Need your help in addressing one of critical issue related to ssh connection from HOST. success Scenario 1: With Toolchain having Glibc 2.33, Binutils 2.37 and appliation Openssh 8.8p1 built the image for Beaglebone black (ARM) board. Able to perform SSH to the device from HOST. Failure Scenario 2: With Toolchain having Glibc 2.36, Binutils 2.38 and appliation Openssh 8.8p1 built the image for BBB (ARM board). Not able to perform the SSH to device (BBB) from HOST. Below are the logs from HOST and BBB. =============================== Debug Logs - ssh from HOST (Centos 7 VMWare) to BBB (192.168.200.101). =============================== [eaton@localhost ~]$ ssh -v admin@192.168.200.101 OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 58: Applying options for * debug1: Connecting to 192.168.200.101 [192.168.200.101] port 22. debug1: Connection established. debug1: identity file /home/eaton/.ssh/id_rsa type 1 debug1: key_load_public: No such file or directory debug1: identity file /home/eaton/.ssh/id_rsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/eaton/.ssh/id_dsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/eaton/.ssh/id_dsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/eaton/.ssh/id_ecdsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/eaton/.ssh/id_ecdsa-cert type -1 debug1: identity file /home/eaton/.ssh/id_ed25519 type 4 debug1: key_load_public: No such file or directory debug1: identity file /home/eaton/.ssh/id_ed25519-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.4 debug1: Remote protocol version 2.0, remote software version OpenSSH_8.8 debug1: match: OpenSSH_8.8 pat OpenSSH* compat 0x04000000 debug1: Authenticating to 192.168.200.101:22 as 'admin' debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: algorithm: curve25519-sha256 debug1: kex: host key algorithm: rsa-sha2-512 debug1: kex: server->client cipher: aes128-ctr MAC: umac-128-etm@openssh.com compression: none debug1: kex: client->server cipher: aes128-ctr MAC: umac-128-etm@openssh.com compression: none debug1: kex: curve25519-sha256 need=16 dh_need=16 debug1: kex: curve25519-sha256 need=16 dh_need=16 debug1: expecting SSH2_MSG_KEX_ECDH_REPLY Connection closed by 192.168.200.101 port 22 =============================== Debug logs at BBB side - =============================== debug2: load_server_config: filename /etc/ssh/sshd_config debug2: load_server_config: done config len = 3292 debug2: parse_server_config_depth: config /etc/ssh/sshd_config len 3292 debug3: /etc/ssh/sshd_config:12 setting Protocol 2 debug2: /etc/ssh/sshd_config line 12: Deprecated option Protocol debug3: /etc/ssh/sshd_config:18 setting HostKey /etc/ssh/ssh_host_rsa_key debug3: /etc/ssh/sshd_config:19 setting HostKey /etc/ssh/ssh_host_dsa_key debug3: /etc/ssh/sshd_config:32 setting PermitRootLogin no debug3: /etc/ssh/sshd_config:33 setting AllowGroups sshusers debug3: /etc/ssh/sshd_config:35 setting MaxAuthTries 6 debug3: /etc/ssh/sshd_config:42 setting KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256] debug3: /etc/ssh/sshd_config:43 setting Ciphers aes256-ctr,aes192-ctr,aes128-ctr debug3: /etc/ssh/sshd_config:44 setting MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com debug3: /etc/ssh/sshd_config:82 setting UsePAM yes debug3: /etc/ssh/sshd_config:97 setting ClientAliveInterval 900 debug3: /etc/ssh/sshd_config:98 setting ClientAliveCountMax 0 debug3: /etc/ssh/sshd_config:99 setting UseDNS no debug3: /etc/ssh/sshd_config:108 setting Subsystem sftp /libexec/sftp-server debug1: sshd version OpenSSH_8.8, OpenSSL 1.1.1o 3 May 2022 debug1: private host key #0: ssh-rsa SHA256:oeY2TPdubQnAxUhXloV65tmB8v2gDMg1lDxLpaghe+4 debug1: private host key #1: ssh-dss SHA256:LTk/c4rfaxHzfTinsiAgfNRnIrvb91DvAeR7Byw6BBA debug1: rexec_argv[0]='/sbin/sshd' debug1: rexec_argv[1]='-f' debug1: rexec_argv[2]='/etc/ssh/sshd_config' debug1: rexec_argv[3]='-ddd' debug3: oom_adjust_setup debug1: Set /proc/self/oom_score_adj