bugzilla-daemon at mindrot.org
2022-Aug-10 08:56 UTC
[Bug 3469] New: SSH from host is not getting connected to Beaglebone black board having openssh 9.0p1
https://bugzilla.mindrot.org/show_bug.cgi?id=3469

            Bug ID: 3469
           Summary: SSH from host is not getting connected to Beaglebone black board having openssh 9.0p1
           Product: Portable OpenSSH
           Version: v9.0p1
          Hardware: ARM
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: raviharavina at eaton.com

Need your help in addressing a critical issue related to ssh connection from HOST.

Success Scenario 1:
With Toolchain having Glibc 2.33, Binutils 2.37 and application Openssh 8.8p1 built the image for Beaglebone black (ARM) board. Able to perform SSH to the device from HOST.

Failure Scenario 2:
With Toolchain having Glibc 2.36, Binutils 2.38 and application Openssh 8.8p1 built the image for BBB (ARM board). Not able to perform the SSH to device (BBB) from HOST.

Below are the logs from HOST and BBB.

==============================
Debug Logs - ssh from HOST (Centos 7 VMWare) to BBB (192.168.200.101).
==============================
[eaton@localhost ~]$ ssh -v admin@192.168.200.101
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to 192.168.200.101 [192.168.200.101] port 22.
debug1: Connection established.
debug1: identity file /home/eaton/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/eaton/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/eaton/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/eaton/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/eaton/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/eaton/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/eaton/.ssh/id_ed25519 type 4
debug1: key_load_public: No such file or directory
debug1: identity file /home/eaton/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.8
debug1: match: OpenSSH_8.8 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.200.101:22 as 'admin'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: aes128-ctr MAC: umac-128-etm@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-128-etm@openssh.com compression: none
debug1: kex: curve25519-sha256 need=16 dh_need=16
debug1: kex: curve25519-sha256 need=16 dh_need=16
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
Connection closed by 192.168.200.101 port 22

==============================
Debug logs at BBB side -
==============================
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 3292
debug2: parse_server_config_depth: config /etc/ssh/sshd_config len 3292
debug3: /etc/ssh/sshd_config:12 setting Protocol 2
debug2: /etc/ssh/sshd_config line 12: Deprecated option Protocol
debug3: /etc/ssh/sshd_config:18 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: /etc/ssh/sshd_config:19 setting HostKey /etc/ssh/ssh_host_dsa_key
debug3: /etc/ssh/sshd_config:32 setting PermitRootLogin no
debug3: /etc/ssh/sshd_config:33 setting AllowGroups sshusers
debug3: /etc/ssh/sshd_config:35 setting MaxAuthTries 6
debug3: /etc/ssh/sshd_config:42 setting KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256]
debug3: /etc/ssh/sshd_config:43 setting Ciphers aes256-ctr,aes192-ctr,aes128-ctr
debug3: /etc/ssh/sshd_config:44 setting MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
debug3: /etc/ssh/sshd_config:82 setting UsePAM yes
debug3: /etc/ssh/sshd_config:97 setting ClientAliveInterval 900
debug3: /etc/ssh/sshd_config:98 setting ClientAliveCountMax 0
debug3: /etc/ssh/sshd_config:99 setting UseDNS no
debug3: /etc/ssh/sshd_config:108 setting Subsystem sftp /libexec/sftp-server
debug1: sshd version OpenSSH_8.8, OpenSSL 1.1.1o 3 May 2022
debug1: private host key #0: ssh-rsa SHA256:oeY2TPdubQnAxUhXloV65tmB8v2gDMg1lDxLpaghe+4
debug1: private host key #1: ssh-dss SHA256:LTk/c4rfaxHzfTinsiAgfNRnIrvb91DvAeR7Byw6BBA
debug1: rexec_argv[0]='/sbin/sshd'
debug1: rexec_argv[1]='-f'
debug1: rexec_argv[2]='/etc/ssh/sshd_config'
debug1: rexec_argv[3]='-ddd'
debug3: oom_adjust_setup
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug2: fd 4 setting O_NONBLOCK
debug3: sock_set_v6only: set socket 4 IPV6_V6ONLY
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug3: fd 5 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 3292
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug3: recv_rexec_state: entering fd = 5
debug3: ssh_msg_recv entering
debug3: recv_rexec_state: done
debug2: parse_server_config_depth: config rexec len 3292
debug3: rexec:12 setting Protocol 2
debug2: rexec line 12: Deprecated option Protocol
debug3: rexec:18 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: rexec:19 setting HostKey /etc/ssh/ssh_host_dsa_key
debug3: rexec:32 setting PermitRootLogin no
debug3: rexec:33 setting AllowGroups sshusers
debug3: rexec:35 setting MaxAuthTries 6
debug3: rexec:42 setting KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256]
debug3: rexec:43 setting Ciphers aes256-ctr,aes192-ctr,aes128-ctr
debug3: rexec:44 setting MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
debug3: rexec:82 setting UsePAM yes
debug3: rexec:97 setting ClientAliveInterval 900
debug3: rexec:98 setting ClientAliveCountMax 0
debug3: rexec:99 setting UseDNS no
debug3: rexec:108 setting Subsystem sftp /libexec/sftp-server
debug1: sshd version OpenSSH_8.8, OpenSSL 1.1.1o 3 May 2022
debug1: private host key #0: ssh-rsa SHA256:oeY2TPdubQnAxUhXloV65tmB8v2gDMg1lDxLpaghe+4
debug1: private host key #1: ssh-dss SHA256:LTk/c4rfaxHzfTinsiAgfNRnIrvb91DvAeR7Byw6BBA
debug1: inetd sockets after dupping: 3, 3
Connection from 192.168.200.1 port 54664 on 192.168.200.101 port 22
debug1: Local version string SSH-2.0-OpenSSH_8.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: compat_banner: match: OpenSSH_7.4 pat OpenSSH_7.4* compat 0x04000006
debug2: fd 3 setting O_NONBLOCK
debug3: ssh_sandbox_init: preparing seccomp filter sandbox
debug2: Network child is on pid 3762
debug3: preauth child monitor started
debug3: privsep user:group 98:98 [preauth]
debug1: permanently_set_uid: 98/98 [preauth]
debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth]
debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
debug3: append_hostkey_type: ssh-rsa key not permitted by HostkeyAlgorithms [preauth]
debug3: append_hostkey_type: ssh-dss key not permitted by HostkeyAlgorithms [preauth]
debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256 [preauth]
debug3: send packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug3: receive packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug2: local server KEXINIT proposal [preauth]
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 [preauth]
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256 [preauth]
debug2: ciphers ctos: aes256-ctr,aes192-ctr,aes128-ctr [preauth]
debug2: ciphers stoc: aes256-ctr,aes192-ctr,aes128-ctr [preauth]
debug2: MACs ctos: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com [preauth]
debug2: MACs stoc: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com [preauth]
debug2: compression ctos: none,zlib@openssh.com [preauth]
debug2: compression stoc: none,zlib@openssh.com [preauth]
debug2: languages ctos: [preauth]
debug2: languages stoc: [preauth]
debug2: first_kex_follows 0 [preauth]
debug2: reserved 0 [preauth]
debug2: peer client KEXINIT proposal [preauth]
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c [preauth]
debug2: host key algorithms: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss [preauth]
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc [preauth]
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc [preauth]
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: compression ctos: none,zlib@openssh.com,zlib [preauth]
debug2: compression stoc: none,zlib@openssh.com,zlib [preauth]
debug2: languages ctos: [preauth]
debug2: languages stoc: [preauth]
debug2: first_kex_follows 0 [preauth]
debug2: reserved 0 [preauth]
debug1: kex: algorithm: curve25519-sha256 [preauth]
debug1: kex: host key algorithm: rsa-sha2-512 [preauth]
debug1: kex: client->server cipher: aes128-ctr MAC: umac-128-etm@openssh.com compression: none [preauth]
debug1: kex: server->client cipher: aes128-ctr MAC: umac-128-etm@openssh.com compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug3: receive packet: type 30 [preauth]
debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth]
debug3: mm_sshkey_sign: entering [preauth]
debug3: mm_request_send: entering, type 6 [preauth]
debug3: mm_sshkey_sign: waiting for MONITOR_ANS_SIGN [preauth]
debug3: mm_request_receive_expect: entering, type 7 [preauth]
debug3: mm_request_receive: entering [preauth]
debug3: mm_request_receive: entering
debug3: monitor_read: checking request 6
debug3: mm_answer_sign: entering
debug3: mm_answer_sign: rsa-sha2-512 KEX signature len=276
debug3: mm_request_send: entering, type 7
debug2: monitor_read: 6 used once, disabling now
debug3: send packet: type 31 [preauth]
debug3: send packet: type 21 [preauth]
debug2: set_newkeys: mode 1 [preauth]
debug1: rekey out after 4294967296 blocks [preauth]
debug1: monitor_read_log: child log fd closed
debug3: mm_request_receive: entering
debug1: do_cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: Killing privsep child 3762

==============================
Openssh Version details at BBB
==============================
Debug logs at BBB side - Openssh version
/tmp $ ssh -v localhost
OpenSSH_8.8p1, OpenSSL 1.1.1o 3 May 2022
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 45: Deprecated option "useroaming"
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: connect to address 127.0.0.1 port 22: Connection refused
ssh: connect to host localhost port 22: Connection refused

--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Aug-10 23:01 UTC
[Bug 3469] SSH from host is not getting connected to Beaglebone black board having openssh 9.0p1
https://bugzilla.mindrot.org/show_bug.cgi?id=3469

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
It's fairly likely that this is a sandbox violation. You can debug this using the instructions at the start of the sandbox-seccomp-filter.c file, though you may need to apply commit 2580916e4 to fix a couple of bugs in the debugging code.

Once you have identified the failing syscall, we can either permit or ignore it in the BPF filter.
bugzilla-daemon at mindrot.org
2022-Aug-10 23:04 UTC
[Bug 3469] SSH from host is not getting connected to Beaglebone black board having openssh 9.0p1
https://bugzilla.mindrot.org/show_bug.cgi?id=3469

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
However, you should first try openssh-9.0 as it contains a number of fixes over openssh-8.8, including one in the sandbox that might be the culprit.
bugzilla-daemon at mindrot.org
2022-Aug-11 15:07 UTC
[Bug 3469] SSH from host is not getting connected to Beaglebone black board having openssh 9.0p1
https://bugzilla.mindrot.org/show_bug.cgi?id=3469

--- Comment #3 from Ravi Haravina N <raviharavina at eaton.com> ---
Thank you Miller for your suggestion.

Now, I have used 9.0p1 version and updated changes as suggested in commit 2580916e4. Still ssh connection from HOST is not successful. But I see sandbox_violation message in debug output, as well as in /flash/log/message.

ssh_sandbox_violation: unexpected system call (arch:0x40000028,syscall:403 @ 0xb6b3c74c) [preauth

As per syscall:403 number, it relates to "clock_gettime64" syscall which is an alias for "clock_gettime" (as per details in https://www.lurklurk.org/syscalls.html). Also this function is supported for i386 and generic type architecture but not for "arm".

Question: How to fix this in OpenSSH?

=========================
Below are debug messages from sshd on BBB
=========================
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 3292
debug2: parse_server_config_depth: config /etc/ssh/sshd_config len 3292
debug3: /etc/ssh/sshd_config:12 setting Protocol 2
debug2: /etc/ssh/sshd_config line 12: Deprecated option Protocol
debug3: /etc/ssh/sshd_config:18 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: /etc/ssh/sshd_config:19 setting HostKey /etc/ssh/ssh_host_dsa_key
debug3: /etc/ssh/sshd_config:32 setting PermitRootLogin no
debug3: /etc/ssh/sshd_config:33 setting AllowGroups sshusers
debug3: /etc/ssh/sshd_config:35 setting MaxAuthTries 6
debug3: /etc/ssh/sshd_config:42 setting KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256]
debug3: /etc/ssh/sshd_config:43 setting Ciphers aes256-ctr,aes192-ctr,aes128-ctr
debug3: /etc/ssh/sshd_config:44 setting MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
debug3: /etc/ssh/sshd_config:82 setting UsePAM yes
debug3: /etc/ssh/sshd_config:97 setting ClientAliveInterval 900
debug3: /etc/ssh/sshd_config:98 setting ClientAliveCountMax 0
debug3: /etc/ssh/sshd_config:99 setting UseDNS no
debug3: /etc/ssh/sshd_config:108 setting Subsystem sftp /libexec/sftp-server
debug1: sshd version OpenSSH_9.0, OpenSSL 1.1.1q 5 Jul 2022
debug1: private host key #0: ssh-rsa SHA256:oeY2TPdubQnAxUhXloV65tmB8v2gDMg1lDxLpaghe+4
debug1: private host key #1: ssh-dss SHA256:LTk/c4rfaxHzfTinsiAgfNRnIrvb91DvAeR7Byw6BBA
debug1: rexec_argv[0]='/sbin/sshd'
debug1: rexec_argv[1]='-f'
debug1: rexec_argv[2]='/etc/ssh/sshd_config'
debug1: rexec_argv[3]='-ddd'
debug3: oom_adjust_setup
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug2: fd 4 setting O_NONBLOCK
debug3: sock_set_v6only: set socket 4 IPV6_V6ONLY
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug3: fd 5 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 3292
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug3: recv_rexec_state: entering fd = 5
debug3: ssh_msg_recv entering
debug3: recv_rexec_state: done
debug2: parse_server_config_depth: config rexec len 3292
debug3: rexec:12 setting Protocol 2
debug2: rexec line 12: Deprecated option Protocol
debug3: rexec:18 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: rexec:19 setting HostKey /etc/ssh/ssh_host_dsa_key
debug3: rexec:32 setting PermitRootLogin no
debug3: rexec:33 setting AllowGroups sshusers
debug3: rexec:35 setting MaxAuthTries 6
debug3: rexec:42 setting KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256]
debug3: rexec:43 setting Ciphers aes256-ctr,aes192-ctr,aes128-ctr
debug3: rexec:44 setting MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
debug3: rexec:82 setting UsePAM yes
debug3: rexec:97 setting ClientAliveInterval 900
debug3: rexec:98 setting ClientAliveCountMax 0
debug3: rexec:99 setting UseDNS no
debug3: rexec:108 setting Subsystem sftp /libexec/sftp-server
debug1: sshd version OpenSSH_9.0, OpenSSL 1.1.1q 5 Jul 2022
debug1: private host key #0: ssh-rsa SHA256:oeY2TPdubQnAxUhXloV65tmB8v2gDMg1lDxLpaghe+4
debug1: private host key #1: ssh-dss SHA256:LTk/c4rfaxHzfTinsiAgfNRnIrvb91DvAeR7Byw6BBA
debug1: inetd sockets after dupping: 3, 3
Connection from 192.168.200.1 port 62187 on 192.168.200.101 port 22 rdomain ""
debug1: Local version string SSH-2.0-OpenSSH_9.0
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: compat_banner: match: OpenSSH_7.4 pat OpenSSH_7.4* compat 0x04000006
debug2: fd 3 setting O_NONBLOCK
debug3: ssh_sandbox_init: preparing seccomp filter sandbox
debug2: Network child is on pid 3240
debug3: preauth child monitor started
debug3: privsep user:group 98:98 [preauth]
debug1: permanently_set_uid: 98/98 [preauth]
debug3: ssh_sandbox_child_debugging: installing SIGSYS handler [preauth]
debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth]
debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
debug3: append_hostkey_type: ssh-rsa key not permitted by HostkeyAlgorithms [preauth]
debug3: append_hostkey_type: ssh-dss key not permitted by HostkeyAlgorithms [preauth]
debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256 [preauth]
debug3: send packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug3: receive packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug2: local server KEXINIT proposal [preauth]
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 [preauth]
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256 [preauth]
debug2: ciphers ctos: aes256-ctr,aes192-ctr,aes128-ctr [preauth]
debug2: ciphers stoc: aes256-ctr,aes192-ctr,aes128-ctr [preauth]
debug2: MACs ctos: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com [preauth]
debug2: MACs stoc: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com [preauth]
debug2: compression ctos: none,zlib@openssh.com [preauth]
debug2: compression stoc: none,zlib@openssh.com [preauth]
debug2: languages ctos: [preauth]
debug2: languages stoc: [preauth]
debug2: first_kex_follows 0 [preauth]
debug2: reserved 0 [preauth]
debug2: peer client KEXINIT proposal [preauth]
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c [preauth]
debug2: host key algorithms: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss [preauth]
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc [preauth]
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc [preauth]
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: compression ctos: none,zlib@openssh.com,zlib [preauth]
debug2: compression stoc: none,zlib@openssh.com,zlib [preauth]
debug2: languages ctos: [preauth]
debug2: languages stoc: [preauth]
debug2: first_kex_follows 0 [preauth]
debug2: reserved 0 [preauth]
debug1: kex: algorithm: curve25519-sha256 [preauth]
debug1: kex: host key algorithm: rsa-sha2-512 [preauth]
debug1: kex: client->server cipher: aes128-ctr MAC: umac-128-etm@openssh.com compression: none [preauth]
debug1: kex: server->client cipher: aes128-ctr MAC: umac-128-etm@openssh.com compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug3: receive packet: type 30 [preauth]
debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth]
debug3: mm_sshkey_sign: entering [preauth]
debug3: mm_request_send: entering, type 6 [preauth]
debug3: mm_sshkey_sign: waiting for MONITOR_ANS_SIGN [preauth]
debug3: mm_request_receive_expect: entering, type 7 [preauth]
debug3: mm_request_receive: entering [preauth]
debug3: mm_request_receive: entering
debug3: monitor_read: checking request 6
debug3: mm_answer_sign: entering
debug3: mm_answer_sign: rsa-sha2-512 KEX signature len=276
debug3: mm_request_send: entering, type 7
debug2: monitor_read: 6 used once, disabling now
debug3: send packet: type 31 [preauth]
debug3: send packet: type 21 [preauth]
debug2: ssh_set_newkeys: mode 1 [preauth]
debug1: rekey out after 4294967296 blocks [preauth]
ssh_sandbox_violation: unexpected system call (arch:0x40000028,syscall:403 @ 0xb6b3c74c) [preauth]
debug1: monitor_read_log: child log fd closed
debug3: mm_request_receive: entering
debug1: do_cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: Killing privsep child 3240
~ $

========================================================
Also in config.log file of OpenSSH below message is there
========================================================
configure:12291: checking for library containing clock_gettime
configure:12322: arm-cortexa8-linux-gnueabi-gcc -o conftest -Og -fno-omit-frame-pointer -pipe -Wall -Wno-unused-local-typedefs -funwind-tables -ggdb -Wno-psabi -msoft-float -g -rdynamic -mpoke-function-name -mapcs-frame -funwind-tables -Wno-unused-variable -pipe -Wno-error=format-truncation -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -Wimplicit-fallthrough -Wmisleading-indentation -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -Og -fno-omit-frame-pointer -pipe -Wall -Wno-unused-local-typedefs -funwind-tables -ggdb -Wno-psabi -msoft-float -g -rdynamic -mpoke-function-name -mapcs-frame -funwind-tables -Wno-unused-variable -fPIE -I/home/eaton/px_red/edge-linux-prod-bbb/output/exported/include -U_FORTIFY_SOURCE -funwind-tables -Wno-psabi -DTOOLKIT_VERSION="Non-EdgeX-Linux-4.7.4" -Wno-unused-variable -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -L/home/eaton/px_red/edge-linux-prod-bbb/output/exported/lib -Wl,-rpath-link=/home/eaton/px_red/edge-linux-prod-bbb/output/exported/lib -Wl,--copy-dt-needed-entries -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -pie conftest.c -lz >&5
configure:12322: $? = 0
configure:12339: result: none required

Question: result "none required" - does it mean that it couldn't find the library which has clock_gettime? Or is it required for me to make some changes in configuration file to reach to this library. Request your help here.

In the same file for other macro declaration check, result says as "yes"

configure:12350: checking whether localtime_r is declared
configure:12350: arm-cortexa8-linux-gnueabi-gcc -c -Og -fno-omit-frame-pointer -pipe -Wall -Wno-unused-local-typedefs -funwind-tables -ggdb -Wno-psabi -msoft-float -g -rdynamic -mpoke-function-name -mapcs-frame -funwind-tables -Wno-unused-variable -pipe -Wno-error=format-truncation -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -Wimplicit-fallthrough -Wmisleading-indentation -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -Og -fno-omit-frame-pointer -pipe -Wall -Wno-unused-local-typedefs -funwind-tables -ggdb -Wno-psabi -msoft-float -g -rdynamic -mpoke-function-name -mapcs-frame -funwind-tables -Wno-unused-variable -fPIE -I/home/eaton/px_red/edge-linux-prod-bbb/output/exported/include -U_FORTIFY_SOURCE -funwind-tables -Wno-psabi -DTOOLKIT_VERSION="Non-EdgeX-Linux-4.7.4" -Wno-unused-variable -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE conftest.c >&5
configure:12350: $? = 0
configure:12350: result: yes

==============================
In Glibc 2.36
==============================
In Glibc 2.36 version (maybe from 2.34 onwards) there is a flag __USE_TIME_BITS64 used for time related functions. I didn't find a place where they are setting this flag, so I think it's by default false and considers it as 32 bit time. Correct me if I'm wrong.

Do I need to make any changes in Glibc to make OpenSSH accept connection?
bugzilla-daemon at mindrot.org
2022-Aug-11 23:25 UTC
[Bug 3469] SSH from host is not getting connected to Beaglebone black board having openssh 9.0p1
https://bugzilla.mindrot.org/show_bug.cgi?id=3469

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net

--- Comment #4 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to Ravi Haravina N from comment #3)
[...]
> ssh_sandbox_violation: unexpected system call
> (arch:0x40000028,syscall:403 @ 0xb6b3c74c) [preauth
>
> As per syscall:403 number, it relates to "clock_gettime64" syscall
> which is an alias for "clock_gettime" (as per details in
> https://www.lurklurk.org/syscalls.html). Also this function is
> supported for i386 and generic type architecture but not for "arm".

Both clock_gettime and clock_gettime64 are permitted in sandbox-seccomp-filter.c:

#ifdef __NR_clock_gettime
        SC_ALLOW(__NR_clock_gettime),
#endif
#ifdef __NR_clock_gettime64
        SC_ALLOW(__NR_clock_gettime64),
#endif

HOWEVER this is contingent on the corresponding symbol being defined in the system headers. If you are building against headers from an older glibc you might not have all the required symbols (most likely __NR_clock_gettime64 is missing).

> Question: How to fix this in OpenSSH?

Fix your headers.

[...]
> Question: result "none required" - does it mean that it couldn't
> find the library which has clock_gettime? Or is it required for me
> to make some changes in configuration file to reach to this library.
> Request your help here.

It means no additional libraries are needed to find clock_gettime, ie it's almost certainly in libc.
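
The header dependency described in comment #4 can be checked against a toolchain directly. The C program below is an added example, not code from the thread or from OpenSSH: it parses the ssh_sandbox_violation record posted in comment #3, decodes the arch and syscall fields, and reports whether the headers it is compiled against define __NR_clock_gettime64. The lookup tables, struct and function names are this example's own.

```c
/* Added example: decode an sshd seccomp violation record and test whether
 * the build headers define the symbol that gates the sandbox allow rule. */
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/syscall.h>    /* source of the __NR_* macros */
#endif

/* AUDIT_ARCH_* values as defined in <linux/audit.h>, copied here so the
 * decoder does not depend on the headers under test. */
struct arch_entry { unsigned long arch; const char *name; int is_32bit; };
static const struct arch_entry ARCHES[] = {
    { 0x40000028UL, "arm",     1 },
    { 0x40000003UL, "i386",    1 },
    { 0xC000003EUL, "x86_64",  0 },
    { 0xC00000B7UL, "aarch64", 0 },
};

/* A few of the time64 syscalls; 32-bit Linux ABIs share these numbers. */
struct sys_entry { long nr; const char *name; };
static const struct sys_entry TIME64[] = {
    { 403, "clock_gettime64" },
    { 407, "clock_nanosleep_time64" },
    { 413, "pselect6_time64" },
    { 414, "ppoll_time64" },
    { 422, "futex_time64" },
};

struct violation { unsigned long arch; long nr; unsigned long addr; };

/* Find and parse the first ssh_sandbox_violation record in a log buffer.
 * Returns 1 on success, 0 if no well-formed record is present. */
int parse_violation(const char *log, struct violation *v)
{
    const char *p = strstr(log, "ssh_sandbox_violation:");
    if (p == NULL || (p = strstr(p, "(arch:")) == NULL)
        return 0;
    return sscanf(p, "(arch:%lx,syscall:%ld @ %lx)",
                  &v->arch, &v->nr, &v->addr) == 3;
}

static const struct arch_entry *lookup_arch(unsigned long arch)
{
    for (size_t i = 0; i < sizeof(ARCHES) / sizeof(ARCHES[0]); i++)
        if (ARCHES[i].arch == arch)
            return &ARCHES[i];
    return NULL;
}

const char *arch_name(unsigned long arch)
{
    const struct arch_entry *a = lookup_arch(arch);
    return a ? a->name : "unknown";
}

/* Name of the time64 syscall, or NULL when the record is from a 64-bit or
 * unknown architecture (where these numbers mean something else) or the
 * number is not in this example's table. */
const char *time64_name(const struct violation *v)
{
    const struct arch_entry *a = lookup_arch(v->arch);
    if (a == NULL || !a->is_32bit)
        return NULL;
    for (size_t i = 0; i < sizeof(TIME64) / sizeof(TIME64[0]); i++)
        if (TIME64[i].nr == v->nr)
            return TIME64[i].name;
    return NULL;
}

/* Same preprocessor test as the guard quoted from sandbox-seccomp-filter.c:
 * 1 if the headers used for this build define the symbol, else 0. */
int headers_define_clock_gettime64(void)
{
#ifdef __NR_clock_gettime64
    return 1;
#else
    return 0;
#endif
}

int main(void)
{
    /* Violation record as posted in comment #3 of this thread. */
    const char *log =
        "debug1: rekey out after 4294967296 blocks [preauth]\n"
        "ssh_sandbox_violation: unexpected system call "
        "(arch:0x40000028,syscall:403 @ 0xb6b3c74c) [preauth]\n";
    struct violation v;

    if (!parse_violation(log, &v)) {
        puts("no violation record found");
        return 1;
    }
    const char *name = time64_name(&v);
    printf("arch=%s syscall=%ld (%s) at 0x%lx\n", arch_name(v.arch),
           v.nr, name ? name : "not in table", v.addr);
    printf("__NR_clock_gettime64 defined by these headers: %s\n",
           headers_define_clock_gettime64() ? "yes"
           : "no, the SC_ALLOW entry would be compiled out");
    return 0;
}
```

Build it with the same cross compiler and sysroot used for sshd; on a 32-bit target, a "no" on the last line means the `#ifdef __NR_clock_gettime64` branch was skipped at build time.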
bugzilla-daemon at mindrot.org
2022-Aug-12 14:43 UTC
[Bug 3469] SSH from host is not getting connected to Beaglebone black board having openssh 9.0p1
https://bugzilla.mindrot.org/show_bug.cgi?id=3469

--- Comment #5 from Ravi Haravina N <raviharavina at eaton.com> ---
Hi Miller,

Thanks for your reply.

Found the place in Openssh where we call clock_gettime - in packet.c->ssh_packet_send2 line#1293 (state->rekey_time = monotime();) which in turn calls clock_gettime.

Analysing the header file of usr/include/time.h (in toolchain having glibc 2.36 version), it seems there is a flag __USE_TIME_BITS64 which defines which function (APIs) to be used.

Analysis is in progress. I will update once I have some info on this issue.

Thank you for directing me to the right path.