Bug#931272: openssh-server: incoming connections fail if openssl's afalg engine is enabled
On Sun, Jun 30, 2019 at 05:25:42AM -0300, Emilio López wrote:
> After enabling afalg engine on OpenSSL and configuring OpenSSH server to use the following
> ciphers, incoming ssh connections stop working. When a client tries to connect, you can
> observe the following message on the server's dmesg output:
>
> [271686.264598] audit: type=1326 audit(1561879548.303:14): auid=1000 uid=104 gid=65534 ses=99 subj==unconfined pid=8164 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=40000028 syscall=281 compat=0 ip=0xb6a5ee6c code=0x0
>
> The device is a Buffalo Linkstation LS-WXL (armel, kirkwood). I would like to use the crypto
> hardware accelerator (marvell_cesa) on SSH to get better performance out of it; that's why
> I enabled the afalg engine.
>
> This happens both with openssh-server from buster and experimental. Syscall 281 appears to be
> socket(...) from what I could gather. Maybe it is necessary to add a few more allowed syscall
> rules to the seccomp sandbox in OpenSSH?

Thanks for your report. Would you mind filing this directly upstream?
This is the sort of thing I'd much rather get upstream review of.
Colin Watson [email@example.com]
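
A triage aid for the audit record quoted in the report, as an added example that is not part of the original messages or of OpenSSH: it parses a kernel `type=1326` (seccomp) record and decodes the architecture, syscall, signal and action fields. The function name `parse_seccomp_audit` and the lookup tables are assumptions of this example; the tables are deliberately partial and cover only the values needed for this record and a few neighbouring ARM EABI socket calls.

```python
import re

# Sample input: the audit record quoted in the report above.
SAMPLE = ('[271686.264598] audit: type=1326 audit(1561879548.303:14): auid=1000 '
          'uid=104 gid=65534 ses=99 subj==unconfined pid=8164 comm="sshd" '
          'exe="/usr/sbin/sshd" sig=31 arch=40000028 syscall=281 compat=0 '
          'ip=0xb6a5ee6c code=0x0')

AUDIT_SECCOMP = "1326"                # audit record type for seccomp actions
AUDIT_ARCH_ARM = 0x40000028           # EM_ARM (40) | __AUDIT_ARCH_LE
ARCH_NAMES = {AUDIT_ARCH_ARM: "arm"}  # partial table (assumption of this example)
# Syscall numbers are per-architecture; this partial table is ARM EABI only.
SYSCALLS = {AUDIT_ARCH_ARM: {281: "socket", 282: "bind", 283: "connect",
                             284: "listen", 285: "accept"}}
SIGNALS = {31: "SIGSYS"}              # signal delivered on a seccomp kill
ACTIONS = {0x0: "SECCOMP_RET_KILL_THREAD"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_seccomp_audit(line):
    """Decode one seccomp audit record; return None for any other line."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if fields.get("type") != AUDIT_SECCOMP:
        return None
    try:
        arch = int(fields["arch"], 16)    # logged as bare hex
        nr = int(fields["syscall"])       # logged as decimal
        sig = int(fields["sig"])
        code = int(fields["code"], 16)    # logged with 0x prefix
    except (KeyError, ValueError):
        return None                       # truncated or malformed record
    return {
        "comm": fields.get("comm"),
        "exe": fields.get("exe"),
        "pid": fields.get("pid"),
        "arch": ARCH_NAMES.get(arch, hex(arch)),
        "syscall": nr,
        "syscall_name": SYSCALLS.get(arch, {}).get(nr, "unknown"),
        "signal": SIGNALS.get(sig, str(sig)),
        "action": ACTIONS.get(code, hex(code)),
    }


if __name__ == "__main__":
    print(parse_seccomp_audit(SAMPLE))
```

An `unknown` syscall name means the architecture or number is outside the partial tables, not that the record is benign; extend the table from the kernel's syscall list for the architecture in question.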