Debian Bug report logs - #849923
openssh-server: (default) UsePrivilegeSeparation sandbox broken on x32

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Thorsten Glaser <tg@mirbsd.de>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: openssh-server: no login possible after upgrade on x32

Date: Mon, 02 Jan 2017 11:36:55 +0100

Package: openssh-server
Version: 1:7.4p1-3
Severity: important

After upgrading from 1:7.3p1-5 to 1:7.4p1-3 I can no longer
'ssh localhost' on x32; switching to openssh-server:i386 with
the exact same configuration works, though.

Server log:

tglase@tglase:~ $ sudo cleanenv / /usr/sbin/sshd -ddddde
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 366
debug2: parse_server_config: config /etc/ssh/sshd_config len 366
debug3: /etc/ssh/sshd_config:18 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: /etc/ssh/sshd_config:33 setting PermitRootLogin prohibit-password
debug3: /etc/ssh/sshd_config:42 setting AuthorizedKeysFile .ssh/authorized_keys
debug3: /etc/ssh/sshd_config:63 setting ChallengeResponseAuthentication no
debug3: /etc/ssh/sshd_config:86 setting UsePAM yes
debug3: /etc/ssh/sshd_config:91 setting X11Forwarding yes
debug3: /etc/ssh/sshd_config:95 setting PrintMotd no
debug3: /etc/ssh/sshd_config:115 setting AcceptEnv LANG LC_*
debug3: /etc/ssh/sshd_config:118 setting Subsystem sftp	/usr/lib/openssh/sftp-server
debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2j  26 Sep 2016
debug1: private host key #0: ssh-rsa SHA256:9ae2/1t8U30Savg3XisO1ZCDuaH8IXQm18FdLpW3g8M
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-ddddde'
debug3: oom_adjust_setup
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug2: fd 4 setting O_NONBLOCK
debug3: sock_set_v6only: set socket 4 IPV6_V6ONLY
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug3: fd 5 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 366
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug3: recv_rexec_state: entering fd = 5
debug3: ssh_msg_recv entering
debug3: recv_rexec_state: done
debug2: parse_server_config: config rexec len 366
debug3: rexec:18 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: rexec:33 setting PermitRootLogin prohibit-password
debug3: rexec:42 setting AuthorizedKeysFile .ssh/authorized_keys
debug3: rexec:63 setting ChallengeResponseAuthentication no
debug3: rexec:86 setting UsePAM yes
debug3: rexec:91 setting X11Forwarding yes
debug3: rexec:95 setting PrintMotd no
debug3: rexec:115 setting AcceptEnv LANG LC_*
debug3: rexec:118 setting Subsystem sftp	/usr/lib/openssh/sftp-server
debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2j  26 Sep 2016
debug1: private host key #0: ssh-rsa SHA256:9ae2/1t8U30Savg3XisO1ZCDuaH8IXQm18FdLpW3g8M
debug1: inetd sockets after dupping: 3, 3
Connection from 127.0.0.1 port 49750 on 127.0.0.1 port 22
debug1: Client protocol version 2.0; client software version OpenSSH_7.4p1 Debian-3
debug1: match: OpenSSH_7.4p1 Debian-3 pat OpenSSH* compat 0x04000000
debug1: Local version string SSH-2.0-OpenSSH_7.4p1 Debian-3
debug1: Enabling compatibility mode for protocol 2.0
debug2: fd 3 setting O_NONBLOCK
debug3: ssh_sandbox_init: preparing seccomp filter sandbox
debug2: Network child is on pid 31321
debug3: preauth child monitor started
debug3: privsep user:group 111:65534 [preauth]
debug1: permanently_set_uid: 111/65534 [preauth]
debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth]
debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
debug1: list_hostkey_types: ssh-rsa,rsa-sha2-512,rsa-sha2-256 [preauth]
debug3: send packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug3: receive packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug2: local server KEXINIT proposal [preauth]
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 [preauth]
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256 [preauth]
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: compression ctos: none,zlib@openssh.com [preauth]
debug2: compression stoc: none,zlib@openssh.com [preauth]
debug2: languages ctos:  [preauth]
debug2: languages stoc:  [preauth]
debug2: first_kex_follows 0  [preauth]
debug2: reserved 0  [preauth]
debug2: peer client KEXINIT proposal [preauth]
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c [preauth]
debug2: host key algorithms: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519 [preauth]
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc [preauth]
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc [preauth]
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: compression ctos: none,zlib@openssh.com,zlib [preauth]
debug2: compression stoc: none,zlib@openssh.com,zlib [preauth]
debug2: languages ctos:  [preauth]
debug2: languages stoc:  [preauth]
debug2: first_kex_follows 0  [preauth]
debug2: reserved 0  [preauth]
debug1: kex: algorithm: curve25519-sha256 [preauth]
debug1: kex: host key algorithm: rsa-sha2-512 [preauth]
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug3: receive packet: type 30 [preauth]
debug3: mm_key_sign entering [preauth]
debug3: mm_request_send entering: type 6 [preauth]
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN [preauth]
debug3: mm_request_receive_expect entering: type 7 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_sign
debug3: mm_answer_sign: hostkey proof signature 0x2318cb0(276)
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug3: send packet: type 31 [preauth]
debug3: send packet: type 21 [preauth]
debug2: set_newkeys: mode 1 [preauth]
debug1: rekey after 134217728 blocks [preauth]
debug1: monitor_read_log: child log fd closed
debug3: mm_request_receive entering
debug1: do_cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: Killing privsep child 31321
debug1: audit_event: unhandled event 12

