Package: openssh-server
Version: 1:7.9p1-10
Severity: minor

Hi,

I am running sshd with systemd socket activation, which is a non-standard configuration, hence severity: minor.

Since the buster upgrade, on a host that is hit by ssh brute force attacks hundreds of times a day, I get "fatal: chroot("/run/sshd"): No such file or directory [preauth]" log entries about three times a day.

When I look, /run/sshd is there. It is also confusing that the message does happen so seldom, only in a very small fraction of cases. So it must be an exotic race condition. sshd doesn't delete and recreate the privsep directory after a chrooted daemon exits, does it?

What I notice is that this message sometimes happens when two connections come in together:

Example 1:

syslog:
Aug 13 05:25:03 q systemd[1]: Started OpenBSD Secure Shell server per-connection daemon (176.31.172.40:44702).
Aug 13 05:25:07 q systemd[1]: Started OpenBSD Secure Shell server per-connection daemon (40.125.172.86:1088).
Aug 13 05:25:08 q systemd[1]: ssh@17885-85.214.213.124:22-176.31.172.40:44702.service: Succeeded.
Aug 13 05:25:08 q systemd[1]: ssh@17886-85.214.213.138:22-40.125.172.86:1088.service: Succeeded.

auth.log:
Aug 13 05:25:03 q sshd[13138]: Invalid user oracle from 176.31.172.40 port 44702
Aug 13 05:25:03 q sshd[13138]: pam_unix(sshd:auth): check pass; user unknown
Aug 13 05:25:03 q sshd[13138]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=176.31.172
Aug 13 05:25:05 q sshd[13138]: Failed password for invalid user oracle from 176.31.172.40 port 44702 ssh2
Aug 13 05:25:08 q sshd[13138]: Received disconnect from 176.31.172.40 port 44702:11: Bye Bye [preauth]
Aug 13 05:25:08 q sshd[13138]: Disconnected from invalid user oracle 176.31.172.40 port 44702 [preauth]
Aug 13 05:25:08 q sshd[13142]: fatal: chroot("/run/sshd"): No such file or directory [preauth]

There were no auth.log entries for the connection from 40.125.172.86.

Example 2:

syslog:
Aug 13 00:12:41 q systemd[1]: Started OpenBSD Secure Shell server per-connection daemon (192.117.186.215:34594).
Aug 13 00:12:45 q systemd[1]: Started OpenBSD Secure Shell server per-connection daemon (222.255.146.19:54636).
Aug 13 00:12:46 q systemd[1]: ssh@16199-85.214.213.124:22-192.117.186.215:34594.service: Succeeded.
Aug 13 00:12:46 q systemd[1]: ssh@16200-85.214.213.124:22-222.255.146.19:54636.service: Succeeded.

auth.log:
Aug 13 00:12:42 q sshd[28305]: Invalid user tez from 192.117.186.215 port 34594
Aug 13 00:12:42 q sshd[28305]: pam_unix(sshd:auth): check pass; user unknown
Aug 13 00:12:42 q sshd[28305]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.117.18
Aug 13 00:12:44 q sshd[28305]: Failed password for invalid user tez from 192.117.186.215 port 34594 ssh2
Aug 13 00:12:46 q sshd[28305]: Received disconnect from 192.117.186.215 port 34594:11: Bye Bye [preauth]
Aug 13 00:12:46 q sshd[28305]: Disconnected from invalid user tez 192.117.186.215 port 34594 [preauth]
Aug 13 00:12:46 q sshd[28308]: fatal: chroot("/run/sshd"): No such file or directory [preauth]

There were no auth.log entries for the connection from 222.255.146.19.

This is not a big deal, but I'd really like to know that I am still running the sshd with privilege separation.

Greetings
Marc

-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.2.7-zgsrv20080 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), LANGUAGE=en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-server depends on:
ii  adduser                3.118
ii  debconf [debconf-2.0]  1.5.71
ii  dpkg                   1.19.7
ii  libaudit1              1:2.8.4-3
ii  libc6                  2.28-10
ii  libcom-err2            1.44.5-1
ii  libgssapi-krb5-2       1.17-3
ii  libkrb5-3              1.17-3
ii  libpam-modules         1.3.1-5
ii  libpam-runtime         1.3.1-5
ii  libpam0g               1.3.1-5
ii  libselinux1            2.8-1+b1
ii  libssl1.1              1.1.1c-1
ii  libsystemd0            241-5
ii  libwrap0               7.6.q-28
ii  lsb-base               10.2019051400
ii  openssh-client         1:7.9p1-10
ii  openssh-sftp-server    1:7.9p1-10
ii  procps                 2:3.3.15-2
ii  ucf                    3.0038+nmu1
ii  zlib1g                 1:1.2.11.dfsg-1

Versions of packages openssh-server recommends:
ii  libpam-systemd  241-5
pn  ncurses-term    <none>
pn  xauth           <none>

Versions of packages openssh-server suggests:
ii  molly-guard   0.7.1
pn  monkeysphere  <none>
pn  rssh          <none>
pn  ssh-askpass   <none>
pn  ufw           <none>

-- debconf information:
* ssh/use_old_init_script: true
  ssh/encrypted_host_key_but_no_keygen:
* openssh-server/permit-root-login: true
  ssh/vulnerable_host_keys:
* openssh-server/password-authentication: true
  ssh/disable_cr_auth: false
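
Added example, not part of the original report and not code from the package: a Python script that automates the manual correlation shown in Example 1. For each chroot("/run/sshd") failure it lists the per-connection units that were live at that second and which of them never logged a peer address in auth.log. The names correlate and when, the fixed YEAR, and the IPv4-only patterns are assumptions of this example.

```python
import re
from datetime import datetime

YEAR = "2000"  # assumption: syslog timestamps carry no year; any fixed year works
TS = r"^(\w{3} +\d+ [\d:]{8}) \S+ "
STARTED = re.compile(TS + r"systemd\[1\]: Started OpenBSD Secure Shell server "
                          r"per-connection daemon \(([\d.]+):(\d+)\)\.")
ENDED = re.compile(TS + r"systemd\[1\]: ssh@\d+-[\d.]+:\d+-([\d.]+):(\d+)\.service: ")
FATAL = re.compile(TS + r'sshd\[(\d+)\]: fatal: chroot\("/run/sshd"\): No such file')
PEER = re.compile(r"from ([\d.]+) port (\d+)")

# Sample input: lines copied from Example 1 of the report above (auth.log abridged).
SYSLOG = [
    "Aug 13 05:25:03 q systemd[1]: Started OpenBSD Secure Shell server per-connection daemon (176.31.172.40:44702).",
    "Aug 13 05:25:07 q systemd[1]: Started OpenBSD Secure Shell server per-connection daemon (40.125.172.86:1088).",
    "Aug 13 05:25:08 q systemd[1]: ssh@17885-85.214.213.124:22-176.31.172.40:44702.service: Succeeded.",
    "Aug 13 05:25:08 q systemd[1]: ssh@17886-85.214.213.138:22-40.125.172.86:1088.service: Succeeded.",
]
AUTHLOG = [
    "Aug 13 05:25:03 q sshd[13138]: Invalid user oracle from 176.31.172.40 port 44702",
    "Aug 13 05:25:05 q sshd[13138]: Failed password for invalid user oracle from 176.31.172.40 port 44702 ssh2",
    'Aug 13 05:25:08 q sshd[13142]: fatal: chroot("/run/sshd"): No such file or directory [preauth]',
]

def when(stamp):
    return datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")

def correlate(syslog, authlog):
    """For each chroot fatal, list connections live at that second and
    those among them that never logged a peer address in auth.log."""
    start, end = {}, {}
    for line in syslog:
        if m := STARTED.match(line):
            start[(m[2], m[3])] = when(m[1])
        elif m := ENDED.match(line):
            end[(m[2], m[3])] = when(m[1])
    seen = {m.groups() for line in authlog if (m := PEER.search(line))}
    report = []
    for line in authlog:
        if m := FATAL.match(line):
            t = when(m[1])  # a unit with no end line yet counts as still live
            live = sorted(p for p, s in start.items() if s <= t <= end.get(p, t))
            report.append({"pid": int(m[2]), "time": m[1], "live": live,
                           "silent": [p for p in live if p not in seen]})
    return report

if __name__ == "__main__":
    print(correlate(SYSLOG, AUTHLOG))
```

A failure whose "live" list has two or more entries matches the pattern described in the report; the "silent" entries are the connections that produced no auth.log lines of their own.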