from 0 to -1000 debug2: fd 3 setting O_NONBLOCK debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. debug2: fd 4 setting O_NONBLOCK debug3: sock_set_v6only: set socket 4 IPV6_V6ONLY debug1: Bind to port 22 on ::. Server listening on :: port 22. debug3: fd 5 is not O_NONBLOCK debug1: Server will not fork when running in debugging mode. debug3: send_rexec_state: entering fd = 8 config len 3292 debug3: ssh_msg_send: type 0 debug3: send_rexec_state: done debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8 debug3: recv_rexec_state: entering fd = 5 debug3: ssh_msg_recv entering debug3: recv_rexec_state: done debug2: parse_server_config_depth: config rexec len 3292 debug3: rexec:12 setting Protocol 2 debug2: rexec line 12: Deprecated option Protocol debug3: rexec:18 setting HostKey /etc/ssh/ssh_host_rsa_key debug3: rexec:19 setting HostKey /etc/ssh/ssh_host_dsa_key debug3: rexec:32 setting PermitRootLogin no debug3: rexec:33 setting AllowGroups sshusers debug3: rexec:35 setting MaxAuthTries 6 debug3: rexec:42 setting KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256] debug3: rexec:43 setting Ciphers aes256-ctr,aes192-ctr,aes128-ctr debug3: rexec:44 setting MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com debug3: rexec:82 setting UsePAM yes debug3: rexec:97 setting ClientAliveInterval 900 debug3: rexec:98 setting ClientAliveCountMax 0 debug3: rexec:99 setting UseDNS no debug3: rexec:108 setting Subsystem sftp /libexec/sftp-server debug1: sshd version OpenSSH_8.8, OpenSSL 1.1.1o 3 May 2022 debug1: private host key #0: ssh-rsa SHA256:oeY2TPdubQnAxUhXloV65tmB8v2gDMg1lDxLpaghe+4 debug1: private host key #1: ssh-dss SHA256:LTk/c4rfaxHzfTinsiAgfNRnIrvb91DvAeR7Byw6BBA debug1: inetd sockets after dupping: 3, 3 Connection from 192.168.200.1 port 54664 on 192.168.200.101 port 22 debug1: Local version string SSH-2.0-OpenSSH_8.8 debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4 debug1: compat_banner: match: OpenSSH_7.4 pat OpenSSH_7.4* compat 0x04000006 debug2: fd 3 setting O_NONBLOCK debug3: ssh_sandbox_init: preparing seccomp filter sandbox debug2: Network child is on pid 3762 debug3: preauth child monitor started debug3: privsep user:group 98:98 [preauth] debug1: permanently_set_uid: 98/98 [preauth] debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth] debug3: ssh_sandbox_child: attaching seccomp filter program [preauth] debug3: append_hostkey_type: ssh-rsa key not permitted by HostkeyAlgorithms [preauth] debug3: append_hostkey_type: ssh-dss key not permitted by HostkeyAlgorithms [preauth] debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256 [preauth] debug3: send packet: type 20 [preauth] debug1: SSH2_MSG_KEXINIT sent [preauth] debug3: receive packet: type 20 [preauth] debug1: SSH2_MSG_KEXINIT received [preauth] debug2: local server KEXINIT proposal [preauth] debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 [preauth] debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256 [preauth] debug2: ciphers ctos: aes256-ctr,aes192-ctr,aes128-ctr [preauth] debug2: ciphers stoc: aes256-ctr,aes192-ctr,aes128-ctr [preauth] debug2: MACs ctos: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com [preauth] debug2: MACs stoc: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com [preauth] debug2: compression ctos: none,zlib@openssh.com [preauth] debug2: compression stoc: none,zlib@openssh.com [preauth] debug2: languages ctos: [preauth] debug2: languages stoc: [preauth] debug2: first_kex_follows 0 [preauth] debug2: reserved 0 [preauth] debug2: peer client KEXINIT proposal [preauth] debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c [preauth] debug2: host key algorithms: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss [preauth] debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc [preauth] debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc [preauth] debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth] debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth] debug2: compression ctos: none,zlib@openssh.com,zlib [preauth] debug2: compression stoc: none,zlib@openssh.com,zlib [preauth] debug2: languages ctos: [preauth] debug2: languages stoc: [preauth] debug2: first_kex_follows 0 [preauth] debug2: reserved 0 [preauth] debug1: kex: algorithm: curve25519-sha256 [preauth] debug1: kex: host key algorithm: rsa-sha2-512 [preauth] debug1: kex: client->server cipher: aes128-ctr MAC: umac-128-etm@openssh.com compression: none [preauth] debug1: kex: server->client cipher: aes128-ctr MAC: umac-128-etm@openssh.com compression: none [preauth] debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth] debug3: receive packet: type 30 [preauth] debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth] debug3: mm_sshkey_sign: entering [preauth] debug3: mm_request_send: entering, type 6 [preauth] debug3: mm_sshkey_sign: waiting for MONITOR_ANS_SIGN [preauth] debug3: mm_request_receive_expect: entering, type 7 [preauth] debug3: mm_request_receive: entering [preauth] debug3: mm_request_receive: entering debug3: monitor_read: checking request 6 debug3: mm_answer_sign: entering debug3: mm_answer_sign: rsa-sha2-512 KEX signature len=276 debug3: mm_request_send: entering, type 7 debug2: monitor_read: 6 used once, disabling now debug3: send packet: type 31 [preauth] debug3: send packet: type 21 [preauth] debug2: set_newkeys: mode 1 [preauth] debug1: rekey out after 4294967296 blocks [preauth] debug1: monitor_read_log: child log fd closed debug3: mm_request_receive: entering debug1: do_cleanup debug3: PAM: sshpam_thread_cleanup entering debug1: Killing privsep child 3762 =============================== Openssh Version details at BBB =============================== Debug logs at BBB side - Openssh version /tmp $ ssh -v localhost OpenSSH_8.8p1, OpenSSL 1.1.1o 3 May 2022 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 45: Deprecated option "useroaming" debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling debug1: Connecting to localhost [127.0.0.1] port 22. debug1: connect to address 127.0.0.1 port 22: Connection refused ssh: connect to host localhost port 22: Connection refused
It's fairly likely that this is a sandbox violation. You can debug this using the instructions at the start of the sandbox-seccomp-filter.c file, though you may need to apply commit 2580916e4 to fix a couple of bugs in the debugging code. Once you have identified the failing syscall, we can either permit or ignore it in the BPF filter.
However, you should first try openssh-9.0 as it contains a number of fixes over openssh-8.8, including one in the sandbox that might be the culprit.
Thank you Miller for you suggestion. Now, I have used 9.0p1 version and updated changes as suggested in commit 2580916e4. Still ssh connection from HOST is not successful. But I see sandbox _violation message in debug output, as well as in /flash/log/message. ssh_sandbox_violation: unexpected system call (arch:0x40000028,syscall:403 @ 0xb6b3c74c) [preauth As per syscall:403 number, it relates to "clock_gettime64" syscall which is an alias for "clock_gettime" (as per details in https://www.lurklurk.org/syscalls.html). Also this function is supported for i386 and generic type architecture but not for "arm". Question: How to fix this in OpenSSH? ========================= Below are debug messages from sshd on BBB ========================= debug2: load_server_config: filename /etc/ssh/sshd_config debug2: load_server_config: done config len = 3292 debug2: parse_server_config_depth: config /etc/ssh/sshd_config len 3292 debug3: /etc/ssh/sshd_config:12 setting Protocol 2 debug2: /etc/ssh/sshd_config line 12: Deprecated option Protocol debug3: /etc/ssh/sshd_config:18 setting HostKey /etc/ssh/ssh_host_rsa_key debug3: /etc/ssh/sshd_config:19 setting HostKey /etc/ssh/ssh_host_dsa_key debug3: /etc/ssh/sshd_config:32 setting PermitRootLogin