You are not logged in.

#1 2014-09-23 11:52:45

docmanni
Member
Registered: 2014-09-23
Posts: 2

SSH Write failed: Broken Pipe [SOLVED]

Hi everyone,

I got a problem with sshd, it just won't let me connect after the latest update (this afternoon). Kernel was updated, I rebooted. I have switched off the sshd service: systemctl stop sshd.service, then started it by hand:

/usr/bin/sshd -Dddd

These are the last line of the output when I try to connect through ssh localhost:

...
debug1: trying public key file /home/xxx/.ssh/authorized_keys
debug1: Could not open authorized keys '/home/xxx/.ssh/authorized_keys': No such file or directory
debug1: restore_uid: 0/0
Failed publickey for xxx from ::1 port 44406 ssh2: DSA 66:6f:bd:11:93:e1:69:99:60:36:30:1d:0a:ef:66:24
debug3: mm_answer_keyallowed: key 0x7fd33cf25010 is not allowed
debug3: mm_request_send entering: type 23
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,password" [preauth]
debug1: userauth-request for user xxx service ssh-connection method password [preauth]
debug1: attempt 3 failures 2 [preauth]
debug2: input_userauth_request: try method password [preauth]
debug3: mm_auth_password entering [preauth]
debug3: mm_request_send entering: type 12 [preauth]
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD [preauth]
debug3: mm_request_receive_expect entering: type 13 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 12
debug3: PAM: sshpam_passwd_conv called with 1 messages
debug1: PAM: password authentication accepted for xxx
debug3: mm_answer_authpassword: sending result 1
debug3: mm_request_send entering: type 13
debug3: mm_request_receive_expect entering: type 102
debug3: mm_request_receive entering
debug1: do_pam_account: called
debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success)
debug3: mm_request_send entering: type 103
Accepted password for xxx from ::1 port 44406 ssh2
debug1: monitor_child_preauth: xxx has been authenticated by privileged process
debug3: mm_get_keystate: Waiting for new keys
debug3: mm_request_receive_expect entering: type 26
debug3: mm_request_receive entering
debug3: mm_newkeys_from_blob: 0x7fd33cf2c350(138)
debug2: mac_setup: setup hmac-md5-etm@openssh.com
debug3: mm_get_keystate: Waiting for second key
debug3: mm_newkeys_from_blob: 0x7fd33cf2c350(138)
debug2: mac_setup: setup hmac-md5-etm@openssh.com
debug3: mm_get_keystate: Getting compression state
debug3: mm_get_keystate: Getting Network I/O buffers
debug3: mm_auth_password: user authenticated [preauth]
debug3: mm_do_pam_account entering [preauth]
debug3: mm_request_send entering: type 102 [preauth]
debug3: mm_request_receive_expect entering: type 103 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_do_pam_account returning 1 [preauth]
debug3: mm_send_keystate: Sending new keys: 0x7fd33cf20090 0x7fd33cf176a0 [preauth]
debug3: mm_newkeys_to_blob: converting 0x7fd33cf20090 [preauth]
debug3: mm_newkeys_to_blob: converting 0x7fd33cf176a0 [preauth]
debug3: mm_send_keystate: New keys have been sent [preauth]
debug3: mm_send_keystate: Sending compression state [preauth]
debug3: mm_request_send entering: type 26 [preauth]
debug3: mm_send_keystate: Finished sending state [preauth]
debug1: monitor_read_log: child log fd closed
debug3: mm_share_sync: Share sync
debug3: mm_share_sync: Share sync end
privsep_preauth: preauth child terminated by signal 31
debug1: do_cleanup
debug3: PAM: sshpam_thread_cleanup entering

I have actually done a pacman -Rsn openssh && rm -rf /etc/ssh and reinstalled openssh: pacman -S openssh

Tried everything again, same problem as above.

This is my sshd_config:

#       $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile      .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no # pam does that
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox          # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem       sftp    /usr/lib/ssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server

... which is fairly standard, as I haven't edited anything.

