): auid=1000 uid=104 gid=65534 ses=99 subj==unconfined pid=8164 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=40000028 syscall=281 compat=0 ip=0xb6a5ee6c code=0x0

The device is a Buffalo Linkstation LS-WXL (armel, kirkwood). I would like to use the crypto hardware accelerator (marvell_cesa) on SSH to get better performance out of it, that's why I enabled the afalg engine.

This happens both with openssh-server from buster and experimental.

Syscall 281 appears to be socket(...) from what I could gather. Maybe it is necessary to add a few more allowed syscall rules to the seccomp sandbox in OpenSSH?

Config changes I performed below:

Changes on /etc/ssh/sshd_config

Ciphers aes128-cbc,aes192-cbc,aes256-cbc

Changes on /etc/ssl/openssl.cnf

[default_conf]
engines = openssl_engines

[openssl_engines]
afalg = afalg_engine

[afalg_engine]
default_algorithms = ALL

Thank you for your time,
Emilio

-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: armel (armv5tel)

Kernel: Linux 4.19.0-5-marvell
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages openssh-server depends on:
ii  adduser                3.118
ii  debconf [debconf-2.0]  1.5.71
ii  dpkg                   1.19.7
ii  libaudit1              1:2.8.4-3
ii  libc6                  2.28-10
ii  libcom-err2            1.44.5-1
ii  libgssapi-krb5-2       1.17-3
ii  libkrb5-3              1.17-3
ii  libpam-modules         1.3.1-5
ii  libpam-runtime         1.3.1-5
ii  libpam0g               1.3.1-5
ii  libselinux1            2.8-1+b1
ii  libssl1.1              1.1.1c-1
ii  libsystemd0            241-5
ii  libwrap0               7.6.q-28
ii  lsb-base               10.2019051400
ii  openssh-client         1:8.0p1-2
ii  openssh-sftp-server    1:8.0p1-2
ii  procps                 2:3.3.15-2
ii  ucf                    3.0038+nmu1
ii  zlib1g                 1:1.2.11.dfsg-1

Versions of packages openssh-server recommends:
pn  default-logind | logind | libpam-systemd  <none>
ii  ncurses-term                              6.1+20181013-2
pn  xauth                                     <none>

Versions of packages openssh-server suggests:
pn  molly-guard   <none>
pn  monkeysphere  <none>
pn  rssh          <none>
pn  ssh-askpass   <none>
pn  ufw           <none>

-- debconf information:
  openssh-server/permit-root-login: true
  openssh-server/password-authentication: true
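
Decoding the audit record quoted in the report, as an added example that is not part of the original report or of OpenSSH. The function name is hypothetical, and the arch and syscall tables are a small subset of the Linux uapi values, limited to the socket-family calls on ARM EABI.

```python
import re

# Audit arch tokens: ELF machine number OR'd with __AUDIT_ARCH_LE (0x40000000)
# and, for 64-bit ABIs, __AUDIT_ARCH_64BIT (0x80000000).
AUDIT_ARCH = {
    0x40000028: "arm",      # EM_ARM = 40
    0x40000003: "i386",     # EM_386 = 3
    0xC000003E: "x86_64",   # EM_X86_64 = 62
    0xC00000B7: "aarch64",  # EM_AARCH64 = 183
}

# Subset of the ARM EABI syscall table (socket family only, not complete).
SYSCALLS = {
    "arm": {
        281: "socket", 282: "bind", 283: "connect", 284: "listen",
        285: "accept", 294: "setsockopt", 295: "getsockopt",
        296: "sendmsg", 297: "recvmsg",
    },
}

SIGSYS = 31  # signal delivered when a seccomp filter kills the process
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_seccomp_record(line):
    """Decode an audit type=1326 (AUDIT_SECCOMP) record; None for other lines."""
    fields = {key: value.strip('"') for key, value in FIELD.findall(line)}
    if fields.get("type") != "1326":
        return None
    arch = AUDIT_ARCH.get(int(fields["arch"], 16), "unknown")  # arch is bare hex
    number = int(fields["syscall"])
    return {
        "comm": fields.get("comm"),
        "exe": fields.get("exe"),
        "arch": arch,
        "syscall": number,
        "syscall_name": SYSCALLS.get(arch, {}).get(number, "unknown"),
        "killed_by_sigsys": int(fields.get("sig", "0")) == SIGSYS,
    }


# The record from the report above.
RECORD = ('[271686.264598] audit: type=1326 audit(1561879548.303:14): auid=1000 '
          'uid=104 gid=65534 ses=99 subj==unconfined pid=8164 comm="sshd" '
          'exe="/usr/sbin/sshd" sig=31 arch=40000028 syscall=281 compat=0 '
          'ip=0xb6a5ee6c code=0x0')

if __name__ == "__main__":
    print(decode_seccomp_record(RECORD))
```

The syscall number only has meaning together with the arch field, so the lookup is keyed on both; the same number on another architecture is a different call.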