| Summary: | sshd breaks logins after upgrade to 3.7.1p1 (Tru64 UNIX) |
|---|---|
| Product: | Portable OpenSSH |
| Reporter: | Ole Holm Nielsen <Ole.H.Nielsen> |
| Component: | sshd |
| Assignee: | OpenSSH Bugzilla mailing list <openssh-bugs> |
| Status: | CLOSED FIXED |
| Severity: | critical |
| Priority: | P2 |
| Version: | 3.7.1p1 |
| Hardware: | Alpha |
| OS: | OSF/1 |
Description
Ole Holm Nielsen
2003-09-17 23:01:08 AEST
Created attachment 409 [details]
SSH login attempt verbose log
I have exactly the same experience. I have now compiled 3.6.1p2 and 3.7.1p1 with the same
configure command line and got the same problem. The connection breaks right after
"SSH2_MSG_KEXINIT sent"
$ ssh -v -v -v -l root -p 443 serow
OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x009060af
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug2: ssh_connect: needpriv 0
debug1: Connecting to serow [146.107.217.72] port 443.
debug1: Connection established.
debug1: identity file /home/mokrejs/.ssh/identity type 0
debug1: identity file /home/mokrejs/.ssh/id_rsa type 0
debug3: Not a RSA1 key file /home/mokrejs/.ssh/id_dsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/mokrejs/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.7.1p1
debug1: match: OpenSSH_3.7.1p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2
debug1: SSH2_MSG_KEXINIT sent
Connection closed by 146.107.217.72
debug1: Calling cleanup 0x8062440(0x0)
mokrejs@vrapenec$
$ ./configure --prefix=/usr/local --with-tcp-wrappers \
    --with-ssl-dir=/software/@sys/usr/openssl --with-prngd-socket=/var/run/egd-pool \
    --with-default-path=/software/@sys/usr/bin:/software/@sys/usr/sbin:/usr/afs/bin:/software/@sys/usr/openssl/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/bin:/sbin:/usr/sbin:/usr/opt/svr4/bin:/usr/opt/svr4/sbin \
    --with-xauth=/usr/bin/X11/xauth --with-zlib --with-osfsia \
    --with-login=/usr/bin/login --without-privsep
The server says:
# ./sshd -p 443 -D -d -d -d
debug2: read_server_config: filename /usr/local/etc/sshd_config
debug1: sshd version OpenSSH_3.7.1p1
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /usr/local/etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /usr/local/etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 443 on 0.0.0.0.
Server listening on 0.0.0.0 port 443.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 146.107.217.207 port 34077
debug1: Client protocol version 2.0; client software version OpenSSH_3.6.1p2
debug1: match: OpenSSH_3.6.1p2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.7.1p1
debug2: Network child is on pid 34085
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug3: privsep user:group 15:22
debug1: permanently_set_uid: 15/22
permanently_set_uid: was able to restore old [e]gid
debug1: Calling cleanup 0x12006ff40(0x0)
#
I suspect an inability to read RAND data (below is a truss snippet from the ./sshd -D -d
-d -d execution).
33868: fork() = 33871
33871: fork() (returning as child ...) = 33871
debug2: Network child is on pid 33871
33868: write(2, " d e b u g 2 : N e t w".., 39) = 39
33871: getsysinfo(67, 0x000000011FFFB0F0, 4, 0x00000000, 0x00000000, 0x00000000) = 1
33868: close(3) = 0
33871: close(7) = 0
debug3: preauth child monitor started
33868: write(2, " d e b u g 3 : p r e a".., 39) = 39
33871: getuid() = 0 [ 0 ]
debug3: mm_request_receive entering
33868: write(2, " d e b u g 3 : m m _ r".., 37) = 37
33871: fstat(0, 0x000000011FFFB0F8) = 0
33871: fstat(1, 0x000000011FFFB0F8) = 0
33871: fstat(2, 0x000000011FFFB0F8) = 0
33871: open("/etc/passwd.pag", O_RDONLY, 00) Err#2 No such file or directory
33871: open("/etc/passwd", O_RDONLY, 0666) = 7
33871: fstat(7, 0x000000011FFFB010) = 0
33871: ioctl(7, 0x2000745E, 0x00000000) Err#25 Not a typewriter
33871: read(7, " r o o t : 5 1 A B 3 Y B".., 8192) = 891
33871: lseek(7, 0xFFFFFFFF, SEEK_CUR) = 888
33871: close(7) = 0
33871: fstat(0, 0x000000011FFFB0F8) = 0
33871: fstat(1, 0x000000011FFFB0F8) = 0
33871: fstat(2, 0x000000011FFFB0F8) = 0
33871: chroot("/var/empty") = 0
33871: chdir("/") = 0
debug3: privsep user:group 15:22
33871: write(2, " d e b u g 3 : p r i v".., 34) = 34
33871: setgroups(1, 0x000000011FFFB340) = 0
33871: getuid() = 0 [ 0 ]
33871: getgid() = 1 [ 1 ]
debug1: permanently_set_uid: 15/22
33871: write(2, " d e b u g 1 : p e r m".., 36) = 36
33871: setregid(22, 22) = 0
33871: setreuid(15, 15) = 0
33871: setgid(1) = 0
permanently_set_uid: was able to restore old [e]gid
33871: write(2, " p e r m a n e n t l y _".., 53) = 53
debug1: Calling cleanup 0x12006ff40(0x0)
33871: write(2, " d e b u g 1 : C a l l".., 42) = 42
33871: shutdown(4, SHUT_RDWR) = 0
33871: close(4) = 0
Could the output of sshd and ssh be enhanced so that it tells which EGD it is using?

OK, I stole the idea from http://bugzilla.mindrot.org/show_bug.cgi?id=659
Edit openssh-3.7.1p1/config.h to have as follows:
/* Define if your platform breaks doing a seteuid before a setuid */
#define SETEUID_BREAKS_SETUID
/* Define if your setreuid() is broken */
#define BROKEN_SETREUID
/* Define if your setregid() is broken */
#define BROKEN_SETREGID
That fixes our problem.

I have tried Martin Mokrejs' workaround:
Edit openssh-3.7.1p1/config.h to have as follows:
/* Define if your platform breaks doing a seteuid before a setuid */
#define SETEUID_BREAKS_SETUID
/* Define if your setreuid() is broken */
#define BROKEN_SETREUID
/* Define if your setregid() is broken */
#define BROKEN_SETREGID
This solves the problem on our systems as well (Tru64 UNIX 5.1A and 4.0F)!
One mustn't edit acconfig.h and then run configure; it's required to edit config.h as above *after* the configure step.
To the developers: The final bugfix seemingly needs to define the 3 above lines for the OSF/1 operating system (Tru64 UNIX). I wonder why this wasn't necessary prior to version 3.7?

Created attachment 436 [details]
Add defines to configure for Digital Unix
Please try the attached patch. You will need to run "autoconf" to rebuild
configure.

Thanks for the report, this has been fixed (in HEAD and the 3.7 branch). Please test tomorrow's snapshot.

I downloaded OpenSSH 3.7.1p2 and installed it on Tru64 UNIX v4.0F. I can confirm that this bug is fixed now. Another bug exists (will be reported separately): When sshd should be started from /etc/inittab, no sshd process is running upon a reboot. If I start sshd from the command-line it's OK.

Mass change of RESOLVED bugs to CLOSED
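
The check behind the server's "was able to restore old [e]gid" message, as an added example (not OpenSSH's code and not part of the bug report): a small C model of a process's real/effective/saved gids in which a privilege drop is accepted only if the old gid can no longer be taken back. The struct, the function names and the assumption that the faulty setregid() leaves the saved gid untouched are illustrative; the gid values 1 and 22 are the ones in the truss trace.

```c
#include <stdio.h>

/* Modelled group credentials of one process: real, effective, saved. */
struct gids { int r, e, s; };

/* setregid(g, g) as the drop expects it: all three ids are replaced. */
static int setregid_full(struct gids *c, int g)
{
    c->r = c->e = c->s = g;
    return 0;
}

/* Assumed faulty variant (illustrative): the saved gid keeps its old value. */
static int setregid_stale_saved(struct gids *c, int g)
{
    c->r = c->e = g;
    return 0;
}

/* setgid() for an unprivileged process: only the real or saved gid is allowed. */
static int setgid_unpriv(struct gids *c, int g)
{
    if (g != c->r && g != c->s)
        return -1;              /* would be EPERM */
    c->e = g;
    return 0;
}

/* Drop to new_gid, then try to get the old gid back.
 * Returns 0 if the drop is permanent, -1 if the drop itself failed,
 * -2 if the old gid was still restorable (the fatal case in the log). */
static int drop_gid_and_verify(struct gids *c, int new_gid,
                               int (*do_setregid)(struct gids *, int))
{
    int old_gid = c->r;
    if (do_setregid(c, new_gid) != 0)
        return -1;
    if (old_gid != new_gid && setgid_unpriv(c, old_gid) == 0)
        return -2;
    return (c->r == new_gid && c->e == new_gid) ? 0 : -1;
}

/* Constructed inputs: start at gid 1, drop to gid 22, as in the trace. */
int check_full(void)  { struct gids c = {1, 1, 1}; return drop_gid_and_verify(&c, 22, setregid_full); }
int check_stale(void) { struct gids c = {1, 1, 1}; return drop_gid_and_verify(&c, 22, setregid_stale_saved); }

int main(void)
{
    printf("full setregid:  %d\n", check_full());
    printf("stale saved id: %d\n", check_stale());
    return 0;
}
```

In the trace, setregid(22, 22) and setreuid(15, 15) both return 0 and the later setgid(1) also returns 0, which corresponds to the -2 case here.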