The ssh client tells me: "Write failed: Broken pipe" after entering the password.

If it helps, here's some output from strace (letting sshd run in strace):

...
debug1: trying public key file /home/xxx/.ssh/authorized_keys
[pid 11519] open("/home/xxx/.ssh/authorized_keys", O_RDONLY|O_NONBLOCK) = -1 ENOENT (No such file or directory)
debug1: Could not open authorized keys '/home/xxx/.ssh/authorized_keys': No such file or directory
debug1: restore_uid: 0/0
Failed publickey for xxx from ::1 port 44428 ssh2: DSA 66:6f:bd:11:93:e1:69:99:60:36:30:1d:0a:ef:66:24
debug3: mm_answer_keyallowed: key 0x7f6294bd7000 is not allowed
debug3: mm_request_send entering: type 23
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,password" [preauth]
debug1: userauth-request for user xxx service ssh-connection method password [preauth]
debug1: attempt 3 failures 2 [preauth]
debug2: input_userauth_request: try method password [preauth]
debug3: mm_auth_password entering [preauth]
debug3: mm_request_send entering: type 12 [preauth]
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD [preauth]
debug3: mm_request_receive_expect entering: type 13 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 12
[pid 11519] open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 4
[pid 11519] open("/var/log/faillog", O_RDWR) = 4
[pid 11519] open("/var/log/faillog", O_RDONLY) = 4
[pid 11519] open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 4
[pid 11519] open("/etc/shells", O_RDONLY) = 4
[pid 11519] open("/var/run/nologin", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 11519] open("/etc/nologin", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 11519] open("/etc/login.defs", O_RDONLY) = 4
debug3: PAM: sshpam_passwd_conv called with 1 messages
[pid 11519] open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 4
[pid 11519] open("/etc/shadow", O_RDONLY|O_CLOEXEC) = 4
debug1: PAM: password authentication accepted for xxx
debug3: mm_answer_authpassword: sending result 1
debug3: mm_request_send entering: type 13
debug3: mm_request_receive_expect entering: type 102
debug3: mm_request_receive entering
debug1: do_pam_account: called
[pid 11519] open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 4
[pid 11519] open("/etc/security/access.conf", O_RDONLY) = 4
[pid 11519] open("/var/run/nologin", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 11519] open("/etc/nologin", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 11519] open("/etc/login.defs", O_RDONLY) = 4
[pid 11519] open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 4
[pid 11519] open("/etc/shadow", O_RDONLY|O_CLOEXEC) = 4
[pid 11519] open("/etc/security/time.conf", O_RDONLY) = 4
debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success)
debug3: mm_request_send entering: type 103
Accepted password for xxx from ::1 port 44428 ssh2
debug1: monitor_child_preauth: xxx has been authenticated by privileged process
debug3: mm_get_keystate: Waiting for new keys
debug3: mm_request_receive_expect entering: type 26
debug3: mm_request_receive entering
debug3: mm_newkeys_from_blob: 0x7f6294bde340(138)
debug2: mac_setup: setup hmac-md5-etm@openssh.com
debug3: mm_get_keystate: Waiting for second key
debug3: mm_newkeys_from_blob: 0x7f6294bde340(138)
debug2: mac_setup: setup hmac-md5-etm@openssh.com
debug3: mm_get_keystate: Getting compression state
debug3: mm_get_keystate: Getting Network I/O buffers
debug3: mm_auth_password: user authenticated [preauth]
[pid 11523] +++ killed by SIGSYS +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=11523, si_uid=99, si_status=SIGSYS, si_utime=1, si_stime=0} ---
debug3: mm_do_pam_account entering [preauth]
debug3: mm_request_send entering: type 102 [preauth]
debug3: mm_request_receive_expect entering: type 103 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_do_pam_account returning 1 [preauth]
debug3: mm_send_keystate: Sending new keys: 0x7f6294bc8350 0x7f6294bc8cb0 [preauth]
debug3: mm_newkeys_to_blob: converting 0x7f6294bc8350 [preauth]
debug3: mm_newkeys_to_blob: converting 0x7f6294bc8cb0 [preauth]
debug3: mm_send_keystate: New keys have been sent [preauth]
debug3: mm_send_keystate: Sending compression state [preauth]
debug3: mm_request_send entering: type 26 [preauth]
debug3: mm_send_keystate: Finished sending state [preauth]
debug1: monitor_read_log: child log fd closed
debug3: mm_share_sync: Share sync
debug3: mm_share_sync: Share sync end
privsep_preauth: preauth child terminated by signal 31
debug1: do_cleanup
debug3: PAM: sshpam_thread_cleanup entering
+++ exited with 255 +++

