
#1 2021-04-05 13:46:59

mgrimes
Member
Registered: 2012-08-16
Posts: 4

sshd frequently dumping core

On several different systems, I am seeing regular core dumps from sshd.  Something like:

Apr 05 05:31:13 wee audit[2726571]: SECCOMP auid=4294967295 uid=99 gid=99 ses=4294967295 pid=2726571 comm="sshd" exe="/usr/bin/sshd" sig=31 arch=c000003e syscall=41 compat=0 ip=0x7f47634e68fb code=0x0
Apr 05 05:31:13 wee audit[2726571]: ANOM_ABEND auid=4294967295 uid=99 gid=99 ses=4294967295 pid=2726571 comm="sshd" exe="/usr/bin/sshd" sig=31 res=1
Apr 05 05:31:13 wee sshd[2726570]: fatal: Timeout before authentication for 42.192.186.106 port 52710
Apr 05 05:31:13 wee kernel: audit: type=1326 audit(1617615073.628:201570): auid=4294967295 uid=99 gid=99 ses=4294967295 pid=2726571 comm="sshd" exe="/usr/bin/sshd" sig=31 arch=c000003e syscall=41 compat=0 ip=0x7f47634e68fb code=0x0
Apr 05 05:31:13 wee kernel: audit: type=1701 audit(1617615073.628:201571): auid=4294967295 uid=99 gid=99 ses=4294967295 pid=2726571 comm="sshd" exe="/usr/bin/sshd" sig=31 res=1
Apr 05 05:31:13 wee systemd[1]: Started Process Core Dump (PID 2727170/UID 0).
Apr 05 05:31:13 wee audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-coredump@48-2727170-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Apr 05 05:31:13 wee kernel: audit: type=1130 audit(1617615073.768:201572): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-coredump@48-2727170-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Apr 05 05:31:14 wee systemd-coredump[2727171]: Process 2726571 (sshd) of user 99 dumped core.

                                               Stack trace of thread 2726571:
                                               #0  0x00007f47634e68fb __socket (libc.so.6 + 0x1008fb)
                                               #1  0x00007f47634df013 openlog_internal (libc.so.6 + 0xf9013)
                                               #2  0x00007f47634df4f7 __vsyslog_internal (libc.so.6 + 0xf94f7)
                                               #3  0x00007f47634df803 __syslog_chk (libc.so.6 + 0xf9803)
                                               #4  0x0000563f51ea7d4c n/a (sshd + 0x65d4c)
                                               #5  0x0000563f51ea51ec n/a (sshd + 0x631ec)
                                               #6  0x0000563f51e75da9 n/a (sshd + 0x33da9)
                                               #7  0x0000563f51ea7cc5 n/a (sshd + 0x65cc5)
                                               #8  0x0000563f51ea80b1 n/a (sshd + 0x660b1)
                                               #9  0x0000563f51e51376 n/a (sshd + 0xf376)
                                               #10 0x00007f4763422f80 __restore_rt (libc.so.6 + 0x3cf80)
                                               #11 0x00007f47634dca67 __select (libc.so.6 + 0xf6a67)
                                               #12 0x0000563f51eae745 n/a (sshd + 0x6c745)
                                               #13 0x0000563f51eb46b3 n/a (sshd + 0x726b3)
                                               #14 0x0000563f51eb47b9 n/a (sshd + 0x727b9)
                                               #15 0x0000563f51e61411 n/a (sshd + 0x1f411)
                                               #16 0x0000563f51e4e903 n/a (sshd + 0xc903)
                                               #17 0x00007f476340db25 __libc_start_main (libc.so.6 + 0x27b25)
                                               #18 0x0000563f51e5109e n/a (sshd + 0xf09e)
Apr 05 05:31:14 wee kernel: audit: type=1131 audit(1617615074.398:201573): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-coredump@48-2727170-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Apr 05 05:31:14 wee audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-coredump@48-2727170-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Apr 05 05:31:14 wee systemd[1]: systemd-coredump@48-2727170-0.service: Succeeded.

It seems to be happening 1-5 times per day for the last several weeks (maybe months) on at least two different Arch systems (both relatively up-to-date).

I'm not having any issues connecting via ssh to these machines, but I'm concerned about the security implications.

Offline

#2 2021-04-05 13:55:10

seth
Member
Registered: 2012-09-03
Posts: 19,799

Re: sshd frequently dumping core

ssh tries to log something and fails, likely due to seccomp, when trying to open a socket.
So check your seccomp config.

Offline

#3 2021-04-05 16:28:53

mgrimes
Member
Registered: 2012-08-16
Posts: 4

Re: sshd frequently dumping core

That makes me feel better about the security implications. Thanks!
Unfortunately, I don't know much about seccomp and Google is failing to point me to any seccomp config.

Offline

#4 2021-04-05 17:07:56

seth
Member
Registered: 2012-09-03
Posts: 19,799

Re: sshd frequently dumping core

What happens is that somebody from China (42.192.186.106) tries to connect but doesn't authenticate during the grace period.
That's fine and the child process is supposed to die but obviously not to SIGSYS.

This here looks related, do you have that (deprecated) key in your config?
https://lists.opensuse.org/opensuse-bug … 04234.html

Offline
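
For readers triaging the same journal output, here is an added example (not part of any post in this thread) that decodes the numeric fields of the SECCOMP audit record and pairs it with the sshd timeout line. The lookup tables are deliberately partial and hold x86_64 Linux values only, and matching on the same-second timestamp is an assumed heuristic.

```python
import re

# Partial lookup tables: x86_64 Linux values only, enough for these records.
AUDIT_ARCH = {0xC000003E: "x86_64"}
SYSCALLS_X86_64 = {0: "read", 1: "write", 3: "close", 23: "select", 41: "socket", 42: "connect"}
SIGNALS = {31: "SIGSYS"}

# Sample lines taken from the first post, embedded so the example runs offline.
SAMPLE = """\
Apr 05 05:31:13 wee audit[2726571]: SECCOMP auid=4294967295 uid=99 gid=99 ses=4294967295 pid=2726571 comm="sshd" exe="/usr/bin/sshd" sig=31 arch=c000003e syscall=41 compat=0 ip=0x7f47634e68fb code=0x0
Apr 05 05:31:13 wee sshd[2726570]: fatal: Timeout before authentication for 42.192.186.106 port 52710
Apr 05 05:31:14 wee systemd-coredump[2727171]: Process 2726571 (sshd) of user 99 dumped core.
"""

TS = r"(?P<ts>\w{3} \d{2} [\d:]{8})"
# Matches the audit[...] form only, so the kernel's "audit: type=1326" echo is not double counted.
SECCOMP_RE = re.compile(rf"^{TS} \S+ audit\[\d+\]: SECCOMP (?P<kv>.*)$")
TIMEOUT_RE = re.compile(rf"^{TS} \S+ sshd\[\d+\]: fatal: Timeout before authentication for (?P<ip>\S+) port \d+")

def decode_seccomp(text):
    """Return one dict per SECCOMP record with arch, syscall and signal named."""
    lines = text.splitlines()
    # Timestamp -> peer address for pre-auth timeouts logged by the sshd monitor.
    timeouts = {m["ts"]: m["ip"] for m in map(TIMEOUT_RE.match, lines) if m}
    events = []
    for line in lines:
        m = SECCOMP_RE.match(line)
        if not m:
            continue
        kv = dict(p.split("=", 1) for p in m["kv"].split() if "=" in p)
        arch, nr, sig = int(kv["arch"], 16), int(kv["syscall"]), int(kv["sig"])
        names = SYSCALLS_X86_64 if arch == 0xC000003E else {}
        events.append({
            "time": m["ts"],
            "pid": int(kv["pid"]),
            "uid": int(kv["uid"]),
            "comm": kv["comm"].strip('"'),
            "arch": AUDIT_ARCH.get(arch, hex(arch)),
            "syscall": names.get(nr, f"unknown({nr})"),
            "signal": SIGNALS.get(sig, f"signal {sig}"),
            "peer": timeouts.get(m["ts"]),  # None if no timeout in that second
        })
    return events

if __name__ == "__main__":
    for event in decode_seccomp(SAMPLE):
        print(event)
```

A record that decodes to `socket` killed with `SIGSYS` in the unprivileged child, paired with a pre-authentication timeout, matches the pattern described in this thread.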

#5 2021-04-06 22:02:05

krist
Member
Registered: 2007-09-27
Posts: 10

Re: sshd frequently dumping core

I'm seeing exactly the same. `UsePrivilegeSeparation` is not set in my sshd_config.

Offline

#6 2021-04-07 06:55:06

seth
Member
Registered: 2012-09-03
Posts: 19,799

Re: sshd frequently dumping core

https://github.com/openssh/openssh-port … p-filter.c has some recent action, esp. on socket access.
https://github.com/openssh/openssh-port … ecb6c3421a cannot be in the present package
It fixes https://bugzilla.mindrot.org/show_bug.cgi?id=3276 - which is a SIGSYS in relation with latest glibc

=> 99.9% cause

Edit: can you reliably ssh the machine in spite?

Last edited by seth (2021-04-07 06:58:12)

Offline

#7 2021-04-12 11:01:52

krist
Member
Registered: 2007-09-27
Posts: 10

Re: sshd frequently dumping core

Yes, ssh works fine other than that. The crashes only appear to happen on unsolicited login attempts with user 99 (nobody).

Offline
