Bug 1228323
| Summary: | SSH sessions fail when "GSSAPIKeyExchange yes" is in sshd_config | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Colin.Simpson |
| Component: | openssh | Assignee: | Jakub Jelen <jjelen> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 22 | CC: | jjelen, mattias.ellert, mgrepl, mjuszkie, plautrba, tmraz |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | openssh-6.8p1-8.fc22 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-06-11 18:37:01 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Colin.Simpson
2015-06-04 15:28:09 UTC
Hi, thank you for a report. It looks like sandbox issue for me. Can you give it a try without seccomp filter on server? Just try to set up "UsePrivilegeSeparation yes" instead of sandbox. If this would make the change, can you have a look into audit log and search for SECCOMP messages -- maybe gssapi is issuing some syscall that I missed and it is getting killed by kernel. Setting, UsePrivilegeSeparation yes Instead of sandbox does indeed allow this to work again. And do you have some messages related to sshd and seccomp in your audit log from the previous tries with sandbox? I currently don't have GSSAPI infrastructure with F22 set up so providing some more details would help me investigating this issue. Ok. Here we go. I found regression based on bz1195065. Maybe stat syscall is legacy, but it is still called from gssapi (legacy library Marcin?) For further reference, here is backtrace: #0 0x00007ffff526dc65 in __GI___xstat (vers=vers@entry=1, name=name@entry=0x709490 "/usr/lib64/gssproxy/proxymech.so", buf=buf@entry=0x7fffffffdae0) at ../sysdeps/unix/sysv/linux/wordsize-64/xstat.c:35 #1 0x00007ffff364c56b in stat (__statbuf=0x7fffffffdae0, __path=<optimized out>) at /usr/include/sys/stat.h:454 #2 krb5int_open_plugin (filepath=0x709490 "/usr/lib64/gssproxy/proxymech.so", h=h@entry=0x7fffffffdbf8, ep=ep@entry=0x7fffffffdc10) at plugins.c:183 #3 0x00007ffff5c716c7 in loadInterMech (minfo=0x707910) at g_initialize.c:872 #4 updateMechList () at g_initialize.c:476 #5 0x00007ffff5c71b3a in build_mechSet () at g_initialize.c:284 #6 gss_indicate_mechs (minorStatus=0x7fffffffdd04, mechSet_out=0x7fffffffdd10) at g_initialize.c:238 #7 0x00000000004395ae in ssh_gssapi_supported_oids (oidset=0x7fffffffdd30) at ../openssh-6.8p1/gss-serv.c:180 #8 0x000000000043948f in ssh_gssapi_server_mechanisms () at ../openssh-6.8p1/gss-serv.c:151 #9 0x000000000040f5cc in do_ssh2_kex () at ../openssh-6.8p1/sshd.c:2736 #10 0x000000000040e636 in main (ac=5, av=0x705d00) at ../openssh-6.8p1/sshd.c:2313 and error produced by sshd: ssh_sandbox_violation: unexpected system call (arch:0xc000003e,syscall:4 @ 0x7ffff526dc65) [preauth] I am returning stat back to syscall filter to avoid this problem. openssh-6.8p1-8.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/openssh-6.8p1-8.fc22 Package openssh-6.8p1-8.fc22: * should fix your issue, * was pushed to the Fedora 22 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing openssh-6.8p1-8.fc22' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2015-9685/openssh-6.8p1-8.fc22 then log in and leave karma (feedback). openssh-6.8p1-8.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report. |