[Bug 3469] SSH from host is not getting connected to Beaglebone black board having openssh 9.0p1

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Aug 12 01:07:22 AEST 2022 

https://bugzilla.mindrot.org/show_bug.cgi?id=3469

--- Comment #3 from Ravi Haravina N <raviharavina at eaton.com> ---
Thank you Miller for you suggestion. 

Now, I have used 9.0p1 version and updated changes as suggested in
commit 2580916e4. Still ssh connection from HOST is not successful. But
I see sandbox _violation message in debug output, as well as in
/flash/log/message.

  ssh_sandbox_violation: unexpected system call
(arch:0x40000028,syscall:403 @ 0xb6b3c74c) [preauth

As per syscall:403 number, it relates to "clock_gettime64" syscall
which is an alias for "clock_gettime" (as per details in
https://www.lurklurk.org/syscalls.html). Also this function is
supported for i386 and generic type architecture but not for "arm". 

Question: How to fix this in OpenSSH?

=========================  
Below are debug messages from sshd on BBB 
=========================  

debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 3292
debug2: parse_server_config_depth: config /etc/ssh/sshd_config len 3292
debug3: /etc/ssh/sshd_config:12 setting Protocol 2
debug2: /etc/ssh/sshd_config line 12: Deprecated option Protocol
debug3: /etc/ssh/sshd_config:18 setting HostKey
/etc/ssh/ssh_host_rsa_key
debug3: /etc/ssh/sshd_config:19 setting HostKey
/etc/ssh/ssh_host_dsa_key
debug3: /etc/ssh/sshd_config:32 setting PermitRootLogin no
debug3: /etc/ssh/sshd_config:33 setting AllowGroups sshusers
debug3: /etc/ssh/sshd_config:35 setting MaxAuthTries 6
debug3: /etc/ssh/sshd_config:42 setting KexAlgorithms
curve25519-sha256,curve25519-sha256 at libssh.org,diffie-hellman-group-exchange-sha256
debug3: kex names ok:
[curve25519-sha256,curve25519-sha256 at libssh.org,diffie-hellman-group-exchange-sha256]
debug3: /etc/ssh/sshd_config:43 setting Ciphers
aes256-ctr,aes192-ctr,aes128-ctr
debug3: /etc/ssh/sshd_config:44 setting MACs
hmac-sha2-512-etm at openssh.com,hmac-sha2-256-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128 at openssh.com
debug3: /etc/ssh/sshd_config:82 setting UsePAM yes
debug3: /etc/ssh/sshd_config:97 setting ClientAliveInterval 900
debug3: /etc/ssh/sshd_config:98 setting ClientAliveCountMax 0
debug3: /etc/ssh/sshd_config:99 setting UseDNS no
debug3: /etc/ssh/sshd_config:108 setting Subsystem sftp
/libexec/sftp-server
debug1: sshd version OpenSSH_9.0, OpenSSL 1.1.1q  5 Jul 2022
debug1: private host key #0: ssh-rsa
SHA256:oeY2TPdubQnAxUhXloV65tmB8v2gDMg1lDxLpaghe+4
debug1: private host key #1: ssh-dss
SHA256:LTk/c4rfaxHzfTinsiAgfNRnIrvb91DvAeR7Byw6BBA
debug1: rexec_argv[0]='/sbin/sshd'
debug1: rexec_argv[1]='-f'
debug1: rexec_argv[2]='/etc/ssh/sshd_config'
debug1: rexec_argv[3]='-ddd'
debug3: oom_adjust_setup
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug2: fd 4 setting O_NONBLOCK
debug3: sock_set_v6only: set socket 4 IPV6_V6ONLY
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug3: fd 5 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 3292
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug3: recv_rexec_state: entering fd = 5
debug3: ssh_msg_recv entering
debug3: recv_rexec_state: done
debug2: parse_server_config_depth: config rexec len 3292
debug3: rexec:12 setting Protocol 2
debug2: rexec line 12: Deprecated option Protocol
debug3: rexec:18 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: rexec:19 setting HostKey /etc/ssh/ssh_host_dsa_key
debug3: rexec:32 setting PermitRootLogin no
debug3: rexec:33 setting AllowGroups sshusers
debug3: rexec:35 setting MaxAuthTries 6
debug3: rexec:42 setting KexAlgorithms
curve25519-sha256,curve25519-sha256 at libssh.org,diffie-hellman-group-exchange-sha256
debug3: kex names ok:
[curve25519-sha256,curve25519-sha256 at libssh.org,diffie-hellman-group-exchange-sha256]
debug3: rexec:43 setting Ciphers aes256-ctr,aes192-ctr,aes128-ctr
debug3: rexec:44 setting MACs
hmac-sha2-512-etm at openssh.com,hmac-sha2-256-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128 at openssh.com
debug3: rexec:82 setting UsePAM yes
debug3: rexec:97 setting ClientAliveInterval 900
debug3: rexec:98 setting ClientAliveCountMax 0
debug3: rexec:99 setting UseDNS no
debug3: rexec:108 setting Subsystem sftp        /libexec/sftp-server
debug1: sshd version OpenSSH_9.0, OpenSSL 1.1.1q  5 Jul 2022
debug1: private host key #0: ssh-rsa
SHA256:oeY2TPdubQnAxUhXloV65tmB8v2gDMg1lDxLpaghe+4
debug1: private host key #1: ssh-dss
