From: Peter Seiderer <ps.report@gmx.net>
To: Steve <sleepy_dog@gmx.de>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] openssh - kernel messages upon connection attempts (always ending with "connection reset" at the other end)
Date: Wed, 20 Oct 2021 18:53:04 +0200
Message-ID: <20211020185304.60af9ff8@gmx.net>
In-Reply-To: <trinity-09b27e65-87f1-4757-866e-d1edf67f30e9-1634737088797@3c-app-gmx-bap28>

Hello Steve,

On Wed, 20 Oct 2021 15:38:08 +0200, Steve <sleepy_dog@gmx.de> wrote:
>
> > This comes from SELinux. However, the raspberrypi3_defconfig enables AppArmor, not SELinux (and AFAIK AppArmor doesn't give messages like this). So somehow you did something weird there...
>
> > Anyway, the problem is that your AppArmor or SELinux setup is not correct to allow sshd.
>
> Ok, I was not aware I need to do any setup of those things beyond selecting them in menuconfig.
> Need to look into that.
> Any quick pointers?
>
> All I did after running raspberrypi3_defconfig was to select a bunch of extra packages.
> To the aforementioned openssh, openvpn, nano, htop; also add gdb, gdbserver.
> I also set things to external toolchain (the ARM 2021 GCC chain that was offered).

This is maybe a known feature/bug of the combination of openssh and (some) external
toolchains, see [1] for discussion, patch/hack to avoid the problem and/or
the hint to use another/internal toolchain..., or use dropbear instead of openssh...

Regards,
Peter

> In linux-menuconfig, I removed a lot of USB drivers I don't need, set stuff to gadget-only mode (I'm actually using a CM3+ module, no regular raspi3), and set DWC2 to load, stuff like that.
> That's basically about it.
> Since I don't know yet how to do that within buildroot, I then run a script to mount the 2 internal partitions within sdcard.img, overwrite the cmdline.txt and config.txt files in the boot partition with mine (which do some UART pin remap and things like that; no change of other behavior),
> and to the ext4 partition, the /root folder gets 2 of my custom executables copied into, the /etc/init.d folder gets an extra script calling one of those executables.
> Then sync, umount, compress to 7z; and that's what I put on my raspi module.
> From the log I see that my custom stuff gets executed as supposed, i.e. it is not (forever) blocking any of the other init.d stuff or something like that.
>
> I'm not aware of changes to the default behavior of things except the mentioned adding of packages and script.
> In case I selected anything else in menuconfig which may have weird requirements, menuconfig would have told me so, I guess? (I have seen some warning about something a while back, I added in a requirement after finding the magic "show other packages" option or some such, and it stopped complaining)
>
>
>
> From: "Arnout Vandecappelle" <arnout@mind.be>
>
> On 20/10/2021 13:36, Steve wrote:
> > Hello all,
> >
> > I recently downloaded buildroot and used the default config for RaspberryPi3,
> > altered to add openssh, among a couple other things.
> > (no idea whether that matters, I am using a USB connection from the raspi
> > running g_cdc driver (ethernet + serial gadget), and am trying to ssh into it
> > from the USB host computer the raspi is plugged into)
> >
> > I have found that root ssh'ing into the machine is off by default. So I altered
> > the sshd_config to, for now, say yes to PermitRootLogin. (I'll look into how to
> > add a non-root user later - but this here *should* normally work, right? Unless
> > something is broken)
> > Still, on the computer that tries to SSH into the buildroot raspi, I get
> > "connection reset" immediately.
> >
> > There is a kernel message for each such attempt:
> > "audit: type=1326 audit (time...) auid=... uid=1000 gid=1000 ses=... pid=...
> > comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=40000028 syscall=413 compat=0
> > ip=... code=0x0"
>
> This comes from SELinux. However, the raspberrypi3_defconfig enables AppArmor,
> not SELinux (and AFAIK AppArmor doesn't give messages like this). So somehow you
> did something weird there...
>
> Anyway, the problem is that your AppArmor or SELinux setup is not correct to
> allow sshd.
>
> The htop problem might be the same.
>
> Regards,
> Arnout
>
> >
> > (the dots replace numbers I guess are pointless to type)
> >
> > I searched a bit around and found threads in forums with similar seeming
> > problems but somewhat different numbers in the message, claims of some problem
> > with this stuff and libc6 and linux versions prior to 5.1, well if I "uname -a"
> > here, it says "5.10.46-v7", I guess that one should not have *that* problem,
> > unless it has nothing to do with that.
> >
> > Any ideas?
> >
> > _______________________________________________
> > buildroot mailing list
> > buildroot@buildroot.org
> > https://lists.buildroot.org/mailman/listinfo/buildroot
> >
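
Added example, not part of the original message and not code from Buildroot or OpenSSH: a small decoder for the kind of kernel audit record quoted in the thread. Audit type 1326 is the seccomp record type (`AUDIT_SECCOMP` in `linux/audit.h`), `sig=31` is SIGSYS, and the syscall number has to be read against the table of the logged `arch`. The sample lines (timestamps, pids, addresses, the AppArmor line) are constructed, and the syscall table is a partial one.

```python
import re

AUDIT_SECCOMP = 1326  # linux/audit.h: record written when a seccomp filter acts
SIGNALS = {31: "SIGSYS"}  # signal delivered when a filter kills or traps
AUDIT_ARCH = {0x40000028: "AUDIT_ARCH_ARM", 0xC000003E: "AUDIT_ARCH_X86_64"}
# Partial 32-bit ARM syscall table: a few of the time64 calls added in Linux 5.1.
ARM_SYSCALLS = {403: "clock_gettime64", 407: "clock_nanosleep_time64",
                413: "pselect6_time64", 414: "ppoll_time64", 422: "futex_time64"}
# Seccomp filter return actions (upper 16 bits of the logged code).
SECCOMP_ACTIONS = {0x00000000: "SECCOMP_RET_KILL_THREAD",
                   0x80000000: "SECCOMP_RET_KILL_PROCESS",
                   0x00030000: "SECCOMP_RET_TRAP",
                   0x7FFC0000: "SECCOMP_RET_LOG"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_seccomp_record(line):
    """Decode a type=1326 audit line; None if it is not a complete seccomp record."""
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    if fields.get("type") != str(AUDIT_SECCOMP):
        return None
    try:
        arch = int(fields["arch"], 16)   # logged as hex without a 0x prefix
        nr = int(fields["syscall"])      # decimal, meaningful only per arch
        sig = int(fields["sig"])
        code = int(fields["code"], 16)
    except (KeyError, ValueError):
        return None                      # truncated or malformed record
    if arch == 0x40000028:
        name = ARM_SYSCALLS.get(nr, f"unknown ARM syscall {nr}")
    else:
        name = f"syscall {nr} (no table for this arch)"
    return {"exe": fields.get("exe"),
            "signal": SIGNALS.get(sig, f"signal {sig}"),
            "arch": AUDIT_ARCH.get(arch, f"unknown arch {arch:#x}"),
            "syscall": name,
            "action": SECCOMP_ACTIONS.get(code & 0xFFFF0000, f"action {code:#x}")}

# Constructed sample lines: a seccomp record shaped like the one in the thread,
# and an AppArmor denial (type=1400) for contrast.
SAMPLE_LINES = [
    'audit: type=1326 audit(1634730000.123:45): auid=4294967295 uid=1000 gid=1000 '
    'ses=4294967295 pid=312 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=40000028 '
    'syscall=413 compat=0 ip=0x76e1a2b4 code=0x0',
    'audit: type=1400 audit(1634730001.456:46): apparmor="DENIED" operation="open" '
    'profile="example" name="/etc/example" pid=400 comm="example"',
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(decode_seccomp_record(sample))
```

In a record of this type the blocked call is the one in the `syscall` field, so the place to look is the seccomp filter applied to the process named in `exe`.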