#36291 closed defect (fixed)
openssh sshd won't accept incoming connections
Reported by: beckettbt@…
Owned by: neverpanic (Clemens Lang)
Priority: Normal
Milestone: (none)
Component: ports
Version: 2.1.2
Keywords: (none)
Cc: elelay (Eric Le Lay), joshua.newton@…, nonstop.server@…, BjarneDMat, thomas@…, khepler, jpo@…
Port: openssh
Description (last modified by neverpanic (Clemens Lang))
After a fresh install of openssh @6.1p1_0 I receive the following error in the system log when I attempt to remotely ssh into the system:
sshd[38257]: fatal: ssh_sandbox_child: sandbox_init: dlopen(/usr/lib/libsandbox.1.dylib, 261): image not found [preauth]
and the connection is immediately dropped.
OS Mountain Lion 10.8.2
Change History (28)
comment:1 follow-up: 3 Changed 12 years ago by neverpanic (Clemens Lang)
Owner: changed from macports-tickets@… to jwa@…
comment:2 Changed 12 years ago by neverpanic (Clemens Lang)
Description: modified (diff)
comment:3 Changed 12 years ago by beckettbt@…
Replying to cal@…:
> Please remember to Cc the maintainer when reporting tickets. Does /usr/lib/libsandbox.1.dylib exist on your system?
Yes.
$ ls /usr/lib/libsandbox.1.dylib
/usr/lib/libsandbox.1.dylib
comment:8 Changed 12 years ago by roxanna@…
I second this. I'm on OSX 10.7.5 (X86_64) and have this same problem.
Note: setting the UsePrivilegeSeparation modifier in sshd_config to "yes" instead of "sandbox" does clear the immediate problem of not being able to have clients connect:
sshd_config: UsePrivilegeSeparation yes #Instead of default 'sandbox'
It causes sshd to use an older, and less secure means of sandboxing.
But as "sandbox" is the default value, this is obviously just a workaround.
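The workaround in the comment above trades the sandboxed preauth child for plain privilege separation, and it is easy to forget to revert it once the port is fixed. The script below is an added example, not code from the ticket or from MacPorts: it reports which UsePrivilegeSeparation mode a given sshd_config will actually take effect with, mirroring sshd's rule that the first uncommented occurrence of a keyword wins, and treats an absent keyword as the "sandbox" default the thread describes. The sample config it writes is constructed for the example; on a real host you would point it at /opt/local/etc/ssh/sshd_config instead.

```shell
#!/bin/sh
# Added example (not from the ticket or MacPorts): audit the effective
# UsePrivilegeSeparation setting of an sshd_config file.
# sshd honours the FIRST uncommented occurrence of a keyword; later lines are ignored.

# privsep_mode FILE
# Prints the effective UsePrivilegeSeparation value ("sandbox", "yes" or "no").
# When the keyword is absent, prints the compiled-in default, which is
# "sandbox" for the OpenSSH 6.x builds discussed in this ticket.
privsep_mode() {
    awk '
        /^[[:space:]]*#/ { next }                      # skip comment lines
        NF >= 2 && tolower($1) == "useprivilegeseparation" {
            print tolower($2); found = 1; exit         # first match wins
        }
        END { if (!found) print "sandbox" }            # absent keyword: default
    ' "$1"
}

# audit_privsep FILE
# Exit status: 0 = sandbox (preauth child sandboxed), 1 = yes (privilege
# separation without sandbox, i.e. the workaround from this thread),
# 2 = no (privilege separation disabled), 3 = unrecognised value.
audit_privsep() {
    mode=$(privsep_mode "$1")
    case "$mode" in
        sandbox) echo "$1: UsePrivilegeSeparation sandbox (default, preferred)"; return 0 ;;
        yes)     echo "$1: UsePrivilegeSeparation yes (workaround; preauth child is not sandboxed)"; return 1 ;;
        no)      echo "$1: UsePrivilegeSeparation no (privilege separation disabled)"; return 2 ;;
        *)       echo "$1: unrecognised UsePrivilegeSeparation value '$mode'"; return 3 ;;
    esac
}

# Constructed sample config (not the reporter's file) with the workaround applied.
# The trailing "sandbox" line is deliberately ignored by sshd's first-match rule.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#UsePrivilegeSeparation sandbox
Port 6422
UsePrivilegeSeparation yes #Instead of default 'sandbox'
UsePrivilegeSeparation sandbox
Subsystem sftp /opt/local/libexec/sftp-server
EOF

audit_privsep "$SAMPLE" || echo "audit exit status: $?"
rm -f "$SAMPLE"
```

Running it against the constructed sample reports the "yes" workaround with exit status 1, which is the signal to restore the sandboxed default once a fixed openssh port is installed.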
comment:11 Changed 12 years ago by BjarneDMat
Is this a MacPorts-only problem, or is it an upstream problem?
comment:13 Changed 12 years ago by thomas@…
Replying to beckettbt@…:
> After a fresh install of openssh @6.1p1_0 I receive the following error in the system log when I attempt to remotely ssh into the system:
> sshd[38257]: fatal: ssh_sandbox_child: sandbox_init: dlopen(/usr/lib/libsandbox.1.dylib, 261): image not found [preauth]
> and the connection is immediately dropped.
> OS Mountain Lion 10.8.2
I have had luck simply disabling the "#UsePrivilegeSeparation sandbox" line in the sshd "/opt/local/etc/ssh/sshd_config" config file for OpenSSH (MacPorts' version). This works for me! Ref.: http://dyhr.com/2009/09/05/how-to-enable-x11-forwarding-with-ssh-on-mac-os-x-leopard/comment-page-1/#comment-21717
comment:14 Changed 11 years ago by ksze (Kal Sze)
This problem still exists with openssh @6.2p2_3, from MacPorts 2.2.0, under Mac OS X Lion.
comment:15 Changed 11 years ago by davidfavor (David Favor)
Problem also exists under Mavericks 10.9 and is fixed via the "UsePrivilegeSeparation yes" setting.
comment:16 Changed 11 years ago by khepler
Here is debug output from a Macports OpenSSH server running on 10.8.4 x86_64:
puadn:~ kris$ sudo /opt/local/sbin/sshd -ddd
debug2: load_server_config: filename /opt/local/etc/ssh/sshd_config
debug2: load_server_config: done config len = 253
debug2: parse_server_config: config /opt/local/etc/ssh/sshd_config len 253
debug3: /opt/local/etc/ssh/sshd_config:13 setting Port 6422
debug3: /opt/local/etc/ssh/sshd_config:50 setting AuthorizedKeysFile .ssh/authorized_keys
debug3: /opt/local/etc/ssh/sshd_config:105 setting UsePrivilegeSeparation sandbox
debug3: /opt/local/etc/ssh/sshd_config:121 setting Subsystem sftp /opt/local/libexec/sftp-server
debug1: sshd version OpenSSH_6.2, OpenSSL 1.0.1e 11 Feb 2013
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: could not open key file '/opt/local/etc/ssh/ssh_host_ecdsa_key': No such file or directory
Could not load host key: /opt/local/etc/ssh/ssh_host_ecdsa_key
debug1: rexec_argv[0]='/opt/local/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 6422 on 0.0.0.0.
Server listening on 0.0.0.0 port 6422.
debug2: fd 5 setting O_NONBLOCK
debug3: sock_set_v6only: set socket 5 IPV6_V6ONLY
debug1: Bind to port 6422 on ::.
Server listening on :: port 6422.
debug1: fd 6 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 9 config len 253
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 6 out 6 newsock 6 pipe -1 sock 9
debug1: inetd sockets after dupping: 5, 5
Connection from x.x.x.x port 51775
debug1: Client protocol version 2.0; client software version OpenSSH_5.9p1-hpn13v11
debug1: match: OpenSSH_5.9p1-hpn13v11 pat OpenSSH_5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug2: fd 5 setting O_NONBLOCK
debug3: ssh_sandbox_init: preparing Darwin sandbox
debug2: Network child is on pid 2892
debug3: preauth child monitor started
debug3: privsep user:group 75:75 [preauth]
debug1: permanently_set_uid: 75/75 [preauth]
debug3: ssh_sandbox_child: starting Darwin sandbox [preauth]
ssh_sandbox_child: sandbox_init: dlopen(/usr/lib/libsandbox.1.dylib, 261): image not found [preauth]
debug1: do_cleanup [preauth]
debug1: monitor_read_log: child log fd closed
debug3: mm_request_receive entering
debug1: do_cleanup
debug1: Killing privsep child 2892
puadn:~ kris$
comment:19 Changed 11 years ago by raimue (Rainer Müller)
The proposed update to openssh 6.5p1 in #42333 contains the change from UsePrivilegeSeparation sandbox to UsePrivilegeSeparation yes.
comment:20 Changed 11 years ago by neverpanic (Clemens Lang)
Owner: changed from jwa@… to cal@…
Status: new → assigned
Should be fixed in r116989 without reverting to UsePrivilegeSeparation yes and preserving the sandboxing feature.
comment:21 Changed 11 years ago by neverpanic (Clemens Lang)
Resolution: → fixed
Status: assigned → closed
comment:23 Changed 11 years ago by danielluke (Daniel J. Luke)
On my (soon to be retired) 10.5/ppc box, setting UsePrivilegeSeparation sandbox worked with openssh 6.4 but fails with 6.5:
Feb 12 10:28:08 gandalf sshd[75376]: fatal: ssh_sandbox_child: sandbox_init: near line 14: Error: eval: unbound variable: file-chroot
n [preauth]
comment:24 follow-up: 25 Changed 11 years ago by neverpanic (Clemens Lang)
Sounds like 10.5's sandbox mechanism doesn't yet support the keywords used by the sandbox file source:trunk/dports/net/openssh/files/org.openssh.sshd.sb. Feel free to find out which commands don't work and patch them yourself on 10.5, or switch back to calling sandbox_init(3) with a predefined sandbox (i.e. reverting source:trunk/dports/net/openssh/files/patch-sandbox-darwin.c-apple-sandbox-named-external.diff).
I'm not going to work on 10.5 support.
comment:25 follow-up: 26 Changed 11 years ago by danielluke (Daniel J. Luke)
Replying to cal@…:
> switch back to calling sandbox_init(3) with a predefined sandbox (i.e. reverting source:trunk/dports/net/openssh/files/patch-sandbox-darwin.c-apple-sandbox-named-external.diff).
I'll test this, as it should just restore the previous (6.4) behavior. If it works, will you accept a patch for it?
> I'm not going to work on 10.5 support.
Yeah, I don't expect you to.
comment:26 follow-ups: 27 28 Changed 11 years ago by danielluke (Daniel J. Luke)
Replying to dluke@…:
> Replying to cal@…:
> > switch back to calling sandbox_init(3) with a predefined sandbox (i.e. reverting source:trunk/dports/net/openssh/files/patch-sandbox-darwin.c-apple-sandbox-named-external.diff).
> I'll test this, as it should just restore the previous (6.4) behavior. If it works, will you accept a patch for it?
Never mind, it's nomaintainer, so I'll just commit a patch if it works ;-)
comment:27 Changed 11 years ago by neverpanic (Clemens Lang)
Replying to dluke@…:
> Never mind, it's nomaintainer, so I'll just commit a patch if it works ;-)
Exactly. :)