SHA256:LTk/c4rfaxHzfTinsiAgfNRnIrvb91DvAeR7Byw6BBA
debug1: inetd sockets after dupping: 3, 3
Connection from 192.168.200.1 port 62187 on 192.168.200.101 port 22
rdomain ""
debug1: Local version string SSH-2.0-OpenSSH_9.0
debug1: Remote protocol version 2.0, remote software version
OpenSSH_7.4
debug1: compat_banner: match: OpenSSH_7.4 pat OpenSSH_7.4* compat
0x04000006
debug2: fd 3 setting O_NONBLOCK
debug3: ssh_sandbox_init: preparing seccomp filter sandbox
debug2: Network child is on pid 3240
debug3: preauth child monitor started
debug3: privsep user:group 98:98 [preauth]
debug1: permanently_set_uid: 98/98 [preauth]
debug3: ssh_sandbox_child_debugging: installing SIGSYS handler
[preauth]
debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth]
debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
debug3: append_hostkey_type: ssh-rsa key not permitted by
HostkeyAlgorithms [preauth]
debug3: append_hostkey_type: ssh-dss key not permitted by
HostkeyAlgorithms [preauth]
debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256 [preauth]
debug3: send packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug3: receive packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug2: local server KEXINIT proposal [preauth]
debug2: KEX algorithms:
curve25519-sha256,curve25519-sha256 at libssh.org,diffie-hellman-group-exchange-sha256
[preauth]
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256 [preauth]
debug2: ciphers ctos: aes256-ctr,aes192-ctr,aes128-ctr [preauth]
debug2: ciphers stoc: aes256-ctr,aes192-ctr,aes128-ctr [preauth]
debug2: MACs ctos:
hmac-sha2-512-etm at openssh.com,hmac-sha2-256-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128 at openssh.com
[preauth]
debug2: MACs stoc:
hmac-sha2-512-etm at openssh.com,hmac-sha2-256-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128 at openssh.com
[preauth]
debug2: compression ctos: none,zlib at openssh.com [preauth]
debug2: compression stoc: none,zlib at openssh.com [preauth]
debug2: languages ctos:  [preauth]
debug2: languages stoc:  [preauth]
debug2: first_kex_follows 0  [preauth]
debug2: reserved 0  [preauth]
debug2: peer client KEXINIT proposal [preauth]
debug2: KEX algorithms:
curve25519-sha256,curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c
[preauth]
debug2: host key algorithms:
ssh-rsa-cert-v01 at openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ssh-ed25519-cert-v01 at openssh.com,ssh-dss-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss
[preauth]
debug2: ciphers ctos:
chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
[preauth]
debug2: ciphers stoc:
chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
[preauth]
debug2: MACs ctos:
umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
[preauth]
debug2: MACs stoc:
umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
[preauth]
debug2: compression ctos: none,zlib at openssh.com,zlib [preauth]
debug2: compression stoc: none,zlib at openssh.com,zlib [preauth]
debug2: languages ctos:  [preauth]
debug2: languages stoc:  [preauth]
debug2: first_kex_follows 0  [preauth]
debug2: reserved 0  [preauth]
debug1: kex: algorithm: curve25519-sha256 [preauth]
debug1: kex: host key algorithm: rsa-sha2-512 [preauth]
debug1: kex: client->server cipher: aes128-ctr MAC:
umac-128-etm at openssh.com compression: none [preauth]
debug1: kex: server->client cipher: aes128-ctr MAC:
umac-128-etm at openssh.com compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug3: receive packet: type 30 [preauth]
debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth]
debug3: mm_sshkey_sign: entering [preauth]
debug3: mm_request_send: entering, type 6 [preauth]
debug3: mm_sshkey_sign: waiting for MONITOR_ANS_SIGN [preauth]
debug3: mm_request_receive_expect: entering, type 7 [preauth]
debug3: mm_request_receive: entering [preauth]
debug3: mm_request_receive: entering
debug3: monitor_read: checking request 6
debug3: mm_answer_sign: entering
debug3: mm_answer_sign: rsa-sha2-512 KEX signature len=276
debug3: mm_request_send: entering, type 7
debug2: monitor_read: 6 used once, disabling now
debug3: send packet: type 31 [preauth]
debug3: send packet: type 21 [preauth]
debug2: ssh_set_newkeys: mode 1 [preauth]
debug1: rekey out after 4294967296 blocks [preauth]
ssh_sandbox_violation: unexpected system call
(arch:0x40000028,syscall:403 @ 0xb6b3c74c) [preauth]
debug1: monitor_read_log: child log fd closed
debug3: mm_request_receive: entering
debug1: do_cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: Killing privsep child 3240
~ $

