View Issue Details

ID: 0007812
Project: CentOS-6
Category: openssh-server
View Status: public
Last Update: 2014-12-14 17:32
Reporter: lgilbert
Priority: high
Severity: block
Reproducibility: always
Status: new
Resolution: open
Platform: x86_64 VMWare
OS: CentOS
OS Version: 6.6
Product Version: 6.6
Target Version:
Fixed in Version:
Summary: 0007812: rsyslog or syslog-ng while running stop ssh access to server
Description: After updating from CentOS 6.5 to 6.6 I was unable to ssh into the server or log in from the console. I first disabled SELinux and was able to log into the server at the console but not remotely. I then tried running sshd with $(which sshd) -Ddp 10222 (an open port), same result. I then stopped rsyslog and ssh worked as normal. I re-enabled SELinux and it was still fine. I then set up syslog-ng and started it; again I could not ssh into the server. I get the following while logging is on:
"ssh_exchange_identification: Connection closed by remote host"
Tags: No tags attached.

Activities

russellsmithies

2014-11-03 00:38

reporter   ~0021513

We are seeing this behavior as well in our recent yum update from 6.5 to 6.6.
Downgrading from rsyslog-5.8.10-9.el6.x86_64 to the previous version rsyslog-5.8.10-8.el6.x86_64 still blocked sshd so perhaps it's openssh that's the problem? Old version was openssh-5.3p1-94.el6.x86_64, new one is openssh-5.3p1-104.el6.x86_64
As a workaround I've disabled rsyslog.
lgilbert

2014-11-06 21:44

reporter   ~0021576

I have discovered you can update openssh, openssl, the kernel and rsyslog with no issues. I thought at first the issue may be sssd, but the latest server I updated did not use it. I will now install one update at a time until I find the issue, as turning off system logging is not an option for us.
sreece84

2014-11-07 12:16

reporter   ~0021585

The problem is with package nss-softokn-freebl-3.14.3-17.el6.x86_64

Updating from 3.14.3-12 to 3.14.3-17 caused the ssh problems listed as well as being unable to su or log in from console with a password. If you disable the password, you are able to log in; however, the package affects the GUI panel from displaying at all. When attempting to ssh, /var/log/secure displays an error: "sshd[#####]: error: setsocket SO_KEEPALIVE: Bad file descriptor"

Turning off rsyslog is a workaround. However, I rolled back my version of nss-softokn-freebl to 3.14.3-12.el6_5.x86_64 so I could keep rsyslog enabled.
sreece84

2014-11-10 14:49

reporter   ~0021622

I am very confused about this problem. I have updated multiple servers and do not know of any differences between them; however, one works fine and two have the problem listed here.
hsanjuan

2014-11-12 11:51

reporter   ~0021642

We can confirm the issue and the workarounds above on an OpenVZ platform on clean boxes. This is effectively blocking us from using CentOS 6.6.

Shall we report it to Mozilla NSS upstream? NSS is already in the 3.17 versions though, and maybe it has been fixed (can't find anything similar in the bug reports though). I will try to allocate some time to test with a newer NSS version and report back.

Frankly, I'm quite surprised how bad this bug is, as it just makes CentOS 6.6 fully unusable at this point :(
mgiesen

2014-11-14 10:42

reporter   ~0021689

I can confirm this problem. After investigation I found out that removing the prelink package (prelink-0.4.6-3.1.el6_4) solves the problem.
russellsmithies

2014-12-08 03:23

reporter   ~0021877

Hopefully today's nss bug fix will cure it (fingers crossed)
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=28804
russellsmithies

2014-12-08 03:25

reporter   ~0021878

My mistake, this was to fix the "POODLE" issue.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
yankeepride13

2014-12-10 20:59

reporter   ~0021902

I am also seeing something similar to what you see:

http://bugs.centos.org/view.php?id=7984
onlineque

2014-12-14 17:32

reporter   ~0021946

Thanks mgiesen, you saved my life.
I can acknowledge the bug. Removing the prelink package (prelink-0.4.6-3.1.el6_4) really works around the issue.
This bug is rendering the whole box unusable.

Issue History

Date Modified Username Field Change
2014-10-31 18:11 lgilbert New Issue
2014-11-03 00:38 russellsmithies Note Added: 0021513
2014-11-06 21:44 lgilbert Note Added: 0021576
2014-11-07 12:16 sreece84 Note Added: 0021585
2014-11-10 14:49 sreece84 Note Added: 0021622
2014-11-12 11:51 hsanjuan Note Added: 0021642
2014-11-14 10:42 mgiesen Note Added: 0021689
2014-12-08 03:23 russellsmithies Note Added: 0021877
2014-12-08 03:25 russellsmithies Note Added: 0021878
2014-12-10 20:59 yankeepride13 Note Added: 0021902
2014-12-14 17:32 onlineque Note Added: 0021946