Bug#868009: Immediate disconnect after successful authentication when "UsePrivilegeSeparation sandbox" is used

To: 868009@bugs.debian.org
Cc: Colin Watson <cjwatson@debian.org>
Subject: Bug#868009: Immediate disconnect after successful authentication when "UsePrivilegeSeparation sandbox" is used
From: Simon Kainz <skainz@debian.org>
Date: Wed, 12 Jul 2017 08:56:42 +0200
Message-id: <[🔎] 591093d0-5836-2c44-0a4c-dbc908c7839c@debian.org>
Reply-to: Simon Kainz <skainz@debian.org>, 868009@bugs.debian.org
In-reply-to: <[🔎] 20170711083726.plguvyeyergdd5ys@riva.ucam.org>
References: <[🔎] e1d059af-a3bd-79e8-ea38-31e2eb58f29e@debian.org> <[🔎] 20170711083726.plguvyeyergdd5ys@riva.ucam.org>

Hello,

Some more info:

The described behavior happened on a machine with ~100 days uptime, out
of the blue, with no update whatsoever.


I enabled audit logs and get the following entries:

type=USER_AUTH msg=audit(1499842045.292:124): pid=5780 uid=0 auid=0
ses=28127 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd"
hostname=xxx.xxx.xxx.xxx addr=xxx.xxx.xxx.xxx terminal=ssh res=success'
type=USER_ACCT msg=audit(1499842045.292:125): pid=5780 uid=0 auid=0
ses=28127 msg='op=PAM:accounting acct="root" exe="/usr/sbin/sshd"
hostname=xxx.xxx.xxx.xxx addr=xxx.xxx.xxx.xxx terminal=ssh res=success'
type=SECCOMP msg=audit(1499842045.292:126): auid=0 uid=107 gid=65534
ses=28127 pid=5824 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=c000003e
syscall=41 compat=0 ip=0x7f85b3ef3d07 code=0x0


One more thing: Using UsePrivilegeSeparation=yes, on trying to log in
(intentionally) with a non-existing user, i get 3 passwort prompts
(which is expected, the same with an existing user + wrong password, so
PAM is working). When i use the sandbox setting, i get disconnected
after the first try.

Regards,

Simon




Am 2017-07-11 um 10:37 schrieb Colin Watson:
> On Tue, Jul 11, 2017 at 08:43:58AM +0200, Simon Kainz wrote:
>> When using the default
>>
>> UsePrivilegeSeparation sandbox
>>
>> i am unable to connect via SSH.
>>
>> This even does not work when i try it locally, eg.
>>
>> ssh skainz@127.0.0.1
>>
>>
>> SSH fails right after pre-authentication. Systme log tells me, the
>> authentication itself works correctly, but i get disconnected afterwards.
>>
>> If i set
>>
>> UsePrivilegeSeparation yes
>>
>>
>> it works.
>>
>>
>> Please see the attached ssh -vvv log.
> 
> Can you also get an sshd -ddd log from the server side, or at the very
> least look at /var/log/auth.log?  The client log is unlikely to be of
> much use in tracking this sort of thing down.
> 
> Thanks,
> 

-- 
ᘓ Debian Developer
  4096R/ED98D2D344641A6859A0864F1CB4F0F78DECAFE9
  Get my key:  finger skainz/key@db.debian.org
               http://blog.familiekainz.at/static/gpg/8DECAFE9.asc

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

References:
- Bug#868009: Immediate disconnect after successful authentication when "UsePrivilegeSeparation sandbox" is used
  - From: Simon Kainz <skainz@debian.org>
- Bug#868009: Immediate disconnect after successful authentication when "UsePrivilegeSeparation sandbox" is used
  - From: Colin Watson <cjwatson@debian.org>

Prev by Date: Re: Shipping non-OpenSSH scp(1) binary
Next by Date: Re: Shipping non-OpenSSH scp(1) binary
Previous by thread: Bug#868009: Immediate disconnect after successful authentication when "UsePrivilegeSeparation sandbox" is used
Next by thread: Bug#868149: openssh-server: clean up legacy ssh-session-cleanup.service
Index(es):
- Date
- Thread