=========================================================
Also in config.log file of OpenSSH below message is there 
=========================================================

configure:12291: checking for library containing clock_gettime
configure:12322: arm-cortexa8-linux-gnueabi-gcc -o conftest -Og
-fno-omit-frame-pointer -pipe -Wall -Wno-unused-local-typedefs
-funwind-tables -ggdb  -Wno-psabi -msoft-float -g -rdynamic
-mpoke-function-name -mapcs-frame -funwind-tables -Wno-unused-variable 
-pipe -Wno-error=format-truncation -Wall -Wpointer-arith
-Wuninitialized -Wsign-compare -Wformat-security
-Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result
-Wimplicit-fallthrough -Wmisleading-indentation -fno-strict-aliasing
-D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -Og
-fno-omit-frame-pointer -pipe -Wall -Wno-unused-local-typedefs
-funwind-tables -ggdb  -Wno-psabi -msoft-float -g -rdynamic
-mpoke-function-name -mapcs-frame -funwind-tables -Wno-unused-variable 
-fPIE -I/home/eaton/px_red/edge-linux-prod-bbb/output/exported/include
-U_FORTIFY_SOURCE  -funwind-tables -Wno-psabi
-DTOOLKIT_VERSION="Non-EdgeX-Linux-4.7.4" -Wno-unused-variable
-D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE
-L/home/eaton/px_red/edge-linux-prod-bbb/output/exported/lib 
-Wl,-rpath-link=/home/eaton/px_red/edge-linux-prod-bbb/output/exported/lib
-Wl,--copy-dt-needed-entries  -Wl,-z,relro -Wl,-z,now
-Wl,-z,noexecstack -pie conftest.c -lz  >&5
configure:12322: $? = 0
configure:12339: result: none required

Question: result "none required" - does it mean that it couldn't find
the library which has clock_gettime? Or is it required for me to make
some changes in configuration file to reach to this library. Request
your help here.

In the same file for other macro declaration check, result says as
"yes" 

        configure:12350: checking whether localtime_r is declared
        configure:12350: arm-cortexa8-linux-gnueabi-gcc -c -Og
-fno-omit-frame-pointer -pipe -Wall -Wno-unused-local-typedefs
-funwind-tables -ggdb  -Wno-psabi -msoft-float -g -rdynamic
-mpoke-function-name -mapcs-frame -funwind-tables -Wno-unused-variable 
-pipe -Wno-error=format-truncation -Wall -Wpointer-arith
-Wuninitialized -Wsign-compare -Wformat-security
-Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result
-Wimplicit-fallthrough -Wmisleading-indentation -fno-strict-aliasing
-D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -Og
-fno-omit-frame-pointer -pipe -Wall -Wno-unused-local-typedefs
-funwind-tables -ggdb  -Wno-psabi -msoft-float -g -rdynamic
-mpoke-function-name -mapcs-frame -funwind-tables -Wno-unused-variable 
-fPIE -I/home/eaton/px_red/edge-linux-prod-bbb/output/exported/include
-U_FORTIFY_SOURCE  -funwind-tables -Wno-psabi
-DTOOLKIT_VERSION="Non-EdgeX-Linux-4.7.4" -Wno-unused-variable
-D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE conftest.c >&5
configure:12350: $? = 0
configure:12350: result: yes

===============================
In Glibc 2.36
===============================
In Glibc 2.36 version (may be from 2.34 onwards) there is a flag
__USE_TIME_BITS64 used for time related functions. I didn't find a
place where they are setting this flag, so, I think its by default
false and considers it as 32 bit time. Correct me if I'm wrong. 

Do I need to make any changes in Glibc to make OpenSSH accept
connection?

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list