2

sshd fails after update to 1.1.4.29 from Openrepo sshd

asked 2015-05-10 01:52:32 +0200

dyraig

updated 2015-05-11 01:48:35 +0200

I just updated to 1.1.4.29 which overall seems to have gone ok. I did encounter a strange side effect, though: after the update, I was no longer able to use ssh to connect to the Jolla. When I then tried to restart sshd from a terminal, I got an error message in the log:

May 10 00:03:25 Jolla systemd[1]: Started OpenSSH server daemon.
May 10 00:03:25 Jolla sshd[2731]: /etc/ssh/sshd_config line 110: Bad yes/no argument: sandbox
May 10 00:03:25 Jolla systemd[1]: sshd.service: main process exited, code=exited, status=255/n/a
May 10 00:03:25 Jolla systemd[1]: Unit sshd.service entered failed state.
May 10 00:03:26 Jolla systemd[1]: sshd.service holdoff time over, scheduling restart.
May 10 00:03:26 Jolla systemd[1]: sshd.service start request repeated too quickly, refusing to start.
May 10 00:03:26 Jolla systemd[1]: Unit sshd.service entered failed state.

I proceeded to modify /etc/ssh/sshd_config and changed the line

UsePrivilegeSeparation sandbox

to

UsePrivilegeSeparation yes

After that change, sshd started normally and I could use ssh again to connect to the Jolla. I just don't have any idea why this occurred - as far as I remember I was running stock sshd before the update.


Comments

I'm on OpenSSH_6.8p1 with OpenSSL 1.0.2a and have no issues whatsoever even with UsePrivilegeSeparation set to 'sandbox'

J4ZZ ( 2015-05-10 22:13:40 +0200 )

@J4ZZ Please be aware that OpenSSL 1.0.2 is not ABI compatible with 1.0.1 and at some point you might end up with lots of problems with it.

tigeli ( 2015-05-10 23:07:16 +0200 )

Are you sure?

First line in the release news says "The OpenSSL project has released its second feature release of the OpenSSL 1.0 series, version 1.0.2 which is ABI compatible with the 1.0.0 and 1.0.1 series." It says "is".

J4ZZ ( 2015-05-10 23:56:09 +0200 )

@J4ZZ It's not 100% compatible. ;) See:

http://upstream-tracker.org/compat_reports/openssl/1.0.1m_to_1.0.2/abi_compat_report.html

Anyway, I'm more worried about issues like:

https://github.com/excon/excon/issues/467

which then causes things like: https://github.com/excon/excon/pull/490/files

tigeli ( 2015-05-11 01:23:04 +0200 )

I don't trust that upstream tracker ;) So far, ruby (2.1,1) didn't give me issues (used it to install metasploit, which is using many ruby modules). I assume different builds can cause different issues. Most likely, to my best guess, ruby in those was not compiled against 1.0.2. Will keep an eye on this, and for sure update when needed, if needed.

Nieldk ( 2015-05-11 11:44:09 +0200 )

1 Answer

1

answered 2015-05-10 23:06:31 +0200

tigeli

You have most probably installed 3rd party openssh from alternative repos like openrepos.net, because Jolla-provided ssh does not have "UsePrivilegeSeparation sandbox" set by default (nor does it support it).


Comments

Yes, you are right of course. I just checked the update history (/var/log/zypp/history) and from that I could make out that I was indeed running openssh-server 6.8p1-10.2.1.jolla from openrepos-NielDK before upgrading to 1.1.4.29. I no longer remember whether I did that explicitly or whether it got pulled in by another action on openrepo. Given that this explains the problem I encountered, I'll mark this question as answered, modify the title and remove the bug tag (since it's not a bug in the Jolla upgrade).

dyraig ( 2015-05-11 01:47:02 +0200 )

Obviously. There can be no 100% saying openssh/openssl from my repo isn't somehow part of this issue. However, I note that at least one user has expressed not having this issue while upgrading. Likewise, I have two (2) devices that I have updated not being hit by this. I suspect the real reason is in conjunction with other software that was not installed on my devices. I did notice certain issues caused by other packages which contained script errors, and wouldn't uninstall properly (openvpn being one).

Nieldk ( 2015-05-11 11:40:17 +0200 )

@Nieldk - if you can think of anything I can do now "after the fact" that could produce info you would like to have, please let me know.

dyraig ( 2015-05-11 12:01:31 +0200 )

Everything should go fine if you disable openrepos repositories before any update. This is in my opinion always advisable. I don't usually. But that is mainly because I want issues hehe - no, seriously, but I need to track my packages that may fail. Mind you, that it is not always enough to disable repos (openrepos and mer ones); certain packages can contain faulty scripts that will fail when a package is being replaced by Jolla's packages. I have encountered a few of these myself (openvpn being one - my version on merproject). Basically, you might end up having to do a factory reset in certain scenarios. With my openssh and openssl, however, I didn't - so far - see these issues. But I am looking into it.

Nieldk ( 2015-05-11 12:12:54 +0200 )

Interesting - I actually did disable all openrepos before upgrading, so that did not help here.

dyraig ( 2015-05-11 16:17:06 +0200 )
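
The two checks this thread ended up doing by hand, as an added example that is not part of the original posts: reading the effective UsePrivilegeSeparation value out of sshd_config, and looking up in the zypp history which repository openssh-server was last installed from. The history field layout (pipe-separated, repository alias in the seventh field), the function names and the sample data are assumptions made for the example.

```shell
#!/bin/sh
# Added example; the sample data below is constructed, not from a real device.

# Print the effective UsePrivilegeSeparation value of sshd_config file $1.
# Keywords are case-insensitive and sshd uses the first occurrence it reads.
privsep_value() {
    awk 'tolower($1) == "useprivilegeseparation" { print tolower($2); exit }' "$1"
}

# Succeed only if the value is one a yes/no-only sshd build accepts
# (unset is fine: the built-in default applies). On the device itself,
# "sshd -t" runs the full check with the installed binary.
privsep_ok() {
    case "$(privsep_value "$1")" in
        yes|no|"") return 0 ;;
        *) return 1 ;;
    esac
}

# Print "version<TAB>repo" for the latest install of package $2 in zypp
# history file $1. Assumed layout: date|action|name|version|arch|user|repo|...
pkg_origin() {
    awk -F'|' -v pkg="$2" '
        { act = $2; gsub(/ /, "", act) }
        act == "install" && $3 == pkg { v = $4; r = $7 }
        END { if (r != "") print v "\t" r }' "$1"
}

demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'Port 22' 'UsePrivilegeSeparation sandbox' > "$tmp/sshd_config"
    printf '%s\n' \
        '2015-04-01 10:00:00|install|openssh-server|6.8p1-10.2.1.jolla|armv7hl|root@Jolla|openrepos-NielDK|0000|' \
        > "$tmp/history"
    if ! privsep_ok "$tmp/sshd_config"; then
        echo "unsupported value: $(privsep_value "$tmp/sshd_config")"
        echo "openssh-server from: $(pkg_origin "$tmp/history" openssh-server)"
    fi
    rm -rf "$tmp"
}
demo
```

Run against /etc/ssh/sshd_config and /var/log/zypp/history before restarting sshd after an upgrade; a non-yes/no value together with a third-party repository alias points to the mismatch described in the answer.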