[REDHAT] Re: OpenSSH bug workaround *NOT NEEDED* (fwd)
John Chambers
jc at trillian.mit.edu
Thu Jun 27 09:19:38 EDT 2002

Brian J. Conway wrote:
| > Another reason you might want to wait: I tried installing 3.3 on my
| > home machine. I can now ssh out, but incoming connections all get
| > "Permission denied" after I type the password, and /var/log/messages
| > gets a "Failed password for jc from 64.28.81.46 port 46127 ssh2" type
| > message. This fails the same way for all the outside machines that I
| > have accounts on. So far, I haven't found any clues about how to get
| > it to work again. I hope I don't have to enable telnet and ftp ...
|
| Did you set up privilege separation correctly? It's now enabled by
| default and requires setting up an sshd user (instructions are in
| README.privsep). Just a shot in the dark.

Of course, I'm assuming that I did something wrong. The
problem is discovering what. I did discover the sshd user,
and I think I followed the instructions. Maybe it's time
for some more sanity checking ...

One curiosity is that, while the sshd user and group exist,
I don't seem to see ~sshd, i.e., /home/sshd/. I wonder if
that could be a problem. Usually you get a "no directory"
message in such cases, not "Failed password" or "Permission
denied", but I suppose that could be screwed up. I'll try
wiping out the sshd user and group, repeat the commands in
README.privsep, and see what happens ...

Well, that did change things. Now I don't even get prompted
for a password. The ssh command instantly says "Connection
closed" and /var/log/messages says:

Jun 27 09:10:06 kendy sshd[2328]: fatal: mmap(65536): Invalid argument

Since this has to do with UsePrivilegeSeparation, I went
into sshd_config and turned that off. Now instead of the
mmap invalid argument message, I'm back to the earlier
failure. The ssh command gets "Permission denied, please
try again", and /var/log/messages has a "Failed password
for jc from ..." message.

I wonder where I might find some more clues?

I think I might start warning people that installing 3.3p1
might mean that you've disabled all logins ...