Client log:

tglase@tglase:~ $ ssh -F /dev/null -vvvvv localhost
OpenSSH_7.4p1 Debian-3, OpenSSL 1.0.2j  26 Sep 2016
debug1: Reading configuration data /dev/null
debug2: resolving "localhost" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/tglase/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/tglase/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/tglase/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/tglase/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/tglase/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/tglase/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/tglase/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/tglase/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4p1 Debian-3
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4p1 Debian-3
debug1: match: OpenSSH_7.4p1 Debian-3 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to localhost:22 as 'tglase'
debug3: hostkeys_foreach: reading file "/home/tglase/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /home/tglase/.ssh/known_hosts:2790
debug3: load_hostkeys: loaded 1 keys from localhost
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
Connection closed by 127.0.0.1 port 22

Client log when successfully connecting to the i386 server:

tglase@tglase:~ $ ssh -F /dev/null -vvvvv localhost
OpenSSH_7.4p1 Debian-3, OpenSSL 1.0.2j  26 Sep 2016
debug1: Reading configuration data /dev/null
debug2: resolving "localhost" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/tglase/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/tglase/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/tglase/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/tglase/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/tglase/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/tglase/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/tglase/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/tglase/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4p1 Debian-3
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4p1 Debian-3
debug1: match: OpenSSH_7.4p1 Debian-3 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to localhost:22 as 'tglase'
debug3: hostkeys_foreach: reading file "/home/tglase/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /home/tglase/.ssh/known_hosts:2790
debug3: load_hostkeys: loaded 1 keys from localhost
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ssh-rsa SHA256:9ae2/1t8U30Savg3XisO1ZCDuaH8IXQm18FdLpW3g8M
debug3: hostkeys_foreach: reading file "/home/tglase/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /home/tglase/.ssh/known_hosts:2790
debug3: load_hostkeys: loaded 1 keys from localhost
debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /home/tglase/.ssh/known_hosts:2790
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: /home/tglase/.ssh/id_rsa (0xc7e9a0), agent
debug2: key: /home/tglase/.ssh/id_dsa ((nil))
debug2: key: /home/tglase/.ssh/id_ecdsa ((nil))
debug2: key: /home/tglase/.ssh/id_ed25519 ((nil))
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/tglase/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg ssh-rsa blen 405
debug2: input_userauth_pk_ok: fp SHA256:5P4HaUvrwJVP/5u1NpDEckku9RNwy9weOs+NPhgSdXI
debug3: sign_and_send_pubkey: RSA SHA256:5P4HaUvrwJVP/5u1NpDEckku9RNwy9weOs+NPhgSdXI
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
Authenticated to localhost ([127.0.0.1]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting no-more-sessions@openssh.com
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug3: receive packet: type 80
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug3: receive packet: type 91
debug2: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: ssh_packet_set_tos: set IP_TOS 0x10
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: send packet: type 98
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Linux tglase.lan.tarent.de 4.8.0-1-amd64 #1 SMP Debian 4.8.5-1 (2016-10-28) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Jan  2 11:35:28 2017 from 127.0.0.1
tglase@tglase:~ $ debug3: receive packet: type 98
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug2: channel 0: rcvd eow
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
^D
debug3: receive packet: type 96
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug3: receive packet: type 97
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug3: send packet: type 97
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cc -1)

