Bug 3487 - "getentropy failed" after upgrade from 9.0
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 9.1p1
Hardware: ARM Linux
Importance: P5 critical
Assignee: Assigned to nobody
Blocks: V_9_2
Reported: 2022-10-22 23:07 AEDT by InFerNo
Modified: 2023-03-18 02:23 AEDT

Description InFerNo 2022-10-22 23:07:40 AEDT
I have upgraded openssh from 9.0 to 9.1. After rebooting the system I found that I was no longer able to connect to the SSH server ("connection refused" and "status 255").

I have checked systemd logs and found the following relevant items:

```
Oct 21 02:41:19 orbb sshd[255]: getentropy failed
Oct 21 02:41:19 orbb systemd[1]: sshd.service: Main process exited, code=exited, status=255/EXCEPTION
Oct 21 02:41:19 orbb systemd[1]: sshd.service: Failed with result 'exit-code'.
```

When I ran `sshd -t` it also returned `getentropy failed`.

I inspected the upgraded packages and downgraded openssh-9.1p1-1-armv7h.pkg.tar.xz back to openssh-9.0p1-1-armv7h.pkg.tar.xz. I have restarted the service and was able to connect via SSH again.

System:
```
Linux orbb 3.10.107-5-ARCH #1 SMP PREEMPT Fri Mar 26 23:32:03 UTC 2021 armv7l GNU/Linux
```


Kind regards
Comment 1 Darren Tucker 2022-10-23 07:34:59 AEDT
(In reply to InFerNo from comment #0)
> I inspected the upgraded packages and downgraded
> openssh-9.1p1-1-armv7h.pkg.tar.xz back to
> openssh-9.0p1-1-armv7h.pkg.tar.xz.

Those are (probably modified) binaries supplied by your distro vendor.  Can you reproduce the problem with the stock code from openssh.com?  If that works, compare the config.h from the non-working one with the working one.

My guess is that the package was compiled on a system that has a native getentropy but deployed on a system that does not.
Comment 2 Darren Tucker 2022-11-07 11:35:08 AEDT
We've changed it so that the fallback code is always available even on platforms that claim to have getentropy:

https://github.com/openssh/openssh-portable/commit/da6038bd5cd55eb212eb2aec1fc8ae79bbf76156

Always use compat getentropy.
Have it call native getentropy and fall back as required.  Should fix
issues of platforms where libc has getentropy but it is not implemented
in the kernel.  Based on github PR#354 from simsergey.

This change will be in OpenSSH 9.2p1 and has been cherrypicked into the V_9_1 branch, so will be included if there is a 9.1p2 release.

Could you please confirm that this change fixes your problem?
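
The fallback behaviour described in comment 2, as an added C sketch that is not part of the bug thread and is not OpenSSH's code. `compat_getentropy`, the two stubs and the 0/1/-1 return convention are hypothetical; the native call is passed in as a function pointer so the case from this report (libc wrapper present, kernel call missing, modelled here as ENOSYS) can be reproduced on any Linux system with /dev/urandom.

```c
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

/* Same shape as getentropy(3): 0 on success, -1 with errno set on failure. */
typedef int (*entropy_fn)(void *buf, size_t len);

/* Constructed stub: libc wrapper exists, kernel lacks the system call. */
int stub_enosys(void *buf, size_t len)
{
    (void)buf; (void)len;
    errno = ENOSYS;
    return -1;
}

/* Constructed stub: a working native call (fixed pattern, not random). */
int stub_ok(void *buf, size_t len)
{
    memset(buf, 0xA5, len);
    return 0;
}

/* Fallback: read exactly len bytes from /dev/urandom, retrying on EINTR. */
static int urandom_fill(void *buf, size_t len)
{
    unsigned char *p = buf;
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd == -1) return -1;
    while (len > 0) {
        ssize_t n = read(fd, p, len);
        if (n == -1 && errno == EINTR)
            continue;
        if (n <= 0)
            break;          /* hard error or unexpected EOF */
        p += n;
        len -= (size_t)n;
    }
    close(fd);
    return len == 0 ? 0 : -1;
}

/* Hypothetical wrapper. Returns 0 = native, 1 = fallback, -1 = failed. */
int compat_getentropy(entropy_fn native, void *buf, size_t len)
{
    if (native != NULL && native(buf, len) == 0)
        return 0;
    return urandom_fill(buf, len) == 0 ? 1 : -1;
}
```

A return of -1 should stay fatal for the caller, as it was for sshd in this report: refusing to start is the safe outcome when no entropy source works.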
Comment 3 Darren Tucker 2022-12-16 14:14:39 AEDT
We believe that this has been fixed, but if not, please reopen this bug.

Thanks for the report.
Comment 4 Damien Miller 2023-03-17 13:37:04 AEDT
OpenSSH 9.3 has been released. Close resolved bugs.
Comment 5 InFerNo 2023-03-18 02:23:53 AEDT
I can confirm that this has been fixed since 9.2 on system Linux orbb 3.10.107-5-ARCH #1 SMP PREEMPT Fri Mar 26 23:32:03 UTC 2021 armv7l GNU/Linux

This is an Odroid C1 SBC.


```
ssh -V
OpenSSH_9.2p1, OpenSSL 3.0.8 7 Feb 2023
```


Many thanks!