OpenSSH server not working - connection closed - problem solved
ast at enternet.hu
Mon Aug 22 05:02:51 PDT 2005
Dan Nicholson wrote:
> One thing that has me a bit grumpy is with the sshd debugging.
> Nothing in the debug output led me to believe that there was
> difficulty looking up domain names.
I just didn't want to give up, and I made some further experiments with
my system until I found a solution (that seems to be a solution instead
of being a workaround).
It turned out relatively quickly that a working DNS (at least one that
appears to work) did not help, either. (Just for the record: I
configured dnsmasq with rp-pppoe, but dnsmasq is not part of blfs, so I
won't go into details here unless somebody is interested.)
Stracing sshd with the follow child option showed an interesting thing
(these are the last lines of the child strace output)::
    open("/usr/lib/libnss_dns.so.2", O_RDONLY) = -1 EACCES (Permission denied)
    stat64("/usr/lib", 0xbfffb8e4) = -1 EACCES (Permission denied)
    --- SIGSEGV (Segmentation fault) @ 0 (0) ---
As a further step I discovered two things:
1. This problem is only present if both UseDNS and
UsePrivilegeSeparation are set to yes (these are the defaults).
In the latter case a chrooted child makes e.g. the DNS checks, and since
it is supposed and enforced that this child has an empty root dir there
is no nice way to put there e.g. an etc directory with a hosts file.
2. Apart from that, it isn't a nice thing to get a segmentation fault.
Btw., this is why the sshd could not tell too many debug details, either.
Since the sshd child has no chance to generate a core dump I changed
sshd to leave the child to run as root, and I set ulimit -c unlimited.
The first lines of the core backtrace show that the segmentation fault
happens in glibc, which tries to load the libnss_dns.so library at runtime:
    #0  open_path (name=0xbfffc7e0 "libnss_dns.so.2", namelen=16,
        preloaded=0, sps=0xb8000f20, realname=0xffffffff, fbp=0xbfffc288)
    #1  0xb7ff1fea in _dl_map_object (loader=0xb8001508, name=0xbfffc7e0
        "libnss_dns.so.2", preloaded=0, type=2, trace_mode=0,
        mode=-1879048191, nsid=0) at dl-load.c:1961
This error is a consequence of the completely empty (and nonexistent)
lib directory in the chrooted environment. This turned out to be a known
error in glibc-2.3.4, and glibc-2.3.5 already contains the fix that can
be found here:
Instead of upgrading to 2.3.5 I simply copied the changed lines and
rebuilt glibc, and sshd works now with the default settings without any
Of course, it still cannot load libnss_dns.so at runtime, but the
resolver returns with a proper error code (instead of a segmentation
violation), and it seems to be enough.
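
A triage helper for the symptom described in this message, added here as an example and not part of the original post: it scans strace -f output for a process that fails to open an NSS module and then receives SIGSEGV. The function name, the pids and the /etc/hosts and SIGCHLD sample lines are constructed; the two EACCES lines and the SIGSEGV line are the ones quoted in the post.

```python
import re
from collections import defaultdict

# Optional pid prefix: "[pid 4102] " (strace -f) or "4102 " (strace -f -o FILE).
PREFIX = re.compile(r'^(?:\[pid\s+(\d+)\]\s+|(\d+)\s+)?(.*)$')
# Failed open()/openat() of an NSS module such as libnss_dns.so.2.
NSS_FAIL = re.compile(
    r'^open(?:at)?\(.*"([^"]*libnss_\w+\.so[^"]*)".*\)\s*=\s*-1\s+(E[A-Z]+)')
SEGV = re.compile(r'^--- SIGSEGV\b')

# Constructed sample: pids and the lines for pid 4101 are made up; the
# lines for pid 4102 are the strace lines quoted in the post.
SAMPLE = '''\
[pid 4101] open("/etc/hosts", O_RDONLY) = 3
[pid 4102] open("/usr/lib/libnss_dns.so.2", O_RDONLY) = -1 EACCES (Permission denied)
[pid 4102] stat64("/usr/lib", 0xbfffb8e4) = -1 EACCES (Permission denied)
[pid 4101] --- SIGCHLD (Child exited) @ 0 (0) ---
[pid 4102] --- SIGSEGV (Segmentation fault) @ 0 (0) ---
'''

def find_nss_crashes(trace_text):
    """Return [(pid, library, errno)] for each process that failed to open
    an NSS module and later received SIGSEGV. pid is "-" when the trace
    carries no pid prefix (single-process or per-pid output file)."""
    failed = defaultdict(list)          # pid -> [(library, errno), ...]
    hits = []
    for raw in trace_text.splitlines():
        m = PREFIX.match(raw.strip())
        pid = m.group(1) or m.group(2) or "-"
        body = m.group(3)
        nss = NSS_FAIL.match(body)
        if nss:
            failed[pid].append((nss.group(1), nss.group(2)))
        elif SEGV.match(body) and failed[pid]:
            # Report the most recent failed NSS load before the crash.
            lib, err = failed[pid][-1]
            hits.append((pid, lib, err))
    return hits

if __name__ == "__main__":
    for pid, lib, err in find_nss_crashes(SAMPLE):
        print(f"pid {pid}: open of {lib} failed with {err}, then SIGSEGV")
```

A process that fails the NSS load but exits without SIGSEGV (the behaviour reported after the glibc fix) produces no hit.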