On Tue, 13 Aug 2019 07:37:29 +0200 Marc Haber <mh+debian-packa...@zugschlus.de>
wrote:
> Package: openssh-server
> Version: 1:7.9p1-10
> Severity: minor
>
> Hi,
>
> I am running sshd with systemd socket activation, which is a
> non-standard configuration, hence severity: minor.
>
> Since the buster upgrade, on a host that is hit by ssh brute force
> attacks hundreds of times a day, I get "fatal: chroot("/run/sshd"): No
> such file or directory [preauth]" log entries about three times a day.
>
> When I look, /run/sshd is there. It is also confusing that the message
> does happen so seldomly, only in a very small fraction of cases. So it
> must be an exotic race condition.
>
> sshd doesn't delete and recreate the privsep directory after a chrooted
> daemon exits, does it?
I have also run into this problem.
The reason is rather simple: systemd creates the RuntimeDirectory when
the service starts, and deletes when it stops. Since it's an instanced unit
activated by socket connection, multiple units access the same directory
concurrently in a racy way.
Instance A may delete the directory after instance B is started, but before
it has chrooted into it, which causes the instance B to fail. The time window
is small, so it happens rarely.
Given that, RuntimeDirectoryPreserve=yes seems like the proper fix.
/run/sshd problems with socket activation were previously addressed in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872978, but it was an
incomplete fix.