My pam is also a standard installation without having edited any config files.

What is going on here? Is this a bug in openssh or am I doing something awfully wrong? I can just say that I have updated my system and after that it didn't work anymore (yes, before it did and I can guarantee that I haven't touched anything...).

Any help is greatly appreciated!

Thanks a lot in advance!

Manfred

EDIT:
I solved this error by commenting "UsePrivilegeSeparation" in sshd_config so that the default "yes" applies but not the "sandbox" as in the config files. Now it works...

Last edited by docmanni (2014-09-23 17:02:05)

Offline

#2 2015-03-03 11:59:01

woznme
Member
From: Gold Coast, AU
Registered: 2013-01-13
Posts: 22

Re: SSH Write failed: Broken Pipe [SOLVED]

Thanks for the fix. This happened to me sometime over the past 2 days on both my machines, strange casue it has been running just fine daily for maybe 18 mnths since my last reinstall.

fatal: privsep_preauth: preauth child terminated by signal 31

Your solution worked for me also, i wonder if there is any cons to losing the sandbox? or doesn't it really matter if its not sandbox

Offline

#3 2017-05-11 12:59:20

tellmi
Member
Registered: 2012-12-03
Posts: 13

Re: SSH Write failed: Broken Pipe [SOLVED]

Since some weeks I'm having the same problem. My logs look as above. Everything looks fine, until authentification is done. Both seem to work, password and key, but then suddenly the error:

...
debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success)
debug3: mm_request_send entering: type 103
Accepted password for eder from 10.0.0.76 port 40898 ssh2
debug1: monitor_child_preauth: eder has been authenticated by privileged process
debug3: mm_get_keystate: Waiting for new keys
debug3: mm_request_receive_expect entering: type 26
debug3: mm_request_receive entering
debug3: mm_get_keystate: GOT new keys
debug3: mm_auth_password: user authenticated [preauth]
debug3: mm_do_pam_account entering [preauth]
debug3: mm_request_send entering: type 102 [preauth]
debug3: mm_request_receive_expect entering: type 103 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_do_pam_account returning 1 [preauth]
debug3: send packet: type 52 [preauth]
debug3: mm_request_send entering: type 26 [preauth]
debug3: mm_send_keystate: Finished sending state [preauth]
debug1: monitor_read_log: child log fd closed
privsep_preauth: preauth child terminated by signal 31
debug1: do_cleanup
debug3: PAM: sshpam_thread_cleanup entering

The same error as mentioned here 2 years ago.
My /etc/ssh/sshd.conf is 100% original, as it comes from the installation package. And there is no line "UsePrivilegeSeparation" anymore.

What is it now?

Offline

#4 2017-05-11 13:28:06

WorMzy
Administrator
From: Scotland
Registered: 2010-06-16
Posts: 13,028
Website

Re: SSH Write failed: Broken Pipe [SOLVED]

Please don't necrobump, tellmi.

https://wiki.archlinux.org/index.php/Co … bumping.22

Closing.


Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD

Making lemonade from lemons since 2015.

Offline

Board footer

Powered by FluxBB