Bug 3469

Summary: SSH from host is not getting connected to Beaglebone black board having openssh 9.0p1
Product: Portable OpenSSH Reporter: Ravi Haravina N <raviharavina>
Component: sshdAssignee: Assigned to nobody <unassigned-bugs>
Status: NEW ---    
Severity: major CC: djm, dtucker
Priority: P5    
Version: 9.0p1   
Hardware: ARM   
OS: Linux   

Description Ravi Haravina N 2022-08-10 18:56:53 AEST 
Need your help in addressing one of critical issue related to ssh
 connection from HOST. 

success Scenario 1: 
   With Toolchain having Glibc 2.33, Binutils 2.37 and appliation Openssh 8.8p1 built the image for Beaglebone black (ARM) board. Able to perform SSH to the device from HOST.

Failure Scenario 2:
   With Toolchain having Glibc 2.36, Binutils 2.38 and appliation Openssh 8.8p1 built the image for BBB (ARM board). Not able to perform the SSH to device (BBB) from HOST. 
Below are the logs from HOST and BBB.

===============================
Debug Logs - ssh from HOST (Centos 7 VMWare) to BBB (192.168.200.101).
===============================

[eaton@localhost ~]$ ssh -v admin@192.168.200.101
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to 192.168.200.101 [192.168.200.101] port 22.
debug1: Connection established.
debug1: identity file /home/eaton/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/eaton/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/eaton/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/eaton/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/eaton/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/eaton/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/eaton/.ssh/id_ed25519 type 4
debug1: key_load_public: No such file or directory
debug1: identity file /home/eaton/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.8
debug1: match: OpenSSH_8.8 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.200.101:22 as 'admin'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: aes128-ctr MAC: umac-128-etm@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-128-etm@openssh.com compression: none
debug1: kex: curve25519-sha256 need=16 dh_need=16
debug1: kex: curve25519-sha256 need=16 dh_need=16
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
Connection closed by 192.168.200.101 port 22


===============================
Debug logs at BBB side - 
===============================

debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 3292
debug2: parse_server_config_depth: config /etc/ssh/sshd_config len 3292
debug3: /etc/ssh/sshd_config:12 setting Protocol 2
debug2: /etc/ssh/sshd_config line 12: Deprecated option Protocol
debug3: /etc/ssh/sshd_config:18 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: /etc/ssh/sshd_config:19 setting HostKey /etc/ssh/ssh_host_dsa_key
debug3: /etc/ssh/sshd_config:32 setting PermitRootLogin no
debug3: /etc/ssh/sshd_config:33 setting AllowGroups sshusers
debug3: /etc/ssh/sshd_config:35 setting MaxAuthTries 6
debug3: /etc/ssh/sshd_config:42 setting KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256]
debug3: /etc/ssh/sshd_config:43 setting Ciphers aes256-ctr,aes192-ctr,aes128-ctr
debug3: /etc/ssh/sshd_config:44 setting MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
debug3: /etc/ssh/sshd_config:82 setting UsePAM yes
debug3: /etc/ssh/sshd_config:97 setting ClientAliveInterval 900
debug3: /etc/ssh/sshd_config:98 setting ClientAliveCountMax 0
debug3: /etc/ssh/sshd_config:99 setting UseDNS no
debug3: /etc/ssh/sshd_config:108 setting Subsystem sftp /libexec/sftp-server
debug1: sshd version OpenSSH_8.8, OpenSSL 1.1.1o  3 May 2022
debug1: private host key #0: ssh-rsa SHA256:oeY2TPdubQnAxUhXloV65tmB8v2gDMg1lDxLpaghe+4
debug1: private host key #1: ssh-dss SHA256:LTk/c4rfaxHzfTinsiAgfNRnIrvb91DvAeR7Byw6BBA
debug1: rexec_argv[0]='/sbin/sshd'
debug1: rexec_argv[1]='-f'
debug1: rexec_argv[2]='/etc/ssh/sshd_config'
debug1: rexec_argv[3]='-ddd'
debug3: oom_adjust_setup
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug2: fd 4 setting O_NONBLOCK
debug3: sock_set_v6only: set socket 4 IPV6_V6ONLY
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug3: fd 5 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 3292
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug3: recv_rexec_state: entering fd = 5
debug3: ssh_msg_recv entering
debug3: recv_rexec_state: done
debug2: parse_server_config_depth: config rexec len 3292
debug3: rexec:12 setting Protocol 2
debug2: rexec line 12: Deprecated option Protocol
debug3: rexec:18 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: rexec:19 setting HostKey /etc/ssh/ssh_host_dsa_key
debug3: rexec:32 setting PermitRootLogin no
debug3: rexec:33 setting AllowGroups sshusers
debug3: rexec:35 setting MaxAuthTries 6
debug3: rexec:42 setting KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256]
debug3: rexec:43 setting Ciphers aes256-ctr,aes192-ctr,aes128-ctr
debug3: rexec:44 setting MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
debug3: rexec:82 setting UsePAM yes
debug3: rexec:97 setting ClientAliveInterval 900
debug3: rexec:98 setting ClientAliveCountMax 0
debug3: rexec:99 setting UseDNS no
debug3: rexec:108 setting Subsystem sftp        /libexec/sftp-server
debug1: sshd version OpenSSH_8.8, OpenSSL 1.1.1o  3 May 2022
debug1: private host key #0: ssh-rsa SHA256:oeY2TPdubQnAxUhXloV65tmB8v2gDMg1lDxLpaghe+4
debug1: private host key #1: ssh-dss SHA256:LTk/c4rfaxHzfTinsiAgfNRnIrvb91DvAeR7Byw6BBA
debug1: inetd sockets after dupping: 3, 3
Connection from 192.168.200.1 port 54664 on 192.168.200.101 port 22
debug1: Local version string SSH-2.0-OpenSSH_8.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: compat_banner: match: OpenSSH_7.4 pat OpenSSH_7.4* compat 0x04000006
debug2: fd 3 setting O_NONBLOCK
debug3: ssh_sandbox_init: preparing seccomp filter sandbox
debug2: Network child is on pid 3762
debug3: preauth child monitor started
debug3: privsep user:group 98:98 [preauth]
debug1: permanently_set_uid: 98/98 [preauth]
debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth]
debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
debug3: append_hostkey_type: ssh-rsa key not permitted by HostkeyAlgorithms [preauth]
debug3: append_hostkey_type: ssh-dss key not permitted by HostkeyAlgorithms [preauth]
debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256 [preauth]
debug3: send packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug3: receive packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug2: local server KEXINIT proposal [preauth]
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 [preauth]
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256 [preauth]
debug2: ciphers ctos: aes256-ctr,aes192-ctr,aes128-ctr [preauth]
debug2: ciphers stoc: aes256-ctr,aes192-ctr,aes128-ctr [preauth]
debug2: MACs ctos: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com [preauth]
debug2: MACs stoc: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com [preauth]
debug2: compression ctos: none,zlib@openssh.com [preauth]
debug2: compression stoc: none,zlib@openssh.com [preauth]
debug2: languages ctos:  [preauth]
debug2: languages stoc:  [preauth]
debug2: first_kex_follows 0  [preauth]
debug2: reserved 0  [preauth]
debug2: peer client KEXINIT proposal [preauth]
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c [preauth]
debug2: host key algorithms: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss [preauth]
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc [preauth]
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc [preauth]
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: compression ctos: none,zlib@openssh.com,zlib [preauth]
debug2: compression stoc: none,zlib@openssh.com,zlib [preauth]
debug2: languages ctos:  [preauth]
debug2: languages stoc:  [preauth]
debug2: first_kex_follows 0  [preauth]
debug2: reserved 0  [preauth]
debug1: kex: algorithm: curve25519-sha256 [preauth]
debug1: kex: host key algorithm: rsa-sha2-512 [preauth]
debug1: kex: client->server cipher: aes128-ctr MAC: umac-128-etm@openssh.com compression: none [preauth]
debug1: kex: server->client cipher: aes128-ctr MAC: umac-128-etm@openssh.com compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug3: receive packet: type 30 [preauth]
debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth]
debug3: mm_sshkey_sign: entering [preauth]
debug3: mm_request_send: entering, type 6 [preauth]
debug3: mm_sshkey_sign: waiting for MONITOR_ANS_SIGN [preauth]
debug3: mm_request_receive_expect: entering, type 7 [preauth]
debug3: mm_request_receive: entering [preauth]
debug3: mm_request_receive: entering
debug3: monitor_read: checking request 6
debug3: mm_answer_sign: entering
debug3: mm_answer_sign: rsa-sha2-512 KEX signature len=276
debug3: mm_request_send: entering, type 7
debug2: monitor_read: 6 used once, disabling now
debug3: send packet: type 31 [preauth]
debug3: send packet: type 21 [preauth]
debug2: set_newkeys: mode 1 [preauth]
debug1: rekey out after 4294967296 blocks [preauth]
debug1: monitor_read_log: child log fd closed
debug3: mm_request_receive: entering
debug1: do_cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: Killing privsep child 3762


