SSH service fails to start on port 22 after some irregular behavior

StrikeAgainst · 13. Februar 2023

Some context that might or might not be helpful:

I've been setting up a docker container with a wireguard client which I wanted to send some containers' internet traffic through, my apache web server container amongst others. To set up the IP routing rules, I first had to install iproute2 on the container - not via Dockerfile yet, but on the running container, for testing purposes. During the installation process though there was some strange, unexpected occurrence where the terminal completely froze and all other services (DNS, nginx,...) - mostly running on containers - failed to respond for several minutes. Only after killing the PuTTY terminal the situation normalized - not sure though if this is just timing coincidence though. I have no idea what actually caused this stuckup, I had installed iproute2 on containers before without any issue. IIRC the stuckup happened while the libpam-cap package was being set up.

Now after everything seemed to be back up running stably, I tried to spin up that wireguard client container that I already had spun up several times with its configuration unchanged. While starting the container, the exact same occurence happened again: Terminal freezing, services failing to respond... this time waiting for some time or killing the terminal didn't make a difference. Connecting to the OMV web GUI was loading very slow, and any login attempts did fail with a timeout. As I had no way to communicate with my NAS now - forgetting I could just have tried to hook up screen and keyboard to the device itself - I plugged out the network cable, hoping to trigger some timeout which might bring the system back up again. Instead after a few seconds, the NAS signalled through beeps that it ungracefully rebooted itself.

The current problem:

Now the result of all of this hassle for some reason is that connecting via SSH on port 22 won't work anymore. After some research I found that I still could connect if I changed the port to some different one on the web GUI, but not without triggering some error first which goes like "Failed to execute command 'export... - I'm assuming some logging process is failing here, the GUI keeps informing me about pending configuration changes since. I think the relevant part of this log correctly formatted looks like this though:

Code

----------
          ID: configure_sshd_config
    Function: file.managed
        Name: /etc/ssh/sshd_config
      Result: True
     Comment: File /etc/ssh/sshd_config updated
     Started: 06:18:04.375249
    Duration: 120.635 ms
     Changes:
              ----------
              diff:
                  ---
                  +++
                  @@ -23,7 +23,7 @@
                   UsePAM yes
                   AllowGroups root ssh
                   AddressFamily any
                  -Port 22
                  +Port 26
                   PermitRootLogin yes
                   AllowTcpForwarding no
                   Compression no
----------
          ID: divert_sshd_config
    Function: omv_dpkg.divert_add
        Name: /etc/ssh/sshd_config
      Result: True
     Comment: Leaving 'local diversion of /etc/ssh/sshd_config to /etc/ssh/sshd_config.distrib'
     Started: 06:18:04.497091
    Duration: 22.644 ms
     Changes:
----------
          ID: test_sshd_config
    Function: cmd.run
        Name: sshd -t
      Result: False
     Comment: Command \"sshd -t\" run
     Started: 06:18:04.522577
    Duration: 34.569 ms
     Changes:
              ----------
              pid:
                  78972
              retcode:
                  255
              stderr:
                  Missing privilege separation directory: /run/sshd
              stdout:
----------
          ID: start_ssh_service
    Function: service.running
        Name: ssh
      Result: True
     Comment: Service ssh is already enabled, and is running
     Started: 06:18:04.604062
    Duration: 238.338 ms
     Changes:
              ----------
              ssh:
                  True

Summary for debian
------------
Succeeded: 7 (changed=7)
Failed:    1
------------

Alles anzeigen

So running sshd -t throws the error Missing privilege separation directory: /run/sshd, but the SSH service start just fine.

On the other hand, if I switch the SSH port back to 22, another error comes up, this time like this:

Code

----------
          ID: configure_sshd_config
    Function: file.managed
        Name: /etc/ssh/sshd_config
      Result: True
     Comment: File /etc/ssh/sshd_config updated
     Started: 06:09:04.432631
    Duration: 122.287 ms
     Changes:
              ----------
              diff:
                  ---
                  +++
                  @@ -23,7 +23,7 @@
                   UsePAM yes
                   AllowGroups root ssh
                   AddressFamily any
                  -Port 26
                  +Port 22
                   PermitRootLogin yes
                   AllowTcpForwarding no
                   Compression no
----------
          ID: divert_sshd_config
    Function: omv_dpkg.divert_add
        Name: /etc/ssh/sshd_config
      Result: True
     Comment: Leaving 'local diversion of /etc/ssh/sshd_config to /etc/ssh/sshd_config.distrib'
     Started: 06:09:04.556140
    Duration: 23.328 ms
     Changes:
----------
          ID: test_sshd_config
    Function: cmd.run
        Name: sshd -t
      Result: True
     Comment: Command \"sshd -t\" run
     Started: 06:09:04.582858
    Duration: 36.385 ms
     Changes:
              ----------
              pid:
                  74176
              retcode:
                  0
              stderr:
              stdout:
----------
          ID: start_ssh_service
    Function: service.running
        Name: ssh
      Result: False
     Comment: Job for ssh.service failed because the control process exited with error code.
              See \"systemctl status ssh.service\" and \"journalctl -xe\" for details.
     Started: 06:09:04.729608
    Duration: 3059.629 ms
     Changes:

Summary for debian
------------
Succeeded: 7 (changed=6)
Failed:    1
------------

Alles anzeigen

This time, sshd -t is silent, but starting the SSH service fails.

Now that I finally got the idea to hook up to the NAS directly to check on that condition when I cannot connect via SSH, sshd -t and systemctl status ssh.service provide me this:

... which is not saying a lot. journalctl -xe's output is very verbose, but doesn't seem to have any hint either - grepping for ssh gives me nothing. Trying to start SSH gives me the same error as in the log above.

Now while I could deal with SSH no longer running through port 22, this whole situation seems rather spooky to me and I fear that I might run into further issues down the road, given the premise that lead to this issue. That's why I'd like to evaluate what could have caused all of this havoc and what I can do to fix and prevent issues like this in the future. So... does anyone have a clue what is up with all that? Are there any logs I should check for further information? (Still kind of a novice to OMV and Linux in general, so please bare with me.)

NAS model: Terramaster F2-221 (Intel Celeron J3355)

OMV version: 6.3.0-2 (Shaitan) (the latest one to date)

I set up this NAS about 6 weeks ago, so the system is still kind of fresh.

Any help is greatly appreciated!

PP88PP · 13. Februar 2023

According to https://askubuntu.com/a/1110843 ,try

sudo crontab -e and add the following entry:

@reboot mkdir -p -m0755 /var/run/sshd && systemctl restart ssh.service

to fix "Missing privilege separation directory: /run/sshd"

ryecoaaron · 13. Februar 2023

Zitat von PP88PP

According to https://askubuntu.com/a/1110843 ,try
sudo crontab -e and add the following entry:
@reboot mkdir -p -m0755 /var/run/sshd && systemctl restart ssh.service
to fix "Missing privilege separation directory: /run/sshd"

This isn't a fix. I do not recommend doing this.

Zitat von StrikeAgainst

does anyone have a clue what is up with all that?

Are you using the flashmemory plugin?

PP88PP · 13. Februar 2023

Zitat von ryecoaaron

This isn't a fix. I do not recommend doing this.

I know that, but I tried all methods from ChatGPT, not work. This directory should be created when bootup and make sshd service run successfully. I don't know why it didn't be created automaticlly. But it is just a softlink folder, I think creat it manully won't harm anything.

Although I can ssh to OMV machine without do this, sshd server not running will lead SSH in OMV panel turn red. It's not a solution, just help sshd server run.

ryecoaaron · 13. Februar 2023

Zitat von PP88PP

I know that, but I tried all methods from ChatGPT, not work. This directory should be created when bootup and make sshd service run successfully. I don't know why it didn't be created automaticlly. But it is just a softlink folder, I think creat it manully won't harm anything.
Although I can ssh to OMV machine without do this, sshd server not running will lead SSH in OMV panel turn red. It's not a solution, just help sshd server run.

I understand that it can get it running but I have ideas on why it is broken. If flashmemory is installed, it could be breaking it. Using folder2ram -syncall could possibly fix the problem with no hack. ChatGPT is neat but shouldn't be used to fix these things because you can't supply it with enough information.

StrikeAgainst · 13. Februar 2023

Zitat von PP88PP

According to https://askubuntu.com/a/1110843 ,try
sudo crontab -e and add the following entry:
@reboot mkdir -p -m0755 /var/run/sshd && systemctl restart ssh.service
to fix "Missing privilege separation directory: /run/sshd"

I am aware of this, but I'm not trying this out because:

1. This doesn't quite seem to be the source of the problem since SSH still works with other ports. The problem has to be port specific.

2. I'm not going to meddle with any inner workings that OMV is already dealing with - already had a hard time finding that out when I missed the DNS field in the interface configuration and tried to set up the resolve configuration manually....

Zitat von ryecoaaron

Are you using the flashmemory plugin?

I have flashmemory 6.2 installed, although I'm not sure why it is, I cannot remember doing it manually.