no debug3: /etc/ssh/sshd_config:33 setting AllowGroups sshusers debug3: /etc/ssh/sshd_config:35 setting MaxAuthTries 6 debug3: /etc/ssh/sshd_config:42 setting KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256] debug3: /etc/ssh/sshd_config:43 setting Ciphers aes256-ctr,aes192-ctr,aes128-ctr debug3: /etc/ssh/sshd_config:44 setting MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com debug3: /etc/ssh/sshd_config:82 setting UsePAM yes debug3: /etc/ssh/sshd_config:97 setting ClientAliveInterval 900 debug3: /etc/ssh/sshd_config:98 setting ClientAliveCountMax 0 debug3: /etc/ssh/sshd_config:99 setting UseDNS no debug3: /etc/ssh/sshd_config:108 setting Subsystem sftp /libexec/sftp-server debug1: sshd version OpenSSH_9.0, OpenSSL 1.1.1q 5 Jul 2022 debug1: private host key #0: ssh-rsa SHA256:oeY2TPdubQnAxUhXloV65tmB8v2gDMg1lDxLpaghe+4 debug1: private host key #1: ssh-dss SHA256:LTk/c4rfaxHzfTinsiAgfNRnIrvb91DvAeR7Byw6BBA debug1: rexec_argv[0]='/sbin/sshd' debug1: rexec_argv[1]='-f' debug1: rexec_argv[2]='/etc/ssh/sshd_config' debug1: rexec_argv[3]='-ddd' debug3: oom_adjust_setup debug1: Set /proc/self/oom_score_adj from 0 to -1000 debug2: fd 3 setting O_NONBLOCK debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. debug2: fd 4 setting O_NONBLOCK debug3: sock_set_v6only: set socket 4 IPV6_V6ONLY debug1: Bind to port 22 on ::. Server listening on :: port 22. debug3: fd 5 is not O_NONBLOCK debug1: Server will not fork when running in debugging mode. debug3: send_rexec_state: entering fd = 8 config len 3292 debug3: ssh_msg_send: type 0 debug3: send_rexec_state: done debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8 debug3: recv_rexec_state: entering fd = 5 debug3: ssh_msg_recv entering debug3: recv_rexec_state: done debug2: parse_server_config_depth: config rexec len 3292 debug3: rexec:12 setting Protocol 2 debug2: rexec line 12: Deprecated option Protocol debug3: rexec:18 setting HostKey /etc/ssh/ssh_host_rsa_key debug3: rexec:19 setting HostKey /etc/ssh/ssh_host_dsa_key debug3: rexec:32 setting PermitRootLogin no debug3: rexec:33 setting AllowGroups sshusers debug3: rexec:35 setting MaxAuthTries 6 debug3: rexec:42 setting KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256] debug3: rexec:43 setting Ciphers aes256-ctr,aes192-ctr,aes128-ctr debug3: rexec:44 setting MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com debug3: rexec:82 setting UsePAM yes debug3: rexec:97 setting ClientAliveInterval 900 debug3: rexec:98 setting ClientAliveCountMax 0 debug3: rexec:99 setting UseDNS no debug3: rexec:108 setting Subsystem sftp /libexec/sftp-server debug1: sshd version OpenSSH_9.0, OpenSSL 1.1.1q 5 Jul 2022 debug1: private host key #0: ssh-rsa SHA256:oeY2TPdubQnAxUhXloV65tmB8v2gDMg1lDxLpaghe+4 debug1: private host key #1: ssh-dss SHA256:LTk/c4rfaxHzfTinsiAgfNRnIrvb91DvAeR7Byw6BBA debug1: inetd sockets after dupping: 3, 3 Connection from 192.168.200.1 port 62187 on 192.168.200.101 port 22 rdomain "" debug1: Local version string SSH-2.0-OpenSSH_9.0 debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4 debug1: compat_banner: match: OpenSSH_7.4 pat OpenSSH_7.4* compat 0x04000006 debug2: fd 3 setting O_NONBLOCK debug3: ssh_sandbox_init: preparing seccomp filter sandbox debug2: Network child is on pid 3240 debug3: preauth child monitor started debug3: privsep user:group 98:98 [preauth] debug1: permanently_set_uid: 98/98 [preauth] debug3: ssh_sandbox_child_debugging: installing SIGSYS handler [preauth] debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth] debug3: ssh_sandbox_child: attaching seccomp filter program [preauth] debug3: append_hostkey_type: ssh-rsa key not permitted by HostkeyAlgorithms [preauth] debug3: append_hostkey_type: ssh-dss key not permitted by HostkeyAlgorithms [preauth] debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256 [preauth] debug3: send packet: type 20 [preauth] debug1: SSH2_MSG_KEXINIT sent [preauth] debug3: receive