
Bug#941663: marked as done (openssh-server: fatal: privsep_preauth: preauth child terminated by signal 31)



Your message dated Sat, 12 Oct 2019 13:02:29 +0000
with message-id <E1iJH2T-0004yJ-Lp@fasolo.debian.org>
and subject line Bug#941663: fixed in openssh 1:7.9p1-10+deb10u1
has caused the Debian Bug report #941663,
regarding openssh-server: fatal: privsep_preauth: preauth child terminated by signal 31
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
941663: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941663
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-server
Version: 1:7.9p1-10

We recently installed the latest openssl patches (https://www.debian.org/security/2019/dsa-4540, https://www.debian.org/security/2019/dsa-4539) on a machine running Debian 10.1. Since the upgrade, ssh connections are immediately dropped (below is an excerpt of auth.log with sshd LogLevel set to Debug):

Oct  3 08:50:24 debian sshd[8048]: debug1: Forked child 11290.
Oct  3 08:50:24 debian sshd[11290]: debug1: Set /proc/self/oom_score_adj to 0
Oct  3 08:50:24 debian sshd[11290]: debug1: rexec start in 6 out 6 newsock 6 pipe 8 sock 9
Oct  3 08:50:24 debian sshd[11290]: debug1: inetd sockets after dupping: 5, 5
Oct  3 08:50:24 debian sshd[11290]: Connection from 192.168.1.2 port 58940 on 165.112.184.218 port 22
Oct  3 08:50:24 debian sshd[11290]: debug1: Client protocol version 2.0; client software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
Oct  3 08:50:24 debian sshd[11290]: debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
Oct  3 08:50:24 debian sshd[11290]: debug1: Local version string SSH-2.0-OpenSSH_7.9p1 Debian-10
Oct  3 08:50:24 debian sshd[11290]: debug1: permanently_set_uid: 102/65534 [preauth]
Oct  3 08:50:24 debian sshd[11290]: debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Oct  3 08:50:24 debian sshd[11290]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Oct  3 08:50:24 debian sshd[11290]: debug1: SSH2_MSG_KEXINIT received [preauth]
Oct  3 08:50:24 debian sshd[11290]: debug1: kex: algorithm: curve25519-sha256 [preauth]
Oct  3 08:50:24 debian sshd[11290]: debug1: kex: host key algorithm: ecdsa-sha2-nistp256 [preauth]
Oct  3 08:50:24 debian sshd[11290]: debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
Oct  3 08:50:24 debian sshd[11290]: debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
Oct  3 08:50:24 debian sshd[11290]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
Oct  3 08:50:24 debian sshd[11290]: debug1: rekey after 134217728 blocks [preauth]
Oct  3 08:50:24 debian sshd[11290]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
Oct  3 08:50:24 debian sshd[11290]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Oct  3 08:50:24 debian sshd[11290]: debug1: SSH2_MSG_NEWKEYS received [preauth]
Oct  3 08:50:24 debian sshd[11290]: debug1: rekey after 134217728 blocks [preauth]
Oct  3 08:50:24 debian sshd[11290]: debug1: KEX done [preauth]
Oct  3 08:50:24 debian sshd[11290]: debug1: userauth-request for user user service ssh-connection method none [preauth]
Oct  3 08:50:24 debian sshd[11290]: debug1: attempt 0 failures 0 [preauth]
Oct  3 08:50:24 debian sshd[11290]: debug1: PAM: initializing for "user"
Oct  3 08:50:24 debian sshd[11290]: debug1: PAM: setting PAM_RHOST to "192.168.1.2"
Oct  3 08:50:24 debian sshd[11290]: debug1: PAM: setting PAM_TTY to "ssh"
Oct  3 08:50:24 debian sshd[11290]: debug1: userauth-request for user user service ssh-connection method publickey [preauth]
Oct  3 08:50:24 debian sshd[11290]: debug1: attempt 1 failures 0 [preauth]
Oct  3 08:50:24 debian sshd[11290]: debug1: userauth_pubkey: test pkalg rsa-sha2-512 pkblob RSA SHA256:4aUmJoZ6m0NnB1TB3RFIggMUaFbQe96aod3SohrLgfw [preauth]
Oct  3 08:50:24 debian sshd[11290]: debug1: temporarily_use_uid: 1003/1003 (e=0/0)
Oct  3 08:50:24 debian sshd[11290]: debug1: trying public key file /home/user/.ssh/authorized_keys
Oct  3 08:50:24 debian sshd[11290]: debug1: Could not open authorized keys '/home/user/.ssh/authorized_keys': No such file or directory
Oct  3 08:50:24 debian sshd[11290]: debug1: restore_uid: 0/0
Oct  3 08:50:24 debian sshd[11290]: Failed publickey for user from 192.168.1.2 port 58940 ssh2: RSA SHA256:L+JSUX+UtQA5J0GjsdbG1Su6Z9YgXb6EJA0KZ+AJuos
Oct  3 08:50:24 debian sshd[11290]: debug1: userauth-request for user user service ssh-connection method publickey [preauth]
Oct  3 08:50:24 debian sshd[11290]: debug1: attempt 3 failures 2 [preauth]
Oct  3 08:50:24 debian sshd[11290]: debug1: userauth_pubkey: test pkalg rsa-sha2-512 pkblob RSA SHA256:EdnXT/x3fRm1jl7Dpz2DWz8TUYphqEB71IuQtSkk/X0 [preauth]
Oct  3 08:50:24 debian sshd[11290]: debug1: temporarily_use_uid: 1003/1003 (e=0/0)
Oct  3 08:50:24 debian sshd[11290]: debug1: trying public key file /home/user/.ssh/authorized_keys
Oct  3 08:50:24 debian sshd[11290]: debug1: Could not open authorized keys '/home/user/.ssh/authorized_keys': No such file or directory
Oct  3 08:50:24 debian sshd[11290]: debug1: restore_uid: 0/0
Oct  3 08:50:24 debian sshd[11290]: debug1: temporarily_use_uid: 1003/1003 (e=0/0)
Oct  3 08:50:24 debian sshd[11290]: debug1: trying public key file /home/user/.ssh/authorized_keys2
Oct  3 08:50:24 debian sshd[11290]: debug1: Could not open authorized keys '/home/user/.ssh/authorized_keys2': No such file or directory
Oct  3 08:50:24 debian sshd[11290]: debug1: restore_uid: 0/0
Oct  3 08:50:24 debian sshd[11290]: Failed publickey for user from 192.168.1.2 port 58940 ssh2: RSA SHA256:EdnXT/x3fRm1jl7Dpz2DWz8TUYphqEB71IuQtSkk/X0
Oct  3 08:50:30 debian sshd[11290]: debug1: userauth-request for user user service ssh-connection method password [preauth]
Oct  3 08:50:30 debian sshd[11290]: debug1: attempt 4 failures 3 [preauth]
Oct  3 08:50:30 debian sshd[11290]: debug1: PAM: password authentication accepted for user
Oct  3 08:50:30 debian sshd[11290]: debug1: do_pam_account: called
Oct  3 08:50:30 debian sshd[11290]: Accepted password for user from 192.168.1.2 port 58940 ssh2
Oct  3 08:50:30 debian sshd[11290]: debug1: monitor_child_preauth: user has been authenticated by privileged process
Oct  3 08:50:30 debian sshd[11290]: debug1: monitor_read_log: child log fd closed
Oct  3 08:50:30 debian sshd[11290]: fatal: privsep_preauth: preauth child terminated by signal 31
Oct  3 08:50:30 debian sshd[11290]: debug1: do_cleanup


Is this a known issue? What else might we do to debug?



--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:7.9p1-10+deb10u1

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 941663@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 06 Oct 2019 19:18:07 +0100
Source: openssh
Architecture: source
Version: 1:7.9p1-10+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 941663
Changes:
 openssh (1:7.9p1-10+deb10u1) buster-security; urgency=high
 .
   * Apply upstream patch to deny (non-fatally) shmget/shmat/shmdt in preauth
     privsep child, coping with changes in OpenSSL 1.1.1d that broke OpenSSH
     on Linux kernels before 3.19 (closes: #941663).

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
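
Added example, not part of the original messages or of OpenSSH: a log triage sketch that finds the "preauth child terminated by signal" failure from the report and separates sandbox kills from other crashes. It assumes Linux x86/ARM signal numbering, where signal 31 is SIGSYS (the signal a seccomp filter kill produces); the sample lines are constructed and `find_preauth_kills` is a hypothetical name.

```python
import re

# Linux x86/ARM signal numbers (assumption); 31 is SIGSYS, raised on a seccomp filter kill.
SIGNALS = {6: "SIGABRT", 11: "SIGSEGV", 31: "SIGSYS"}

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ sshd\[(\d+)\]: (.*)$")
CONN = re.compile(r"^Connection from (\S+) port \d+")
ACCEPT = re.compile(r"^Accepted (\S+) for (\S+) from")
FATAL = re.compile(r"^fatal: privsep_preauth: preauth child terminated by signal (\d+)")

# Constructed sample lines in the auth.log format shown in the report.
SAMPLE = """\
Oct  3 08:50:24 host sshd[11290]: Connection from 192.0.2.10 port 58940 on 198.51.100.5 port 22
Oct  3 08:50:30 host sshd[11290]: Accepted password for user from 192.0.2.10 port 58940 ssh2
Oct  3 08:50:30 host sshd[11290]: fatal: privsep_preauth: preauth child terminated by signal 31
Oct  3 08:51:02 host sshd[11301]: Connection from 192.0.2.44 port 40112 on 198.51.100.5 port 22
Oct  3 08:51:02 host sshd[11301]: fatal: privsep_preauth: preauth child terminated by signal 11
Oct  3 08:52:10 host sshd[11320]: Connection from 192.0.2.10 port 58990 on 198.51.100.5 port 22
Oct  3 08:52:15 host sshd[11320]: Accepted password for user from 192.0.2.10 port 58990 ssh2
"""

def find_preauth_kills(log_text):
    """Return one finding per sshd connection whose preauth child died on a signal."""
    sessions, findings = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        pid, msg = int(m.group(1)), m.group(2)
        if (c := CONN.match(msg)):
            # A new connection resets state, since PIDs can be reused.
            sessions[pid] = {"client": c.group(1), "user": None}
            continue
        s = sessions.setdefault(pid, {"client": None, "user": None})
        if (a := ACCEPT.match(msg)):
            s["user"] = a.group(2)
        elif (f := FATAL.match(msg)):
            sig = int(f.group(1))
            findings.append({
                "pid": pid, "client": s["client"], "user": s["user"],
                "signal": SIGNALS.get(sig, str(sig)),
                # SIGSYS: the sandbox filter killed the child on a disallowed syscall.
                "seccomp_kill": sig == 31,
                # Killed after credentials were accepted: a valid login was broken.
                "after_auth": s["user"] is not None,
            })
    return findings

if __name__ == "__main__":
    for finding in find_preauth_kills(SAMPLE):
        print(finding)
```

A cluster of `seccomp_kill` findings right after a library upgrade, as in this report, points to a sandbox policy mismatch; other signals warrant separate crash investigation.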