debug3: send packet: type 1
Connection to localhost closed.
Transferred: sent 3444, received 3356 bytes, in 1.3 seconds
Bytes per second: sent 2746.0, received 2675.9
debug1: Exit status 0


-- System Information:
Debian Release: stretch/sid
  APT prefers unreleased
  APT policy: (500, 'unreleased'), (500, 'buildd-unstable'), (500, 'unstable')
Architecture: x32 (x86_64)
Foreign Architectures: i386, amd64

Kernel: Linux 4.8.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

Versions of packages openssh-server depends on:
ii  adduser                3.115
ii  debconf [debconf-2.0]  1.5.59
ii  dpkg                   1.18.18
ii  init-system-helpers    1.46
ii  libaudit1              1:2.6.7-1
ii  libc6                  2.24-8
ii  libcomerr2             1.43.3-1
ii  libgssapi-krb5-2       1.15-1
ii  libkrb5-3              1.15-1
ii  libpam-modules         1.1.8-3.4
ii  libpam-runtime         1.1.8-3.4
ii  libpam0g               1.1.8-3.4
ii  libselinux1            2.6-3
ii  libssl1.0.2            1.0.2j-5
ii  libsystemd0            232-8
ii  libwrap0               7.6.q-26
ii  lsb-base               9.20161125
ii  openssh-client         1:7.4p1-3
ii  openssh-sftp-server    1:7.4p1-3
ii  procps                 2:3.3.12-3
ii  ucf                    3.0036
ii  zlib1g                 1:1.2.8.dfsg-4

Versions of packages openssh-server recommends:
pn  libpam-systemd  <none>
pn  ncurses-term    <none>
ii  xauth           1:1.0.9-1

Versions of packages openssh-server suggests:
ii  kwalletcli [ssh-askpass]  3.00-1
ii  molly-guard               0.6.4
pn  monkeysphere              <none>
pn  rssh                      <none>
pn  ufw                       <none>

-- debconf information:
* ssh/use_old_init_script: true
  ssh/vulnerable_host_keys:
  ssh/disable_cr_auth: false
  openssh-server/permit-root-login: true
  ssh/new_config: true
  ssh/encrypted_host_key_but_no_keygen:

-- debsums errors found:
debsums: package openssh-server is not installed

Message #10 received at 849923@bugs.debian.org (full text, mbox, reply):

From: Thorsten Glaser <t.glaser@tarent.de>

To: 849923@bugs.debian.org

Cc: control@bugs.debian.org

Subject: Re: Bug#849923: openssh-server: no login possible after upgrade on x32

Date: Mon, 2 Jan 2017 12:33:51 +0100 (CET)

retitle 849923 openssh-server: (default) UsePrivilegeSeparation sandbox broken on x32
thanks

On Mon, 2 Jan 2017, Thorsten Glaser wrote:

> After upgrading from 1:7.3p1-5 to 1:7.4p1-3 I can no longer
> 'ssh localhost' on x32; switching to openssh-server:i386 with
> the exact same configuration works, though.

