Bug#764799: openssh-server: sshd segfaults after connecting from remote client
Package: openssh-server
Version: 1:6.7p1-2
Severity: important
Dear Maintainer,
The issue started after upgrading to the 6.7p1-2 openssh-server
package.
I was connecting from different clients (openssh, putty) from
different machines and each connection resulted in this error in the
/var/log/syslog :
kernel: [86408.871163] sshd[51390]: segfault at fffffff8 ip
00007f358d713414 sp 00007fff82af5f48 error 4 in
libc-2.19.so[7f358d697000+19f000]
client session output:
> ssh -vv localhost
OpenSSH_6.7p1 Debian-2, OpenSSL 1.0.1i 6 Aug 2014
debug1: Reading configuration data /home/USER1/.ssh/config
debug1: /home/USER1/.ssh/config line 12: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: auto-mux: Trying existing master
debug1: Control socket "/home/USER1/.ssh/sockets/USER1@localhost:22" does not exist
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug2: fd 3 setting O_NONBLOCK
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug1: identity file /home/USER1/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/USER1/.ssh/id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7p1 Debian-2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 debug1: match: OpenSSH_6.7p1 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman
-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-c
ert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-d
ss
debug2: kex_parse_kexinit: aes256-ctr,blowfish-cbc,3des-cbc
debug2: kex_parse_kexinit: aes256-ctr,blowfish-cbc,3des-cbc
debug2: kex_parse_kexinit: hmac-ripemd160,hmac-sha1,hmac-md5
debug2: kex_parse_kexinit: hmac-ripemd160,hmac-sha1,hmac-md5 debug2: kex_parse_kexinit: zlib@openssh.com,zlib,none
debug2: kex_parse_kexinit: zlib@openssh.com,zlib,none debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman
-group-exchange-sha256
debug2: kex_parse_kexinit: ecdsa-sha2-nistp521,ssh-rsa
debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
debug2: kex_parse_kexinit: umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,hmac-sha1
debug2: kex_parse_kexinit: umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,hmac-sha1
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: setup hmac-ripemd160
debug1: kex: server->client aes256-ctr hmac-ripemd160 zlib@openssh.com
debug2: mac_setup: setup hmac-ripemd160 debug1: kex: client->server aes256-ctr hmac-ripemd160 zlib@openssh.com
debug1: sending SSH2_MSG_KEX_ECDH_INIT debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 25:81:6a:df:3a:65:33:2b:ae:51:53:50:47:24:8d:c3
debug1: Forcing accepting of host key for loopback/localhost.
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/USER1/.ssh/id_rsa (0x7f7c82e0f570), explicit
Connection closed by 127.0.0.1
Exit 255
My sshd_config:
# cat /etc/ssh/sshd_config | egrep -v '^#' | cat -s
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_rsa_key
UsePrivilegeSeparation sandbox #yes
KeyRegenerationInterval 3600
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 20s
PermitRootLogin no #forced-commands-only
StrictModes yes
RSAAuthentication no
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
PrintLastLog yes
TCPKeepAlive yes
MaxStartups 3:50:20
UsePAM no
UseDNS no
AllowAgentForwarding no
AllowTcpForwarding yes
Banner none
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
ClientAliveCountMax 3
ClientAliveInterval 1m
Compression delayed
DebianBanner no
MACs umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,hmac-sha1
MaxAuthTries 2
MaxSessions 5
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256
PermitOpen none
PermitTunnel no
RekeyLimit 2G 8h
AllowUsers user1 user2 user3 user4
Match user user1,user2
PasswordAuthentication yes
#X11Forwarding yes
#X11DisplayOffset 10
PermitOpen any
MaxSessions 10
Match user userf
PasswordAuthentication yes
MaxSessions 3
ForceCommand internal-sftp
ChrootDirectory /home/userf
#----------------- end of sshd_config
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (600, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.14-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.ISO-8859-2 (charmap=ISO-8859-2)
Shell: /bin/sh linked to /bin/dash
Versions of packages openssh-server depends on:
ii adduser 3.113+nmu3
ii debconf [debconf-2.0] 1.5.53
ii dpkg 1.17.16
ii init-system-helpers 1.21
ii libc6 2.19-11
ii libcomerr2 1.42.12-1
ii libgssapi-krb5-2 1.12.1+dfsg-10
ii libkrb5-3 1.12.1+dfsg-10
ii libpam-modules 1.1.8-3.1
ii libpam-runtime 1.1.8-3.1
ii libpam0g 1.1.8-3.1
ii libselinux1 2.3-2
ii libssl1.0.0 1.0.1i-2
ii libwrap0 7.6.q-25
ii lsb-base 4.1+Debian13
ii openssh-client 1:6.7p1-2
ii openssh-sftp-server 1:6.7p1-2
ii procps 2:3.3.9-8
ii zlib1g 1:1.2.8.dfsg-2
Versions of packages openssh-server recommends:
ii ncurses-term 5.9+20140913-1
pn xauth <none>
Versions of packages openssh-server suggests:
pn molly-guard <none>
pn monkeysphere <none>
pn rssh <none>
pn ssh-askpass <none>
pn ufw <none>
-- debconf information:
ssh/encrypted_host_key_but_no_keygen:
ssh/disable_cr_auth: false
ssh/new_config: true
ssh/vulnerable_host_keys:
openssh-server/permit-root-login: false
* ssh/use_old_init_script: true
Reply to: