• Bug#1103418: openssh-server irregularly crashing since 10.0p1 upgrade

    From Liam Stitt@21:1/5 to All on Thu Apr 17 12:30:01 2025
    Package: openssh-server
    Version: 1:10.0p1-2
    Severity: grave
    Justification: renders package unusable
    X-Debbugs-Cc: stittl@cuug.ab.ca

    Hi. Since 10.0p1 came out, about half the time I try to connect to my
    system it fails and on inspection there is a crash in the dmesg
    output:

    [419972.562415] sshd-session[189732]: segfault at 7ffceb533dbc ip 00007ff7dc95261d sp 00007ffceb533d70 error 6 in libc.so.6[6261d,7ff7dc918000+165000] likely on CPU 3 (core 3, socket 0)
    [419972.562422] Code: 59 ec ff ff e8 a4 a5 0b 00 0f 1f 40 00 41 57 49 89 f7 41 56 49 89 d6 41 55 41 54 55 53 48 89 fb 4c 89 ff 48 81 ec f8 04 00 00 <89> 4c 24 4c 48 89 74 24 70 be 25 00 00 00 64 48 8b 04 25 28 00 00

    Of course the addresses and cpu number vary, but the code is always
    the same.

    Since this started happening a few days ago, I wondered if it might be
    because my system had been up for over a year and cthulhu knows how
    many versions of libc6 were still pinned in core because a process
    still depended on it after an upgrade, but rebooting had no
    effect. libc has also upgraded twice since this started, also with no
    effect.

    Obviously this will require more investigation to debug. I am at your
    disposal.

    Ta.



    -- System Information:
    Debian Release: trixie/sid
    APT prefers unstable
    APT policy: (500, 'unstable')
    Architecture: amd64 (x86_64)

    Kernel: Linux 6.14.0 (SMP w/4 CPU threads; PREEMPT)
    Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
    Shell: /bin/sh linked to /usr/bin/dash
    Init: systemd (via /run/systemd/system)

    Versions of packages openssh-server depends on:
    ii debconf [debconf-2.0] 1.5.91
    ii init-system-helpers 1.68
    ii libaudit1 1:4.0.2-2+b2
    ii libc6 2.41-7
    ii libcom-err2 1.47.2-1+b1
    ii libcrypt1 1:4.4.38-1
    ii libgssapi-krb5-2 1.21.3-5
    ii libkrb5-3 1.21.3-5
    ii libpam-modules 1.7.0-3
    ii libpam-runtime 1.7.0-3
    ii libpam0g 1.7.0-3
    ii libselinux1 3.8.1-1
    ii libssl3t64 3.5.0-1
    ii libwrap0 7.6.q-36
    ii libwtmpdb0 0.73.0-2
    ii openssh-client 1:10.0p1-2
    ii openssh-sftp-server 1:10.0p1-2
    ii procps 2:4.0.4-8
    ii runit-helper 2.16.4
    ii systemd [systemd-sysusers] 257.5-2
    ii sysvinit-utils [lsb-base] 3.14-4
    ii ucf 3.0051
    ii zlib1g 1:1.3.dfsg+really1.3.1-1+b1

    Versions of packages openssh-server recommends:
    ii libpam-systemd [logind] 257.5-2
    ii ncurses-term 6.5+20250216-2
    ii xauth 1:1.1.2-1.1

    Versions of packages openssh-server suggests:
    pn molly-guard <none>
    pn monkeysphere <none>
    pn ssh-askpass <none>
    pn ufw <none>

    -- debconf information:
    openssh-server/permit-root-login: true
    openssh-server/password-authentication: true

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Colin Watson@21:1/5 to Liam Stitt on Thu Apr 17 18:00:02 2025
    On Thu, Apr 17, 2025 at 04:24:18AM -0600, Liam Stitt wrote:
    > Hi. Since 10.0p1 came out, about half the time I try to connect to my
    > system it fails and on inspection there is a crash in the dmesg
    > output:
    >
    > [419972.562415] sshd-session[189732]: segfault at 7ffceb533dbc ip 00007ff7dc95261d sp 00007ffceb533d70 error 6 in libc.so.6[6261d,7ff7dc918000+165000] likely on CPU 3 (core 3, socket 0)
    > [419972.562422] Code: 59 ec ff ff e8 a4 a5 0b 00 0f 1f 40 00 41 57 49 89 f7 41 56 49 89 d6 41 55 41 54 55 53 48 89 fb 4c 89 ff 48 81 ec f8 04 00 00 <89> 4c 24 4c 48 89 74 24 70 be 25 00 00 00 64 48 8b 04 25 28 00 00
    >
    > Of course the addresses and cpu number vary, but the code is always
    > the same.
    >
    > Since this started happening a few days ago, I wondered if it might be
    > because my system had been up for over a year and cthulhu knows how
    > many versions of libc6 were still pinned in core because a process
    > still depended on it after an upgrade, but rebooting had no
    > effect. libc has also upgraded twice since this started, also with no
    > effect.

    It won't be that, since a fresh sshd-session process is started each
    time you connect.

    > Obviously this will require more investigation to debug. I am at your
    > disposal.

    OK, so the log message just tells me that the crash is in _IO_vfprintf,
    which isn't very specific; we need to get a core dump. Assuming you're
    running systemd, could you please:

    * install the gdb and systemd-coredump packages
    * get the crash to happen again
    * run "sudo coredumpctl list" to check whether it's picked up the core
    dump
    * run "sudo DEBUGINFOD_URLS=https://debuginfod.debian.net/ coredumpctl
    debug <pid>", where <pid> is the value in the PID column of
    "coredumpctl list" corresponding to the process that crashed
    * press "y" at the "Enable debuginfod for this session?" prompt
    * type "bt" at the "(gdb)" prompt
    * reply to this email with the output

    There are other options if you aren't running systemd, but this is
    probably the easiest to set up on a stock Debian system.

    Thanks,

    --
    Colin Watson (he/him) [cjwatson@debian.org]
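
Added example, not part of the thread: the dmesg line in the report carries more than the name of the faulting library. This Python decoder splits out the fault address, stack pointer and x86 page-fault error bits for that line; the 64 KiB "near the stack pointer" window is an assumption chosen for this example.

```python
import re

# The dmesg line quoted in the report above (taken from the page).
REPORT_LINE = (
    "[419972.562415] sshd-session[189732]: segfault at 7ffceb533dbc "
    "ip 00007ff7dc95261d sp 00007ffceb533d70 error 6 in "
    "libc.so.6[6261d,7ff7dc918000+165000] likely on CPU 3 (core 3, socket 0)"
)

# Kernel format: "<comm>[<pid>]: segfault at <addr> ip <ip> sp <sp> error <err>"
# optionally followed by " in <object>[<file offset>,<map base>+<map size>]".
# Older kernels omit the "<file offset>," part, so it is optional here.
SEGV = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>[^\s\[]+)\[(?:(?P<off>[0-9a-f]+),)?"
    r"(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

STACK_WINDOW = 0x10000  # assumption: "near sp" means within 64 KiB


def decode_segfault(line):
    """Return a dict describing one kernel segfault line, or None."""
    m = SEGV.search(line)
    if m is None:
        return None

    def hexval(key):
        return int(m.group(key), 16) if m.group(key) else None

    addr, ip, sp, err = (hexval(k) for k in ("addr", "ip", "sp", "err"))
    base = hexval("base")
    info = {
        "comm": m.group("comm"),
        "pid": int(m.group("pid")),
        "addr": addr,
        "ip": ip,
        "sp": sp,
        # x86 page-fault error code bits
        "page_present": bool(err & 0x01),   # 0 = page not mapped
        "access": "write" if err & 0x02 else "read",
        "user_mode": bool(err & 0x04),
        "instruction_fetch": bool(err & 0x10),
        "object": m.group("obj"),
        "file_offset": hexval("off"),
        "ip_offset_in_mapping": None if base is None else ip - base,
        "addr_minus_sp": addr - sp,
    }
    # Heuristic: a write to a non-present page right next to the stack
    # pointer means the stack itself could not be touched.
    info["stack_write_to_unmapped_page"] = (
        not info["page_present"]
        and info["access"] == "write"
        and abs(addr - sp) < STACK_WINDOW
    )
    return info


if __name__ == "__main__":
    for key, value in decode_segfault(REPORT_LINE).items():
        shown = hex(value) if isinstance(value, int) and key != "pid" \
            and not isinstance(value, bool) else value
        print(f"{key:30} {shown}")
```

For the reported line this gives a user-mode write to a non-present page 0x4c bytes above the stack pointer, which matches the highlighted `<89> 4c 24 4c` store in the `Code:` line.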

  • From Liam Stitt@21:1/5 to Colin Watson on Fri Apr 18 07:30:01 2025
    On Thu, 17 Apr 2025, Colin Watson wrote:

    I got this far:

    > * install the gdb and systemd-coredump packages

    Whereupon I discovered that, obviously enough, it's also necessary to
    restart the sshd service. You may want to make note of that if these are
    canned instructions.

    This minor speedbump aside, I have attached the 'bt' output from gdb.


    --
    Liam Stitt
    stittl@cuug.ab.ca

  • From Colin Watson@21:1/5 to Liam Stitt on Fri Apr 18 13:40:01 2025
    On Thu, Apr 17, 2025 at 11:08:08PM -0600, Liam Stitt wrote:
    > This minor speedbump aside, I have attached the 'bt' output from gdb.

    Ugh, I didn't realize your password would show up in the backtrace!
    Sorry about that - please change it as soon as possible.

    That said, the backtrace is definitely useful, but inconclusive. It
    shows that the crash is nominally inside pam_ecryptfs, but the asprintf
    call that's crashing looks fine to me, and the backtrace shows that its arguments are valid. Therefore I think we must be dealing with action
    at a distance from some previous memory corruption, which is going to be
    a pain to track down. It might be in openssh-server, and the timing
    suggests that it probably is; but it might also be in any other PAM
    module used in the auth phase.

    My next best plan is to try valgrind, which is usually good at spotting
    these kinds of memory corruption errors. Setting this up is a little
    involved in this case, but not too bad. Here are instructions I've
    tested in a container:

    * install the valgrind package
    * as root, create /usr/local/bin/sshd-session-valgrind with the
    following contents:

    #! /bin/sh
    exec valgrind /usr/lib/openssh/sshd-session "$@"

    * sudo chmod +x /usr/local/bin/sshd-session-valgrind
    * as root, create /etc/ssh/sshd_config.d/valgrind.conf with the
    following contents:

    SshdSessionPath /usr/local/bin/sshd-session-valgrind

    * sudo systemctl restart ssh.service

    Now try logging in again until you hit a crash, and then look in "sudo journalctl -u ssh.service | less" for the output of valgrind; each
    instance of its output will start with a line saying "Memcheck, a memory
    error detector", and each line will have "==PID==" in it for some
    process ID. I don't think the output is likely to include your password
    this time, but it will probably be worth checking it over just in case.

    Separately, it might also be helpful for me to have a copy of your /etc/pam.d/common-auth file, so I can see which other modules are being
    run in this phase. My guess is that this probably won't help me, but
    it's easy to capture and it stands some chance of letting me reproduce
    this locally, which would be a big help.

    Thanks,

    --
    Colin Watson (he/him) [cjwatson@debian.org]
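
Added example, not part of the thread and not OpenSSH or gdb code: a filter to run over `bt` output (or journal excerpts) before attaching them to a public bug, since gdb prints `char *` arguments such as `password` as string literals. The sample backtrace is constructed (frame addresses, line numbers, the `helper` frame and the secret are made up), and the list of sensitive parameter names is an assumption to extend for your own stack.

```python
import re
import sys

# Parameter names treated as secret-bearing (assumption; extend as needed).
SENSITIVE = re.compile(r"pass|secret|token|authtok|cred", re.IGNORECASE)

# gdb prints a char* argument as:  name=[name@entry=]0xADDR "string"[...]
ARG = re.compile(
    r'\b(?P<name>[A-Za-z_]\w*)=(?P<entry>(?P=name)@entry=)?'
    r'(?P<ptr>0x[0-9a-f]+) "(?P<val>(?:[^"\\]|\\.)*)"(?:\.\.\.)?'
)

MIN_LEN = 4  # never do a global replace of very short values

# Constructed sample: same shape as a gdb backtrace through sshd's PAM
# password path, with invented addresses, line numbers and secret.
SAMPLE_BT = r'''#9  0x0000555555561a70 in sshpam_auth_passwd (authctxt=authctxt@entry=0x5555555ae90, password=password@entry=0x555555588cb0 "EXAMPLE-hunter2") at auth-pam.c:100
#10 0x000055555552da8b in auth_password (ssh=ssh@entry=0x555555567480, password=0x555555588cb0 "EXAMPLE-hunter2") at auth-passwd.c:50
#11 0x0000555555507ace in helper (buf=0x555555588cb0 "EXAMPLE-hunter2", homedir=0x55555552eec0 "/home/alice") at example.c:10
'''


def redact_backtrace(text):
    """Return (redacted_text, number_of_distinct_secret_values_found)."""
    secrets = set()

    def scrub(match):
        # Pass 1: blank the string shown for any sensitively named argument
        # and remember its value.
        if not SENSITIVE.search(match.group("name")):
            return match.group(0)
        secrets.add(match.group("val"))
        return '{}={}{} "<redacted>"'.format(
            match.group("name"), match.group("entry") or "", match.group("ptr"))

    out = ARG.sub(scrub, text)

    # Pass 2: the same bytes often reappear under an innocuous name
    # (buf, s, item) in deeper frames or in log lines, so remove every
    # other occurrence of each value learned in pass 1.
    for value in sorted(secrets, key=len, reverse=True):
        if len(value) >= MIN_LEN:
            out = out.replace(value, "<redacted>")
    return out, len(secrets)


if __name__ == "__main__":
    # Usage: sudo coredumpctl debug <pid> ... > bt.txt; python3 this.py < bt.txt
    redacted, found = redact_backtrace(sys.stdin.read())
    sys.stdout.write(redacted)
    print(f"[{found} secret value(s) redacted]", file=sys.stderr)
```

Name-based matching only catches arguments gdb labels, so the output still needs a read-through, and any credential that reached a core dump should be rotated regardless.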

  • From Liam Stitt@21:1/5 to Colin Watson on Sat Apr 19 11:30:02 2025

    On Fri, 18 Apr 2025, Colin Watson wrote:

    > Ugh, I didn't realize your password would show up in the backtrace! Sorry about that - please change it as soon as possible.

    Yeah, I caught that after I sent the message and already have. Ah well, it
    was overdue for rotation anyway.

    > valid. Therefore I think we must be dealing with action at a distance from some previous memory corruption, which is going to be a pain to track down. It might be in openssh-server, and the timing suggests that it probably is; but it might also be in any other PAM module used in the auth phase.

    Before I continue, I just remembered another issue (possibly PAM-related)
    which had come up irregularly enough to forget about, but may be smoke
    here.

    Every so often, logging in normally behaves but also spits out:

    "When trying to update a password, this return status indicates that the
    value provided as the current password is not correct."

    which is some sort of Samba error. Maybe there's an interaction here.


    Now as to your new instructions:

    > Now try logging in again until you hit a crash, and then look in "sudo journalctl -u ssh.service | less" for the output of valgrind; each instance of its output will start with a line saying "Memcheck, a memory error detector", and each line will have "==PID==" in it for some process ID. I don't think the output is likely to include your password this time, but it will probably be worth checking it over just in case.

    Typical such output attached.

    > Separately, it might also be helpful for me to have a copy of your /etc/pam.d/common-auth file, so I can see which other modules are being run

    Attached. It should be the Sid default, modulo anything frobbing it during updates.
  • From Andreas Kurth@21:1/5 to All on Fri Apr 25 14:10:01 2025
    Hello Liam, Colin,

    given that nobody confirmed this issue for more than a week and it seems
    to be a rather particular case: does this really need to have "grave"
    severity? It deters users from updating their systems.

    Best regards, Andreas.

  • From Michel Casabona@21:1/5 to All on Wed Apr 30 00:40:01 2025
    Hello,
    Same problem here since 1:10.0p1-2 was migrated to testing yesterday.

    sshd-session crashes with SIGSEGV at "random" intervals (but many times
    in a row, sometimes)
    I've tried logging from different systems and openssh versions (Debian
    testing, stable, Mint 22.1, Connectbot on Android), and authentication
    methods (password, pubkey), all crashed sometimes but I couldn't find a pattern.

    It seems (but I'm not sure) that there is less chance of crashing when
    using password authentication (PubkeyAuthentication=no).
    Also, on my system it's easier to cause a crash when logging from the
    server itself (either by loopback or ethernet IP address)

    Reconfiguring libpam-runtime to exclude ecryptfs doesn't make any
    difference, it still crashes

    From the client view (-vvv) the connection is reset at different points, sometimes after the local version string is shown, with an error message:

    debug1: Local version string SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u5
    debug1: kex_exchange_identification: banner line 0: Not allowed at this time
    kex_exchange_identification: Connection closed by remote host
    Connection closed by fe80::... port 22

    Sometimes after sending public key

    debug1: Next authentication method: publickey
    debug1: Offering public key: /home/michel/.ssh/id_rsa RSA SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx agent
    debug3: send packet: type 50
    debug2: we sent a publickey packet, wait for reply
    Connection closed by fe80::... port 22

    As advised I tried installing systemd-coredump, valgrind and also
    debuginfod, then modified the script
    /usr/local/bin/sshd-session-valgrind like this

    DEBUGINFOD_URLS=https://debuginfod.debian.net/ exec valgrind --leak-check=full --enable-debuginfod=yes /usr/lib/openssh/sshd-session "$@"

    Now valgrind shows the name of a function

    avril 29 19:57:25 odysseus sshd[4019365]: ==4019365== Cannot map memory to grow the stack for thread #1 to 0x1ffeffc000
    avril 29 19:57:25 odysseus sshd[4019365]: ==4019365==
    avril 29 19:57:25 odysseus sshd[4019365]: ==4019365== Process terminating with default action of signal 11 (SIGSEGV): dumping core
    avril 29 19:57:25 odysseus sshd[4019365]: ==4019365== Access not within mapped region at address 0x1FFEFFCD78
    avril 29 19:57:25 odysseus sshd[4019365]: ==4019365== Cannot map memory to grow the stack for thread #1 to 0x1ffeffc000
    avril 29 19:57:25 odysseus sshd[4019365]: ==4019365== at 0x1BCBC9: glob0 (glob.c:476)

    Unfortunately I couldn't get a coredump

    avril 29 19:57:25 odysseus systemd[1]: Started systemd-coredump@15-4019403-0.service - Process Core Dump (PID 4019403/UID 0).
    avril 29 19:57:25 odysseus systemd-coredump[4019404]: Resource limits disable core dumping for process 4019365 (memcheck-amd64-).
    avril 29 19:57:25 odysseus systemd-coredump[4019404]: [🡕] Process 4019365 (memcheck-amd64-) of user 0 terminated abnormally without generating a coredump.
    avril 29 19:57:25 odysseus systemd[1]: systemd-coredump@15-4019403-0.service: Deactivated successfully.

    No idea why, I thought installing systemd-coredump pushed the limits

    Please let me know if you want more tests / logs

    Thanks!

  • From Chris Hofstaedtler@21:1/5 to All on Wed Apr 30 11:10:01 2025
    * Michel Casabona <michel.casabona@free.fr> [250430 00:36]:
    > Reconfiguring libpam-runtime to exclude ecryptfs doesn't make any
    > difference, it still crashes

    Could you maybe post your full PAM configuration? That would be
    /etc/pam.d/sshd and also all of /etc/pam.d/common-*

    Chris

  • From Michel Casabona@21:1/5 to All on Wed Apr 30 12:30:01 2025
    On 30/04/2025 at 11:06, Chris Hofstaedtler wrote:
    > * Michel Casabona <michel.casabona@free.fr> [250430 00:36]:
    >> Reconfiguring libpam-runtime to exclude ecryptfs doesn't make any
    >> difference, it still crashes
    >
    > Could you maybe post your full PAM configuration? That would be /etc/pam.d/sshd and also all of /etc/pam.d/common-*

    The files are attached. There are no "local mods", only files dropped in
    pam.d by debian packages, or configured through
    "dpkg-reconfigure libpam-runtime"


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Colin Watson@21:1/5 to Michel Casabona on Wed Apr 30 13:50:01 2025
    On Wed, Apr 30, 2025 at 12:32:33AM +0200, Michel Casabona wrote:
    > Same problem here since 1:10.0p1-2 was migrated to testing yesterday.

    Thanks for chiming in - it's very helpful to have more data.

    > It seems (but I'm not sure) that there are fewer chances to crash when
    > using password authentication (PubkeyAuthentication=no).
    > Also, on my system it's easier to cause a crash when logging from the
    > server itself (either by loopback or ethernet IP address)
    >
    > Reconfiguring libpam-runtime to exclude ecryptfs doesn't make any
    > difference, it still crashes
    >
    > From the client view (-vvv) the connection is reset at different points,
    > sometimes after the local version string is shown, with an error message:

    This sort of thing points to memory corruption somewhere, which is what
    I suspected, though it unfortunately doesn't really narrow it down.

    > As advised I tried installing systemd-coredump, valgrind and also
    > debuginfod, then modified the script
    > /usr/local/bin/sshd-session-valgrind like this
    >
    > DEBUGINFOD_URLS=https://debuginfod.debian.net/ exec valgrind --leak-check=full --enable-debuginfod=yes /usr/lib/openssh/sshd-session "$@"
    >
    > Now valgrind shows the name of a function
    >
    > avril 29 19:57:25 odysseus sshd[4019365]: ==4019365== Cannot map memory to grow the stack for thread #1 to 0x1ffeffc000
    > avril 29 19:57:25 odysseus sshd[4019365]: ==4019365==
    > avril 29 19:57:25 odysseus sshd[4019365]: ==4019365== Process terminating with default action of signal 11 (SIGSEGV): dumping core
    > avril 29 19:57:25 odysseus sshd[4019365]: ==4019365== Access not within mapped region at address 0x1FFEFFCD78
    > avril 29 19:57:25 odysseus sshd[4019365]: ==4019365== Cannot map memory to grow the stack for thread #1 to 0x1ffeffc000
    > avril 29 19:57:25 odysseus sshd[4019365]: ==4019365== at 0x1BCBC9: glob0 (glob.c:476)

    Is that the complete output from valgrind, or did you edit it down?
    It's tantalizingly close to being useful, but it really feels like there
    should be more of it. Could I have all of the lines matching
    "==4019365=="?

    > Unfortunately I couldn't get a coredump
    >
    > avril 29 19:57:25 odysseus systemd[1]: Started systemd-coredump@15-4019403-0.service - Process Core Dump (PID 4019403/UID 0).
    > avril 29 19:57:25 odysseus systemd-coredump[4019404]: Resource limits disable core dumping for process 4019365 (memcheck-amd64-).
    > avril 29 19:57:25 odysseus systemd-coredump[4019404]: [🡕] Process 4019365 (memcheck-amd64-) of user 0 terminated abnormally without generating a coredump.
    > avril 29 19:57:25 odysseus systemd[1]: systemd-coredump@15-4019403-0.service: Deactivated successfully.
    >
    > No idea why, I thought installing systemd-coredump pushed the limits

    /etc/security/limits.d/20-coredump-debian.conf raises soft limits, but
    there might be something else in play that's reducing them again. But hopefully more complete valgrind output will be more useful anyway ...

    Thanks,

    --
    Colin Watson (he/him) [cjwatson@debian.org]
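
Pulling every valgrind line for one PID out of the journal and reducing it to the facts that matter for triage (signal, faulting address, failed stack growth, reported frames), as an added example that is not part of the thread and not code from OpenSSH or valgrind. The sample journal is constructed from the lines quoted above; the function names and the second PID are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: modelled on the journal lines quoted in the thread.
# PID 4019500 is invented here to show that unrelated processes are kept apart.
SAMPLE_JOURNAL = """\
avril 29 19:57:25 odysseus sshd[4019365]: ==4019365== Cannot map memory to grow the stack for thread #1 to 0x1ffeffc000
avril 29 19:57:25 odysseus sshd[4019365]: ==4019365==
avril 29 19:57:25 odysseus sshd[4019365]: ==4019365== Process terminating with default action of signal 11 (SIGSEGV): dumping core
avril 29 19:57:25 odysseus sshd[4019365]: ==4019365==  Access not within mapped region at address 0x1FFEFFCD78
avril 29 19:57:25 odysseus sshd[4019365]: ==4019365==    at 0x1BCBC9: glob0 (glob.c:476)
avril 29 19:57:25 odysseus systemd-coredump[4019404]: Resource limits disable core dumping for process 4019365 (memcheck-amd64-).
avril 29 19:58:02 odysseus sshd[4019500]: ==4019500== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
"""

# valgrind prefixes each of its own lines with ==PID==; the journal prefix
# (timestamp, host, unit[pid]:) in front of it is ignored.
VG_LINE = re.compile(r"==(?P<pid>\d+)==\s?(?P<msg>.*)$")
SIGNAL = re.compile(r"Process terminating with default action of signal (\d+) \((\w+)\)")
FAULT = re.compile(r"Access not within mapped region at address (0x[0-9A-Fa-f]+)")
FRAME = re.compile(r"^\s*(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^)]*)\)")
STACK = re.compile(r"Cannot map memory to grow the stack")
NO_CORE = re.compile(r"Resource limits disable core dumping for process (\d+)")


def valgrind_by_pid(journal_text):
    """Group valgrind messages by the PID inside the ==PID== marker."""
    per_pid = defaultdict(list)
    for line in journal_text.splitlines():
        m = VG_LINE.search(line)
        if m:
            per_pid[int(m.group("pid"))].append(m.group("msg").rstrip())
    return dict(per_pid)


def summarise(messages):
    """Reduce one process's valgrind messages to the crash-relevant facts."""
    summary = {"signal": None, "fault_address": None,
               "stack_growth_failed": False, "frames": []}
    for msg in messages:
        if STACK.search(msg):
            summary["stack_growth_failed"] = True
        m = SIGNAL.search(msg)
        if m:
            summary["signal"] = (int(m.group(1)), m.group(2))
        m = FAULT.search(msg)
        if m:
            summary["fault_address"] = m.group(1)
        m = FRAME.match(msg)
        if m:
            summary["frames"].append((m.group(1), m.group(2)))
    return summary


def pids_without_core(journal_text):
    """PIDs for which systemd-coredump reported that rlimits blocked the dump."""
    return {int(pid) for pid in NO_CORE.findall(journal_text)}


if __name__ == "__main__":
    blocked = pids_without_core(SAMPLE_JOURNAL)
    for pid, msgs in sorted(valgrind_by_pid(SAMPLE_JOURNAL).items()):
        info = summarise(msgs)
        info["core_dump_blocked"] = pid in blocked
        print(pid, info)
```

A single reported frame together with a failed stack growth, as in the sample, means the trace carries no caller context for the `glob0` frame.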

  • From Colin Watson@21:1/5 to Michel Casabona on Wed Apr 30 15:00:01 2025
    On Wed, Apr 30, 2025 at 02:08:47PM +0200, Michel Casabona wrote:
    > On 30/04/2025 at 13:42, Colin Watson wrote:
    >> Is that the complete output from valgrind, or did you edit it down?
    >> It's tantalizingly close to being useful, but it really feels like
    >> there should be more of it.  Could I have all of the lines matching
    >> "==4019365=="?
    >
    > Yes, I pasted a few lines to post, sorry. The full log is attached below.

    Thanks. The leak stuff is basically all noise - I think you can drop --leak-check=full as it doesn't really help here. The interesting bit
    is why sshd-session apparently needs more than the default stack. The
    lack of a stack trace there makes it difficult to work out context, but
    I think it's probably one of the glob() calls in auth2-pubkey.c. It
    might be innocent and just be an artifact of running under valgrind; or
    it might point to a deeper problem.

    Could you drop --leak-check=full from the valgrind call, and instead add --main-stacksize=67108864 (i.e. eight times the current value)? Then
    provoke the bug again and send me the new valgrind output. Let's see if
    that tells us something different.

    Could I also get your /etc/ssh/sshd_config and /etc/ssh/sshd_config.d/*
    files (of course you can edit out anything secret, but if you do then
    please at least keep the structure)?

    Thanks,

    --
    Colin Watson (he/him) [cjwatson@debian.org]

  • From Michel Casabona@21:1/5 to All on Wed Apr 30 17:30:01 2025
    On 30/04/2025 at 14:48, Colin Watson wrote:

    > Could you drop --leak-check=full from the valgrind call, and instead add
    > --main-stacksize=67108864 (i.e. eight times the current value)? Then
    > provoke the bug again and send me the new valgrind output. Let's see if
    > that tells us something different.

    Same output :-( Log attached.

    > Could I also get your /etc/ssh/sshd_config and /etc/ssh/sshd_config.d/*
    > files (of course you can edit out anything secret, but if you do then
    > please at least keep the structure)?

    The (unedited) config files are attached too


  • From Colin Watson@21:1/5 to Michel Casabona on Wed Apr 30 23:00:02 2025
    On Wed, Apr 30, 2025 at 05:23:19PM +0200, Michel Casabona wrote:
    > On 30/04/2025 at 14:48, Colin Watson wrote:
    >> Could you drop --leak-check=full from the valgrind call, and instead add
    >> --main-stacksize=67108864 (i.e. eight times the current value)? Then
    >> provoke the bug again and send me the new valgrind output. Let's see if
    >> that tells us something different.
    >
    > Same output :-( Log attached.

    So mysterious!

    >> Could I also get your /etc/ssh/sshd_config and /etc/ssh/sshd_config.d/*
    >> files (of course you can edit out anything secret, but if you do then
    >> please at least keep the structure)?
    >
    > The (unedited) config files are attached too

    I'm trying to get my test system closer to yours, but no luck so far.
    The best I've been able to come up with is an overlap between source and destination in a strlcpy call, which should probably be fixed, but
    there's no sign of it in your output. I'm trying to provoke a
    similar-ish segfault manually to experiment with coredumps, but haven't
    quite had enough time so far.

    What's the username you're trying to ssh to? (This is surely very
    unlikely to matter, but you never know.)

    What does "ls -l ~TARGET_USERNAME/.ssh/" for the appropriate target
    username _on the server_ say?

    Can I confirm that you're on amd64, just as the original reporter was?

    Is there anything else at all unusual about your system? Antivirus, any
    other system-wide LD_PRELOADs, any locally-modified packages that aren't
    from Debian testing, ...?

    --
    Colin Watson (he/him) [cjwatson@debian.org]

  • From Colin Watson@21:1/5 to Colin Watson on Thu May 1 00:10:02 2025
    On Wed, Apr 30, 2025 at 09:52:18PM +0100, Colin Watson wrote:
    > I'm trying to get my test system closer to yours, but no luck so far.
    > The best I've been able to come up with is an overlap between source
    > and destination in a strlcpy call, which should probably be fixed,

    I filed https://bugzilla.mindrot.org/show_bug.cgi?id=3819 upstream with
    a patch for that. I wouldn't bet on it being the cause here, but if you
    happen to have time and ability to recompile with that patch, I don't
    suppose it would hurt to try.

    (If you do have time and ability to recompile, trying with unpatched
    upstream source might also be worthwhile; it would be good to narrow
    down whether a Debian patch is at fault.)

    --
    Colin Watson (he/him) [cjwatson@debian.org]

  • From Lucio Crusca@21:1/5 to All on Thu May 1 10:10:01 2025
    Package: openssh-server
    Version: 1:10.0p1-2
    Followup-For: Bug #1103418
    X-Debbugs-Cc: lucio@sulweb.org

    I can reproduce this on my system. In my case it works when I issue `ssh localhost` (same user), but
    it reliably crashes when I issue `ssh lucio@localhost`. Please note
    that my username is `lucio`.




    -- System Information:
    Debian Release: trixie/sid
    APT prefers testing
    APT policy: (900, 'testing'), (800, 'stable'), (700, 'unstable'), (500, 'stable-updates'), (500, 'stable-security')
    Architecture: amd64 (x86_64)
    Foreign Architectures: i386

    Kernel: Linux 6.14.0 (SMP w/4 CPU threads; PREEMPT)
    Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), LANGUAGE not set
    Shell: /bin/sh linked to /usr/bin/dash
    Init: systemd (via /run/systemd/system)
    LSM: AppArmor: enabled

    Versions of packages openssh-server depends on:
    ii debconf [debconf-2.0] 1.5.91
    ii init-system-helpers 1.68
    ii libaudit1 1:4.0.2-2+b2
    ii libc6 2.41-7
    ii libcom-err2 1.47.2-1+b1
    ii libcrypt1 1:4.4.38-1
    ii libgssapi-krb5-2 1.21.3-5
    ii libkrb5-3 1.21.3-5
    ii libpam-modules 1.7.0-3
    ii libpam-runtime 1.7.0-3
    ii libpam0g 1.7.0-3
    ii libselinux1 3.8.1-1
    ii libssl3t64 3.5.0-1
    ii libwrap0 7.6.q-36
    ii libwtmpdb0 0.73.0-2
    ii lsb-base 11.6
    ii openssh-client 1:10.0p1-2
    ii openssh-sftp-server 1:10.0p1-2
    ii procps 2:4.0.4-8
    ii runit-helper 2.16.4
    ii systemd [systemd-sysusers] 257.5-2
    ii sysvinit-utils [lsb-base] 3.14-4
    ii ucf 3.0051
    ii zlib1g 1:1.3.dfsg+really1.3.1-1+b1

    Versions of packages openssh-server recommends:
    ii libpam-systemd [logind] 257.5-2
    ii ncurses-term 6.5+20250216-2
    ii xauth 1:1.1.2-1.1

    Versions of packages openssh-server suggests:
    pn molly-guard <none>
    pn monkeysphere <none>
    pn ssh-askpass <none>
    pn ufw <none>

    -- debconf information:
    openssh-server/password-authentication: true
    openssh-server/permit-root-login: true

  • From Colin Watson@21:1/5 to Lucio Crusca on Thu May 1 13:50:01 2025
    On Thu, May 01, 2025 at 10:07:07AM +0200, Lucio Crusca wrote:
    > I can reproduce this on my system. In my case it works when I issue
    > `ssh localhost` (same user), but it reliably crashes when I issue
    > `ssh lucio@localhost`. Please note that my username is `lucio`.

    Is your username on the client side also "lucio"? If so, those should
    be literally identical in terms of what the server sees ...

    Could I please get the output of both "ssh -vvv localhost" (in a case
    where it works) and "ssh -vvv lucio@localhost" (in a case where it
    crashes)? Also whatever server logs you can find.

    --
    Colin Watson (he/him) [cjwatson@debian.org]