packet: type 20 [preauth] debug1: SSH2_MSG_KEXINIT received [preauth] debug2: local server KEXINIT proposal [preauth] debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 [preauth] debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256 [preauth] debug2: ciphers ctos: aes256-ctr,aes192-ctr,aes128-ctr [preauth] debug2: ciphers stoc: aes256-ctr,aes192-ctr,aes128-ctr [preauth] debug2: MACs ctos: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com [preauth] debug2: MACs stoc: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com [preauth] debug2: compression ctos: none,zlib@openssh.com [preauth] debug2: compression stoc: none,zlib@openssh.com [preauth] debug2: languages ctos: [preauth] debug2: languages stoc: [preauth] debug2: first_kex_follows 0 [preauth] debug2: reserved 0 [preauth] debug2: peer client KEXINIT proposal [preauth] debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c [preauth] debug2: host key algorithms: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss [preauth] debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc [preauth] debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc [preauth] debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth] debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth] debug2: compression ctos: none,zlib@openssh.com,zlib [preauth] debug2: compression stoc: none,zlib@openssh.com,zlib [preauth] debug2: languages ctos: [preauth] debug2: languages stoc: [preauth] debug2: first_kex_follows 0 [preauth] debug2: reserved 0 [preauth] debug1: kex: algorithm: curve25519-sha256 [preauth] debug1: kex: host key algorithm: rsa-sha2-512 [preauth] debug1: kex: client->server cipher: aes128-ctr MAC: umac-128-etm@openssh.com compression: none [preauth] debug1: kex: server->client cipher: aes128-ctr MAC: umac-128-etm@openssh.com compression: none [preauth] debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth] debug3: receive packet: type 30 [preauth] debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth] debug3: mm_sshkey_sign: entering [preauth] debug3: mm_request_send: entering, type 6 [preauth] debug3: mm_sshkey_sign: waiting for MONITOR_ANS_SIGN [preauth] debug3: mm_request_receive_expect: entering, type 7 [preauth] debug3: mm_request_receive: entering [preauth] debug3: mm_request_receive: entering debug3: monitor_read: checking request 6 debug3: mm_answer_sign: entering debug3: mm_answer_sign: rsa-sha2-512 KEX signature len=276 debug3: mm_request_send: entering, type 7 debug2: monitor_read: 6 used once, disabling now debug3: send packet: type 31 [preauth] debug3: send packet: type 21 [preauth] debug2: ssh_set_newkeys: mode 1 [preauth] debug1: rekey out after 4294967296 blocks [preauth] ssh_sandbox_violation: unexpected system call (arch:0x40000028,syscall:403 @ 0xb6b3c74c) [preauth] debug1: monitor_read_log: child log fd closed debug3: mm_request_receive: entering debug1: do_cleanup debug3: PAM: sshpam_thread_cleanup entering debug1: Killing privsep child 3240 ~ $ ========================================================= Also in config.log file of OpenSSH below message is there ========================================================= configure:12291: checking for library containing clock_gettime configure:12322: arm-cortexa8-linux-gnueabi-gcc -o conftest -Og -fno-omit-frame-pointer -pipe -Wall -Wno-unused-local-typedefs -funwind-tables -ggdb -Wno-psabi -msoft-float -g -rdynamic -mpoke-function-name -mapcs-frame -funwind-tables -Wno-unused-variable -pipe -Wno-error=format-truncation -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -Wimplicit-fallthrough -Wmisleading-indentation -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -Og -fno-omit-frame-pointer -pipe -Wall -Wno-unused-local-typedefs -funwind-tables -ggdb -Wno-psabi -msoft-float -g -rdynamic -mpoke-function-name -mapcs-frame -funwind-tables -Wno-unused-variable -fPIE -I/home/eaton/px_red/edge-linux-prod-bbb/output/exported/include -U_FORTIFY_SOURCE -funwind-tables -Wno-psabi -DTOOLKIT_VERSION="Non-EdgeX-Linux-4.7.4" -Wno-unused-variable -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -L/home/eaton/px_red/edge-linux-prod-bbb/output/exported/lib -Wl,-rpath-link=/home/eaton/px_red/edge-linux-prod-bbb/output/exported/lib -Wl,--copy-dt-needed-entries -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -pie conftest.c -lz >&5 configure:12322: $? = 0 configure:12339: result: none required Question: result "none required" - does it mean that it couldn't find the library which has clock_gettime? Or is it required for me to make some changes in configuration file to reach to this library. Request your help here. In the same file for other macro declaration check, result says as "yes" configure:12350: checking whether localtime_r is declared configure:12350: arm-cortexa8-linux-gnueabi-gcc -c -Og -fno-omit-frame-pointer -pipe -Wall -Wno-unused-local-typedefs -funwind-tables -ggdb -Wno-psabi -msoft-float -g -rdynamic -mpoke-function-name -mapcs-frame -funwind-tables -Wno-unused-variable -pipe -Wno-error=format-truncation -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -Wimplicit-fallthrough -Wmisleading-indentation -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -Og -fno-omit-frame-pointer -pipe -Wall -Wno-unused-local-typedefs -funwind-tables -ggdb -Wno-psabi -msoft-float -g -rdynamic -mpoke-function-name -mapcs-frame -funwind-tables -Wno-unused-variable -fPIE -I/home/eaton/px_red/edge-linux-prod-bbb/output/exported/include -U_FORTIFY_SOURCE -funwind-tables -Wno-psabi -DTOOLKIT_VERSION="Non-EdgeX-Linux-4.7.4" -Wno-unused-variable -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE conftest.c >&5 configure:12350: $? = 0 configure:12350: result: yes =============================== In Glibc 2.36 =============================== In Glibc 2.36 version (may be from 2.34 onwards) there is a flag __USE_TIME_BITS64 used for time related functions. I didn't find a place where they are setting this flag, so, I think its by default false and considers it as 32 bit time. Correct me if I'm wrong. Do I need to make any changes in Glibc to make OpenSSH accept connection?
(In reply to Ravi Haravina N from comment #3) [...] > ssh_sandbox_violation: unexpected system call > (arch:0x40000028,syscall:403 @ 0xb6b3c74c) [preauth > > As per syscall:403 number, it relates to "clock_gettime64" syscall > which is an alias for "clock_gettime" (as per details in > https://www.lurklurk.org/syscalls.html). Also this function is > supported for i386 and generic type architecture but not for "arm". Both clock_gettime and clock_gettime64 are permitted in sandbox-seccomp-filter.c: #ifdef __NR_clock_gettime SC_ALLOW(__NR_clock_gettime), #endif #ifdef __NR_clock_gettime64 SC_ALLOW(__NR_clock_gettime64), #endif HOWEVER this in contingent on the corresponding symbol being defined in the system headers. If you are building against headers from an older glibc you might not have all the required symbols (most likely __NR_clock_gettime64 is missing). > Question: How to fix this in OpenSSH? Fix your headers. [...] > Question: result "none required" - does it mean that it couldn't > find the library which has clock_gettime? Or is it required for me > to make some changes in configuration file to reach to this library. > Request your help here. It means no additional libraries are needed to find clock_gettime, ie it's almost certainly in libc.
Hi Miller, Thanks for your reply. Found the place in Openssh where we call clock_gettime - in packet.c->ssh_packet_send2 line#1293 (state->rekey_time = monotime();) which in turn calls clock_gettime. Analysing the header file of usr/include/time.h (in toolchain having glibc 2.36 version) seems there is a flag __USE_TIME_BITS64 which defines, which function(APIs) to be used. Analysis is in progress. I will update once I have some info to this issue. Thankyou for directing me to right path.