I can get the x32 package working by adding…
	UsePrivilegeSeparation yes
… instead of sandbox to /etc/ssh/sshd_config and restarting.

bye,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-235
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg

Message #17 received at 849923@bugs.debian.org (full text, mbox, reply):

From: Colin Watson <cjwatson@debian.org>

To: Thorsten Glaser <tg@mirbsd.de>, 849923@bugs.debian.org

Cc: debian-glibc@lists.debian.org

Subject: Re: Bug#849923: openssh-server: no login possible after upgrade on x32

Date: Mon, 2 Jan 2017 17:49:43 +0000

On Mon, Jan 02, 2017 at 11:36:55AM +0100, Thorsten Glaser wrote:
> After upgrading from 1:7.3p1-5 to 1:7.4p1-3 I can no longer
> 'ssh localhost' on x32; switching to openssh-server:i386 with
> the exact same configuration works, though.

sshd's seccomp sandbox is denying a clock_gettime call.  But it's more
interesting than that: its seccomp filter allows clock_gettime; but the
actual syscall being used is not the x32 clock_gettime (with bit 30
set), but the x86-64 variant instead.

You can see a similar effect like this in an x32 environment:

  strace dmesg -e

... and buried in the output you'll find something like:

  strace: syscall_228(...) in unsupported 64-bit mode of process PID=19943

Neither sshd nor dmesg is using anything like manual syscall(2) here,
just the glibc wrappers.

This feels like a glibc bug to me.  Shouldn't it be using x32 syscalls
consistently?  The x86-64 variants work, but that's not very
seccomp-friendly.  (And if necessary I can hack around it in sshd, but
if you agree that it's a glibc bug then I think it should simply be
fixed there.)

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]

Message #22 received at 849923@bugs.debian.org (full text, mbox, reply):

From: Aurelien Jarno <aurelien@aurel32.net>

To: Thorsten Glaser <tg@mirbsd.de>, 849923@bugs.debian.org, debian-glibc@lists.debian.org

Subject: Re: Bug#849923: openssh-server: no login possible after upgrade on x32

Date: Mon, 2 Jan 2017 23:09:13 +0100

On 2017-01-02 17:49, Colin Watson wrote:
> On Mon, Jan 02, 2017 at 11:36:55AM +0100, Thorsten Glaser wrote:
> > After upgrading from 1:7.3p1-5 to 1:7.4p1-3 I can no longer
> > 'ssh localhost' on x32; switching to openssh-server:i386 with
> > the exact same configuration works, though.
> 
> sshd's seccomp sandbox is denying a clock_gettime call.  But it's more
> interesting than that: its seccomp filter allows clock_gettime; but the
> actual syscall being used is not the x32 clock_gettime (with bit 30
> set), but the x86-64 variant instead.
> 
> You can see a similar effect like this in an x32 environment:
> 
>   strace dmesg -e
> 
> ... and buried in the output you'll find something like:
> 
>   strace: syscall_228(...) in unsupported 64-bit mode of process PID=19943
> 
> Neither sshd nor dmesg is using anything like manual syscall(2) here,
> just the glibc wrappers.
> 
> This feels like a glibc bug to me.  Shouldn't it be using x32 syscalls
> consistently?  The x86-64 variants work, but that's not very
> seccomp-friendly.  (And if necessary I can hack around it in sshd, but
> if you agree that it's a glibc bug then I think it should simply be
> fixed there.)

Looking at the issue, it actually appears in __vdso_clock_gettime, which
is provided by the kernel. This code handle the simple cases (REALTIME, 
MONOTONIC, REALTIME_COARSE and _MONOTONIC_COARSE) and fallbacks to 
the syscall in otherwise, CLOCK_BOOTTIME in the case of sshd.

This therefore looks like a kernel issue to me.

