After updating openssh to version 8.9p1 and restarting sshd, it is unable to complete the connection/login process:

remote:
debug1: Local version string SSH-2.0-OpenSSH_8.8p1-hpn15v2
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1-hpn15v2
debug1: compat_banner: match: OpenSSH_8.9p1-hpn15v2 pat OpenSSH* compat 0x04000000
...
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: AUTH STATE IS 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: REQUESTED ENC.NAME is 'aes128-ctr'
debug1: REQUESTED MAC.NAME is 'umac-64-etm@openssh.com'
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: zlib@openssh.com
debug1: REQUESTED ENC.NAME is 'aes128-ctr'
debug1: REQUESTED MAC.NAME is 'umac-64-etm@openssh.com'
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: zlib@openssh.com
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
disconnect.

local dmesg:
[682483.482239] audit: type=1326 audit(1645779265.254:7): auid=0 uid=22 gid=22 ses=6 pid=6030 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=40000003 syscall=414 compat=0 ip=0xb7f2d549 code=0x0

Initially reported at Gentoo bugzilla https://bugs.gentoo.org/834019 and has been confirmed there (you might also want to see the basic build environment details).

Affected: x86 (i686) architecture, 32-bit kernel + 32-bit userland and 64-bit kernel with 32-bit userland.
The 64-bit (amd64) arch is not affected.

Tested with the HPN patch and without it; it does not matter, the problem persists.
Created attachment 3574
Allow ppoll_time64 in seccomp filter

This should fix it. I have no way to test since I am on amd64, which does not seem to be affected.
This was also reported as https://bugs.debian.org/1006445, with a very similar patch. https://bugs.debian.org/1006463 reports that (as I expected) armhf is also affected; I think it'll be on most or all 32-bit Linux architectures.
Thanks for the report. I have committed the patch and cherry-picked it into the V_8_9 branch, so it will be in the next release.

(In reply to Colin Watson from comment #2)
> I think it'll be on most or all 32-bit Linux architectures.

Sigh. I actually have a 32-bit ARM SBC running Debian in the test systems in an attempt to catch this kind of thing, but it didn't. (I suspect it's too old.) Anyway, I've added a Debian i386 VM to the test set.
Patrick's patch suggested above works for me. Also see https://bugs.gentoo.org/834019#c11
Closing bug resolved during the openssh-9.0 release cycle.
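
Added example, not part of the original thread and not OpenSSH code: a small triage helper that decodes the kernel audit type=1326 (seccomp) record quoted in the first comment, showing how arch=40000003 and syscall=414 identify ppoll_time64 on a 32-bit x86 ABI. The function names and the subset of syscall numbers in the table are choices made for this example; the sample line is copied from the report.

```python
import re

# Sample input: the audit record quoted in the first comment of this report.
SAMPLE = ('audit: type=1326 audit(1645779265.254:7): auid=0 uid=22 gid=22 ses=6 '
          'pid=6030 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=40000003 '
          'syscall=414 compat=0 ip=0xb7f2d549 code=0x0')

# AUDIT_ARCH_* values from <linux/audit.h>; bit 0x80000000 marks a 64-bit ABI.
ARCHES = {0x40000003: "i386", 0xC000003E: "x86_64",
          0x40000028: "arm", 0xC00000B7: "aarch64"}

# time64 syscalls share these numbers across 32-bit Linux ABIs (subset only).
TIME64 = {403: "clock_gettime64", 407: "clock_nanosleep_time64",
          413: "pselect6_time64", 414: "ppoll_time64", 422: "futex_time64"}

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_seccomp_record(line):
    """Return decoded fields of an audit type=1326 (SECCOMP) record, or None."""
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    if fields.get("type") != "1326":
        return None
    arch = int(fields["arch"], 16)      # arch is logged as bare hex
    nr = int(fields["syscall"])         # syscall number is logged in decimal
    is32 = not arch & 0x80000000
    return {
        "exe": fields.get("exe"),
        "pid": int(fields["pid"]),
        "signal": int(fields["sig"]),   # 31 is SIGSYS on x86 and ARM
        "arch": ARCHES.get(arch, hex(arch)),
        "syscall_nr": nr,
        "syscall": TIME64.get(nr) if is32 else None,
        "is_32bit_abi": is32,
    }

def explain(rec):
    """One-line summary suitable for an incident note."""
    name = rec["syscall"] or f"syscall {rec['syscall_nr']}"
    return (f"{rec['exe']} (pid {rec['pid']}) got signal {rec['signal']}: "
            f"seccomp filter rejected {name} on {rec['arch']}")

if __name__ == "__main__":
    print(explain(parse_seccomp_record(SAMPLE)))
```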