Bug#934663: socket activated sshd sometimes complains about /run/sshd not being there
Package: openssh-server
Version: 1:7.9p1-10
Severity: minor
Hi,
I am running sshd with systemd socket activation, which is a
non-standard configuration, hence severity: minor.
Since the buster upgrade, on a host that is hit by ssh brute force
attacks hundreds of times a day, I get "fatal: chroot("/run/sshd"): No
such file or directory [preauth]" log entries about three times a day.
When I look, /run/sshd is there. It is also confusing that the message
happens so seldom, only in a very small fraction of cases. So it
must be an exotic race condition.
sshd doesn't delete and recreate the privsep directory after a chrooted
daemon exits, does it?
What I notice is that this message sometimes happens when two
connections come in together:
Example 1:
syslog:
Aug 13 05:25:03 q systemd[1]: Started OpenBSD Secure Shell server per-connection daemon (176.31.172.40:44702).
Aug 13 05:25:07 q systemd[1]: Started OpenBSD Secure Shell server per-connection daemon (40.125.172.86:1088).
Aug 13 05:25:08 q systemd[1]: ssh@17885-85.214.213.124:22-176.31.172.40:44702.service: Succeeded.
Aug 13 05:25:08 q systemd[1]: ssh@17886-85.214.213.138:22-40.125.172.86:1088.service: Succeeded.
auth.log:
Aug 13 05:25:03 q sshd[13138]: Invalid user oracle from 176.31.172.40 port 44702
Aug 13 05:25:03 q sshd[13138]: pam_unix(sshd:auth): check pass; user unknown
Aug 13 05:25:03 q sshd[13138]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=176.31.172
Aug 13 05:25:05 q sshd[13138]: Failed password for invalid user oracle from 176.31.172.40 port 44702 ssh2
Aug 13 05:25:08 q sshd[13138]: Received disconnect from 176.31.172.40 port 44702:11: Bye Bye [preauth]
Aug 13 05:25:08 q sshd[13138]: Disconnected from invalid user oracle 176.31.172.40 port 44702 [preauth]
Aug 13 05:25:08 q sshd[13142]: fatal: chroot("/run/sshd"): No such file or directory [preauth]
There were no auth.log entries for the connection from 40.125.172.86.
Example 2:
syslog:
Aug 13 00:12:41 q systemd[1]: Started OpenBSD Secure Shell server per-connection daemon (192.117.186.215:34594).
Aug 13 00:12:45 q systemd[1]: Started OpenBSD Secure Shell server per-connection daemon (222.255.146.19:54636).
Aug 13 00:12:46 q systemd[1]: ssh@16199-85.214.213.124:22-192.117.186.215:34594.service: Succeeded.
Aug 13 00:12:46 q systemd[1]: ssh@16200-85.214.213.124:22-222.255.146.19:54636.service: Succeeded.
auth.log:
Aug 13 00:12:42 q sshd[28305]: Invalid user tez from 192.117.186.215 port 34594
Aug 13 00:12:42 q sshd[28305]: pam_unix(sshd:auth): check pass; user unknown
Aug 13 00:12:42 q sshd[28305]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.117.18
Aug 13 00:12:44 q sshd[28305]: Failed password for invalid user tez from 192.117.186.215 port 34594 ssh2
Aug 13 00:12:46 q sshd[28305]: Received disconnect from 192.117.186.215 port 34594:11: Bye Bye [preauth]
Aug 13 00:12:46 q sshd[28305]: Disconnected from invalid user tez 192.117.186.215 port 34594 [preauth]
Aug 13 00:12:46 q sshd[28308]: fatal: chroot("/run/sshd"): No such file or directory [preauth]
There were no auth.log entries for the connection from 222.255.146.19.
This is not a big deal, but I'd really like to know that I am still
running the sshd with privilege separation.
Greetings
Marc
-- System Information:
Debian Release: 10.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.2.7-zgsrv20080 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), LANGUAGE=en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages openssh-server depends on:
ii adduser 3.118
ii debconf [debconf-2.0] 1.5.71
ii dpkg 1.19.7
ii libaudit1 1:2.8.4-3
ii libc6 2.28-10
ii libcom-err2 1.44.5-1
ii libgssapi-krb5-2 1.17-3
ii libkrb5-3 1.17-3
ii libpam-modules 1.3.1-5
ii libpam-runtime 1.3.1-5
ii libpam0g 1.3.1-5
ii libselinux1 2.8-1+b1
ii libssl1.1 1.1.1c-1
ii libsystemd0 241-5
ii libwrap0 7.6.q-28
ii lsb-base 10.2019051400
ii openssh-client 1:7.9p1-10
ii openssh-sftp-server 1:7.9p1-10
ii procps 2:3.3.15-2
ii ucf 3.0038+nmu1
ii zlib1g 1:1.2.11.dfsg-1
Versions of packages openssh-server recommends:
ii libpam-systemd 241-5
pn ncurses-term <none>
pn xauth <none>
Versions of packages openssh-server suggests:
ii molly-guard 0.7.1
pn monkeysphere <none>
pn rssh <none>
pn ssh-askpass <none>
pn ufw <none>
-- debconf information:
* ssh/use_old_init_script: true
ssh/encrypted_host_key_but_no_keygen:
* openssh-server/permit-root-login: true
ssh/vulnerable_host_keys:
* openssh-server/password-authentication: true
ssh/disable_cr_auth: false
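An added example, not part of the original report and not OpenSSH or Debian code: a Python sketch that lines up each `fatal: chroot("/run/sshd")` entry in auth.log with the per-connection units systemd had running at that second, and lists the peers that left no auth.log entry of their own. The log lines are copied from Example 1 above; the function and field names are hypothetical.

```python
import re
from datetime import datetime

# Log lines copied from Example 1 in the report (subset that the parser needs).
SYSLOG = """\
Aug 13 05:25:03 q systemd[1]: Started OpenBSD Secure Shell server per-connection daemon (176.31.172.40:44702).
Aug 13 05:25:07 q systemd[1]: Started OpenBSD Secure Shell server per-connection daemon (40.125.172.86:1088).
Aug 13 05:25:08 q systemd[1]: ssh@17885-85.214.213.124:22-176.31.172.40:44702.service: Succeeded.
Aug 13 05:25:08 q systemd[1]: ssh@17886-85.214.213.138:22-40.125.172.86:1088.service: Succeeded.
"""
AUTHLOG = """\
Aug 13 05:25:03 q sshd[13138]: Invalid user oracle from 176.31.172.40 port 44702
Aug 13 05:25:08 q sshd[13138]: Disconnected from invalid user oracle 176.31.172.40 port 44702 [preauth]
Aug 13 05:25:08 q sshd[13142]: fatal: chroot("/run/sshd"): No such file or directory [preauth]
"""

TS = r"(\w{3} +\d+ [\d:]{8})"
START = re.compile(TS + r" \S+ systemd\[1\]: Started .*per-connection daemon \(([\d.]+:\d+)\)")
STOP = re.compile(TS + r" \S+ systemd\[1\]: ssh@\S+-([\d.]+:\d+)\.service: ")
FATAL = re.compile(TS + r' \S+ sshd\[(\d+)\]: fatal: chroot\("/run/sshd"\)')
PEER = re.compile(r"([\d.]+) port (\d+)")

def ts(s):
    # syslog timestamps carry no year; 2000 is an arbitrary (leap-year) placeholder
    return datetime.strptime("2000 " + s, "%Y %b %d %H:%M:%S")

def correlate(syslog, authlog):
    """Map each chroot failure to the per-connection units alive at that second."""
    start, stop = {}, {}
    for line in syslog.splitlines():
        if m := START.match(line):
            start[m.group(2)] = ts(m.group(1))
        elif m := STOP.match(line):
            stop[m.group(2)] = ts(m.group(1))
    logged = {f"{ip}:{port}" for ip, port in PEER.findall(authlog)}
    findings = []
    for line in authlog.splitlines():
        if m := FATAL.match(line):
            when = ts(m.group(1))
            alive = sorted(p for p, t0 in start.items()
                           if t0 <= when <= stop.get(p, datetime.max))
            findings.append({"pid": int(m.group(2)), "time": m.group(1),
                             "alive": alive,  # units running at the failure
                             "silent": [p for p in alive if p not in logged]})
    return findings

if __name__ == "__main__":
    for f in correlate(SYSLOG, AUTHLOG):
        print(f)
```

Run over the full syslog and auth.log, the `silent` list shows which peer's connection most likely hit the chroot failure, and `alive` shows whether another per-connection unit was running in the same second.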