From nobody Thu Jan 18 00:22:59 2024
Date: Wed, 17 Jan 2024 16:22:59 -0800
From: bob prohaska
To: Mark Millard
Cc: freebsd-arm@freebsd.org
Subject: Re: sshd signal 11 on -current
References: <7EF12F55-70E4-4780-BF73-3C7B963C3781@yahoo.com>
List-Id: Porting FreeBSD to ARM processors
List-Archive: https://lists.freebsd.org/archives/freebsd-arm
Content-Type: text/plain; charset=us-ascii

On Wed, Jan 17, 2024 at 12:24:53PM -0800, Mark Millard wrote:
>
> Does connecting to ns2.zefox.net from the Mac workstation
> also end up seeing "Corrupted MAC on input" eventually
> when you then look at /various/log/messages somehow (more,
> grep, . . .)?

Ssh from the Mac workstation (10.7.5, so old) to ns2.zefox.net worked and produced normal output.

>
> Does connecting to ns2.zefox.net from "pi4 RasPiOS workstation"
> also end up seeing "Corrupted MAC on input" eventually?

Ssh from Pi4 workstation to ns2.zefox.net is successful, but running grep triggers the "corrupted Mac..." error in mid-output.

> Does connecting to ns2.zefox.net from "gateway.zefox.net"
> also end up seeing "Corrupted MAC on input" eventually?
>

Gateway.zefox.net is the name of the router. Since RPi4 workstation and Mac workstation are both on the LAN their traffic passes through the router. Mac works, the Pi4 doesn't.

> Does connecting to ns2.zefox.net from "ns1.zefox.net"
> also end up seeing "Corrupted MAC on input" eventually?
>

Yes, but see the puzzling observation below.

>
> Does connecting to ns2.zefox.net from "www.zefox.org"
> also end up seeing "Corrupted MAC on input" eventually?
>

Yes.

> Which see the problem and which do not (if any)?
>

It appears that the (very old) Mac connects without a problem. The newer hosts have difficulties.

Meanwhile the ssh connection from RasPiOS workstation to nemesis.zefox.com and tip session to the serial console of ns2.zefox.net stayed up with a login prompt. After logging in it was possible to view /var/log/messages with more and even use grep to search for instances of ssh in the file.

Here's a puzzling observation: If I ssh from Mac to ns1 then ssh from ns1 to ns2, no corrupted MAC. If I ssh from RPi4 to ns1 then ssh to ns2, corrupted MAC is reported and the connection detaches leaving me at the RPi4 workstation.
The workaround for CVE-2023-48795 was applied to the Raspberry Pi2v1.1 hosts (ns1.zefox.net, ns2.zefox.net and www.zefox.net) back in December. Might that be part of the trouble? I didn't notice any misbehavior then, but ssh attacks have increased since, at least in quantity.

I'm becoming skeptical this is related to the sshd segfaults on nemesis.zefox.com.

Thanks for reading!

bob prohaska