openssh bugs - Oct 2022 - [Bug 3487] New: "getentropy failed" after upgrade from 9.0

https://bugzilla.mindrot.org/show_bug.cgi?id=3487

            Bug ID: 3487
           Summary: "getentropy failed" after upgrade from 9.0
           Product: Portable OpenSSH
           Version: 9.1p1
          Hardware: ARM
                OS: Linux
            Status: NEW
          Severity: critical
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: mindrot.org at felixvandyck.be

I have upgraded openssh from 9.0 to 9.1. After rebooting the system I
found that I was no longer able to connect to the SSH server
("connection refused" and "status 255").

I have checked systemd logs and found the following relevant items:

```
Oct 21 02:41:19 orbb sshd[255]: getentropy failed
Oct 21 02:41:19 orbb systemd[1]: sshd.service: Main process exited,
code=exited, status=255/EXCEPTION
Oct 21 02:41:19 orbb systemd[1]: sshd.service: Failed with result
'exit-code'.
```

When I ran `sshd -t` it also returned `getentropy failed`.

I inspected the upgraded packages and downgraded
openssh-9.1p1-1-armv7h.pkg.tar.xz back to
openssh-9.0p1-1-armv7h.pkg.tar.xz. I have restarted the service and was
able to connect via SSH again.

System:
Linux orbb 3.10.107-5-ARCH #1 SMP PREEMPT Fri Mar 26 23:32:03 UTC 2021
armv7l GNU/Linux


Kind regards

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3487

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net

--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to InFerNo from comment #0)
> I inspected the upgraded packages and downgraded
> openssh-9.1p1-1-armv7h.pkg.tar.xz back to
> openssh-9.0p1-1-armv7h.pkg.tar.xz.
Those are (probably modified) binaries supplied by your distro vendor. 
Can you reproduce the problem with the stock code from openssh.com?  If
that works, compare the config.h from the non-working one with the
working one.

My guess is that the package was compiled on a system that has a native
getentropy but deployed on a system that does not.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3487

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3480

--- Comment #2 from Darren Tucker <dtucker at dtucker.net> ---
We've changed it so that the fallback code is always available even on
platforms that claim to have getentropy:

https://github.com/openssh/openssh-portable/commit/da6038bd5cd55eb212eb2aec1fc8ae79bbf76156

Always use compat getentropy.
Have it call native getentropy and fall back as required.  Should fix
issues of platforms where libc has getentropy but it is not implemented
in the kernel.  Based on github PR#354 from simsergey.

This change will be in OpenSSH 9.2p1 and has been cherrypicked into the
V_9_1 branch, so will be included if there is a 9.1p2 release.

Could you please confirm that this change fixes your problem?


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3480
[Bug 3480] tracking bug for openssh-9.2
-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3487

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #3 from Darren Tucker <dtucker at dtucker.net> ---
We believe that his has been fixed, but if  not please reopen this bug.

Thanks for the report.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3487

Sam James <sam at gentoo.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sam at gentoo.org

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3487

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
OpenSSH 9.3 has been released. Close resolved bugs

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3487

--- Comment #5 from InFerNo <mindrot.org at felixvandyck.be> ---
I can confirm that this has been fixed since 9.2 on system Linux orbb
3.10.107-5-ARCH #1 SMP PREEMPT Fri Mar 26 23:32:03 UTC 2021 armv7l
GNU/Linux

This is an Odroid C1 SBC.


ssh -V
OpenSSH_9.2p1, OpenSSL 3.0.8 7 Feb 2023


Many thanks!

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.