Aurelien

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurelien@aurel32.net                 http://www.aurel32.net

Message #27 received at 849923@bugs.debian.org (full text, mbox, reply):

From: Thorsten Glaser <t.glaser@tarent.de>

To: Colin Watson <cjwatson@debian.org>, 849923@bugs.debian.org, debian-glibc@lists.debian.org

Subject: Re: Bug#849923: openssh-server: no login possible after upgrade on x32

Date: Tue, 3 Jan 2017 14:31:35 +0100 (CET)

On Mon, 2 Jan 2017, Aurelien Jarno wrote:

> Looking at the issue, it actually appears in __vdso_clock_gettime, which
> is provided by the kernel. This code handle the simple cases (REALTIME, 
> MONOTONIC, REALTIME_COARSE and _MONOTONIC_COARSE) and fallbacks to 
> the syscall in otherwise, CLOCK_BOOTTIME in the case of sshd.

Ouch – and the kernel probably thinks it’s getting away with this as
the kernel architecture is amd64…

Can you please forward this to someone at the kernel side (either Debian
or upstream) who can have a look? In the meantime, I’ll point this issue
out in #debian-x32 on IRC, so the other porters can also look.

> On 2017-01-02 17:49, Colin Watson wrote:

> > sshd's seccomp sandbox is denying a clock_gettime call.  But it's more

Probably a stupid idea, but a short-term stopgap: can we disable seccomp
on x32 for now? That needs:

• in debian/rules:
	+confflags += --host=${DEB_HOST_GNU_TYPE}
  This sets $host to x86_64-pc-linux-gnux32 instead of the
  auto-detected x86_64-pc-linux-gnu (which is amd64)

• in configure.ac:
	 AC_MSG_CHECKING([for seccomp architecture])
	 seccomp_audit_arch=
	 case "$host" in
	+x86_64-*-gnux32)
	+	# disabled for now, see Debian #849923
	+	;;
	 x86_64-*)
	 	seccomp_audit_arch=AUDIT_ARCH_X86_64
	 	;;

With this, we can then also later fix the architecture, should
the kernel be fixed.

Thanks,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-235
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg

Message #32 received at 849923@bugs.debian.org (full text, mbox, reply):

From: Colin Watson <cjwatson@debian.org>

To: Thorsten Glaser <t.glaser@tarent.de>

Cc: 849923@bugs.debian.org, debian-glibc@lists.debian.org, linux@packages.debian.org

Subject: Re: Bug#849923: openssh-server: no login possible after upgrade on x32

Date: Tue, 3 Jan 2017 14:43:15 +0000

clone 849923 -1
reassign -1 linux
retitle -1 linux: x32 __vdso_clock_gettime falls back to x86-64 syscall
thanks

On Tue, Jan 03, 2017 at 02:31:35PM +0100, Thorsten Glaser wrote:
> On Mon, 2 Jan 2017, Aurelien Jarno wrote:
> > Looking at the issue, it actually appears in __vdso_clock_gettime, which
> > is provided by the kernel. This code handle the simple cases (REALTIME, 
> > MONOTONIC, REALTIME_COARSE and _MONOTONIC_COARSE) and fallbacks to 
> > the syscall in otherwise, CLOCK_BOOTTIME in the case of sshd.
> 
> Ouch – and the kernel probably thinks it’s getting away with this as
> the kernel architecture is amd64…
> 
> Can you please forward this to someone at the kernel side (either Debian
> or upstream) who can have a look? In the meantime, I’ll point this issue
> out in #debian-x32 on IRC, so the other porters can also look.

I've cloned a kernel bug for this with this message.

> > On 2017-01-02 17:49, Colin Watson wrote:
> 
> > > sshd's seccomp sandbox is denying a clock_gettime call.  But it's more
> 
> Probably a stupid idea, but a short-term stopgap: can we disable seccomp
> on x32 for now? That needs:

Here's a better stopgap that lets us keep the sandbox enabled:

  https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/commit/?id=e346421ca6852fbf9f95cf0e764ecc345e5ce21d

> • in debian/rules:
> 	+confflags += --host=${DEB_HOST_GNU_TYPE}
>   This sets $host to x86_64-pc-linux-gnux32 instead of the
>   auto-detected x86_64-pc-linux-gnu (which is amd64)

Unnecessary: the default is --build=x86_64-linux-gnux32, and --host
shouldn't be passed when not cross-compiling.

