Re: sshd signal 11 on -current

On Jan 17, 2024, at 16:22, bob prohaska <fbsd@www.zefox.net> wrote:

> On Wed, Jan 17, 2024 at 12:24:53PM -0800, Mark Millard wrote:
>> 
>> Does connecting to ns2.zefox.net from the Mac workstation
>> also end up seeing "Corrupted MAC on input" eventually
>> when you then look at /various/log/messages somehow (more,
>> grep, . . .)?
> 
> Ssh from the Mac workstation (10.7.5, so old) to ns2.zefox.net
> worked and produced normal output
>> 
>> Does connecting to ns2.zefox.net from "pi4 RasPiOS workstation"
>> also end up seeing "Corrupted MAC on input" eventually?
> 
> Ssh from Pi4 workstation to ns2.zefox.net is successful,
> but running grep triggers the "corrupted Mac..." error
> in mid-output.
> 
>> Does connecting to ns2.zefox.net from "gateway.zefox.net"
>> also end up seeing "Corrupted MAC on input" eventually?
>> 
> Gateway.zefox.net is the name of the router. Since RPi4
> workstation and Mac workstation are both on the lan their
> traffic passes through the router. Mac works, the Pi4 
> doesn't.

You have published material indicating the prior login
was from gateway.zefox.net . That was why I referenced
it.

>> Does connecting to ns2.zefox.net from "ns1.zefox.net"
>> also end up seeing "Corrupted MAC on input" eventually?

Was pi4 RasPiOS workstation involved in the sequence?
If yes, what happens if you use the mac for that stage
instead of pi4 RasPiOS workstation?

A question is if you ever get the problem when
pi4 RasPiOS workstation is not involved at all.

> Yes, but see the puzzling observation below.
>> 
>> Does connecting to ns2.zefox.net from "www.zefox.org"
>> also end up seeing "Corrupted MAC on input" eventually?
>> 
> Yes
>> Which see the problem and which do not (if any)?
>> 
> It appears that the (very old) Mac connects without
> a problem. The newer hosts have difficulties.

Did all the "newer hosts" tests involve using
pi4 RasPiOS workstation ? If yes, what happens
if you avoid involving pi4 RasPiOS workstation ?

> Meanwhile the ssh connection from RasPiOS workstation 
> to nemesis.zefox.com and tip session to the serial console
> of ns2.zefox.net stayed up with a login prompt. After logging
> in it was possible to view /var/log/messages with more and
> even use grep to search for instances of ssh in the file.
> 
> Here's a puzzling observation: 
> 
> If I ssh from Mac to ns1 then ssh from ns1 to ns2, no corrupted MAC.
> 
> If I ssh from RPi4 to ns1 then ssh to ns2, corrupted MAC is reported
> and the connection detaches leaving me at the rpi4 workstation.

So you started experiments I suggest above relative to
pi4 RasPiOS workstation use.

So far it sounds like the problem requires pi4 RasPiOS
workstation behavior to be involved to get the problem.
Can you do something to avoid all use of RasPiOS, possibly
using a different OS on that RPi4B for some experiments?

> The workaround for CVE-2023-48795 was applied to the Raspberry 
> Pi2v1.1 hosts (ns1.zefox.net, ns2.zefox.net and www.zefox.net) back
> in December. Might that be part of the trouble?

No clue. But, right now the common point seems to be
pi4 RasPiOS workstation being involved. It might be
the OS or the hardware if its involvement is
essential to the problem. Thus the suggested test
of avoiding RasPiOS on that RPi4B for some experiments,
using another OS.

> I didn't notice
> any misbehavior then, but ssh attacks have increased since, at
> least in quantity. 
> 
> I'm becoming skeptical this is related to the sshd segfaults on 
> nemesis.zefox.com.  

Agreed: At this point we have nothing tying the corrupted
MAC issue with the segfaults issue.




===
Mark Millard
marklmi at yahoo.com