Sshd bug with 0.13b+DO?

Hi @JoshData,

thanks a lot for miab, great project.

I’ve successfully installed two boxes already with DO, but I’ve been hit by a bug.

With the latest DO Ubuntu 14.04, and miab 0.13b, system checks are broken and restarting sshd makes it completely unavailable.

Looking into /var/log/syslog, I’ve found this:

Sep  8 03:23:03 box kernel: [ 1332.623212] [UFW BLOCK] IN=eth0 OUT= MAC=04:01:6d:2e:dd:01:28:8a:1c:64:cb:f0:08:00 SRC=222.186.56.133 DST=178.62.152.234 LEN=40 TOS=0x00 PREC=0x00 TTL=104 ID=256 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0 
Sep  8 03:25:01 box CRON[18594]: (root) CMD (if [ -x /etc/munin/plugins/apt_all ]; then munin-run apt_all update 7200 12 >/dev/null; elif [ -x /etc/munin/plugins/apt ]; then munin-run apt update 7200 12 >/dev/null; fi)
Sep  8 03:25:01 box CRON[18595]: (munin) CMD (if [ -x /usr/bin/munin-cron ]; then /usr/bin/munin-cron; fi)
Sep  8 03:25:08 box named[16115]: error (connection refused) resolving '232.131.53.161.in-addr.arpa/PTR/IN': 161.53.22.24#53
Sep  8 03:25:40 box postfix/anvil[18493]: statistics: max connection rate 1/60s for (submission:178.62.152.234) at Sep  8 03:22:20
Sep  8 03:25:40 box postfix/anvil[18493]: statistics: max connection count 1 for (submission:178.62.152.234) at Sep  8 03:22:20
Sep  8 03:25:40 box postfix/anvil[18493]: statistics: max cache size 2 at Sep  8 03:22:20
Sep  8 03:25:56 box Exception on /system/status [POST]
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/flask/app.py", line 1817, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/lib/python3/dist-packages/flask/app.py", line 1477, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/lib/python3/dist-packages/flask/app.py", line 1381, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/lib/python3/dist-packages/flask/_compat.py", line 33, in reraise
    raise value
  File "/usr/lib/python3/dist-packages/flask/app.py", line 1475, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/lib/python3/dist-packages/flask/app.py", line 1461, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/usr/local/bin/mailinabox-daemon", line 49, in newview
    return viewfunc(*args, **kwargs)
  File "/usr/local/bin/mailinabox-daemon", line 386, in system_status
    run_checks(False, env, output, pool)
  File "/root/mailinabox/management/status_checks.py", line 26, in run_checks
    if not run_services_checks(env, output, pool):
  File "/root/mailinabox/management/status_checks.py", line 78, in run_services_checks
    { "name": "SSH Login (ssh)", "port": get_ssh_port(), "public": True, },
  File "/root/mailinabox/management/status_checks.py", line 47, in get_ssh_port
    output = shell('check_output', ['sshd', '-T'])
  File "/root/mailinabox/management/utils.py", line 169, in shell
    ret = getattr(subprocess, method)(cmd_args, **kwargs)
  File "/usr/lib/python3.4/subprocess.py", line 616, in check_output
    raise CalledProcessError(retcode, process.args, output=output)
subprocess.CalledProcessError: Command '['sshd', '-T']' returned non-zero exit status 255

Also, on box.xxx.xyz/admin, I’ve noticed that Custom DNS can only be set for xxx.xyz, not box.xxx.xyz, which prevents the DNS validation step for the certificate with gandi.net.

Any idea what could be wrong here?

Steps to reproduce the bug are these:

  • create a DO droplet
  • install as per setup instructions
  • notice the system checks error
  • restart sshd (to prevent password auth.)
  • logout
  • notice you cannot log back in.

Thanks in advance,

The error is that sshd -T isn’t working. Can you run that and see what happens?

I’ve noticed that Custom DNS can only be set for xxx.xyz, not box.xxx.xyz, which prevents the DNS validation step for the certificate with gandi.net.

You can’t set an A/CNAME record on box... itself, but DNS validation shouldn’t require that. Subdomains should work fine. If you’re saying it can’t be entered into the form… just put “subdomain.box” in the input field.

Thanks for replying.

I don’t have any access to the machine right now, because sshd is down.

I asked DO to reset the password to log in without a password, but I didn’t receive the new password, because my DO email is not working (yes, it’s a mess.)

I will let you know when I have access again.

PS: I was able to reproduce the problem on two other DO droplets.

Sorry I misunderstood. If you locked yourself out of your box, then your problem is that you misconfigured SSH! Nothing to do with Mail-in-a-Box. We don’t touch SSH for precisely this reason.

I only updated /etc/ssh/sshd_config by adding PasswordAuthentication no and then restarted the sshd daemon, then got locked out without knowing why.

This happened twice, once on a bare DO droplet, another time on a droplet where I did apt-get update && apt-get upgrade before installing miab through the usual curl command.

I will try again and report if I can find more useful information.

You can’t do that unless you have created, enabled and tested (twice) your keys for your root user before finally setting PasswordAuthentication = No in /etc/ssh/sshd_config.
If you don’t know how to do it, this tutorial may be of help: How To Set Up SSH Keys
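The two pieces of advice in this thread, wired together as an added example (this is not code from the thread, from Mail-in-a-Box, or from the tutorial linked above): validate the config with `sshd -t` before touching it, refuse to turn password authentication off unless root already has a public key in authorized_keys, place the directive where sshd will actually honour it, and read the effective port from `sshd -T` the way the box's status check does, except that a non-zero exit status falls back to port 22 instead of taking the whole status page down as in the traceback earlier in the thread. The file paths, the assumption that `sshd -t` / `sshd -T` behave as they do in OpenSSH, and the sample config and keys used for testing are all assumptions of the example.

```python
#!/usr/bin/env python3
"""Added example, not Mail-in-a-Box code: guard the 'disable password auth' step.

Assumptions (hypothetical, not from the thread): sshd_config lives at
/etc/ssh/sshd_config, root's keys at /root/.ssh/authorized_keys, and
`sshd -t` / `sshd -T` validate and dump the effective config as OpenSSH does.
"""
import re
import shutil
import subprocess
from pathlib import Path
from typing import Optional

SSHD_CONFIG = Path("/etc/ssh/sshd_config")          # assumed location
AUTHORIZED_KEYS = Path("/root/.ssh/authorized_keys")  # assumed location


def option_from_dump(dump: str, keyword: str) -> Optional[str]:
    """Read one keyword from `sshd -T` output ("port 22", "passwordauthentication yes")."""
    for line in dump.splitlines():
        parts = line.split()
        if parts and parts[0].lower() == keyword.lower():
            return parts[1] if len(parts) > 1 else ""
    return None


def get_ssh_port(dump_cmd=("sshd", "-T")) -> int:
    """Like the box's get_ssh_port, but a broken config or a missing sshd binary
    degrades to the default port instead of raising CalledProcessError."""
    try:
        dump = subprocess.check_output(dump_cmd, stderr=subprocess.DEVNULL, text=True)
    except (subprocess.CalledProcessError, FileNotFoundError):
        return 22
    port = option_from_dump(dump, "port")
    return int(port) if port and port.isdigit() else 22


# A key line may carry options first ("no-pty ssh-ed25519 AAAA... user@host").
KEY_RE = re.compile(
    r"(^|\s)(ssh-(ed25519|rsa|dss)|ecdsa-sha2-nistp(256|384|521)|sk-[\w.@-]+)\s+[A-Za-z0-9+/]+=*"
)


def has_authorized_key(path: Path) -> bool:
    """True when the file holds at least one real public key; blanks and comments don't count."""
    if not path.is_file():
        return False
    for line in path.read_text().splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#") and KEY_RE.search(stripped):
            return True
    return False


DIRECTIVE_RE = re.compile(r"^\s*#?\s*PasswordAuthentication(\s|$)", re.IGNORECASE)


def disable_password_auth(config: Path) -> Path:
    """Rewrite config so PasswordAuthentication is 'no'; returns the backup path.

    sshd keeps the first value it sees for a keyword, and every line after a
    `Match` line belongs to that block, so the directive goes at the very top
    (ahead of any Include) and all other copies, commented or not, are dropped.
    """
    backup = config.with_name(config.name + ".bak")
    shutil.copy2(config, backup)
    kept = [l for l in config.read_text().splitlines() if not DIRECTIVE_RE.match(l)]
    config.write_text("PasswordAuthentication no\n" + "\n".join(kept) + "\n")
    return backup


def config_is_valid() -> bool:
    """`sshd -t` exits non-zero when sshd_config does not parse (the thread saw 255 from -T)."""
    return subprocess.run(["sshd", "-t"], stderr=subprocess.DEVNULL).returncode == 0


def main() -> None:
    if not config_is_valid():
        raise SystemExit("sshd_config does not parse; fix it before changing anything")
    if not has_authorized_key(AUTHORIZED_KEYS):
        raise SystemExit(f"no public key in {AUTHORIZED_KEYS}; add one and test a key login first")
    backup = disable_password_auth(SSHD_CONFIG)
    if not config_is_valid():
        shutil.move(str(backup), str(SSHD_CONFIG))
        raise SystemExit("edited config fails sshd -t; original restored")
    dump = subprocess.check_output(["sshd", "-T"], text=True)
    print("effective port:", get_ssh_port())
    print("effective PasswordAuthentication:", option_from_dump(dump, "passwordauthentication"))
    print("keep this session open, confirm a key login from a SECOND session, then: service ssh reload")


if __name__ == "__main__":
    main()
```

Run it as root on the box with the session you are already in left open; it only edits the file and tells you to reload once a second, key-based session has succeeded. Reloading rather than restarting keeps the current connection alive, and the `.bak` copy is the way back if the new config is wrong.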

Thanks - I think I nailed down the problem: I installed Emacs on both machines, thinking there would be no conflict. When I don’t install Emacs, ssh is not broken and miab is fine.

Sorry for the noise.