You're probably being misled by config.guess's default, but that's
already overridden appropriately by dpkg/debhelper.

Cheers,

-- 
Colin Watson                                       [cjwatson@debian.org]

Message #39 received at 849923@bugs.debian.org (full text, mbox, reply):

From: Thorsten Glaser <t.glaser@tarent.de>

To: Colin Watson <cjwatson@debian.org>, 849923@bugs.debian.org

Subject: Re: Bug#849923: openssh-server: no login possible after upgrade on x32

Date: Tue, 3 Jan 2017 15:51:03 +0100 (CET)

On Tue, 3 Jan 2017, Colin Watson wrote:

> > Can you please forward this to someone at the kernel side (either Debian
> > or upstream) who can have a look? In the meantime, I’ll point this issue
> > out in #debian-x32 on IRC, so the other porters can also look.
> 
> I've cloned a kernel bug for this with this message.

Thanks!

> Here's a better stopgap that lets us keep the sandbox enabled:
> 
>   https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/commit/?id=e346421ca6852fbf9f95cf0e764ecc345e5ce21d

Oooh, that looks promising… did you upload, or should I test beforehand?
I have about half an hour remaining here in which I can test…

> You're probably being misled by config.guess's default, but that's
> already overridden appropriately by dpkg/debhelper.

Ouch, too much magic… I had d/rules spew out confflags, but apparently
some dh7 magic adds even more flags then. I hand-patched configure to
debug $host, so I had to invoke it manually, and I knew from other pak‐
kages that build/host had to be added.

> Unnecessary: the default is --build=x86_64-linux-gnux32, and --host
> shouldn't be passed when not cross-compiling.

Helmut Grohne suggests to always pass both, even if equal. Probably
to eliminate an entire error class, even if not necessary. *shrug*
If this works, all the better.

Thanks again,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-235
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg

Message #44 received at 849923-close@bugs.debian.org (full text, mbox, reply):

From: Colin Watson <cjwatson@debian.org>

To: 849923-close@bugs.debian.org

Subject: Bug#849923: fixed in openssh 1:7.4p1-5

Date: Tue, 03 Jan 2017 15:06:21 +0000

Source: openssh
Source-Version: 1:7.4p1-5

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 849923@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 03 Jan 2017 14:43:28 +0000
Source: openssh
Binary: openssh-client openssh-client-ssh1 openssh-server openssh-sftp-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source
Version: 1:7.4p1-5
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-ssh1 - secure shell (SSH) client for legacy SSH1 protocol
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 849923
Changes:
 openssh (1:7.4p1-5) unstable; urgency=medium
 .
   * Create mux socket for regression tests in a temporary directory.
   * Work around clock_gettime kernel bug on Linux x32 (closes: #849923).
Checksums-Sha1:
 4c821110e475e857ba49d5271eec27c93f167917 2956 openssh_7.4p1-5.dsc
 4b49d5343fbbca3e0268558c7827ac4e8157ff84 157404 openssh_7.4p1-5.debian.tar.xz
Checksums-Sha256:
 4db3672c393dc69944a68e82773519d37c31d67c5f003fb03516e038347a7427 2956 openssh_7.4p1-5.dsc
 7cd48ba265be55eac54956ee2cb94c265f1885c74af328e2eadd73ce44357955 157404 openssh_7.4p1-5.debian.tar.xz
Files:
 28ba6f6a4e274c23f684a90b0ed83c58 2956 net standard openssh_7.4p1-5.dsc
 6f07a6e5c9db2c8115d81949936cc0df 157404 net standard openssh_7.4p1-5.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer

iQIzBAEBCAAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAlhruMYACgkQOTWH2X2G
UAsNLA/9FyeDPbkQiY4mhtqxFdDo3D4VEyg95Xp41bwqLv5mvhNn72+4Vrrfev2c
7+agp3WAoHp2+dsjO0/l9ActHQDtDN3xPKHJqIc5vVvX5fwBgMaUqV6uZHy44NUB
ioKtGcWoWTTN2/bYz7QGYe1Qc8hcTxO1T5LqyvrWya/GmHaiqPodX2ejtOqDH9FM
vTuhnS3KOS5lpR5FhYJUrXl5TPjQMAWfwi6CRTcwgBbsH8gRcnrIkAfx0mILD/CW
P70NCphlJV+Zs0p9YiMyFDhmFbpyghaK7f/5zwf86OFBmd7/DofsRYd/CjuV2EA4
BexMohSpcrUjf9YQwv+I/42WVwz7AYUtxVIqp7/gmgTuZl3vL78vz/qFIwpfrTyP
25nF9jdpn4DEpdCRj/8340zNUev1Oydj3bvMatqhxnrabc9HRT3nyN6CtNGUS2mu
ZGgByLQlkQyd+mUpwlfrcLs+N80ZZEY/EhovCqsAKXeOTHXYN2oquQ6Z+CkfcKkA
a9O+iHiQmO4wE2d1A6jfP5x8lc3+H80HuRqS0XhYcDY1D21uYj90UTwskXSWqTSI
ImUA9w1VgmLU5f/KC16X1vUgiy/j6V4bdHX6hxJRtLF1UBTPYaLj3uwBL3kkVyWG
Oqo4v51GI/HVAkmq6MlVh+rv/nIDoJtKfNbsGItoWBBlwLY2BqI=
=1TU0
-----END PGP SIGNATURE-----

Message #49 received at 849923@bugs.debian.org (full text, mbox, reply):

From: Colin Watson <cjwatson@debian.org>

To: Thorsten Glaser <t.glaser@tarent.de>

Cc: 849923@bugs.debian.org

Subject: Re: Bug#849923: openssh-server: no login possible after upgrade on x32

Date: Tue, 3 Jan 2017 15:30:46 +0000

On Tue, Jan 03, 2017 at 03:51:03PM +0100, Thorsten Glaser wrote:
> On Tue, 3 Jan 2017, Colin Watson wrote:
> > Here's a better stopgap that lets us keep the sandbox enabled:
> > 
> >   https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/commit/?id=e346421ca6852fbf9f95cf0e764ecc345e5ce21d
> 
> Oooh, that looks promising… did you upload, or should I test beforehand?
> I have about half an hour remaining here in which I can test…

I tested locally and then uploaded (1:7.4p1-5).

> > You're probably being misled by config.guess's default, but that's
> > already overridden appropriately by dpkg/debhelper.
> 
> Ouch, too much magic… I had d/rules spew out confflags, but apparently
> some dh7 magic adds even more flags then.

It's handled by
/usr/share/perl5/Debian/Debhelper/Buildsystem/autoconf.pm.  If you need
to see what commands it runs, it's simplest to just set DH_VERBOSE=1.

> > Unnecessary: the default is --build=x86_64-linux-gnux32, and --host
> > shouldn't be passed when not cross-compiling.
> 
> Helmut Grohne suggests to always pass both, even if equal. Probably
> to eliminate an entire error class, even if not necessary. *shrug*
> If this works, all the better.

/usr/share/doc/autotools-dev/README.Debian.gz claims that it causes
modern autoconf to switch to cross-compiling mode even if the values are
equal (though I haven't tracked down the exact details of this).
Helmut's advice was certainly valid with old autoconf ...

-- 
Colin Watson                                       [cjwatson@debian.org]

Message #54 received at 849923@bugs.debian.org (full text, mbox, reply):

From: Sven Joachim <svenjoac@gmx.de>

To: Colin Watson <cjwatson@debian.org>

Cc: Thorsten Glaser <t.glaser@tarent.de>, 849923@bugs.debian.org

Subject: Re: Bug#849923: openssh-server: no login possible after upgrade on x32

Date: Tue, 03 Jan 2017 17:23:21 +0100

On 2017-01-03 15:30 +0000, Colin Watson wrote:

> On Tue, Jan 03, 2017 at 03:51:03PM +0100, Thorsten Glaser wrote:
>> On Tue, 3 Jan 2017, Colin Watson wrote:
>> 
>> Helmut Grohne suggests to always pass both, even if equal. Probably
>> to eliminate an entire error class, even if not necessary. *shrug*
>> If this works, all the better.
>
> /usr/share/doc/autotools-dev/README.Debian.gz claims that it causes
> modern autoconf to switch to cross-compiling mode even if the values are
> equal (though I haven't tracked down the exact details of this).

