#1529 Issue `closed`: Not able to connect with SSH to rescue image¶

Labels: bug, fixed / solved / done

schabrolles opened issue at 2017-10-10 10:52:¶

Relax-and-Recover (ReaR) Issue Template¶

Fill in the following items before submitting a new issue
(quick response is not guaranteed with free support):

rear version (/usr/sbin/rear -V): Relax-and-Recover 2.2 / Git (9 oct 2017)
OS version (cat /etc/rear/os.conf or lsb_release -a): ubuntu 16.04 / redhat 7.3
rear configuration files (cat /etc/rear/site.conf or cat /etc/rear/local.conf):
Are you using legacy BIOS or UEFI boot? BIOS PowerPC
Brief description of the issue:
On RedHat or ubuntu, cannot connect to the rescue system with ssh (sshd is not running on the rescue system after boot).
When trying to start it up manually (via console) I got the following message

  (RedHat) Missing privilege separation: /var/empty/sshd/etc
  (Ubuntu) Missing privilege separation: /var/run/sshd

Suse seems to not being affected.
May be a bug coming from the recent changes around ssh. (#1513, #1512)

Work-around, if any
create the missing directory requested and restart sshd with /bin/sshd -D in rescue mode

schlomo commented at 2017-10-10 10:54:¶

Thanks for reporting this. I already suspected that #1513 was not yet done but unfortunately I will only be able to work on this tomorrow or Sunday.

schabrolles commented at 2017-10-10 11:24:¶

For information, on the original system, /var/empty/sshd is chmod 711 (for RedHat)

(RedHat) drwx--x--x. 2 root root 6 May 22 15:44 /var/empty/sshd/

jsmeix commented at 2017-10-10 13:11:¶

@schabrolles
many thanks for your careful testing!
I will have a look.

I also think SUSE seems to not being affected
because for my use case it still "just works"
with https://github.com/rear/rear/pull/1513 merged.

FYI:
Currently I am working on https://github.com/rear/rear/issues/1512

jsmeix commented at 2017-10-10 13:15:¶

@schabrolles
I need more precise information which exact directory
or directories are missing in the recovery system.

On my SLES12 system I have only

# find /var | grep sshd
/var/lib/systemd/migrated/sshd
/var/lib/sshd

schabrolles commented at 2017-10-10 13:46:¶

@jsmeix As I said previously

  (RedHat) Missing privilege separation: /var/empty/sshd/etc
  (Ubuntu) Missing privilege separation: /var/run/sshd

If I create the missing dir (chmod 711 for /var/empty/sshd/etc rhel), I can run /bin/sshd -D without error and connect to the rescue system via ssh

jsmeix commented at 2017-10-10 14:43:¶

In https://github.com/rear/rear/pull/1530 I added
https://github.com/rear/rear/pull/1530/commits/3958aa4adc6bbe297155d358f95e7bcdae0b3fc8
so that I get now in the recovery system:

# find /tmp/rear.Abflj1IRPkWj2FD/rootfs/var -ls | grep 'sshd'
141315    4 drwxr-xr-x   3 root     root         4096 Oct 10 16:38 /tmp/rear.Abflj1IRPkWj2FD/rootfs/var/empty/sshd
141316    4 drwx--x--x   2 root     root         4096 Oct 10 16:38 /tmp/rear.Abflj1IRPkWj2FD/rootfs/var/empty/sshd/etc
141317    4 drwxr-xr-x   2 root     root         4096 Oct 10 16:38 /tmp/rear.Abflj1IRPkWj2FD/rootfs/var/run/sshd

I have neither of them on SLES12 and my current code
creates them if not exists, see my comments in the code.
For me recovery with SLES12 still works.

schabrolles commented at 2017-10-10 14:57:¶

Ok, I restart non-regression test on POWER and keep you informed

schabrolles commented at 2017-10-10 18:10:¶

@jsmeix,

I tested http://github.com/jsmaix/rear
branch : empower_the_user_to_specify_what_ssh_files_get_included_in_his_recovery_system_issue1512

It is working now.

Thanks

jsmeix commented at 2017-10-11 11:55:¶

@schabrolles
many thanks for testing and confirmation.

Later I will try to find out what the root cause is
because some missing stuff in the recovery system
could indicate we have a bigger problem somewhere
(much more stuff could be accidentally missing).

jsmeix commented at 2017-10-12 13:13:¶

As far as I tried to find out what the root cause is
it is not coming from the recent changes around ssh.

I created on my SLES12 test system the directories
/var/empty/sshd/etc and /var/run/sshd

I went back to the ReaR 2.2 release, i.e. I did a

git checkout fd13be8f1bb091e1d324d35d3be527b34346a38e

back to https://github.com/rear/rear/commit/fd13be8f1bb091e1d324d35d3be527b34346a38e
and did a "rear mkrescue"
and further back to ReaR 2.1 via

git checkout fd4336609da10388a9de0c0bc927d9b3f72e2fae

back to https://github.com/rear/rear/commit/fd4336609da10388a9de0c0bc927d9b3f72e2fae
and did a "rear mkrescue"
but in neither of them I got /var/empty/sshd/etc
or /var/run/sshd in the recovery system.

I cannot find in those older git checkouts
in the code 'empty' together with 'sshd'
or 'run' together with 'sshd'.

Currently I have no idea how that ever had worked.

schabrolles commented at 2017-10-13 05:44:¶

@jsmeix I should make the test with previous ReaR version on a RHEL (where I got the issue).
I’ll do that when I will be back to the office and let you know.

jsmeix commented at 2017-10-13 07:22:¶

@schabrolles
many thanks in advance for your exhaustive testing!

jsmeix commented at 2017-10-17 13:59:¶

With https://github.com/rear/rear/pull/1530 merged
I think this issue is sufficiently fixed.

[Export of Github issue for rear/rear.]

#1529 Issue closed: Not able to connect with SSH to rescue image¶