
Bug#764799: openssh-server: sshd segfaults after connecting from remote client



Package: openssh-server
Version: 1:6.7p1-2
Severity: important

Dear Maintainer,

The issue started after upgrading to the 6.7p1-2 openssh-server
package. 

I was connecting from different clients (openssh, putty) from
different machines, and each connection resulted in this error in
/var/log/syslog:
kernel: [86408.871163] sshd[51390]: segfault at fffffff8 ip 00007f358d713414 sp 00007fff82af5f48 error 4 in libc-2.19.so[7f358d697000+19f000]

client session output:
> ssh -vv localhost
OpenSSH_6.7p1 Debian-2, OpenSSL 1.0.1i 6 Aug 2014
debug1: Reading configuration data /home/USER1/.ssh/config
debug1: /home/USER1/.ssh/config line 12: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: auto-mux: Trying existing master
debug1: Control socket "/home/USER1/.ssh/sockets/USER1@localhost:22" does not exist
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug2: fd 3 setting O_NONBLOCK
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug1: identity file /home/USER1/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/USER1/.ssh/id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7p1 Debian-2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1
debug1: match: OpenSSH_6.7p1 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes256-ctr,blowfish-cbc,3des-cbc
debug2: kex_parse_kexinit: aes256-ctr,blowfish-cbc,3des-cbc
debug2: kex_parse_kexinit: hmac-ripemd160,hmac-sha1,hmac-md5
debug2: kex_parse_kexinit: hmac-ripemd160,hmac-sha1,hmac-md5
debug2: kex_parse_kexinit: zlib@openssh.com,zlib,none
debug2: kex_parse_kexinit: zlib@openssh.com,zlib,none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256
debug2: kex_parse_kexinit: ecdsa-sha2-nistp521,ssh-rsa
debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
debug2: kex_parse_kexinit: umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,hmac-sha1
debug2: kex_parse_kexinit: umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,hmac-sha1
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: setup hmac-ripemd160
debug1: kex: server->client aes256-ctr hmac-ripemd160 zlib@openssh.com
debug2: mac_setup: setup hmac-ripemd160
debug1: kex: client->server aes256-ctr hmac-ripemd160 zlib@openssh.com
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 25:81:6a:df:3a:65:33:2b:ae:51:53:50:47:24:8d:c3
debug1: Forcing accepting of host key for loopback/localhost.
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/USER1/.ssh/id_rsa (0x7f7c82e0f570), explicit
Connection closed by 127.0.0.1
Exit 255

My sshd_config:
# cat /etc/ssh/sshd_config | egrep -v '^#' | cat -s

Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_rsa_key
UsePrivilegeSeparation sandbox #yes

KeyRegenerationInterval 3600
ServerKeyBits 1024

SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 20s
PermitRootLogin no #forced-commands-only
StrictModes yes

RSAAuthentication no
PubkeyAuthentication yes

IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts yes

PermitEmptyPasswords no
ChallengeResponseAuthentication no

PasswordAuthentication no

KerberosAuthentication no

GSSAPIAuthentication no

X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
PrintLastLog yes
TCPKeepAlive yes

MaxStartups 3:50:20
UsePAM no
UseDNS no

AllowAgentForwarding no
AllowTcpForwarding yes
Banner none
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
ClientAliveCountMax 3
ClientAliveInterval 1m
Compression delayed
DebianBanner no
MACs umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,hmac-sha1
MaxAuthTries 2
MaxSessions 5
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256
PermitOpen none
PermitTunnel no
RekeyLimit 2G 8h

AllowUsers user1 user2 user3 user4

Match user user1,user2
  PasswordAuthentication yes
  #X11Forwarding yes
  #X11DisplayOffset 10
  PermitOpen any
  MaxSessions 10

Match user userf
  PasswordAuthentication yes
  MaxSessions 3
  ForceCommand internal-sftp
  ChrootDirectory /home/userf
#----------------- end of sshd_config

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (600, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.ISO-8859-2 (charmap=ISO-8859-2)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-server depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.53
ii  dpkg                   1.17.16
ii  init-system-helpers    1.21
ii  libc6                  2.19-11
ii  libcomerr2             1.42.12-1
ii  libgssapi-krb5-2       1.12.1+dfsg-10
ii  libkrb5-3              1.12.1+dfsg-10
ii  libpam-modules         1.1.8-3.1
ii  libpam-runtime         1.1.8-3.1
ii  libpam0g               1.1.8-3.1
ii  libselinux1            2.3-2
ii  libssl1.0.0            1.0.1i-2
ii  libwrap0               7.6.q-25
ii  lsb-base               4.1+Debian13
ii  openssh-client         1:6.7p1-2
ii  openssh-sftp-server    1:6.7p1-2
ii  procps                 2:3.3.9-8
ii  zlib1g                 1:1.2.8.dfsg-2

Versions of packages openssh-server recommends:
ii  ncurses-term  5.9+20140913-1
pn  xauth         <none>

Versions of packages openssh-server suggests:
pn  molly-guard   <none>
pn  monkeysphere  <none>
pn  rssh          <none>
pn  ssh-askpass   <none>
pn  ufw           <none>

-- debconf information:
  ssh/encrypted_host_key_but_no_keygen:
  ssh/disable_cr_auth: false
  ssh/new_config: true
  ssh/vulnerable_host_keys:
  openssh-server/permit-root-login: false
* ssh/use_old_init_script: true