That's not quite correct, but many people have been wondering about it.
You can see my own ramblings in #682780[1], on the upstream mailing I
received a reply stating that cross-compiling mode is not to be entered
in this case[2].

Cheers,
       Sven


1. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=682780
2. https://lists.gnu.org/archive/html/autoconf/2012-07/msg00014.html

Message #59 received at 849923@bugs.debian.org (full text, mbox, reply):

From: Colin Watson <cjwatson@debian.org>

To: Sven Joachim <svenjoac@gmx.de>

Cc: Thorsten Glaser <t.glaser@tarent.de>, 849923@bugs.debian.org

Subject: Re: Bug#849923: openssh-server: no login possible after upgrade on x32

Date: Tue, 3 Jan 2017 16:43:08 +0000

On Tue, Jan 03, 2017 at 05:23:21PM +0100, Sven Joachim wrote:
> On 2017-01-03 15:30 +0000, Colin Watson wrote:
> > On Tue, Jan 03, 2017 at 03:51:03PM +0100, Thorsten Glaser wrote:
> >> Helmut Grohne suggests to always pass both, even if equal. Probably
> >> to eliminate an entire error class, even if not necessary. *shrug*
> >> If this works, all the better.
> >
> > /usr/share/doc/autotools-dev/README.Debian.gz claims that it causes
> > modern autoconf to switch to cross-compiling mode even if the values are
> > equal (though I haven't tracked down the exact details of this).
> 
> That's not quite correct, but many people have been wondering about it.
> You can see my own ramblings in #682780[1], on the upstream mailing I
> received a reply stating that cross-compiling mode is not to be entered
> in this case[2].

Thanks for the clarification!  I'm still happy to leave this up to
debhelper rather than specifically overriding it in individual packages,
I think.

-- 
Colin Watson                                       [cjwatson@debian.org]

Message #64 received at 849923@bugs.debian.org (full text, mbox, reply):

From: Thorsten Glaser <t.glaser@tarent.de>

To: Sven Joachim <svenjoac@gmx.de>

Cc: Colin Watson <cjwatson@debian.org>, 849923@bugs.debian.org

Subject: Re: Bug#849923: openssh-server: no login possible after upgrade on x32

Date: Tue, 3 Jan 2017 18:45:06 +0100 (CET)

On Tue, 3 Jan 2017, Sven Joachim wrote:

> On 2017-01-03 15:30 +0000, Colin Watson wrote:
> 
> > On Tue, Jan 03, 2017 at 03:51:03PM +0100, Thorsten Glaser wrote:
> >> On Tue, 3 Jan 2017, Colin Watson wrote:

> >> > Here's a better stopgap that lets us keep the sandbox enabled:

Thanks, this works now.

> >> Helmut Grohne suggests to always pass both, even if equal. Probably
> >> to eliminate an entire error class, even if not necessary. *shrug*
> >> If this works, all the better.
> >
> > /usr/share/doc/autotools-dev/README.Debian.gz claims that it causes
> > modern autoconf to switch to cross-compiling mode even if the values are
> > equal (though I haven't tracked down the exact details of this).
> 
> That's not quite correct, but many people have been wondering about it.
> You can see my own ramblings in #682780[1], on the upstream mailing I
> received a reply stating that cross-compiling mode is not to be entered
> in this case[2].

Oh okay, thanks for the references!

> 1. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=682780
> 2. https://lists.gnu.org/archive/html/autoconf/2012-07/msg00014.html

bye,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-235
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg

Send a report that this bug log contains spam.