Bug#931272: openssh-server: incoming connections fail if openssl's afalg engine is enabled
Package: openssh-server
Version: 1:8.0p1-2
Severity: important
Dear Maintainer,
After enabling the afalg engine in OpenSSL and configuring the OpenSSH server to use the
ciphers listed below, incoming ssh connections stop working. When a client tries to connect, you
can observe the following message in the server's dmesg output:
[271686.264598] audit: type=1326 audit(1561879548.303:14): auid=1000 uid=104 gid=65534 ses=99 subj==unconfined pid=8164 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=40000028 syscall=281 compat=0 ip=0xb6a5ee6c code=0x0
The device is a Buffalo Linkstation LS-WXL (armel, kirkwood). I would like to use the crypto
hardware accelerator (marvell_cesa) for SSH to get better performance out of it, which is why
I enabled the afalg engine.
This happens both with openssh-server from buster and experimental. Syscall 281 appears to be
socket(...) from what I could gather. Maybe it is necessary to add a few more allowed syscall
rules to the seccomp sandbox in OpenSSH?
The config changes I made are below:
Changes on /etc/ssh/sshd_config
Ciphers aes128-cbc,aes192-cbc,aes256-cbc
Changes on /etc/ssl/openssl.cnf
[default_conf]
engines = openssl_engines
[openssl_engines]
afalg = afalg_engine
[afalg_engine]
default_algorithms = ALL
Thank you for your time,
Emilio
-- System Information:
Debian Release: 10.0
APT prefers testing
APT policy: (500, 'testing'), (1, 'experimental')
Architecture: armel (armv5tel)
Kernel: Linux 4.19.0-5-marvell
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages openssh-server depends on:
ii adduser 3.118
ii debconf [debconf-2.0] 1.5.71
ii dpkg 1.19.7
ii libaudit1 1:2.8.4-3
ii libc6 2.28-10
ii libcom-err2 1.44.5-1
ii libgssapi-krb5-2 1.17-3
ii libkrb5-3 1.17-3
ii libpam-modules 1.3.1-5
ii libpam-runtime 1.3.1-5
ii libpam0g 1.3.1-5
ii libselinux1 2.8-1+b1
ii libssl1.1 1.1.1c-1
ii libsystemd0 241-5
ii libwrap0 7.6.q-28
ii lsb-base 10.2019051400
ii openssh-client 1:8.0p1-2
ii openssh-sftp-server 1:8.0p1-2
ii procps 2:3.3.15-2
ii ucf 3.0038+nmu1
ii zlib1g 1:1.2.11.dfsg-1
Versions of packages openssh-server recommends:
pn default-logind | logind | libpam-systemd <none>
ii ncurses-term 6.1+20181013-2
pn xauth <none>
Versions of packages openssh-server suggests:
pn molly-guard <none>
pn monkeysphere <none>
pn rssh <none>
pn ssh-askpass <none>
pn ufw <none>
-- debconf information:
openssh-server/permit-root-login: true
openssh-server/password-authentication: true
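The dmesg line in the report is a kernel audit record of type 1326 (AUDIT_SECCOMP): the process was delivered signal 31 (SIGSYS) because a seccomp filter rejected syscall 281 for arch 0x40000028 (AUDIT_ARCH_ARM, i.e. ARM EABI little-endian), and code=0x0 is the filter's return value, SECCOMP_RET_KILL_THREAD (the legacy SECCOMP_RET_KILL). The decoder below is an added example, not part of the bug report or of OpenSSH or Debian, that parses such records and resolves the fields so a sandbox violation like this one can be triaged without manually consulting syscall tables. The syscall tables are deliberately partial (socket-family calls for ARM EABI and x86_64 only, which is the assumption that fits this report); the sample record is the one from the report, embedded inline.

```python
"""Decode kernel audit type=1326 (AUDIT_SECCOMP) records such as the dmesg line in the report."""
import re

AUDIT_SECCOMP = 1326

# Audit architecture identifiers from linux/audit.h (AUDIT_ARCH_* = EM_* | flag bits).
AUDIT_ARCH = {
    0x40000028: "arm (EABI, little-endian)",   # EM_ARM | __AUDIT_ARCH_LE
    0x40000003: "i386",                        # EM_386 | __AUDIT_ARCH_LE
    0xC000003E: "x86_64",                      # EM_X86_64 | 64BIT | LE
    0xC00000B7: "aarch64",                     # EM_AARCH64 | 64BIT | LE
}

# Partial syscall tables (assumption: only socket-family calls; extend for other arches/calls).
SYSCALL_NAMES = {
    0x40000028: {281: "socket", 282: "bind", 283: "connect", 284: "listen", 285: "accept",
                 289: "send", 290: "sendto", 291: "recv", 292: "recvfrom", 293: "shutdown",
                 294: "setsockopt", 295: "getsockopt", 296: "sendmsg", 297: "recvmsg"},
    0xC000003E: {41: "socket", 42: "connect", 43: "accept", 44: "sendto", 45: "recvfrom",
                 46: "sendmsg", 47: "recvmsg", 48: "shutdown", 49: "bind", 50: "listen",
                 54: "setsockopt", 55: "getsockopt"},
}

SIGNALS = {9: "SIGKILL", 11: "SIGSEGV", 31: "SIGSYS"}  # numbering as on x86 and arm Linux

# The 'code' field is the BPF filter's return value; the action lives in the top 16 bits.
SECCOMP_ACTION_MASK = 0xFFFF0000
SECCOMP_ACTIONS = {
    0x00000000: "SECCOMP_RET_KILL_THREAD",   # legacy SECCOMP_RET_KILL
    0x80000000: "SECCOMP_RET_KILL_PROCESS",
    0x00030000: "SECCOMP_RET_TRAP",
    0x00050000: "SECCOMP_RET_ERRNO",
    0x7FF00000: "SECCOMP_RET_TRACE",
    0x7FFC0000: "SECCOMP_RET_LOG",
    0x7FFF0000: "SECCOMP_RET_ALLOW",
}

# Constructed from the record quoted in the bug report.
SAMPLE_RECORD = ('[271686.264598] audit: type=1326 audit(1561879548.303:14): auid=1000 uid=104 '
                 'gid=65534 ses=99 subj==unconfined pid=8164 comm="sshd" exe="/usr/sbin/sshd" '
                 'sig=31 arch=40000028 syscall=281 compat=0 ip=0xb6a5ee6c code=0x0')

_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_STAMP = re.compile(r'audit\((\d+\.\d+):(\d+)\)')


def parse_audit_record(line):
    """Return the key=value fields of an audit record as a dict, quotes stripped.

    The dmesg "[seconds]" prefix is dropped; the audit(ts:serial) token is exposed as
    'timestamp' and 'serial'. 'subj==unconfined' (empty label) parses to 'unconfined'."""
    line = re.sub(r'^\[\s*[\d.]+\]\s*', '', line.strip())
    fields = {}
    stamp = _STAMP.search(line)
    if stamp:
        fields["timestamp"], fields["serial"] = stamp.group(1), stamp.group(2)
    for key, val in _KV.findall(line):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        fields[key] = val.lstrip("=")
    return fields


def decode_seccomp_record(line):
    """Resolve arch, syscall, signal and filter action of an AUDIT_SECCOMP record."""
    f = parse_audit_record(line)
    if f.get("type") != str(AUDIT_SECCOMP):
        raise ValueError("not an AUDIT_SECCOMP (type=1326) record")
    arch = int(f["arch"], 16)
    nr = int(f["syscall"])
    code = int(f["code"], 16)
    sig = int(f["sig"])
    action = code & SECCOMP_ACTION_MASK
    return {
        "timestamp": f.get("timestamp"),
        "comm": f.get("comm"),
        "exe": f.get("exe"),
        "pid": int(f["pid"]),
        "uid": int(f["uid"]),
        "arch": AUDIT_ARCH.get(arch, f"unknown arch {arch:#x}"),
        "syscall_nr": nr,
        "syscall": SYSCALL_NAMES.get(arch, {}).get(nr, f"nr {nr}"),
        "signal": SIGNALS.get(sig, f"sig {sig}"),
        "action": SECCOMP_ACTIONS.get(action, f"{code:#x}"),
        # Both KILL variants terminate the target; everything else leaves it running.
        "killed": action in (0x00000000, 0x80000000),
    }


if __name__ == "__main__":
    for k, v in decode_seccomp_record(SAMPLE_RECORD).items():
        print(f"{k:>11}: {v}")
```

Run against the record from the report it prints sshd (pid 8164, uid 104, the privilege-separated child) killed by SIGSYS for `socket` on ARM EABI, which is the information needed to decide whether the sandbox's allow-list, rather than the engine or the cipher configuration, is what needs changing.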