===============================
Openssh Version details at BBB
===============================
Debug logs at BBB side - Openssh version
/tmp $ ssh -v localhost
OpenSSH_8.8p1, OpenSSL 1.1.1o  3 May 2022
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 45: Deprecated option "useroaming"
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: connect to address 127.0.0.1 port 22: Connection refused
ssh: connect to host localhost port 22: Connection refused
Comment 1 Damien Miller 2022-08-11 09:01:44 AEST 
It's fairly likely that this is a sandbox violation. You can debug this using the instructions at the start of the sandbox-seccomp-filter.c file, though you may need to apply commit 2580916e4 to fix a couple of bugs in the debugging code.

Once you have identified the failing syscall, we can either permit or ignore it in the BPF filter.
Comment 2 Damien Miller 2022-08-11 09:04:09 AEST 
However, you should first try openssh-9.0 as it contains a number of fixes over openssh-8.8, including one in the sandbox that might be the culprit.
Comment 3 Ravi Haravina N 2022-08-12 01:07:22 AEST 
Thank you Miller for you suggestion. 

Now, I have used 9.0p1 version and updated changes as suggested in commit 2580916e4. Still ssh connection from HOST is not successful. But I see sandbox _violation message in debug output, as well as in /flash/log/message.
  
  ssh_sandbox_violation: unexpected system call (arch:0x40000028,syscall:403 @ 0xb6b3c74c) [preauth
  
As per syscall:403 number, it relates to "clock_gettime64" syscall which is an alias for "clock_gettime" (as per details in https://www.lurklurk.org/syscalls.html). Also this function is supported for i386 and generic type architecture but not for "arm". 

Question: How to fix this in OpenSSH?

=========================  
Below are debug messages from sshd on BBB 
=========================  

debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 3292
debug2: parse_server_config_depth: config /etc/ssh/sshd_config len 3292
debug3: /etc/ssh/sshd_config:12 setting Protocol 2
debug2: /etc/ssh/sshd_config line 12: Deprecated option Protocol
debug3: /etc/ssh/sshd_config:18 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: /etc/ssh/sshd_config:19 setting HostKey /etc/ssh/ssh_host_dsa_key
debug3: /etc/ssh/sshd_config:32 setting PermitRootLogin no
debug3: /etc/ssh/sshd_config:33 setting AllowGroups sshusers
debug3: /etc/ssh/sshd_config:35 setting MaxAuthTries 6
debug3: /etc/ssh/sshd_config:42 setting KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256]
debug3: /etc/ssh/sshd_config:43 setting Ciphers aes256-ctr,aes192-ctr,aes128-ctr
debug3: /etc/ssh/sshd_config:44 setting MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
debug3: /etc/ssh/sshd_config:82 setting UsePAM yes
debug3: /etc/ssh/sshd_config:97 setting ClientAliveInterval 900
debug3: /etc/ssh/sshd_config:98 setting ClientAliveCountMax 0
debug3: /etc/ssh/sshd_config:99 setting UseDNS no
debug3: /etc/ssh/sshd_config:108 setting Subsystem sftp /libexec/sftp-server
debug1: sshd version OpenSSH_9.0, OpenSSL 1.1.1q  5 Jul 2022
debug1: private host key #0: ssh-rsa SHA256:oeY2TPdubQnAxUhXloV65tmB8v2gDMg1lDxLpaghe+4
debug1: private host key #1: ssh-dss SHA256:LTk/c4rfaxHzfTinsiAgfNRnIrvb91DvAeR7Byw6BBA
debug1: rexec_argv[0]='/sbin/sshd'
debug1: rexec_argv[1]='-f'
debug1: rexec_argv[2]='/etc/ssh/sshd_config'
debug1: rexec_argv[3]='-ddd'
debug3: oom_adjust_setup
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug2: fd 4 setting O_NONBLOCK
debug3: sock_set_v6only: set socket 4 IPV6_V6ONLY
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug3: fd 5 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 3292
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug3: recv_rexec_state: entering fd = 5
debug3: ssh_msg_recv entering
debug3: recv_rexec_state: done
debug2: parse_server_config_depth: config rexec len 3292
debug3: rexec:12 setting Protocol 2
debug2: rexec line 12: Deprecated option Protocol
debug3: rexec:18 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: rexec:19 setting HostKey /etc/ssh/ssh_host_dsa_key
debug3: rexec:32 setting PermitRootLogin no
debug3: rexec:33 setting AllowGroups sshusers
debug3: rexec:35 setting MaxAuthTries 6
debug3: rexec:42 setting KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256]
debug3: rexec:43 setting Ciphers aes256-ctr,aes192-ctr,aes128-ctr
debug3: rexec:44 setting MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
debug3: rexec:82 setting UsePAM yes
debug3: rexec:97 setting ClientAliveInterval 900
debug3: rexec:98 setting ClientAliveCountMax 0
debug3: rexec:99 setting UseDNS no
debug3: rexec:108 setting Subsystem sftp        /libexec/sftp-server
debug1: sshd version OpenSSH_9.0, OpenSSL 1.1.1q  5 Jul 2022
debug1: private host key #0: ssh-rsa SHA256:oeY2TPdubQnAxUhXloV65tmB8v2gDMg1lDxLpaghe+4
debug1: private host key #1: ssh-dss SHA256:LTk/c4rfaxHzfTinsiAgfNRnIrvb91DvAeR7Byw6BBA
debug1: inetd sockets after dupping: 3, 3
Connection from 192.168.200.1 port 62187 on 192.168.200.101 port 22 rdomain ""
debug1: Local version string SSH-2.0-OpenSSH_9.0
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: compat_banner: match: OpenSSH_7.4 pat OpenSSH_7.4* compat 0x04000006
debug2: fd 3 setting O_NONBLOCK
debug3: ssh_sandbox_init: preparing seccomp filter sandbox
debug2: Network child is on pid 3240
debug3: preauth child monitor started
debug3: privsep user:group 98:98 [preauth]
debug1: permanently_set_uid: 98/98 [preauth]
debug3: ssh_sandbox_child_debugging: installing SIGSYS handler [preauth]
debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth]
debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
debug3: append_hostkey_type: ssh-rsa key not permitted by HostkeyAlgorithms [preauth]
debug3: append_hostkey_type: ssh-dss key not permitted by HostkeyAlgorithms [preauth]
debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256 [preauth]
debug3: send packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug3: receive packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug2: local server KEXINIT proposal [preauth]
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 [preauth]
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256 [preauth]
debug2: ciphers ctos: aes256-ctr,aes192-ctr,aes128-ctr [preauth]
debug2: ciphers stoc: aes256-ctr,aes192-ctr,aes128-ctr [preauth]
debug2: MACs ctos: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com [preauth]
debug2: MACs stoc: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com [preauth]
debug2: compression ctos: none,zlib@openssh.com [preauth]
debug2: compression stoc: none,zlib@openssh.com [preauth]
debug2: languages ctos:  [preauth]
debug2: languages stoc:  [preauth]
debug2: first_kex_follows 0  [preauth]
debug2: reserved 0  [preauth]
debug2: peer client KEXINIT proposal [preauth]
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c [preauth]
debug2: host key algorithms: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss [preauth]
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc [preauth]
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc [preauth]
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: compression ctos: none,zlib@openssh.com,zlib [preauth]
debug2: compression stoc: none,zlib@openssh.com,zlib [preauth]
debug2: languages ctos:  [preauth]
debug2: languages stoc:  [preauth]
debug2: first_kex_follows 0  [preauth]
debug2: reserved 0  [preauth]
debug1: kex: algorithm: curve25519-sha256 [preauth]
debug1: kex: host key algorithm: rsa-sha2-512 [preauth]
debug1: kex: client->server cipher: aes128-ctr MAC: umac-128-etm@openssh.com compression: none [preauth]
debug1: kex: server->client cipher: aes128-ctr MAC: umac-128-etm@openssh.com compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug3: receive packet: type 30 [preauth]
debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth]
debug3: mm_sshkey_sign: entering [preauth]
debug3: mm_request_send: entering, type 6 [preauth]
debug3: mm_sshkey_sign: waiting for MONITOR_ANS_SIGN [preauth]
debug3: mm_request_receive_expect: entering, type 7 [preauth]
debug3: mm_request_receive: entering [preauth]
debug3: mm_request_receive: entering
debug3: monitor_read: checking request 6
debug3: mm_answer_sign: entering
debug3: mm_answer_sign: rsa-sha2-512 KEX signature len=276
debug3: mm_request_send: entering, type 7
debug2: monitor_read: 6 used once, disabling now
debug3: send packet: type 31 [preauth]
debug3: send packet: type 21 [preauth]
debug2: ssh_set_newkeys: mode 1 [preauth]
debug1: rekey out after 4294967296 blocks [preauth]
ssh_sandbox_violation: unexpected system call (arch:0x40000028,syscall:403 @ 0xb6b3c74c) [preauth]
debug1: monitor_read_log: child log fd closed
debug3: mm_request_receive: entering
debug1: do_cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: Killing privsep child 3240
~ $

