
Bug#934663: socket activated sshd sometimes complains about /run/sshd not being there



Package: openssh-server
Version: 1:7.9p1-10
Severity: minor

Hi,

I am running sshd with systemd socket activation, which is a
non-standard configuration, hence severity: minor.

Since the buster upgrade, on a host that is hit by ssh brute force
attacks hundreds of times a day, I get "fatal: chroot("/run/sshd"): No
such file or directory [preauth]" log entries about three times a day.

When I look, /run/sshd is there. It is also confusing that the message
happens so seldom, only in a very small fraction of cases. So it
must be an exotic race condition.

sshd doesn't delete and recreate the privsep directory after a chrooted
daemon exits, does it?

What I notice is that this message sometimes happens when two
connections come in together:

Example 1:

syslog:
Aug 13 05:25:03 q systemd[1]: Started OpenBSD Secure Shell server per-connection daemon (176.31.172.40:44702).
Aug 13 05:25:07 q systemd[1]: Started OpenBSD Secure Shell server per-connection daemon (40.125.172.86:1088).
Aug 13 05:25:08 q systemd[1]: ssh@17885-85.214.213.124:22-176.31.172.40:44702.service: Succeeded.
Aug 13 05:25:08 q systemd[1]: ssh@17886-85.214.213.138:22-40.125.172.86:1088.service: Succeeded.

auth.log:
Aug 13 05:25:03 q sshd[13138]: Invalid user oracle from 176.31.172.40 port 44702
Aug 13 05:25:03 q sshd[13138]: pam_unix(sshd:auth): check pass; user unknown
Aug 13 05:25:03 q sshd[13138]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=176.31.172
Aug 13 05:25:05 q sshd[13138]: Failed password for invalid user oracle from 176.31.172.40 port 44702 ssh2
Aug 13 05:25:08 q sshd[13138]: Received disconnect from 176.31.172.40 port 44702:11: Bye Bye [preauth]
Aug 13 05:25:08 q sshd[13138]: Disconnected from invalid user oracle 176.31.172.40 port 44702 [preauth]
Aug 13 05:25:08 q sshd[13142]: fatal: chroot("/run/sshd"): No such file or directory [preauth]

There were no auth.log entries for the connection from 40.125.172.86.


Example 2:

syslog:
Aug 13 00:12:41 q systemd[1]: Started OpenBSD Secure Shell server per-connection daemon (192.117.186.215:34594).
Aug 13 00:12:45 q systemd[1]: Started OpenBSD Secure Shell server per-connection daemon (222.255.146.19:54636).
Aug 13 00:12:46 q systemd[1]: ssh@16199-85.214.213.124:22-192.117.186.215:34594.service: Succeeded.
Aug 13 00:12:46 q systemd[1]: ssh@16200-85.214.213.124:22-222.255.146.19:54636.service: Succeeded.

auth.log:
Aug 13 00:12:42 q sshd[28305]: Invalid user tez from 192.117.186.215 port 34594
Aug 13 00:12:42 q sshd[28305]: pam_unix(sshd:auth): check pass; user unknown
Aug 13 00:12:42 q sshd[28305]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.117.18
Aug 13 00:12:44 q sshd[28305]: Failed password for invalid user tez from 192.117.186.215 port 34594 ssh2
Aug 13 00:12:46 q sshd[28305]: Received disconnect from 192.117.186.215 port 34594:11: Bye Bye [preauth]
Aug 13 00:12:46 q sshd[28305]: Disconnected from invalid user tez 192.117.186.215 port 34594 [preauth]
Aug 13 00:12:46 q sshd[28308]: fatal: chroot("/run/sshd"): No such file or directory [preauth]

There were no auth.log entries for the connection from 222.255.146.19.

This is not a big deal, but I'd really like to know that I am still
running the sshd with privilege separation.

Greetings
Marc

-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.2.7-zgsrv20080 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), LANGUAGE=en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssh-server depends on:
ii  adduser                3.118
ii  debconf [debconf-2.0]  1.5.71
ii  dpkg                   1.19.7
ii  libaudit1              1:2.8.4-3
ii  libc6                  2.28-10
ii  libcom-err2            1.44.5-1
ii  libgssapi-krb5-2       1.17-3
ii  libkrb5-3              1.17-3
ii  libpam-modules         1.3.1-5
ii  libpam-runtime         1.3.1-5
ii  libpam0g               1.3.1-5
ii  libselinux1            2.8-1+b1
ii  libssl1.1              1.1.1c-1
ii  libsystemd0            241-5
ii  libwrap0               7.6.q-28
ii  lsb-base               10.2019051400
ii  openssh-client         1:7.9p1-10
ii  openssh-sftp-server    1:7.9p1-10
ii  procps                 2:3.3.15-2
ii  ucf                    3.0038+nmu1
ii  zlib1g                 1:1.2.11.dfsg-1

Versions of packages openssh-server recommends:
ii  libpam-systemd  241-5
pn  ncurses-term    <none>
pn  xauth           <none>

Versions of packages openssh-server suggests:
ii  molly-guard   0.7.1
pn  monkeysphere  <none>
pn  rssh          <none>
pn  ssh-askpass   <none>
pn  ufw           <none>

-- debconf information:
* ssh/use_old_init_script: true
  ssh/encrypted_host_key_but_no_keygen:
* openssh-server/permit-root-login: true
  ssh/vulnerable_host_keys:
* openssh-server/password-authentication: true
  ssh/disable_cr_auth: false
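Added example (not part of the bug report): a small Python script that correlates the syslog and auth.log excerpts above. For each "fatal: chroot" line it lists the per-connection sshd instances that systemd had running at that second, which is the overlap the report suspects. It assumes the Debian syslog/auth.log line formats shown above and that all lines fall in one year; the embedded sample lines are copied from Example 1.

```python
import re
from datetime import datetime

# Log lines copied from Example 1 of the bug report (abbreviated).
SYSLOG = """\
Aug 13 05:25:03 q systemd[1]: Started OpenBSD Secure Shell server per-connection daemon (176.31.172.40:44702).
Aug 13 05:25:07 q systemd[1]: Started OpenBSD Secure Shell server per-connection daemon (40.125.172.86:1088).
Aug 13 05:25:08 q systemd[1]: ssh@17885-85.214.213.124:22-176.31.172.40:44702.service: Succeeded.
Aug 13 05:25:08 q systemd[1]: ssh@17886-85.214.213.138:22-40.125.172.86:1088.service: Succeeded.
"""
AUTHLOG = """\
Aug 13 05:25:03 q sshd[13138]: Invalid user oracle from 176.31.172.40 port 44702
Aug 13 05:25:08 q sshd[13142]: fatal: chroot("/run/sshd"): No such file or directory [preauth]
"""

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
STARTED = re.compile(TS + r" \S+ systemd\[1\]: Started .*per-connection daemon \((?P<peer>[^)]+)\)")
ENDED = re.compile(TS + r" \S+ systemd\[1\]: ssh@\S*-(?P<peer>[\d.]+:\d+)\.service: Succeeded")
FATAL = re.compile(TS + r' \S+ sshd\[(?P<pid>\d+)\]: fatal: chroot\("(?P<dir>[^"]*)"\)')

def parse_ts(stamp):
    # Syslog stamps carry no year; assumption: every line belongs to the same year.
    return datetime.strptime(re.sub(r" +", " ", stamp), "%b %d %H:%M:%S")

def connection_intervals(syslog):
    """Return (start, end, peer) per socket-activated sshd instance; end is None if still running."""
    open_conns, intervals = {}, []
    for line in syslog.splitlines():
        if m := STARTED.search(line):
            open_conns[m["peer"]] = parse_ts(m["ts"])
        elif (m := ENDED.search(line)) and m["peer"] in open_conns:
            intervals.append((open_conns.pop(m["peer"]), parse_ts(m["ts"]), m["peer"]))
    intervals.extend((start, None, peer) for peer, start in open_conns.items())
    return intervals

def correlate(syslog, authlog):
    """For each chroot failure in auth.log, list the per-connection instances live at that second."""
    intervals = connection_intervals(syslog)
    findings = []
    for line in authlog.splitlines():
        if m := FATAL.search(line):
            t = parse_ts(m["ts"])
            live = sorted(peer for s, e, peer in intervals if s <= t and (e is None or t <= e))
            findings.append({"time": m["ts"], "pid": int(m["pid"]), "dir": m["dir"], "concurrent": live})
    return findings

if __name__ == "__main__":
    for f in correlate(SYSLOG, AUTHLOG):
        print(f"{f['time']} sshd[{f['pid']}] chroot({f['dir']}) failed; live instances: {f['concurrent']}")
```

A failure with two or more live instances supports the overlap theory; one with a single live instance would point elsewhere, for example at something removing /run/sshd between connections.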

