7.5 is now in artful. https://launchpad.net/ubuntu/+source/openssh/1:7.5p1-2

** Changed in: openssh (Ubuntu Artful)
       Status: Triaged => Fix Released

** Changed in: openssh (Ubuntu Zesty)
     Assignee: (unassigned) => Dimitri John Ledkov (xnox)

** Changed in: openssh (Ubuntu Zesty)
    Milestone: None => zesty-updates

** Changed in: openssh (Ubuntu Zesty)
       Status: New => Triaged

** Changed in: openssh (Ubuntu Zesty)
   Importance: Undecided => High

https://bugs.launchpad.net/bugs/1686618

Title:
  ssh connection attempts fail if hw crypto support on s390x is enabled
  on 17.04

Status in Ubuntu on IBM z Systems:
  Triaged
Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Zesty:
  Triaged
Status in openssh source package in Artful:
  Fix Released

Bug description:
  short:
  after investigations the following commits are needed by openssh-server version 7.4p1 that is part of 17.04:
  - 5f1596e11d55539678c41f68aed358628d33d86f
  - 9e96b41682aed793fadbea5ccd472f862179fb02
  on master branch in https://github.com/openssh/openssh-portable
  that belong to openssh 7.5 release notes statement: "sshd(8): Avoid sandbox errors for Linux S390 systems using an ICA crypto coprocessor."
  __________

  long:
  enable z hw crypto support for openssh on an Ubuntu host (zlin42) on s390x like this:

    sudo apt-get install openssl-ibmca libica-utils libica2
    sudo tee -a /etc/ssl/openssl.cnf < /usr/share/doc/openssl-ibmca/examples/openssl.cnf.sample
    sudo sed -i 's/^\(openssl_conf = openssl_def.*$\)/# \1/g' /etc/ssl/openssl.cnf
    sudo sed -i '10i openssl_conf = openssl_def' /etc/ssl/openssl.cnf

  afterwards ssh login attempts fail:

    $ ssh ubuntu@zlin42
    ubuntu@zlin42's password:
    Connection to zlin42 closed by remote host.
    Connection to zlin42 closed.

  the normal logs don't provide any interesting details:

  with log:
    Apr 24 12:37:52 zlin42 kernel: [933567.994312] audit: type=1326 audit(1493051872.112:29): auid=4294967295 uid=107 gid=65534 ses=4294967295 pid=25105 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=80000016 syscall=201 compat=0 ip=0x3ffb8a3fb32 code=0x0

  Verbose:
    OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g 1 Mar 2016
    debug1: Reading configuration data /home/fheimes/.ssh/config
    debug1: /home/fheimes/.ssh/config line 6: Deprecated option "useroaming"
    debug1: /home/fheimes/.ssh/config line 7: Applying options for *
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 19: Applying options for *
    debug1: Connecting to 10.245.208.7 [10.245.208.7] port 22.
    debug1: Connection established.
    debug1: identity file /home/fheimes/.ssh/id_rsa type 1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/fheimes/.ssh/id_rsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/fheimes/.ssh/id_dsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/fheimes/.ssh/id_dsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/fheimes/.ssh/id_ecdsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/fheimes/.ssh/id_ecdsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/fheimes/.ssh/id_ed25519 type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/fheimes/.ssh/id_ed25519-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4p1 Ubuntu-10
    debug1: match: OpenSSH_7.4p1 Ubuntu-10 pat OpenSSH* compat 0x04000000
    debug1: Authenticating to 10.245.208.7:22 as 'ubuntu'
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: algorithm: curve25519-sha...@libssh.org
    debug1: kex: host key algorithm: ecdsa-sha2-nistp256
    debug1: kex: server->client cipher: chacha20-poly1...@openssh.com MAC: <implicit> compression: none
    debug1: kex: client->server cipher: chacha20-poly1...@openssh.com MAC: <implicit> compression: none
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: ecdsa-sha2-nistp256 SHA256:ss9j12+jMMKL9u2vxNeb3XjOeH0E9lw24IG5LxUeJXk
    debug1: Host '10.245.208.7' is known and matches the ECDSA host key.
    debug1: Found key in /home/fheimes/.ssh/known_hosts:87
    debug1: rekey after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: rekey after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_EXT_INFO received
    debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: /home/fheimes/.ssh/id_rsa
    debug1: Authentications that can continue: publickey,password
    debug1: Trying private key: /home/fheimes/.ssh/id_dsa
    debug1: Trying private key: /home/fheimes/.ssh/id_ecdsa
    debug1: Trying private key: /home/fheimes/.ssh/id_ed25519
    debug1: Next authentication method: password
    ubuntu@10.245.208.7's password:
    debug1: Authentication succeeded (password).
    Authenticated to 10.245.208.7 ([10.245.208.7]:22).
    debug1: channel 0: new [client-session]
    debug1: Requesting no-more-sessi...@openssh.com
    debug1: Entering interactive session.
    debug1: pledge: network
    debug1: channel 0: free: client-session, nchannels 1
    Connection to 10.245.208.7 closed by remote host.
    Connection to 10.245.208.7 closed.
    Transferred: sent 2084, received 1596 bytes, in 0.0 seconds
    Bytes per second: sent 10518567.4, received 8055486.4
    debug1: Exit status -1

  but loglevel verbose points to this issue:
  "fatal: privsep_preauth: preauth child terminated by signal 31"

  syslog:
    Apr 26 12:39:18 s1lp15 kernel: [12676.655977] audit: type=1326 audit(1493224758.414:99): auid=4294967295 uid=107 gid=65534 ses=4294967295 pid=12380 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=80000016 syscall=201 compat=0 ip=0x3ff850bfb32 code=0x0

  authlog:
    Apr 26 12:38:40 s1lp15 sshd[12323]: Connection from 10.172.194.66 port 51512 on 10.245.236.15 port 22
    Apr 26 12:38:40 s1lp15 sshd[12323]: Failed publickey for ubuntu from 10.172.194.66 port 51512 ssh2: RSA SHA256:joGsdfW7NbJRkg17sRyXaegoR0iZEdDWdR9Hpbc2KIw
    Apr 26 12:38:43 s1lp15 sshd[12323]: Accepted password for ubuntu from 10.172.194.66 port 51512 ssh2
    Apr 26 12:38:43 s1lp15 sshd[12323]: fatal: privsep_preauth: preauth child terminated by signal 31
    Apr 26 12:39:15 s1lp15 sshd[12379]: Connection from 10.172.194.66 port 51534 on 10.245.236.15 port 22
    Apr 26 12:39:16 s1lp15 sshd[12379]: Failed publickey for ubuntu from 10.172.194.66 port 51534 ssh2: RSA SHA256:joGsdfW7NbJRkg17sRyXaegoR0iZEdDWdR9Hpbc2KIw
    Apr 26 12:39:18 s1lp15 sshd[12379]: Accepted password for ubuntu from 10.172.194.66 port 51534 ssh2
    Apr 26 12:39:18 s1lp15 sshd[12379]: fatal: privsep_preauth: preauth child terminated by signal 31

  compared to a system with hw crypto disabled (means ssh working):

  syslog:
    Apr 26 12:42:04 s1lp15 systemd[1]: Started Session 30 of user ubuntu.

  authlog:
    Apr 26 12:42:01 s1lp15 sshd[12542]: Connection from 10.172.194.66 port 51658 on 10.245.236.15 port 22
    Apr 26 12:42:02 s1lp15 sshd[12542]: Failed publickey for ubuntu from 10.172.194.66 port 51658 ssh2: RSA SHA256:joGsdfW7NbJRkg17sRyXaegoR0iZEdDWdR9Hpbc2KIw
    Apr 26 12:42:04 s1lp15 sshd[12542]: Accepted password for ubuntu from 10.172.194.66 port 51658 ssh2
    Apr 26 12:42:04 s1lp15 sshd[12542]: pam_unix(sshd:session): session opened for user ubuntu by (uid=0)
    Apr 26 12:42:04 s1lp15 systemd-logind[1167]: New session 30 of user ubuntu.
    Apr 26 12:42:09 s1lp15 sshd[12542]: User child is on pid 12605
    Apr 26 12:42:09 s1lp15 sshd[12605]: Starting session: shell on pts/5 for ubuntu from 10.172.194.66 port 51658 id 0

  Workaround:
  in /etc/ssh/sshd_config change:
    #UsePrivilegeSeparation sandbox
  to:
    UsePrivilegeSeparation yes

  So it's an issue with the sandbox / seccomp that got fixed in openssh 7.5
  release notes:
  "sshd(8): Avoid sandbox errors for Linux S390 systems using an ICA crypto coprocessor."

  corresponding patches/commits:
  master branch https://github.com/openssh/openssh-portable
  - 5f1596e11d55539678c41f68aed358628d33d86f
  - 9e96b41682aed793fadbea5ccd472f862179fb02
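
Added example (not part of the bug report and not OpenSSH or Ubuntu code): a small Python triage script that decodes the kernel seccomp audit records (type=1326) quoted in the report and pairs them with sshd's privsep fatal message per host. The function names and the ELF machine table are this example's own assumptions; the sample lines are copied from the report.

```python
import re

# Sample input: log lines copied from the bug report above.
SAMPLE = """\
Apr 24 12:37:52 zlin42 kernel: [933567.994312] audit: type=1326 audit(1493051872.112:29): auid=4294967295 uid=107 gid=65534 ses=4294967295 pid=25105 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=80000016 syscall=201 compat=0 ip=0x3ffb8a3fb32 code=0x0
Apr 26 12:39:18 s1lp15 kernel: [12676.655977] audit: type=1326 audit(1493224758.414:99): auid=4294967295 uid=107 gid=65534 ses=4294967295 pid=12380 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=80000016 syscall=201 compat=0 ip=0x3ff850bfb32 code=0x0
Apr 26 12:39:18 s1lp15 sshd[12379]: fatal: privsep_preauth: preauth child terminated by signal 31
Apr 26 12:42:04 s1lp15 sshd[12542]: Accepted password for ubuntu from 10.172.194.66 port 51658 ssh2
"""

# ELF e_machine numbers found in the low bits of an AUDIT_ARCH_* value.
EM = {3: "i386", 21: "ppc64", 22: "s390", 40: "arm", 62: "x86_64", 183: "aarch64"}
SIGSYS = 31  # signal delivered when a seccomp filter kills the caller

def decode_arch(hex_arch):
    """Split an AUDIT_ARCH_* value into (ELF machine, word size, endianness)."""
    v = int(hex_arch, 16)
    return (EM.get(v & 0xFFFF, "unknown"),
            64 if v & 0x80000000 else 32,        # __AUDIT_ARCH_64BIT
            "little" if v & 0x40000000 else "big")  # __AUDIT_ARCH_LE

def seccomp_kills(log):
    """Return one dict per kernel SECCOMP audit record (type=1326) with sig=31."""
    out = []
    for line in log.splitlines():
        if " audit: type=1326 " not in line:
            continue
        f = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
        if int(f["sig"]) != SIGSYS:
            continue
        out.append({"host": line.split()[3], "pid": int(f["pid"]),
                    "comm": f["comm"].strip('"'), "syscall": int(f["syscall"]),
                    "arch": decode_arch(f["arch"])})
    return out

def confirmed_hosts(log):
    """Hosts showing both an sshd SIGSYS audit record and the privsep fatal line."""
    killed = {k["host"] for k in seccomp_kills(log) if k["comm"] == "sshd"}
    fatal = {l.split()[3] for l in log.splitlines()
             if "privsep_preauth: preauth child terminated by signal 31" in l}
    return sorted(killed & fatal)

if __name__ == "__main__":
    for k in seccomp_kills(SAMPLE):
        print(k)
    print("sandbox violation confirmed on:", confirmed_hosts(SAMPLE))
```

The syscall number in these records is architecture-specific, so 201 has to be resolved against the s390x syscall table (for example with ausyscall from the audit tools), not an x86 one.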