=========================================================
Also in config.log file of OpenSSH below message is there 
=========================================================

configure:12291: checking for library containing clock_gettime
configure:12322: arm-cortexa8-linux-gnueabi-gcc -o conftest -Og -fno-omit-frame-pointer -pipe -Wall -Wno-unused-local-typedefs -funwind-tables -ggdb  -Wno-psabi -msoft-float -g -rdynamic -mpoke-function-name -mapcs-frame -funwind-tables -Wno-unused-variable  -pipe -Wno-error=format-truncation -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -Wimplicit-fallthrough -Wmisleading-indentation -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -Og -fno-omit-frame-pointer -pipe -Wall -Wno-unused-local-typedefs -funwind-tables -ggdb  -Wno-psabi -msoft-float -g -rdynamic -mpoke-function-name -mapcs-frame -funwind-tables -Wno-unused-variable  -fPIE -I/home/eaton/px_red/edge-linux-prod-bbb/output/exported/include -U_FORTIFY_SOURCE  -funwind-tables -Wno-psabi -DTOOLKIT_VERSION="Non-EdgeX-Linux-4.7.4" -Wno-unused-variable -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -L/home/eaton/px_red/edge-linux-prod-bbb/output/exported/lib  -Wl,-rpath-link=/home/eaton/px_red/edge-linux-prod-bbb/output/exported/lib -Wl,--copy-dt-needed-entries  -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -pie conftest.c -lz  >&5
configure:12322: $? = 0
configure:12339: result: none required

Question: result "none required" - does it mean that it couldn't find the library which has clock_gettime? Or is it required for me to make some changes in configuration file to reach to this library. Request your help here.

