Bug#778807: "kernel: [537088.405962] traps: sshd[27582] general protection ip:7f349cde6664 sp:7fffaf183ee8 error:0 in libc-2.19.so[7f349cd6a000+19f000]" when PermitOpen=none
Package: openssh-server
Version: 1:6.7p1-3
Severity: important
Tags: upstream
Forwarded: https://bugzilla.mindrot.org/show_bug.cgi?id=2355
Hey.
I found a "special" situation in which ssh connections crash every few
tries and sometimes (but not always) one gets any of these along:
[527879.021049] traps: sshd[14583] general protection ip:7fbc7f04a664 sp:7fff3939fe58 error:0 in libc-2.19.so[7fbc7efce000+19f000]
[527945.727953] traps: sshd[14660] general protection ip:7f069558d664 sp:7fffc4223c88 error:0 in libc-2.19.so[7f0695511000+19f000]
[528046.264330] traps: sshd[14826] general protection ip:7f1b26eed664 sp:7fff521d7178 error:0 in libc-2.19.so[7f1b26e71000+19f000]
[536582.887955] traps: sshd[26078] general protection ip:7f96158b4664 sp:7fff2fef4a08 error:0 in libc-2.19.so[7f9615838000+19f000]
[536628.489940] traps: sshd[26206] general protection ip:7f9cc14a9664 sp:7fffdacfb478 error:0 in libc-2.19.so[7f9cc142d000+19f000]
[536734.550558] traps: sshd[26320] general protection ip:7f260fc18664 sp:7ffffb25be88 error:0 in libc-2.19.so[7f260fb9c000+19f000]
[536841.887230] traps: sshd[26513] general protection ip:7f168b350664 sp:7fff8a85a2c8 error:0 in libc-2.19.so[7f168b2d4000+19f000]
[536860.256030] traps: sshd[26572] general protection ip:7fba93937664 sp:7ffffcf18928 error:0 in libc-2.19.so[7fba938bb000+19f000]
[536949.787928] sshd[27137]: segfault at 8100000038 ip 00007f84523e666 sp 00007fff2cc1d908 error 4 in libc-2.19.so[7f845236a000+19f000]
[537088.405962] traps: sshd[27582] general protection ip:7f349cde6664 sp:7fffaf183ee8 error:0 in libc-2.19.so[7f349cd6a000+19f000]
What I do is basically the following:
Having sshd running (my sshd_config is attached), and gitolite3
(from sid) installed.
Gitolite (which I use with the "git" username) in turn has entries
like these:
command="/usr/share/gitolite3/gitolite-shell admin",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 ...
in its authorized_key files
Then I repeatedly do:
$ ssh git@myserver info
Sometimes this works and I get:
> hello someName, this is git@myserver running gitolite3 3.6.1-3 (Debian) on git 2.1.4
But more than every 2nd time it fails and I get
> Write failed: Broken pipe
Sometimes (not always) with a general protection or segfault.
From my sshd_config, which uses a Match block for the git
user (for reasons of hardening), I found that the
> PermitOpen none
line is the cause of the problem
When I comment it, then the connections *always* succeed (well at least
from about ~20 successive tries).
I should probably further notice: systemd/logind/PAM is used (not sure
if this could somehow interfere).
Also, I'm a bit unsure whether the "main" sshd is crashing or whether
it's just the processes of the sessions.
I didn't manually restart sshd, but it might be that systemd does that
automatically? How would I find out?
So some bug is hidden there...
Cheers,
Chris
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_DE.utf8, LC_CTYPE=en_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages openssh-server depends on:
ii adduser 3.113+nmu3
ii debconf [debconf-2.0] 1.5.55
ii dpkg 1.17.23
ii init-system-helpers 1.22
ii libc6 2.19-15
ii libcomerr2 1.42.12-1
ii libgssapi-krb5-2 1.12.1+dfsg-18
ii libkrb5-3 1.12.1+dfsg-18
ii libpam-modules 1.1.8-3.1
ii libpam-runtime 1.1.8-3.1
ii libpam0g 1.1.8-3.1
ii libselinux1 2.3-2
ii libssl1.0.0 1.0.1k-1
ii libwrap0 7.6.q-25
ii lsb-base 4.1+Debian13+nmu1
ii openssh-client 1:6.7p1-3
ii openssh-sftp-server 1:6.7p1-3
ii procps 2:3.3.9-8
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages openssh-server recommends:
ii ncurses-term 5.9+20140913-1
ii xauth 1:1.0.9-1
Versions of packages openssh-server suggests:
pn molly-guard <none>
pn monkeysphere <none>
ii rssh 2.3.4-4+b1
pn ssh-askpass <none>
pn ufw <none>
-- debconf information excluded
#*******************************************************************************
#*** General ***
#*******************************************************************************
##LogLevel INFO
##SyslogFacility AUTH
##PidFile /var/run/sshd.pid
##StrictModes yes
#*******************************************************************************
#*** System Techniques ***
#*******************************************************************************
UsePrivilegeSeparation sandbox
#*******************************************************************************
#*** Networking ***
#*******************************************************************************
##AddressFamily any
##Port 22
ListenAddress localhost
ListenAddress ip6-localhost
ListenAddress foobar
TCPKeepAlive no
##IPQoS lowdelay throughput
##UseDNS yes
##MaxStartups 10:30:100
##MaxSessions 10
#*******************************************************************************
#*** Secure Shell (SSH) Protocol ***
#*******************************************************************************
Protocol 2
##VersionAddendum none
##DebianBanner yes
##Banner
Compression no
ClientAliveInterval 15
ClientAliveCountMax 8
GSSAPIKeyExchange no
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
ServerKeyBits 4096
KeyRegenerationInterval 10m
RekeyLimit default 1h
#*******************************************************************************
#*** Server Authentication ***
#*******************************************************************************
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_rsa_key
#Note: SSH Version 2 DSA host keys are implicitly disabled.
##HostKey /etc/ssh/ssh_host_dsa_key
#Note: SSH Version 1 RSA host keys are implicitly disabled.
##HostKey /etc/ssh/ssh_host_key
##HostKeyAgent
##HostCertificate
#*******************************************************************************
#*** Client Authentication Methods ***
#*******************************************************************************
PasswordAuthentication no
PermitEmptyPasswords no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
RhostsRSAAuthentication no
HostbasedAuthentication no
HostbasedUsesNameFromPacketOnly no
KerberosAuthentication no
KerberosOrLocalPasswd no
##KerberosGetAFSToken no
##KerberosTicketCleanup yes
GSSAPIAuthentication no
GSSAPIStrictAcceptorCheck yes
##GSSAPIStoreCredentialsOnRekey no
##GSSAPICleanupCredentials yes
RSAAuthentication no
PubkeyAuthentication yes
IgnoreUserKnownHosts yes
IgnoreRhosts yes
#*******************************************************************************
#*** Client Authentication And Authorisation ***
#*******************************************************************************
AuthenticationMethods publickey
LoginGraceTime 60
MaxAuthTries 4
##RevokedKeys
##AuthorizedKeysCommand none
AuthorizedKeysCommandUser invalid
AuthorizedKeysFile .ssh/authorized_keys
##TrustedUserCAKeys
##AuthorizedPrincipalsFile
#Note: These directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, AllowGroups
##DenyUsers
AllowUsers root git
##DenyGroups
##AllowGroups *
PermitRootLogin without-password
#*******************************************************************************
#*** Session ***
#*******************************************************************************
UsePAM yes
##UseLogin no
##PermitTTY yes
##AllowAgentForwarding yes
##PermitUserRC yes
AcceptEnv LANG LC_ALL LC_ADDRESS LC_COLLATE LC_CTYPE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME
PermitUserEnvironment no
##PrintLastLog yes
PrintMotd no
##ChrootDirectory
##ForceCommand
#*******************************************************************************
#*** Forwarding ***
#*******************************************************************************
##AllowStreamLocalForwarding yes
StreamLocalBindMask 0177
StreamLocalBindUnlink no
##AllowTcpForwarding yes
##PermitOpen any
PermitTunnel no
X11Forwarding yes
X11UseLocalhost yes
##X11DisplayOffset 10
##XAuthLocation /usr/bin/xauth
GatewayPorts no
#*******************************************************************************
#*** Subsystems ***
#*******************************************************************************
Subsystem sftp /usr/lib/openssh/sftp-server
#*******************************************************************************
#*** Conditional Directive Blocks ***
#*******************************************************************************
#for the user “git” used with Gitolite
Match User git
#Note: Gitolite via SSH must only be used with the public key authentication method, therefore the following completely disables all others. However, the former isn’t explicitly enabled here, but rather “inherited” from the “global” configuration.
PasswordAuthentication no
PermitEmptyPasswords no
KbdInteractiveAuthentication no
RhostsRSAAuthentication no
HostbasedAuthentication no
HostbasedUsesNameFromPacketOnly no
KerberosAuthentication no
GSSAPIAuthentication no
RSAAuthentication no
###PubkeyAuthentication yes
AuthenticationMethods publickey
#Note: As of now, Gitolite doesn’t make use of an “authorized keys command”. It could have been “inherited” from the “global” configuration, therefore the following disables it explicitly.
AuthorizedKeysCommand none
AuthorizedKeysCommandUser invalid
#Note: Gitolite always expects the authorized keys to be found at “~/.ssh/authorized_keys”. A different value could have been “inherited” from the “global” configuration, therefore the following sets it explicitly.
AuthorizedKeysFile .ssh/authorized_keys
#Note: The following makes sure that it is really the user “git” which is used and that it isn’t an “alias for root” (in other words: any user name having the user ID 0).
AllowUsers git
PermitRootLogin no
#Note: The following restricts miscellaneous things which shouldn’t be necessary for respectively used with git or Gitolite.
PermitTTY no
AllowAgentForwarding no
PermitUserRC no
AcceptEnv LANG LC_ALL LC_ADDRESS LC_COLLATE LC_CTYPE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME
AllowStreamLocalForwarding no
StreamLocalBindMask 0777
StreamLocalBindUnlink no
AllowTcpForwarding no
PermitOpen none
PermitTunnel no
X11Forwarding no
X11UseLocalhost yes
GatewayPorts no
#Note: The following effectively forbids SSH channel multiplexing, which might have security implications (simplified: further channels “inherit” some parameters from the initiating one) if allowed.
MaxSessions 1
#TODO: Consider running Gitolite from within a chroot.
#ChrootDirectory
#TODO: Currently, “ForceCommand” cannot be used with Gitolite, but reconsider this once it should become possible.
#ForceCommand
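
Added example, not part of the original report: a triage helper that turns the ASLR-randomised `ip` values from the kernel lines quoted above into offsets inside the mapped module, so repeated crashes can be compared across processes. The three sample lines are copied from the report; the function names are this example's own, and a line whose `ip`, as it appears on this page, lies outside the stated mapping is counted separately instead of being guessed at.

```python
import re
from collections import Counter

# Three lines copied from the report above (two trap lines and the segfault line).
SAMPLE = """\
[527879.021049] traps: sshd[14583] general protection ip:7fbc7f04a664 sp:7fff3939fe58 error:0 in libc-2.19.so[7fbc7efce000+19f000]
[536949.787928] sshd[27137]: segfault at 8100000038 ip 00007f84523e666 sp 00007fff2cc1d908 error 4 in libc-2.19.so[7f845236a000+19f000]
[537088.405962] traps: sshd[27582] general protection ip:7f349cde6664 sp:7fffaf183ee8 error:0 in libc-2.19.so[7f349cd6a000+19f000]
"""

# Handles both kernel formats: "traps: comm[pid] ... ip:X" and "comm[pid]: segfault ... ip X".
LINE = re.compile(
    r"(?:traps: )?(?P<comm>\S+)\[(?P<pid>\d+)\]:? (?P<kind>general protection|segfault)"
    r".*? ip[: ](?P<ip>[0-9a-f]+) .*? in (?P<mod>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)


def parse(line):
    """Return pid, fault kind, module and module-relative offset, or None if no match."""
    m = LINE.search(line)
    if not m:
        return None
    ip, base, size = (int(m[k], 16) for k in ("ip", "base", "size"))
    inside = base <= ip < base + size  # ip must fall within [base, base+size)
    return {"pid": int(m["pid"]), "kind": m["kind"], "module": m["mod"],
            "offset": ip - base if inside else None}


def summarize(text):
    """Count faults per (module, offset); offset None means ip was outside the mapping."""
    recs = [r for r in map(parse, text.splitlines()) if r]
    return Counter((r["module"], r["offset"]) for r in recs)


if __name__ == "__main__":
    for (module, offset), n in summarize(SAMPLE).items():
        where = hex(offset) if offset is not None else "ip outside stated mapping"
        print(f"{n}x {module} {where}")
```

An identical offset across different PIDs means the same instruction in the library is faulting each time; with the matching libc debug symbols installed, that offset can be resolved to a function name.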