Hi OpenSSH devs,

I noticed that openssh 7.1 does not work when compiled with dietlibc. It does build properly, and sshd runs and accepts connections, but every connection attempt immediately fails.

The root cause is that dietlibc implements some OpenBSD interfaces (getentropy and arc4random) so openssh can use the new getrandom syscall that Linux provides. OpenSSH configure detects those APIs and uses them, but the seccomp filter sandbox code does not yet allow the getrandom syscall.

Here's the trivial patch that makes it work:

diff -ur openssh-7.1p1/sandbox-seccomp-filter.c openssh-7.1p1-fefe/sandbox-seccomp-filter.c --- openssh-7.1p1/sandbox-seccomp-filter.c 2015-08-21 06:49:03.000000000 +0200 +++ openssh-7.1p1-fefe/sandbox-seccomp-filter.c 2015-09-09 14:51:04.071681323 +0200 @@ -198,6 +198,9 @@ #ifdef __NR_socketcall SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN), #endif +#ifdef __NR_getrandom + SC_ALLOW(getrandom), +#endif /* Default deny */ BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),

Since this syscall will also be needed when the compat code for glibc is updated, I see no obvious downside in applying this patch now.

Thanks,

Felix
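
Review bot: the new `#ifdef __NR_getrandom` / `SC_ALLOW(getrandom),` entry, placed just before the `/* Default deny */` rule, carries no comment saying why the sandboxed process needs this syscall. A one-line comment that the libc's getentropy/arc4random may call getrandom would help anyone later auditing the allow-list. Also, because the rule is compiled in only when the build headers define `__NR_getrandom`, a build against headers that lack the definition silently omits it and the call falls through to `SECCOMP_FILTER_FAIL`; that dependency is worth stating in the commit message.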