# [RESOLVED][50%] ssh disconnects after upgrade

## manwe_

Hi *.

I did -uDN world on my server and… ssh stopped working. Reverting openssh didn't help. I can try downgrading package by package, but maybe some of you will be able to point out the problem.

Today's emerge:

```
Mon Jun 27 11:16:47 2016 >>> media-libs/libpng-1.6.23
Mon Jun 27 11:18:39 2016 >>> sys-libs/timezone-data-2016e
Mon Jun 27 11:18:55 2016 >>> sys-apps/file-5.28
Mon Jun 27 11:19:11 2016 >>> dev-libs/expat-2.2.0
Mon Jun 27 11:19:25 2016 >>> dev-libs/gmp-6.1.1
Mon Jun 27 11:21:29 2016 >>> media-libs/libjpeg-turbo-1.5.0
Mon Jun 27 11:29:11 2016 >>> sys-apps/man-pages-4.06
Mon Jun 27 11:29:47 2016 >>> dev-libs/openssl-1.0.2h-r2
Mon Jun 27 11:33:05 2016 >>> dev-libs/libgcrypt-1.7.1
Mon Jun 27 11:33:39 2016 >>> app-admin/eselect-1.4.6
Mon Jun 27 11:36:56 2016 >>> app-shells/bash-4.3_p46
Mon Jun 27 11:48:03 2016 >>> sys-devel/gettext-0.19.8.1
Mon Jun 27 11:59:15 2016 >>> sys-devel/make-4.2.1
Mon Jun 27 11:59:38 2016 >>> sys-devel/binutils-2.25.1-r1
Mon Jun 27 12:03:02 2016 >>> app-crypt/gnupg-2.1.13
Mon Jun 27 13:01:32 2016 >>> net-libs/nodejs-6.2.1
Mon Jun 27 13:03:28 2016 >>> app-misc/screen-4.4.0
Mon Jun 27 15:00:35 2016 >>> dev-libs/libpcre-8.39
Mon Jun 27 15:08:19 2016 >>> dev-libs/glib-2.48.1
Mon Jun 27 15:10:34 2016 >>> dev-util/desktop-file-utils-0.23
Mon Jun 27 15:19:41 2016 >>> sys-libs/e2fsprogs-libs-1.43.1
Mon Jun 27 15:19:56 2016 >>> net-misc/wget-1.18
Mon Jun 27 15:20:45 2016 >>> dev-lang/python-3.4.4
Mon Jun 27 15:21:27 2016 >>> dev-util/gdbus-codegen-2.48.1
Mon Jun 27 15:23:04 2016 >>> sys-apps/portage-2.3.0
Mon Jun 27 15:25:41 2016 >>> www-servers/nginx-1.11.1
Mon Jun 27 15:26:32 2016 >>> app-text/aspell-0.60.6.1-r3
Mon Jun 27 15:27:56 2016 >>> gnome-base/dconf-0.26.0
Mon Jun 27 15:28:51 2016 >>> net-misc/dhcpcd-6.11.1
Mon Jun 27 15:33:17 2016 >>> dev-vcs/git-2.9.0
Mon Jun 27 15:33:33 2016 >>> sys-fs/e2fsprogs-1.43.1
Mon Jun 27 15:33:52 2016 >>> net-misc/openssh-7.2_p2-r1
```

And later revert:

```
Mon Jun 27 16:09:12 2016 >>> net-misc/openssh-7.2_p2
```

Log for sshd with DEBUG3:

```
Jun 27 18:39:36 {host} sshd[4653]: debug3: fd 5 is not O_NONBLOCK
Jun 27 18:39:36 {host} sshd[4653]: debug1: Forked child 4724.
Jun 27 18:39:36 {host} sshd[4653]: debug3: send_rexec_state: entering fd = 8 config len 298
Jun 27 18:39:36 {host} sshd[4653]: debug3: ssh_msg_send: type 0
Jun 27 18:39:36 {host} sshd[4724]: debug3: oom_adjust_restore
Jun 27 18:39:36 {host} sshd[4653]: debug3: send_rexec_state: done
Jun 27 18:39:36 {host} sshd[4724]: debug1: Set /proc/self/oom_score_adj to 0
Jun 27 18:39:36 {host} sshd[4724]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Jun 27 18:39:36 {host} sshd[4724]: debug1: inetd sockets after dupping: 3, 3
Jun 27 18:39:36 {host} sshd[4724]: Connection from {A.B.C.D} port 34556 on {E.F.G.H} port 22
Jun 27 18:39:36 {host} sshd[4724]: debug1: Client protocol version 2.0; client software version OpenSSH_7.2
Jun 27 18:39:36 {host} sshd[4724]: debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000
Jun 27 18:39:36 {host} sshd[4724]: debug1: Enabling compatibility mode for protocol 2.0
Jun 27 18:39:36 {host} sshd[4724]: debug1: Local version string SSH-2.0-OpenSSH_7.2
Jun 27 18:39:36 {host} sshd[4724]: debug2: fd 3 setting O_NONBLOCK
Jun 27 18:39:36 {host} sshd[4724]: debug3: ssh_sandbox_init: preparing seccomp filter sandbox
Jun 27 18:39:36 {host} sshd[4724]: debug2: Network child is on pid 4726
Jun 27 18:39:36 {host} sshd[4724]: debug3: preauth child monitor started
Jun 27 18:39:36 {host} sshd[4724]: debug3: privsep user:group 22:22 [preauth]
Jun 27 18:39:36 {host} sshd[4724]: debug1: permanently_set_uid: 22/22 [preauth]
Jun 27 18:39:36 {host} sshd[4724]: debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth]
Jun 27 18:39:36 {host} sshd[4724]: debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
Jun 27 18:39:36 {host} sshd[4724]: debug1: monitor_read_log: child log fd closed
Jun 27 18:39:36 {host} sshd[4724]: debug3: mm_request_receive entering
Jun 27 18:39:36 {host} sshd[4724]: debug1: do_cleanup
Jun 27 18:39:36 {host} sshd[4724]: debug3: PAM: sshpam_thread_cleanup entering
Jun 27 18:39:36 {host} sshd[4724]: debug1: Killing privsep child 4726
```

And log for ssh client:

```
OpenSSH_7.2p2, OpenSSL 1.0.2h  3 May 2016
debug1: Reading configuration data /home/manwe/.ssh/config
debug3: kex names ok: [diffie-hellman-group1-sha1]
debug3: kex names ok: [diffie-hellman-group1-sha1]
debug3: kex names ok: [diffie-hellman-group1-sha1]
debug3: kex names ok: [diffie-hellman-group1-sha1]
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "{server.domain.com.}" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to {server.domain.com.} [{E.F.G.H}] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/manwe/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/manwe/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/manwe/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/manwe/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/manwe/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/manwe/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/manwe/.ssh/id_ed25519 type 4
debug1: key_load_public: No such file or directory
debug1: identity file /home/manwe/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2
debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to {server.domain.com.}:22 as 'root'
debug3: hostkeys_foreach: reading file "/home/manwe/.ssh/known_hosts"
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
Connection closed by {E.F.G.H} port 22
```

Config for sshd:

```
# grep -Ev '^($|#)' /etc/ssh/sshd_config
AllowGroups root users
LogLevel DEBUG3
PasswordAuthentication no
UsePAM yes
PrintMotd no
PrintLastLog no
Subsystem       sftp    /usr/lib64/misc/sftp-server
AcceptEnv LANG LC_*
```

Log for sshd start:

```
Jun 27 18:47:05 {host} sshd[4828]: debug3: oom_adjust_setup
Jun 27 18:47:05 {host} sshd[4828]: debug1: Set /proc/self/oom_score_adj from 0 to -1000
Jun 27 18:47:05 {host} sshd[4828]: debug2: fd 3 setting O_NONBLOCK
Jun 27 18:47:05 {host} sshd[4828]: debug1: Bind to port 22 on 0.0.0.0.
Jun 27 18:47:05 {host} sshd[4828]: Server listening on 0.0.0.0 port 22.
Jun 27 18:47:05 {host} sshd[4828]: debug2: fd 4 setting O_NONBLOCK
Jun 27 18:47:05 {host} sshd[4828]: debug3: sock_set_v6only: set socket 4 IPV6_V6ONLY
Jun 27 18:47:05 {host} sshd[4828]: debug1: Bind to port 22 on ::.
Jun 27 18:47:05 {host} sshd[4828]: Server listening on :: port 22.
```

Last edited by manwe_ on Sun Aug 28, 2016 2:05 pm; edited 2 times in total

----------

## manwe_

OK, found it. Changing UsePrivilegeSeparation from default "sandbox" to "yes" worked. Any ideas what changed?

----------

## khayyam

*manwe_ wrote:*

> OK, found it. Changing UsePrivilegeSeparation from default "sandbox" to "yes" worked. Any ideas what changed?

manwe_ ... in the above grep of sshd_config that wasn't enabled.

*manwe_ wrote:*

> ```
> debug1: Authenticating to {server.domain.com.}:22 as 'root'
> ```
> ...

Well, as root (and with 'PasswordAuthentication no') you would need 'PermitRootLogin prohibit-password'. I expect you can set this and revert UsePrivilegeSeparation to sandbox and all should be well.

best ... khay

----------

## manwe_

UsePrivilegeSeparation wasn't "enabled" because "sandbox" is the default value. Also, PermitRootLogin is by default set to "prohibit-password", and today's problem wasn't related to root. 

Proof with a non-root user, and with UsePrivilegeSeparation back to the default "sandbox" (by #):

```
OpenSSH_7.2p2, OpenSSL 1.0.2h  3 May 2016
debug1: Reading configuration data /home/manwe/.ssh/config
debug3: kex names ok: [diffie-hellman-group1-sha1]
debug3: kex names ok: [diffie-hellman-group1-sha1]
debug3: kex names ok: [diffie-hellman-group1-sha1]
debug3: kex names ok: [diffie-hellman-group1-sha1]
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "{server.domain.com.}" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to {server.domain.com.} [{E.F.G.H}] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/manwe/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/manwe/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/manwe/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/manwe/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/manwe/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/manwe/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/manwe/.ssh/id_ed25519 type 4
debug1: key_load_public: No such file or directory
debug1: identity file /home/manwe/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2
debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to {server.domain.com.}:22 as 'manwe'
debug3: hostkeys_foreach: reading file "/home/manwe/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/manwe/.ssh/known_hosts:113
debug3: load_hostkeys: loaded 1 keys from {server.domain.com.}
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
Connection closed by {E.F.G.H} port 22
```

----------
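In the server log from the first post, the monitor (sshd[4724]) reports `child log fd closed` right after the preauth child attaches its seccomp filter, with no `[preauth]` message in between. The following Python sketch is an added example, not code from the thread, that flags this pattern in sshd DEBUG3 output. Session 5001 in the sample is constructed as a healthy contrast, and the function name `find_silent_preauth_exits` is hypothetical.

```python
import re

# Constructed sample. Session 4724 repeats lines from the server log in the
# first post; session 5001 is a made-up healthy session for contrast.
SAMPLE_LOG = """\
Jun 27 18:39:36 {host} sshd[4724]: Connection from {A.B.C.D} port 34556 on {E.F.G.H} port 22
Jun 27 18:39:36 {host} sshd[4724]: debug2: Network child is on pid 4726
Jun 27 18:39:36 {host} sshd[4724]: debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
Jun 27 18:39:36 {host} sshd[4724]: debug1: monitor_read_log: child log fd closed
Jun 27 18:39:36 {host} sshd[4724]: debug1: Killing privsep child 4726
Jun 27 18:40:02 {host} sshd[5001]: Connection from {A.B.C.D} port 34600 on {E.F.G.H} port 22
Jun 27 18:40:02 {host} sshd[5001]: debug2: Network child is on pid 5003
Jun 27 18:40:02 {host} sshd[5001]: debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
Jun 27 18:40:02 {host} sshd[5001]: debug3: send packet: type 20 [preauth]
Jun 27 18:40:02 {host} sshd[5001]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Jun 27 18:40:03 {host} sshd[5001]: debug1: monitor_read_log: child log fd closed
"""

LINE_RE = re.compile(r"sshd\[(\d+)\]: (.*)$")
PEER_RE = re.compile(r"^Connection from (\S+) port (\d+)")
CHILD_RE = re.compile(r"Network child is on pid (\d+)")
ATTACH = "ssh_sandbox_child: attaching seccomp filter program"
CLOSED = "monitor_read_log: child log fd closed"

def find_silent_preauth_exits(log_text):
    """Flag sessions whose preauth child logged nothing after the seccomp attach."""
    state, findings = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # blank or non-sshd line
        pid, msg = int(m.group(1)), m.group(2)
        s = state.setdefault(pid, {"peer": None, "child": None, "after": None})
        if (p := PEER_RE.match(msg)):
            s["peer"] = p.group(1)
        elif (c := CHILD_RE.search(msg)):
            s["child"] = int(c.group(1))
        elif ATTACH in msg:
            s["after"] = 0  # start counting child messages from here
        elif CLOSED in msg:
            if s["after"] == 0:  # filter attached, then silence from the child
                findings.append({"monitor": pid, "child": s["child"], "peer": s["peer"]})
            state.pop(pid, None)
        elif msg.endswith("[preauth]") and s["after"] is not None:
            s["after"] += 1  # the child is still alive and logging
    return findings

if __name__ == "__main__":
    print(find_silent_preauth_exits(SAMPLE_LOG))
```

A hit only says the preauth child went quiet after the filter was attached; it does not identify which upgraded package or system call was involved.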

