From: Scott Lambert
To: FreeBSD STABLE
Date: Sat, 14 Jun 2003 01:36:08 -0400
Subject: sshd refusing connections problem
Message-ID: <20030614053608.GB8466@laptop.lambertfam.org>

We have been having a problem with sshd on our shell server. This has
been happening since March 4, 2003 or before IIRC. Initially I thought
the next OS upgrade, to 4.8, would fix this. I am accustomed to having
little things go away in a month or two.

I think we jumped to 4.7-STABLE on Feb 28, 2003. Some exploit fix wasn't
being MFSd to RELENG_4_7 fast enough for my nerves (cvsd?). It was last
upgraded to FreeBSD 4.8-RELEASE #8: Mon Mar 31 22:13:07 EST 2003,
RELENG_4_8.

sshd regularly stops accepting new connections. There is never anything
in the logs.

This time the last connection before sshd stopped taking new connections
was the user, let's call him "bob", who always manages to leave a lot of
processes with the title of "sshd: bob [priv] (sshd)". Bob currently has
35 of those processes up.

    Jun 13 19:17:55 shell sshd[39482]: Accepted password for bob from 10.321.321.321 port 3616
    Jun 13 20:28:01 shell sshd[72401]: Received SIGHUP; restarting.
    Jun 13 20:28:02 shell sshd[41220]: Server listening on 0.0.0.0 port 22.
    Jun 13 21:06:49 shell sshd[42072]: Accepted publickey for scott from 68.160.236.249

Obviously, I faked the IP for "bob".

I consoled in this time and hooked up truss to the server PID. I was
running:

    while true ; do /usr/bin/ssh shell.example.com; done;

Thinking that if it were a file handle problem, I might accidentally get
in if I caught it as an active user logged out. It was closing the
connection as soon as it was made (TCP handshake). I have, umm, lost the
error messages I was seeing on my side. Hopefully the truss output will
be sufficient. My ssh client never got far enough to negotiate a key with
the server.

Truss output is at:
http://www.lambertfam.org/~lambert/sshd_problem/truss_sshd

netstat -an | grep '\.22 ' output is at:
http://www.lambertfam.org/~lambert/sshd_problem/netstat-an_sshd

Faked the first two octets of the other users' IPs.

Once I -HUP the sshd process and it forks a new daemon, everything is ok
for another week or two.

-- 
Scott Lambert    KC5MLE    Unix SysAdmin
lambert@lambertfam.org
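
A check for the symptom described in the message above, as an added example that is not part of the original post: it counts processes titled "sshd: USER [priv]" per user from ps output and lists users at or above a threshold. The function names, the threshold and the sample ps lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: count lingering "sshd: USER [priv]" processes per user.
# On a live host, feed it real data, e.g.:  ps -axww -o pid,command | flag_users 20

# priv_sshd_counts: read ps-style lines on stdin, print "user count" per user,
# highest count first. Only titles of the form "sshd: USER [priv]" are counted.
priv_sshd_counts() {
    awk '
        {
            for (i = 1; i + 2 <= NF; i++) {
                if ($i == "sshd:" && $(i + 2) == "[priv]") {
                    count[$(i + 1)]++
                    break
                }
            }
        }
        END { for (u in count) print u, count[u] }
    ' | sort -k2,2nr -k1,1
}

# flag_users THRESHOLD: print users holding at least THRESHOLD such processes.
flag_users() {
    priv_sshd_counts | awk -v t="$1" '$2 >= t { print $1 }'
}

# sample_ps: constructed ps output (PIDs, ttys and times are made up).
sample_ps() {
    cat <<'EOF'
  PID  TT  STAT      TIME COMMAND
41220  ??  Is     0:00.10 /usr/sbin/sshd
39482  ??  Is     0:00.02 sshd: bob [priv] (sshd)
39490  ??  Is     0:00.02 sshd: bob [priv] (sshd)
39511  ??  Is     0:00.03 sshd: bob [priv] (sshd)
42072  ??  Is     0:00.02 sshd: scott [priv] (sshd)
42075  ??  S      0:00.05 sshd: scott@ttyp1 (sshd)
EOF
}

# Demo on the constructed sample: with a threshold of 3, only "bob" is listed.
sample_ps | flag_users 3
```

Run from cron with a threshold suited to the host, this reports the build-up of such processes before the next restart is needed.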