Re: sshd signal 11 on -current

From: bob prohaska <fbsd_at_www.zefox.net>
Date: Thu, 18 Jan 2024 00:22:59 UTC

On Wed, Jan 17, 2024 at 12:24:53PM -0800, Mark Millard wrote:
> 
> Does connecting to ns2.zefox.net from the Mac workstation
> also end up seeing "Corrupted MAC on input" eventually
> when you then look at /various/log/messages somehow (more,
> grep, . . .)?

Ssh from the Mac workstation (10.7.5, so old) to ns2.zefox.net
worked and produced normal output.
> 
> Does connecting to ns2.zefox.net from "pi4 RasPiOS workstation"
> also end up seeing "Corrupted MAC on input" eventually?

Ssh from Pi4 workstation to ns2.zefox.net is successful,
but running grep triggers the "Corrupted MAC..." error
in mid-output.
 
> Does connecting to ns2.zefox.net from "gateway.zefox.net"
> also end up seeing "Corrupted MAC on input" eventually?
> 
Gateway.zefox.net is the name of the router. Since RPi4
workstation and Mac workstation are both on the LAN, their
traffic passes through the router. Mac works, the Pi4
doesn't.


> Does connecting to ns2.zefox.net from "ns1.zefox.net"
> also end up seeing "Corrupted MAC on input" eventually?
> 
Yes, but see the puzzling observation below. 
> 
> Does connecting to ns2.zefox.net from "www.zefox.org"
> also end up seeing "Corrupted MAC on input" eventually?
>
Yes

> Which see the problem and which do not (if any)?
> 
It appears that the (very old) Mac connects without
a problem. The newer hosts have difficulties.

Meanwhile the ssh connection from RasPiOS workstation 
to nemesis.zefox.com and tip session to the serial console
of ns2.zefox.net stayed up with a login prompt. After logging
in it was possible to view /var/log/messages with more and
even use grep to search for instances of ssh in the file.

Here's a puzzling observation: 

If I ssh from Mac to ns1 then ssh from ns1 to ns2, no corrupted MAC.

If I ssh from RPi4 to ns1 then ssh to ns2, corrupted MAC is reported
and the connection detaches, leaving me at the RPi4 workstation.

The workaround for CVE-2023-48795 was applied to the Raspberry 
Pi2v1.1 hosts (ns1.zefox.net, ns2.zefox.net and www.zefox.net) back
in December. Might that be part of the trouble? I didn't notice
any misbehavior then, but ssh attacks have increased since, at
least in quantity. 

I'm becoming skeptical this is related to the sshd segfaults on 
nemesis.zefox.com.  

Thanks for reading!

bob prohaska