In the same file for other macro declaration check, result says as "yes" 

	configure:12350: checking whether localtime_r is declared
	configure:12350: arm-cortexa8-linux-gnueabi-gcc -c -Og -fno-omit-frame-pointer -pipe -Wall -Wno-unused-local-typedefs -funwind-tables -ggdb  -Wno-psabi -msoft-float -g -rdynamic -mpoke-function-name -mapcs-frame -funwind-tables -Wno-unused-variable  -pipe -Wno-error=format-truncation -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -Wimplicit-fallthrough -Wmisleading-indentation -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -Og -fno-omit-frame-pointer -pipe -Wall -Wno-unused-local-typedefs -funwind-tables -ggdb  -Wno-psabi -msoft-float -g -rdynamic -mpoke-function-name -mapcs-frame -funwind-tables -Wno-unused-variable  -fPIE -I/home/eaton/px_red/edge-linux-prod-bbb/output/exported/include -U_FORTIFY_SOURCE  -funwind-tables -Wno-psabi -DTOOLKIT_VERSION="Non-EdgeX-Linux-4.7.4" -Wno-unused-variable -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE conftest.c >&5
configure:12350: $? = 0
configure:12350: result: yes

===============================
In Glibc 2.36
===============================
In Glibc 2.36 version (may be from 2.34 onwards) there is a flag __USE_TIME_BITS64 used for time related functions. I didn't find a place where they are setting this flag, so, I think its by default false and considers it as 32 bit time. Correct me if I'm wrong. 

Do I need to make any changes in Glibc to make OpenSSH accept connection?
Comment 4 Darren Tucker 2022-08-12 09:25:40 AEST 
(In reply to Ravi Haravina N from comment #3)
[...]
>   ssh_sandbox_violation: unexpected system call
> (arch:0x40000028,syscall:403 @ 0xb6b3c74c) [preauth
>   
> As per syscall:403 number, it relates to "clock_gettime64" syscall
> which is an alias for "clock_gettime" (as per details in
> https://www.lurklurk.org/syscalls.html). Also this function is
> supported for i386 and generic type architecture but not for "arm". 

Both clock_gettime and clock_gettime64 are permitted in sandbox-seccomp-filter.c:

#ifdef __NR_clock_gettime
        SC_ALLOW(__NR_clock_gettime),
#endif
#ifdef __NR_clock_gettime64
        SC_ALLOW(__NR_clock_gettime64),
#endif

HOWEVER this in contingent on the corresponding symbol being defined in the system headers.  If you are building against headers from an older glibc you might not have all the required symbols (most likely __NR_clock_gettime64 is missing).

> Question: How to fix this in OpenSSH?

Fix your headers.

[...]
> Question: result "none required" - does it mean that it couldn't
> find the library which has clock_gettime? Or is it required for me
> to make some changes in configuration file to reach to this library.
> Request your help here.

It means no additional libraries are needed to find clock_gettime, ie it's almost certainly in libc.
Comment 5 Ravi Haravina N 2022-08-13 00:43:32 AEST 
Hi Miller,
Thanks for your reply. Found the place in Openssh where we call clock_gettime - in packet.c->ssh_packet_send2 line#1293 (state->rekey_time = monotime();) which in turn calls clock_gettime.

Analysing the header file of usr/include/time.h (in toolchain having glibc 2.36 version) seems there is a flag __USE_TIME_BITS64 which defines, which function(APIs) to be used. 

Analysis is in progress. I will update once I have some info to this issue. 
Thankyou for directing me to right path.