[MacPorts] #36291: openssh sshd won't accept incoming connections
#36291: openssh sshd won't accept incoming connections
-------------------------+--------------------------------
 Reporter:  beckettbt@…  |      Owner:  macports-tickets@…
     Type:  defect       |     Status:  new
 Priority:  Normal       |  Milestone:
Component:  ports        |    Version:  2.1.2
 Keywords:               |       Port:  openssh
-------------------------+--------------------------------

After a fresh install of openssh @6.1p1_0 I receive the following error in the system log when I attempt to remotely ssh into the system:

sshd[38257]: fatal: ssh_sandbox_child: sandbox_init: dlopen(/usr/lib/libsandbox.1.dylib, 261): image not found [preauth]

and the connection is immediately dropped.

OS Mountain Lion 10.8.2

--
Ticket URL: <https://trac.macports.org/ticket/36291>
MacPorts <http://www.macports.org/>
Ports system for Mac OS

Changes (by cal@…):

 * owner:  macports-tickets@… => jwa@…

Comment:

Please remember to Cc the maintainer when reporting tickets.

Does `/usr/lib/libsandbox.1.dylib` exist on your system?

--
Ticket URL: <https://trac.macports.org/ticket/36291#comment:1>

Description changed by cal@…:

Old description:

> After a fresh install of openssh @6.1p1_0 I receive the following error in the system log when I attempt to remotely ssh into the system:
>
> sshd[38257]: fatal: ssh_sandbox_child: sandbox_init: dlopen(/usr/lib/libsandbox.1.dylib, 261): image not found [preauth]
>
> and the connection is immediately dropped.
>
> OS Mountain Lion 10.8.2

New description:

After a fresh install of openssh @6.1p1_0 I receive the following error in the system log when I attempt to remotely ssh into the system:

sshd![38257]: fatal: ssh_sandbox_child: sandbox_init: dlopen(/usr/lib/libsandbox.1.dylib, 261): image not found [preauth]

and the connection is immediately dropped.

OS Mountain Lion 10.8.2

--
Ticket URL: <https://trac.macports.org/ticket/36291#comment:2>

Comment (by beckettbt@…):

Replying to [comment:1 cal@…]:
> Please remember to Cc the maintainer when reporting tickets.
>
> Does `/usr/lib/libsandbox.1.dylib` exist on your system?

Yes.

$ ls /usr/lib/libsandbox.1.dylib
/usr/lib/libsandbox.1.dylib

--
Ticket URL: <https://trac.macports.org/ticket/36291#comment:3>

Comment (by elelay@…):

same problem here (10.6.8)

--
Ticket URL: <https://trac.macports.org/ticket/36291#comment:4>

Comment (by joshua.newton@…):

Confirmed on 10.8.2 x86_64.

--
Ticket URL: <https://trac.macports.org/ticket/36291#comment:6>

Comment (by roxanna@…):

I second this. I'm on OSX 10.7.5 (X86_64) and have this same problem.

Note: setting the ''UsePrivilegeSeparation'' modifier in '''sshd_config''' to "''yes''" instead of "''sandbox''" does clear the immediate problem of not being able to have clients connect.[[BR]]

{{{
sshd_config:
UsePrivilegeSeparation yes #Instead of default 'sandbox'
}}}

It causes ''sshd'' to use an older, and less secure means of sandboxing. But as "''sandbox''" is the default value, this is obviously just a workaround.

--
Ticket URL: <https://trac.macports.org/ticket/36291#comment:8>

Comment (by macintosh@…):

is this a macports only problem -or- is it an upstream problem ???

--
Ticket URL: <https://trac.macports.org/ticket/36291#comment:11>

Comment (by thomas@…):

Replying to [ticket:36291 beckettbt@…]:
> After a fresh install of openssh @6.1p1_0 I receive the following error in the system log when I attempt to remotely ssh into the system:
>
> sshd![38257]: fatal: ssh_sandbox_child: sandbox_init: dlopen(/usr/lib/libsandbox.1.dylib, 261): image not found [preauth]
>
> and the connection is immediately dropped.
>
> OS Mountain Lion 10.8.2

I have had luck simply disabling the "#UsePrivilegeSeparation sandbox" in the sshd "/opt/local/etc/ssh/sshd_config" config file for openSSH (Mac Port’s version)

This works for me!

Ref.: http://dyhr.com/2009/09/05/how-to-enable-x11-forwarding-with-ssh-on-mac-os-x-leopard/comment-page-1/#comment-21717

--
Ticket URL: <https://trac.macports.org/ticket/36291#comment:13>
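
The two workarounds above (comment:8 sets the keyword to `yes`, comment:13 comments the line out) both leave sshd running without the `sandbox` mode. The following is an added example, not code from the ticket or from MacPorts, that reports which mode a given `sshd_config` text selects; the function names and the sample configs are hypothetical, and the parsing follows the sshd_config rules that keywords are case-insensitive and the first value obtained for a keyword wins.

```python
# Added example: report the effective UsePrivilegeSeparation setting.
# The config snippets are constructed from the settings quoted in the ticket.

def effective_privsep(config_text):
    """Return the value sshd would use for UsePrivilegeSeparation, or None.

    sshd_config rules applied: keywords are case-insensitive, lines starting
    with '#' are comments, keyword and argument are separated by whitespace
    or one '=', and the first value obtained for a keyword wins.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.replace("=", " ", 1).split()
        if not tokens:
            continue
        keyword = tokens[0].lower()
        if keyword == "match":
            break  # only the global section can set this keyword
        if keyword == "useprivilegeseparation" and len(tokens) > 1:
            return tokens[1].strip('"').lower()
    return None


def audit(config_text):
    """Classify a config as 'sandbox', 'downgraded' or 'unset'."""
    value = effective_privsep(config_text)
    if value is None:
        return "unset"  # compiled-in default applies; confirm on the host
    return "sandbox" if value == "sandbox" else "downgraded"


# Constructed samples: shipped setting, comment:8 and comment:13 workarounds.
SHIPPED = "Port 6422\nUsePrivilegeSeparation sandbox\n"
SET_TO_YES = "Port 6422\nUsePrivilegeSeparation yes\n"
COMMENTED_OUT = "Port 6422\n#UsePrivilegeSeparation sandbox\n"
# A later 'sandbox' line does not undo an earlier 'yes': the first value wins.
SHADOWED = "useprivilegeseparation = yes\nUsePrivilegeSeparation sandbox\n"

if __name__ == "__main__":
    for name, text in [("shipped", SHIPPED), ("set to yes", SET_TO_YES),
                       ("commented out", COMMENTED_OUT), ("shadowed", SHADOWED)]:
        print(f"{name:14} -> {audit(text)}")
```

On a live host, `sshd -T` prints the configuration the daemon actually resolves, which settles the "unset" case.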

Comment (by swordangel@…):

This problem still exists with openssh @6.2p2_3, from MacPorts 2.2.0, under Mac OS X Lion.

--
Ticket URL: <https://trac.macports.org/ticket/36291#comment:14>

Comment (by david@…):

Problem also exists under Mavericks 10.9 and is fixed via the "UsePrivilegeSeparation yes" setting.

--
Ticket URL: <https://trac.macports.org/ticket/36291#comment:15>

Comment (by khepler@…):

Here is debug output from a Macports OpenSSH server running on 10.8.4 x86_64:

{{{
puadn:~ kris$ sudo /opt/local/sbin/sshd -ddd
debug2: load_server_config: filename /opt/local/etc/ssh/sshd_config
debug2: load_server_config: done config len = 253
debug2: parse_server_config: config /opt/local/etc/ssh/sshd_config len 253
debug3: /opt/local/etc/ssh/sshd_config:13 setting Port 6422
debug3: /opt/local/etc/ssh/sshd_config:50 setting AuthorizedKeysFile .ssh/authorized_keys
debug3: /opt/local/etc/ssh/sshd_config:105 setting UsePrivilegeSeparation sandbox
debug3: /opt/local/etc/ssh/sshd_config:121 setting Subsystem sftp /opt/local/libexec/sftp-server
debug1: sshd version OpenSSH_6.2, OpenSSL 1.0.1e 11 Feb 2013
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: could not open key file '/opt/local/etc/ssh/ssh_host_ecdsa_key': No such file or directory
Could not load host key: /opt/local/etc/ssh/ssh_host_ecdsa_key
debug1: rexec_argv[0]='/opt/local/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 6422 on 0.0.0.0.
Server listening on 0.0.0.0 port 6422.
debug2: fd 5 setting O_NONBLOCK
debug3: sock_set_v6only: set socket 5 IPV6_V6ONLY
debug1: Bind to port 6422 on ::.
Server listening on :: port 6422.
debug1: fd 6 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 9 config len 253
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 6 out 6 newsock 6 pipe -1 sock 9
debug1: inetd sockets after dupping: 5, 5
Connection from x.x.x.x port 51775
debug1: Client protocol version 2.0; client software version OpenSSH_5.9p1-hpn13v11
debug1: match: OpenSSH_5.9p1-hpn13v11 pat OpenSSH_5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug2: fd 5 setting O_NONBLOCK
debug3: ssh_sandbox_init: preparing Darwin sandbox
debug2: Network child is on pid 2892
debug3: preauth child monitor started
debug3: privsep user:group 75:75 [preauth]
debug1: permanently_set_uid: 75/75 [preauth]
debug3: ssh_sandbox_child: starting Darwin sandbox [preauth]
ssh_sandbox_child: sandbox_init: dlopen(/usr/lib/libsandbox.1.dylib, 261): image not found [preauth]
debug1: do_cleanup [preauth]
debug1: monitor_read_log: child log fd closed
debug3: mm_request_receive entering
debug1: do_cleanup
debug1: Killing privsep child 2892
puadn:~ kris$
}}}

--
Ticket URL: <https://trac.macports.org/ticket/36291#comment:16>

Comment (by raimue@…):

The proposed update to openssh 6.5p1 in #42333 contains the change from `UsePrivilegeSeparation sandbox` to `UsePrivilegeSeparation yes`.

--
Ticket URL: <https://trac.macports.org/ticket/36291#comment:19>

Changes (by cal@…):

 * status:  new => assigned
 * owner:  jwa@… => cal@…

Comment:

Should be fixed in r116989 without reverting to `UsePrivilegeSeparation yes` and preserving the sandboxing feature.

--
Ticket URL: <https://trac.macports.org/ticket/36291#comment:20>

Changes (by cal@…):

 * status:  assigned => closed
 * resolution:  => fixed

--
Ticket URL: <https://trac.macports.org/ticket/36291#comment:21>

Comment (by beckettbt@…):

Installed this new version. (Note: Had to add "UsePAM yes" in my sshd.config, by default it is disabled but as noted in patch/version changelog is required.)

Tried connecting:

ssh 192.168.1.10 -p2222
Connection closed by 192.168.1.10

Log shows:

sshd: fatal: ssh_sandbox_child: sandbox_init: dlopen(/usr/lib/libsandbox.1.dylib, 261): image not found [preauth]

If I change UsePrivilegeSeparation back to yes, I can connect. But this appears to conflict with the purpose of the latest update.

Please advise.

--
Ticket URL: <https://trac.macports.org/ticket/36291#comment:22>

Comment (by dluke@…):

On my (soon to be retired) 10.5/ppc box, setting UsePrivilegeSeparation sandbox worked with openssh 6.4 but fails with 6.5:

Feb 12 10:28:08 gandalf sshd[75376]: fatal: ssh_sandbox_child: sandbox_init: near line 14: Error: eval: unbound variable: file-chroot \\n [preauth]

--
Ticket URL: <https://trac.macports.org/ticket/36291#comment:23>

Comment (by cal@…):

Sounds like 10.5's sandbox mechanism doesn't yet support the keywords used by the sandbox file source:trunk/dports/net/openssh/files/org.openssh.sshd.sb.

Feel free to find out which commands don't work and patch them yourself on 10.5, or switch back to calling `sandbox_init(3)` with a predefined sandbox (i.e. reverting source:trunk/dports/net/openssh/files/patch-sandbox-darwin.c-apple-sandbox-named-external.diff).

I'm not going to work on 10.5 support.

--
Ticket URL: <https://trac.macports.org/ticket/36291#comment:24>
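
The ticket now contains two different `sandbox_init` failures behind the same symptom of a dropped connection: the `dlopen` error from the original report and the unbound-variable error from comment:23. The following is an added example, not code from the ticket or from MacPorts, that picks these fatal lines out of an sshd log and tells the two apart; the class labels and function names are hypothetical, and the last sample line is constructed.

```python
import re
from collections import Counter

# Shape of the fatal line quoted in the ticket; syslog prefix and pid optional.
FATAL_RE = re.compile(
    r"sshd(?:\[(?P<pid>\d+)\])?: fatal: ssh_sandbox_child: sandbox_init: "
    r"(?P<detail>.*?)(?: \[preauth\])?\s*$"
)


def classify(detail):
    """Map the sandbox_init detail to one of the two failures in the ticket."""
    if detail.startswith("dlopen(") and "image not found" in detail:
        return "dlopen-libsandbox"   # reported on 10.6 through 10.9
    if "unbound variable" in detail:
        return "profile-keyword"     # reported on 10.5 with openssh 6.5
    return "other"


def triage(log_lines):
    """Return one record per pre-auth sandbox failure found in log_lines."""
    hits = []
    for line in log_lines:
        m = FATAL_RE.search(line)
        if m:
            detail = m.group("detail")
            hits.append({"pid": m.group("pid"), "kind": classify(detail),
                         "detail": detail})
    return hits


def summarize(log_lines):
    """Count failures per kind, e.g. to alert when every login is dropped."""
    return Counter(hit["kind"] for hit in triage(log_lines))


# First three lines are copied from the ticket; the last one is constructed.
SAMPLE_LOG = [
    "sshd[38257]: fatal: ssh_sandbox_child: sandbox_init: "
    "dlopen(/usr/lib/libsandbox.1.dylib, 261): image not found [preauth]",
    "sshd: fatal: ssh_sandbox_child: sandbox_init: "
    "dlopen(/usr/lib/libsandbox.1.dylib, 261): image not found [preauth]",
    r"Feb 12 10:28:08 gandalf sshd[75376]: fatal: ssh_sandbox_child: "
    r"sandbox_init: near line 14: Error: eval: unbound variable: "
    r"file-chroot \\n [preauth]",
    "Feb 12 10:29:01 gandalf sshd[75380]: Server listening on 0.0.0.0 port 6422.",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["pid"], hit["kind"], hit["detail"], sep=" | ")
    print(dict(summarize(SAMPLE_LOG)))
```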

Comment (by dluke@…):

Replying to [comment:24 cal@…]:
> switch back to calling `sandbox_init(3)` with a predefined sandbox (i.e. reverting source:trunk/dports/net/openssh/files/patch-sandbox-darwin.c-apple-sandbox-named-external.diff).

I'll test this, as it should just restore the previous (6.4) behavior. If it works, will you accept a patch for it?

> I'm not going to work on 10.5 support.

yeah, I don't expect you to.

--
Ticket URL: <https://trac.macports.org/ticket/36291#comment:25>

Comment (by dluke@…):

Replying to [comment:25 dluke@…]:
> Replying to [comment:24 cal@…]:
> > switch back to calling `sandbox_init(3)` with a predefined sandbox (i.e. reverting source:trunk/dports/net/openssh/files/patch-sandbox-darwin.c-apple-sandbox-named-external.diff).
>
> I'll test this, as it should just restore the previous (6.4) behavior. If it works, will you accept a patch for it?

nevermind, it's nomaintainer, so I'll just commit a patch if it works ;-)

--
Ticket URL: <https://trac.macports.org/ticket/36291#comment:26>

Comment (by cal@…):

Replying to [comment:26 dluke@…]:
> nevermind, it's nomaintainer, so I'll just commit a patch if it works ;-)

Exactly. :)

--
Ticket URL: <https://trac.macports.org/ticket/36291#comment:27>

Comment (by dluke@…):

Replying to [comment:26 dluke@…]:
> nevermind, it's nomaintainer, so I'll just commit a patch if it works ;-)

r117010

--
Ticket URL: <https://trac.macports.org/ticket/36291#comment:28>