Subject: FreeBSD 11.3 openssh-portable-8.9.p1_3,1 ssh_dispatch_run_fatal: Connection Not permitted in capability mode [preauth]
From: David Gessel
Newsgroups: comp.security.ssh
Date: Thu, 28 Apr 2022 11:32 UTC
This is a cross post from https://forums.freebsd.org/threads/openssh-portable-8-9-p1_3-1-ssh_dispatch_run_fatal-connection-not-permitted-in-capability-mode-preauth.84966/

Updating openssh-portable from 8.8.p1_1,1 to 8.9.p1_3,1 broke it on my boxes. It seems to be related to Capsicum, based on the error message, but I'm not finding any obvious clues in the usual places.

FreeBSD 11.3-RELEASE-p8 #0 r360490
(Unsupported I know, but, sadly, not practical to do an OS update at this time due to being very remote)

openssh-portable options:
(X) FIDO_U2F
(X) LDNS
(X) LIBEDIT
(X) PAM
(X) TCP_WRAPPERS

Setting identical DEBUG3 for jails running 8.8 vs. 8.9, there are no differences in the setup preamble (both log "debug3: ssh_sandbox_init: preparing capsicum sandbox"), but the similarities end with "debug1: SSH2_MSG_KEXINIT sent [preauth]", and 8.9 then logs to /var/log/debug.log as it fails:
debug1: do_cleanup [preauth]
debug1: monitor_read_log: child log fd closed
debug3: mm_request_receive: entering
debug1: do_cleanup
debug1: Killing privsep child 62090

and to /var/log/auth.log
ssh_dispatch_run_fatal: Connection from ip.add.re.ss port 33492: Not permitted in capability mode [preauth]

I'm at a loss. I do not have remotely efficient hands-on should something go off the rails. I have jexec and (emergency only) telnet, so I'm not dead, but dreading the next network drop that breaks the live SSH connections I have left.
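Added example, not part of David Gessel's post or of the OpenSSH port: a FreeBSD diagnostic for pinpointing which system call the pre-auth child makes after it has entered Capsicum capability mode. On FreeBSD, ECAPMODE is errno 94 and kdump(1) renders it as "Not permitted in capability mode", the same string as in the auth.log line quoted above. The script runs a second sshd in debug mode on an alternate port under ktrace -i (so the live daemon and its remaining sessions are untouched), then filters kdump output for that errno and reports the syscall plus the last path the kernel resolved for it. The kdump lines embedded below are constructed sample data; the open("/dev/urandom") and connect() failures they show are illustrative of the output format, not a claim about what actually fails on the poster's boxes.

```sh
#!/bin/sh
# capmode.sh: find which syscall sshd's pre-auth child makes after cap_enter(2).
# Added example for illustration, not code from the original post or from OpenSSH.
# FreeBSD: errno 94 == ECAPMODE, "Not permitted in capability mode".

# trace_sshd PORT KTFILE
#   Start a throw-away sshd in debug mode (-ddd: no fork, single connection,
#   logs to stderr) on an alternate PORT under ktrace.  -i makes the trace
#   follow the forked privsep/pre-auth child, which is where cap_enter() runs.
#   Connect once from another host, let it fail, then inspect with kdump.
trace_sshd() {
    port=$1
    ktfile=$2
    ktrace -i -f "$ktfile" /usr/local/sbin/sshd -ddd -p "$port"
}

# capmode_failures
#   Read kdump(1) text on stdin.  kdump emits, per syscall, a CALL line,
#   zero or more NAMI lines (paths the kernel looked up), then a RET line:
#     <pid> <comm> CALL  open(...)
#     <pid> <comm> NAMI  "/some/path"
#     <pid> <comm> RET   open -1 errno 94 Not permitted in capability mode
#   For every RET with errno 94, print "<pid> <syscall> <path-or-dash>".
capmode_failures() {
    awk '
        $3 == "CALL" { delete path[$1] }                   # new syscall: forget old path
        $3 == "NAMI" { p = $4; gsub(/"/, "", p); path[$1] = p }
        $3 == "RET" && $6 == "errno" && $7 == "94" {
            printf "%s %s %s\n", $1, $4, (($1 in path) ? path[$1] : "-")
        }
    '
}

# Constructed sample kdump output (NOT a real trace from the poster's system):
# a parent read that succeeds, the child entering capability mode, one file
# open and one connect rejected with ECAPMODE, and a permitted getpid.
SAMPLE_KDUMP=' 62089 sshd     CALL  read(0x5,0x800c1a000,0x400)
 62089 sshd     RET   read 64/0x40
 62090 sshd     CALL  cap_enter()
 62090 sshd     RET   cap_enter 0
 62090 sshd     CALL  open(0x800abc123,0<O_RDONLY>)
 62090 sshd     NAMI  "/dev/urandom"
 62090 sshd     RET   open -1 errno 94 Not permitted in capability mode
 62090 sshd     CALL  connect(0x6,0x7fffffffe3c0,0x10)
 62090 sshd     RET   connect -1 errno 94 Not permitted in capability mode
 62090 sshd     CALL  getpid()
 62090 sshd     RET   getpid 62090/0xf29a'

# demo: run the filter over the constructed sample so the script is testable
# offline; on a real box use "kdump -f FILE | capmode.sh scan" instead.
demo() {
    printf '%s\n' "$SAMPLE_KDUMP" | capmode_failures
}

# Usage on the FreeBSD host:
#   ./capmode.sh trace 2222 /tmp/sshd.kt      (then ssh -p 2222 from elsewhere)
#   kdump -f /tmp/sshd.kt | ./capmode.sh scan
# With no argument the constructed sample is filtered as a demonstration.
case "${1:-demo}" in
    trace) trace_sshd "$2" "$3" ;;
    scan)  capmode_failures ;;
    demo)  demo ;;
esac
```

The syscall name reported next to errno 94 is the thing to search for in the OpenSSH 8.9 release notes and in the FreeBSD port's patch set; whatever that call is, it is being made after cap_enter() on this kernel and either needs a pre-opened descriptor or a newer kernel that allows it in capability mode.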

