Bug#502444: marked as done (sshd fails at boot-time following reload by /etc/network/if-up.d/openssh-server presumably due to race condition)
Your message dated Wed, 14 Jan 2009 01:02:03 +0000
with message-id <E1LMu8x-0001Ev-ON@ries.debian.org>
and subject line Bug#502444: fixed in openssh 1:5.1p1-5
has caused the Debian Bug report #502444,
regarding sshd fails at boot-time following reload by /etc/network/if-up.d/openssh-server presumably due to race condition
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
502444: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502444
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: sshd fails at boot-time following reload by /etc/network/if-up.d/openssh-server presumably due to race condition
- From: Tim Small <tim@seoss.co.uk>
- Date: Thu, 16 Oct 2008 15:33:44 +0100
- Message-id: <20081016143344.4631.99809.reportbug@xeon1.latitudehosting.net>
Package: openssh-server
Version: 1:5.1p1-3
Severity: important
The sshd on this server exits before the boot process is complete on approx 70% of boots on this machine - presumably due to a race condition. It appears to die following the reload by /etc/network/if-up.d/openssh-server when the system is bringing up its network interfaces.
The same fault has been observed to occur at least once with the non-openvz standard 2.6.26-1 kernel.
The failure stops happening if:
- 'reload' is changed to 'restart' in /etc/network/if-up.d/openssh-server
- The debug level is increased in /etc/ssh/sshd_config (e.g. LogLevel VERBOSE, LogLevel DEBUG etc.)
Logging in on the console and issuing an "/etc/init.d/ssh restart" results in a message like "<PID Number> not running". The last message in
/var/log/auth.log is of the form:
Oct 16 14:58:19 xeon1 sshd[3065]: Server listening on :: port 22.
Oct 16 14:58:19 xeon1 sshd[3065]: Server listening on 0.0.0.0 port 22.
Oct 16 14:58:19 xeon1 sshd[3065]: Received SIGHUP; restarting.
No further messages are then logged by sshd, and nothing is listening on port 22:
On the occasions when the server reload works successfully, this is followed immediately by a message of the form:
Oct 16 <SAME TIME> xeon1 sshd[<NEWPID>]: Server listening on :: port 22.
Oct 16 <SAME TIME> xeon1 sshd[<NEWPID>]: Server listening on 0.0.0.0 port 22.
I'm speculating that receiving a SIGHUP at some point in sshd's normal restart process will cause it to fail to respawn (and that this is occurring on this machine when the ifup occurs on eth0, and eth1 in quick succession). Unfortunately on this box at least, turning up debugging causes the symptom to go away...
Thanks,
Tim.
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-1-openvz-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages openssh-server depends on:
ii adduser 3.110 add and remove users and groups
ii debconf [debconf-2.0] 1.5.22 Debian configuration management sy
ii dpkg 1.14.22 Debian package management system
ii libc6 2.7-14 GNU C Library: Shared libraries
ii libcomerr2 1.41.2-1 common error description library
ii libkrb53 1.6.dfsg.4~beta1-4 MIT Kerberos runtime libraries
ii libpam-modules 1.0.1-4+b1 Pluggable Authentication Modules f
ii libpam-runtime 1.0.1-4 Runtime support for the PAM librar
ii libpam0g 1.0.1-4+b1 Pluggable Authentication Modules l
ii libselinux1 2.0.65-5 SELinux shared libraries
ii libssl0.9.8 0.9.8g-13 SSL shared libraries
ii libwrap0 7.6.q-16 Wietse Venema's TCP wrappers libra
ii lsb-base 3.2-20 Linux Standard Base 3.2 init scrip
ii openssh-blacklist 0.4.1 list of default blacklisted OpenSS
ii openssh-client 1:5.1p1-3 secure shell client, an rlogin/rsh
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
Versions of packages openssh-server recommends:
pn openssh-blacklist-extra <none> (no description available)
pn xauth <none> (no description available)
Versions of packages openssh-server suggests:
pn molly-guard <none> (no description available)
pn rssh <none> (no description available)
pn ssh-askpass <none> (no description available)
-- debconf information:
ssh/vulnerable_host_keys:
ssh/new_config: true
* ssh/use_old_init_script: true
ssh/encrypted_host_key_but_no_keygen:
ssh/disable_cr_auth: false
--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:5.1p1-5
We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:
openssh-client-udeb_5.1p1-5_i386.udeb
to pool/main/o/openssh/openssh-client-udeb_5.1p1-5_i386.udeb
openssh-client_5.1p1-5_i386.deb
to pool/main/o/openssh/openssh-client_5.1p1-5_i386.deb
openssh-server-udeb_5.1p1-5_i386.udeb
to pool/main/o/openssh/openssh-server-udeb_5.1p1-5_i386.udeb
openssh-server_5.1p1-5_i386.deb
to pool/main/o/openssh/openssh-server_5.1p1-5_i386.deb
openssh_5.1p1-5.diff.gz
to pool/main/o/openssh/openssh_5.1p1-5.diff.gz
openssh_5.1p1-5.dsc
to pool/main/o/openssh/openssh_5.1p1-5.dsc
ssh-askpass-gnome_5.1p1-5_i386.deb
to pool/main/o/openssh/ssh-askpass-gnome_5.1p1-5_i386.deb
ssh-krb5_5.1p1-5_all.deb
to pool/main/o/openssh/ssh-krb5_5.1p1-5_all.deb
ssh_5.1p1-5_all.deb
to pool/main/o/openssh/ssh_5.1p1-5_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 502444@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 14 Jan 2009 00:34:08 +0000
Source: openssh
Binary: openssh-client openssh-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source all i386
Version: 1:5.1p1-5
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
openssh-client - secure shell client, an rlogin/rsh/rcp replacement
openssh-client-udeb - secure shell client for the Debian installer (udeb)
openssh-server - secure shell server, an rshd replacement
openssh-server-udeb - secure shell server for the Debian installer (udeb)
ssh - secure shell client and server (metapackage)
ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
ssh-krb5 - secure shell client and server (transitional package)
Closes: 502444
Changes:
openssh (1:5.1p1-5) unstable; urgency=low
.
* Backport from upstream CVS (Markus Friedl):
- packet_disconnect() on padding error, too. Should reduce the success
probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18.
* Check that /var/run/sshd.pid exists and that the process ID listed there
corresponds to sshd before running '/etc/init.d/ssh reload' from if-up
script; SIGHUP is racy if called at boot before sshd has a chance to
install its signal handler, but fortunately the pid file is written
after that which lets us avoid the race (closes: #502444).
* While the above is a valuable sanity-check, it turns out that it doesn't
really fix the bug (thanks to Kevin Price for testing), so for the
meantime we'll just use '/etc/init.d/ssh restart', even though it is
unfortunately heavyweight.
Package-Type: udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer
iD8DBQFJbTbg9t0zAhD6TNERApBnAJ0ZY8W4HW2uqAReHECdSjodIP9EwwCdFEHk
cwQiqjV3QoofCLFSma6g6rI=
=aI8k
-----END PGP SIGNATURE-----
--- End Message ---
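The pid-file sanity check described in the changelog above, as an added shell example that is not the Debian package's own script: the hook reloads only when the pid file exists and the PID in it belongs to a live process with the expected name. The function names, the `skip` outcome and the use of Linux's `/proc/PID/comm` are assumptions; the changelog itself notes that this check did not fully fix #502444, so the package fell back to `restart`.

```shell
#!/bin/sh
# Added example, not the openssh package's if-up.d script.
# POSIX sh has no 'local', so the helper variables below are global.

# pidfile_is_daemon PIDFILE NAME
# Succeeds only if PIDFILE holds the PID of a live process called NAME.
pidfile_is_daemon() {
    pidfile=$1
    name=$2

    # No pid file: the daemon is not running or has not finished starting.
    # Per the changelog, sshd writes the file after installing its SIGHUP
    # handler, so a missing file means a signal now could kill it.
    [ -r "$pidfile" ] || return 1

    # Take the first line only and insist on a plain decimal PID.
    pid=
    read -r pid < "$pidfile" || [ -n "$pid" ] || return 1
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac

    # Stale pid file: the recorded process no longer exists.
    [ -r "/proc/$pid/comm" ] || return 1

    # PID reuse: the process exists but is not the daemon (Linux-specific;
    # /proc/PID/comm holds the executable name).
    comm=
    read -r comm < "/proc/$pid/comm" || [ -n "$comm" ] || return 1
    [ "$comm" = "$name" ]
}

# hook_action PIDFILE NAME
# Prints "reload" when signalling is safe, "skip" otherwise (assumed policy).
hook_action() {
    if pidfile_is_daemon "$1" "$2"; then
        echo reload
    else
        echo skip
    fi
}

# Stand-alone use, e.g.: sh check.sh /var/run/sshd.pid sshd
if [ "$#" -gt 0 ]; then
    hook_action "$@"
fi
```
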