This morning I applied the 13 or so new updates to my servers. On
one of them the ssh service and clients stopped working immediately
after the update. I restarted the server in anticipation that there
might be some instability introduced by updating on a system with
active ssh connections. However, this has not cleared the problem.

The packages in question are:
openssh.i386 0:4.3p2-41.el5_5.1
openssh-askpass.i386 0:4.3p2-41.el5_5.1
openssh-clients.i386 0:4.3p2-41.el5_5.1
openssh-server.i386 0:4.3p2-41.el5_5.1

The error I am getting when attempting to start the sshd service is
this:

Starting sshd: Auto configuration failed
6486:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 207
[FAILED]

Can anyone reading this inform me as to what this means, what the
likely cause is, and how it may be repaired? I have webmin access
to the server and, as it is inside our firewall, I can probably enable
telnet to get a terminal window to carry out modifications. But I
need to know what it is that I need to modify.

Alternatively, can anyone point me to a reference regarding removing
the current version of openssh and reverting to the prior version,
which worked with presumably the same user configuration that the
present version does not accept.

The only references that I can find respecting this error message
are all several years old and some of them suggest that there is a
problem with accessing or using /dev/random or /dev/urandom.

This matter is somewhat urgent. I have temporarily routed essential
ssh connections through a spare host but the box affected sits in
front of our legacy systems providing secure access to them as their
native OSs and telecom protocols do not support encryption. It is
very important that the SSHD service be restored on this host as
soon as is possible.

Any help with this is gratefully appreciated.

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne            mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited      http://www.harte-lyne.ca
9 Brockley Drive          vox: +1 905 561 1241
Hamilton, Ontario         fax: +1 905 561 0757
Canada L8E 3C3

On Mon, September 13, 2010 11:01, James B. Byrne wrote:
> This morning I applied the 13 or so new updates to my servers. On
> one of them the ssh service and clients stopped working immediately
> after the update.
. . .
> The error I am getting when attempting to start the sshd service is
> this:
>
>
> Starting sshd: Auto configuration failed
> 6486:error:0E065068:configuration file routines:STR_COPY:variable
> has no value:conf_def.c:629:line 207
> [FAILED]
>

I replaced the sshd_config on the affected server with a copy of
that which came with the package and the same error occurs.
Whatever is causing this, it does not seem to be related to the
sshd_config file.

--
James B. Byrne

On: Mon Sep 13 11:41:17 EDT 2010, Joseph L. Casale jcasale at activenetwerx.com wrote:
> Selinux enabled?

Yes.

--
James B. Byrne

Set selinux=permissive in /etc/selinux/config
Rebooted system
tried to restart sshd

Starting sshd: Auto configuration failed
3600:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 207
[FAILED]

Same error. I point out that the other servers that were updated
and which show no error all have selinux enabled as well.

--
James B. Byrne

James B. Byrne wrote:
> This morning I applied the 13 or so new updates to my servers. On
> one of them the ssh service and clients stopped working immediately
> after the update. I restarted the server in anticipation that there
> might be some instability introduced by updating on a system with
> active ssh connections. However, this has not cleared the problem.
>
> The packages in question are:
> openssh.i386 0:4.3p2-41.el5_5.1
> openssh-askpass.i386 0:4.3p2-41.el5_5.1
> openssh-clients.i386 0:4.3p2-41.el5_5.1
> openssh-server.i386 0:4.3p2-41.el5_5.1
>
>
> The error I am getting when attempting to start the sshd service is
> this:
>
>
> Starting sshd: Auto configuration failed
> 6486:error:0E065068:configuration file routines:STR_COPY:variable
> has no value:conf_def.c:629:line 207
> [FAILED]

[ What I'm about to write is just the result of a google search.
Nevertheless, it may help ]

Searching google for "configuration file routines:STR_COPY:variable
has no value:conf_def.c" seems to point at openssl as the culprit
(mainly, something wrong with pkcs11 and cert "handshaking": the
message appears associated with certain bind9 and openvpn similar
crashes).

Are you sure nothing tanked on this package at the time of this
machine's upgrade (see Joseph L. Casale's suggestion) ?

HTH,
Mário
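
An added example, not part of any post in this thread, for the observation above that the message comes from OpenSSL: in an OpenSSL error-queue line `conf_def.c:629` is the library's source location, and the trailing `line 207` is the line of the configuration file OpenSSL was parsing. The sketch splits the error into fields and scans an OpenSSL-style config for `$var` references that have no value; the function names, the sample config and the simplified lookup order are assumptions made for illustration.

```python
import re

# The error line is the one quoted in the thread; the config text is a
# constructed sample, not the poster's file.
ERROR_LINE = ("6486:error:0E065068:configuration file routines:STR_COPY:"
              "variable has no value:conf_def.c:629:line 207")
SAMPLE_CONF = """\
HOME = .
RANDFILE = $ENV::HOME/.rnd
[ CA_default ]
dir = ./demoCA
certs = $dir/certs
crl = ${basedir}/crl.pem
key = $ENV::KEY_DIR/ca.key
"""

def parse_openssl_error(line):
    """Split an OpenSSL error-queue line into named fields."""
    keys = ("pid", "tag", "code", "library", "function", "reason",
            "source_file", "source_line", "data")
    return dict(zip(keys, line.strip().split(":", 8)))

# $name, ${name} or $section::name, unless the dollar sign is escaped.
VAR_REF = re.compile(r"(?<!\\)\$\{?(?:(\w+)::)?(\w+)\}?")

def find_unset_variables(conf_text, environ):
    """Return (line_no, reference) for each $var with no value at that point.

    Simplified single-pass model of the lookup: the named (or current)
    section, then the process environment for ENV::, then "default".
    """
    defined = {"default": set()}
    section, problems = "default", []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            defined.setdefault(section, set())
        elif "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            for ref_section, ref_name in VAR_REF.findall(value):
                scope = ref_section or section
                found = (ref_name in defined.get(scope, ())
                         or (scope == "ENV" and ref_name in environ)
                         or ref_name in defined["default"])
                if not found:
                    problems.append((line_no, f"{scope}::{ref_name}"))
            defined[section].add(name)
    return problems
```

On a real host, pass the text of the OpenSSL configuration file the daemon loads together with the environment the init script runs under, since an `$ENV::` reference that resolves in an interactive shell may not resolve there; `openssl version -d` prints the directory OpenSSL reads its configuration from.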

On Mon Sep 13 12:34:49 EDT 2010, Joseph L. Casale jcasale at activenetwerx.com wrote:
> Run an `rpm -Va` maybe the ssh package or one it needs had
> something tank in the upgrade...

Did that via webmin's command interface and nothing changed insofar
as I can see. Same error obtained when starting sshd.

What is the procedure to remove the latest openssh packages and
replace them with the previous ones?

--
James B. Byrne

On 09/13/2010 04:01 PM, James B. Byrne wrote:
> Starting sshd: Auto configuration failed
> 6486:error:0E065068:configuration file routines:STR_COPY:variable
> has no value:conf_def.c:629:line 207
> [FAILED]
...
> This matter is somewhat urgent.

Totally! broken sshd could cause non-trivial issues for a lot of
people.

However, I can confirm that:

* prov-kickstart-c5.5-i386 : sshd tests PASS
* yum -y update : sshd tests PASS [1]
* yum install latest updates : sshd tests PASS

[1]: the yum update runs against what is already on
mirrors.centos.org, so would not have considered this latest set of
new packages.

Also, the process is repeated for x86_64 and on both ipv4 and v6.
However, machine and resource constraints mean that the tests are only
ever run on Xen DomU's rather than real iron.

The tests themselves are fairly simple:

- ensure iptables blocks port :22, test connection from localhost to
  localhost:
- ensure iptables allows port :22 test connection from localhost to
  localhost:
- repeat for real ipv4 IP, and IPv6 IP.
- repeat the whole set of tests for scp.

The connections are tested using 'ssh-keygen -t dsa -b 1024' so that
tends to get tested as well ( ideally it would be cool to retain a
set of keys from previous builds to make sure they still work, but
I've not come up with any clean way of preserving test artifacts ).

So, I'm quite keen on finding out what is it that is causing the
breakage for you.

- KB

From: James B. Byrne <byrnejb at harte-lyne.ca>
> Starting sshd: Auto configuration failed
> 6486:error:0E065068:configuration file routines:STR_COPY:variable
> has no value:conf_def.c:629:line 207
> [FAILED]

Maybe did you check line 207 of sshd_config...?

JD