Opened 12 years ago

Closed 11 years ago

Last modified 11 years ago

#36291 closed defect (fixed)

openssh sshd won't accept incoming connections

Reported by: beckettbt@… Owned by: neverpanic (Clemens Lang)
Priority: Normal Milestone:
Component: ports Version: 2.1.2
Keywords: Cc: elelay (Eric Le Lay), joshua.newton@…, nonstop.server@…, BjarneDMat, thomas@…, khepler, jpo@…
Port: openssh

Description (last modified by neverpanic (Clemens Lang))

After a fresh install of openssh @6.1p1_0 I receive the following error in the system log when I attempt to remotely ssh into the system:

sshd[38257]: fatal: ssh_sandbox_child: sandbox_init: dlopen(/usr/lib/libsandbox.1.dylib, 261): image not found [preauth]

and the connection is immediately dropped.

OS Mountain Lion 10.8.2

Change History (28)

comment:1 Changed 12 years ago by neverpanic (Clemens Lang)

Owner: changed from macports-tickets@… to jwa@…

Please remember to Cc the maintainer when reporting tickets.

Does /usr/lib/libsandbox.1.dylib exist on your system?

comment:2 Changed 12 years ago by neverpanic (Clemens Lang)

Description: modified (diff)

comment:3 in reply to:  1 Changed 12 years ago by beckettbt@…

Replying to cal@…:

Please remember to Cc the maintainer when reporting tickets.

Does /usr/lib/libsandbox.1.dylib exist on your system?

Yes. $ls /usr/lib/libsandbox.1.dylib /usr/lib/libsandbox.1.dylib

Version 0, edited 12 years ago by beckettbt@… (next)

comment:4 Changed 12 years ago by elelay (Eric Le Lay)

same problem here (10.6.8 x86_64)

Last edited 12 years ago by elelay (Eric Le Lay) (previous) (diff)

comment:5 Changed 12 years ago by elelay (Eric Le Lay)

Cc: elelay@… added

Cc Me!

comment:6 Changed 12 years ago by joshua.newton@…

Confirmed on 10.8.2 x86_64.

comment:7 Changed 12 years ago by joshua.newton@…

Cc: joshua.newton@… added

Cc Me!

comment:8 Changed 12 years ago by roxanna@…

I second this. I'm on OSX 10.7.5 (X86_64) and have this same problem.

Note: setting the UsePrivilegeSeparation modifier in sshd_config to "yes" instead of "sandbox" does clear the immediate problem of not being able to have clients connect:

sshd_config:

UsePrivilegeSeparation yes #Instead of default 'sandbox'

It causes sshd to use an older, and less secure means of sandboxing.

But as "sandbox" is the default value, this is obviously just a workaround.

Last edited 12 years ago by roxanna@… (previous) (diff)

comment:9 Changed 12 years ago by nonstop.server@…

Cc: nonstop.server@… added

Cc Me!

comment:10 Changed 12 years ago by BjarneDMat

Cc: macintosh@… added

Cc Me!

comment:11 Changed 12 years ago by BjarneDMat

is this a macports only problem -or- is it an upstream problem ???

comment:12 Changed 12 years ago by thomas@…

Cc: thomas@… added

Cc Me!

comment:13 in reply to:  description Changed 12 years ago by thomas@…

Replying to beckettbt@…:

After a fresh install of openssh @6.1p1_0 I receive the following error in the system log when I attempt to remotely ssh into the system:

sshd[38257]: fatal: ssh_sandbox_child: sandbox_init: dlopen(/usr/lib/libsandbox.1.dylib, 261): image not found [preauth]

and the connection is immediately dropped.

OS Mountain Lion 10.8.2

I have had luck simply disabling the "#UsePrivilegeSeparation sandbox" in the sshd "/opt/local/etc/ssh/sshd_config" config file for openSSH (Mac Port’s version) This works for me! Ref.: http://dyhr.com/2009/09/05/how-to-enable-x11-forwarding-with-ssh-on-mac-os-x-leopard/comment-page-1/#comment-21717

comment:14 Changed 11 years ago by ksze (Kal Sze)

This problem still exists with openssh @6.2p2_3, from MacPorts 2.2.0, under Mac OS X Lion.

comment:15 Changed 11 years ago by davidfavor (David Favor)

Problem also exists under Mavericks 10.9 and is fixed via the "UsePrivilegeSeparation yes" setting.

comment:16 Changed 11 years ago by khepler

Here is debug output from a Macports OpenSSH server running on 10.8.4 x86_64:

puadn:~ kris$ sudo /opt/local/sbin/sshd -ddd
debug2: load_server_config: filename /opt/local/etc/ssh/sshd_config
debug2: load_server_config: done config len = 253
debug2: parse_server_config: config /opt/local/etc/ssh/sshd_config len 253
debug3: /opt/local/etc/ssh/sshd_config:13 setting Port 6422
debug3: /opt/local/etc/ssh/sshd_config:50 setting AuthorizedKeysFile .ssh/authorized_keys
debug3: /opt/local/etc/ssh/sshd_config:105 setting UsePrivilegeSeparation sandbox		
debug3: /opt/local/etc/ssh/sshd_config:121 setting Subsystem sftp	/opt/local/libexec/sftp-server
debug1: sshd version OpenSSH_6.2, OpenSSL 1.0.1e 11 Feb 2013
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: could not open key file '/opt/local/etc/ssh/ssh_host_ecdsa_key': No such file or directory
Could not load host key: /opt/local/etc/ssh/ssh_host_ecdsa_key
debug1: rexec_argv[0]='/opt/local/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 6422 on 0.0.0.0.
Server listening on 0.0.0.0 port 6422.
debug2: fd 5 setting O_NONBLOCK
debug3: sock_set_v6only: set socket 5 IPV6_V6ONLY
debug1: Bind to port 6422 on ::.
Server listening on :: port 6422.
debug1: fd 6 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 9 config len 253
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 6 out 6 newsock 6 pipe -1 sock 9
debug1: inetd sockets after dupping: 5, 5
Connection from x.x.x.x port 51775
debug1: Client protocol version 2.0; client software version OpenSSH_5.9p1-hpn13v11
debug1: match: OpenSSH_5.9p1-hpn13v11 pat OpenSSH_5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug2: fd 5 setting O_NONBLOCK
debug3: ssh_sandbox_init: preparing Darwin sandbox
debug2: Network child is on pid 2892
debug3: preauth child monitor started
debug3: privsep user:group 75:75 [preauth]
debug1: permanently_set_uid: 75/75 [preauth]
debug3: ssh_sandbox_child: starting Darwin sandbox [preauth]
ssh_sandbox_child: sandbox_init: dlopen(/usr/lib/libsandbox.1.dylib, 261): image not found [preauth]
debug1: do_cleanup [preauth]
debug1: monitor_read_log: child log fd closed
debug3: mm_request_receive entering
debug1: do_cleanup
debug1: Killing privsep child 2892
puadn:~ kris$ 

comment:17 Changed 11 years ago by khepler

Cc: khepler@… added

Cc Me!

comment:18 Changed 11 years ago by jpo@…

Cc: jpo@… added

Cc Me!

comment:19 Changed 11 years ago by raimue (Rainer Müller)

The proposed update to openssh 6.5p1 in #42333 contains the change from UsePrivilegeSeparation sandbox to UsePrivilegeSeparation yes.

comment:20 Changed 11 years ago by neverpanic (Clemens Lang)

Owner: changed from jwa@… to cal@…
Status: newassigned

Should be fixed in r116989 without reverting to UsePrivilegeSeparation yes and preserving the sandboxing feature.

comment:21 Changed 11 years ago by neverpanic (Clemens Lang)

Resolution: fixed
Status: assignedclosed

comment:22 Changed 11 years ago by beckettbt@…

(Error report retracted. Port selfupdate did not immediately pull @6.5p1_2.)

Last edited 11 years ago by beckettbt@… (previous) (diff)

comment:23 Changed 11 years ago by danielluke (Daniel J. Luke)

On my (soon to be retired) 10.5/ppc box, setting UsePrivilegeSeparation sandbox worked with openssh 6.4 but fails with 6.5:

Feb 12 10:28:08 gandalf sshd[75376]: fatal: ssh_sandbox_child: sandbox_init: near line 14: Error: eval: unbound variable: file-chroot
n [preauth]

comment:24 Changed 11 years ago by neverpanic (Clemens Lang)

Sounds like 10.5's sandbox mechanism doesn't yet support the keywords used by the sandbox file source:trunk/dports/net/openssh/files/org.openssh.sshd.sb. Feel free to find out which commands don't work and patch them yourself on 10.5, or switch back to calling sandbox_init(3) with a predefined sandbox (i.e. reverting source:trunk/dports/net/openssh/files/patch-sandbox-darwin.c-apple-sandbox-named-external.diff).

I'm not going to work on 10.5 support.

comment:25 in reply to:  24 ; Changed 11 years ago by danielluke (Daniel J. Luke)

Replying to cal@…:

switch back to calling sandbox_init(3) with a predefined sandbox (i.e. reverting source:trunk/dports/net/openssh/files/patch-sandbox-darwin.c-apple-sandbox-named-external.diff).

I'll test this, as it should just restore the previous (6.4) behavior. If it works, will you accept a patch for it?

I'm not going to work on 10.5 support.

yeah, I don't expect you to.

comment:26 in reply to:  25 ; Changed 11 years ago by danielluke (Daniel J. Luke)

Replying to dluke@…:

Replying to cal@…:

switch back to calling sandbox_init(3) with a predefined sandbox (i.e. reverting source:trunk/dports/net/openssh/files/patch-sandbox-darwin.c-apple-sandbox-named-external.diff).

I'll test this, as it should just restore the previous (6.4) behavior. If it works, will you accept a patch for it?

nevermind, it's nomaintainer, so I'll just commit a patch if it works ;-)

comment:27 in reply to:  26 Changed 11 years ago by neverpanic (Clemens Lang)

Replying to dluke@…:

nevermind, it's nomaintainer, so I'll just commit a patch if it works ;-)

Exactly. :)

comment:28 in reply to:  26 Changed 11 years ago by danielluke (Daniel J. Luke)

Replying to dluke@…:

nevermind, it's nomaintainer, so I'll just commit a patch if it works ;-)

r117010

Note: See TracTickets for help on using tickets.