Description of problem: With the latest sshd in Rawhide, you can no longer log in over ssh. The client side dies with: $ ssh -v mustang OpenSSH_6.6.1, OpenSSL 1.0.1k-fips 8 Jan 2015 [...] debug1: match: OpenSSH_6.7 pat OpenSSH* compat 0x04000000 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-ctr hmac-sha1-etm none debug1: kex: client->server aes128-ctr hmac-sha1-etm none debug1: sending SSH2_MSG_KEX_ECDH_INIT debug1: expecting SSH2_MSG_KEX_ECDH_REPLY Write failed: Connection reset by peer I straced the server, and the sshd subprocess dies with SIGSYS: [...] 1651 chroot("/var/empty/sshd") = 0 1651 chdir("/") = 0 1651 setgroups(1, [74]) = 0 1651 getuid() = 0 1651 getgid() = 0 1651 setresgid(74, 74, 74) = 0 1651 setresuid(74, 74, 74) = 0 1651 setgid(0) = -1 EPERM (Operation not permitted) 1651 setresgid(-1, 0, -1) = -1 EPERM (Operation not permitted) 1651 getgid() = 74 1651 getegid() = 74 1651 setuid(0) = -1 EPERM (Operation not permitted) 1651 setresuid(-1, 0, -1) = -1 EPERM (Operation not permitted) 1651 getuid() = 74 1651 geteuid() = 74 1651 setrlimit(RLIMIT_FSIZE, {rlim_cur=0, rlim_max=0}) = 0 1651 setrlimit(RLIMIT_NOFILE, {rlim_cur=0, rlim_max=0}) = 0 1651 setrlimit(RLIMIT_NPROC, {rlim_cur=0, rlim_max=0}) = 0 1651 prctl(PR_SET_NO_NEW_PRIVS, 0x1, 0, 0, 0) = 0 1651 prctl(PR_SET_SECCOMP, 0x2, 0x3ffa849d6b8, 0, 0) = 0 1651 write(3, "\0\0\3\254\4\24\374\237\241\311s\317\177\320\376V\324J\r\350\301 \243\0\0\0\226curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384 ,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14- sha1\0\0\0'ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519\0\0\0laes128-ctr,aes192-ctr,a es256-ctr,aes128-gcm,aes256-gcm,chacha20-poly1305@openss h.com\0\0\0laes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm,aes256-gcm@o penssh.com,chacha20-poly1305\0\0\0\325umac-64-etm,umac-1 28-etm,hmac-sha2-256-etm,hmac-sha2-512-etm,h mac-sha1-etm,umac-64,umac-128,hmac-sha2-256, hmac-sha2-512,hmac-sha1\0\0\0\325umac-64-etm,umac-128-etm m,hmac-sha2-256-etm,hmac-sha2-512-etm,hmac-sha1-etm@open ssh.com,umac-64,umac-128,hmac-sha2-256,hmac-sha2-512,hma c-sha1\0\0\0\25none,zlib\0\0\0\25none,zlib\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0", 944) = 944 1650 <... ppoll resumed> ) = 1 ([{fd=6, revents=POLLIN|POLLHUP}]) 1651 +++ killed by SIGSYS +++ 1650 read(6, "", 4) = 0 1650 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=1651, si_uid=74, si_status=SIGSYS, si_utime=0, si_stime=0} --- I have no idea what SIGSYS means. Version-Release number of selected component (if applicable): Fails with: openssh-server-6.7p1-8.fc23.aarch64 Works with: openssh-server-6.7p1-7.fc23.aarch64 How reproducible: 100% Steps to Reproduce: 1. Install openssh-server -8 package. 2. Try to ssh to the machine from another.
Apparently SIGSYS is caused by seccomp. Maybe something to do with enabling seccomp recently on aarch64. Peter?
(In reply to Richard W.M. Jones from comment #1) > Apparently SIGSYS is caused by seccomp. Maybe something > to do with enabling seccomp recently on aarch64. Peter? Possibly, Marcin actually wrote that code [rhbz 1195065] so he's likely the best to comment (it doesn't use libseccomp but the kernel API/feature directly)
SIGSYS signal is violation of seccomp filter which was enabled during -8 release for aarch64. Can you have a look also into audit log for message SECCOMP? There should be mentioned at least syscall number which could help us. This is related to open bug #1195065. This patch was introduced by Marcin, I tested seccomp filter on aarch64 and it worked for me somehow but there will be still some glitches probably. I will have a look. As a workaround you can turn of sandboxing using option "UsePrivilegeSeparation yes".
type=SECCOMP msg=audit(1425041219.124:279): auid=4294967295 uid=74 gid=74 ses=4294967295 subj=system_u:system_r:sshd_net_t:s0-s0:c0.c1023 pid=819 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=c00000b7 syscall=72 compat=0 ip=0x3ffa7fbc268 code=0x0 Which is pselect6() syscall.
Created attachment 996013 [details] grep -i seccomp /var/log/audit/audit.log See attachment for SECCOMP logs.
openssh-6.7p1-9.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/openssh-6.7p1-9.fc22
Package openssh-6.7p1-9.fc22: * should fix your issue, * was pushed to the Fedora 22 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing openssh-6.7p1-9.fc22' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2015-2786/openssh-6.7p1-9.fc22 then log in and leave karma (feedback).
openssh-6.7p1-9.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.