sshd refusing connection problem

Sat Jun 14 18:05:44 PDT 2003

Richard Schilling wrote: 

Do you notice wether or not it takes a certain number of connections 
for the bug to show up?  I'm not seeing this problem with just a few 
people connecting via sftp (about 2-4 times per week).

--Richard

On 2003.06.13 22:36 Scott Lambert wrote:
> We have been having a problem with sshd on our shell server.
> 
> This has been happening since March 4, 2003 or before IIRC.  Initially 
> I thought the next OS upgrade, to 4.8 would fix this.  I am accustomed
> to
> haveing little things go away in a month or two.
> 
> I think we jumped to 4.7-STABLE on Feb 28, 2003.  Some exploit fix 
> wasn't being MFSd to RELENG_4_7 fast enough for my nerves (cvsd?).  It 
> was last upgraded to FreeBSD 4.8-RELEASE #8: Mon Mar 31 22:13:07 EST 
> 2003, RELENG_4_8.
> 
> sshd regularly stops accepting new connections.  There is never 
> anything in the logs.  This time the last connection before sshd 
> stopped taking new connections was the user, lets call him "bob" who 
> always manages to
> leave a lot of processes with the title of "sshd: bob [priv] (sshd)".
> Bob currently has 35 of those processes up.
> 
> Jun 13 19:17:55 shell sshd[39482]: Accepted password for bob from 
> 10.321.321.321 port 3616 Jun 13 20:28:01 shell sshd[72401]: Received 
> SIGHUP; restarting. Jun 13 20:28:02 shell sshd[41220]: Server 
> listening on 0.0.0.0 port 22.
> Jun 13 21:06:49 shell sshd[42072]: Accepted publickey for scott from
> 68.160.236.249
> 
> Obviously, I faked the IP for "bob".
> 
> I consoled in this time and hooked up truss to the server PID.  I was
> running:
> 
> while true ; do /usr/bin/ssh shell.example.com; done;
> 
> Thinking that if it were a file handle problem, I might accidentally 
> get in if I caught it as an active user logged out.  It was closing 
> the connection as soon as it was made (TCP handshake).  I have, umm, 
> lost the error messages I was seeing on my side.  Hopefully the truss
> output
> will be sufficient.  My ssh client never got far enough to negotiate a
> key with the server.
> 
> Truss output is at :
> 
> http://www.lambertfam.org/~lambert/sshd_problem/truss_sshd
> 
> netstat -an | grep '\.22   ' output is at :
> 
> http://www.lambertfam.org/~lambert/sshd_problem/netstat-an_sshd
> 
> Faked the first two octets of the other users' IPs.
> 
> Once I -HUP the sshd process and it forks a new daemon, everything is 
> ok for another week or two.
> 
> --
> Scott Lambert                    KC5MLE                       Unix

Could sshd be running out of resources? I've seen instances where sshd will 
fill up the internal kernel tables (kern.maxfilesperproc and so forth) and 
not accept new connections until either the server was rebooted or sshd was 
completely killed and restarted. 

Did you compile a custom kernel, or are you running on GENERIC? 

-Kyle