Zitat von ryecoaaron

I understand that it can get it running but I have ideas on why it is broken. If flashmemory is installed, it could be breaking it. Using folder2ram -syncall could possibly fix the problem with no hack.

I ran Sync All via the Web GUI but the problem still persists.

ryecoaaron · 13. Februar 2023

Zitat von StrikeAgainst

I have flashmemory 6.2 installed, although I'm not sure why it is, I cannot remember doing it manually.

You must have used the install script and not specified the skip flashmemory flag.

Zitat von StrikeAgainst

I ran Sync All via the Web GUI but the problem still persists.

You could make sure the directory exists after removing the flashmemory plugin and see if that helps.

I would also like to see the output of: systemctl cat ssh

StrikeAgainst · 13. Februar 2023

Zitat von ryecoaaron

I would also like to see the output of: systemctl cat ssh

As of now, on port 22:

Zitat von ryecoaaron

You could make sure the directory exists after removing the flashmemory plugin and see if that helps.

I removed the plugin but it doesn't seem to have any effect. What exactly do you mean by "making sure the directory exists", should I try to create it manually whatsoever? It's not there yet, and sshd -t still provides the usual error.

ryecoaaron · 13. Februar 2023

Zitat von StrikeAgainst

What exactly do you mean by "making sure the directory exists", should I try to create it manually whatsoever?

I meant make sure /run/sshd exists if removing the plugin because that would tell you if the plugin was deleting it.

The RuntimeDirectory parameter in the ssh unit file should be creating the directory when the ssh service is started.

What is the output of:

cat /etc/default/ssh

grep -vE "docker|overlay" /proc/mounts

sudo journalctl -u ssh | tail -n100

grep -r ssh /usr/lib/tmpfiles.d/*

StrikeAgainst · 13. Februar 2023

Zitat von ryecoaaron

I meant make sure /run/sshd exists if removing the plugin because that would tell you if the plugin was deleting it.

Ah my bad, misunderstood you then. Might it help to reinstall the plugin and try again?

Zitat von ryecoaaron

What is the output of:

cat /etc/default/ssh

grep -vE "docker|overlay" /proc/mounts

sudo journalctl -u ssh | tail -n100

It seems like port 22 is already in use? How could that be?

grep -r ssh /usr/lib/tmpfiles.d/* returns nothing.

EDIT: So I checked via netstat -ltnp if something was using port 22, which turned out to be SSH itself already (?). Then via GUI I changed the port from 22 back to 26 one more time, and suddenly I'm not only able to log back in via port 22, but also port 26 as well. Both netstat -ltnp and lsof now list both ports as being listened on by different SSH processes.

Could I just run kill 879, or should I handle this via OMV somehow?

ryecoaaron · 14. Februar 2023

Zitat von StrikeAgainst

should I handle this via OMV somehow?

You are doing so many things from the command line that I wouldn't try to use ssh. Just kill the PIDs.

The only thing I see is a very small tmpfs for /run. How much ram does your system have? What about:

sudo mkdir /run/sshd

sudo chmod 0755 /run/sshd

sudo systemctl start ssh

sudo systemctl stop ssh

Then I would reboot and see if /run/sshd exists.

StrikeAgainst · 14. Februar 2023

My NAS has about 2GB of RAM.

So I killed both SSH PIDs, created the directory like you said, and after a reboot it is still there. But now there's again two SSH instances running on port 22 and 26. Maybe one service has somehow decoupled itself from OMV?

ryecoaaron · 14. Februar 2023

Zitat von StrikeAgainst

But now there's again two SSH instances running on port 22 and 26. Maybe one service has somehow decoupled itself from OMV?

Not knowing exactly what you have done from the command line, it is hard to say. OMV's saltstack code can only configure one instance in /etc/ssh/sshd_config. So, not sure what is starting your second instance.

StrikeAgainst · 14. Februar 2023

Not that I know either, I haven't tampered with any SSH related settings from the command line before this issue first came up. So is there no way to retrace whatever is launching the second instance on bootup?

ryecoaaron · 15. Februar 2023

Zitat von StrikeAgainst

So is there no way to retrace whatever is launching the second instance on bootup?

Sure there is but somethings I could do in minutes take hours in back and forth on forum posts.

What is the output of:

ls -al /etc/ssh/

cat /etc/ssh/sshd_config

sudo omv-salt deploy run ssh

systemctl list-units | grep ssh

ps aux | grep ssh

StrikeAgainst · 15. Februar 2023

ls -al /etc/ssh/

Code

total 632
drwxr-xr-x   4 root root   4096 Feb 14 00:48 .
drwxr-xr-x 100 root root   4096 Feb 14 04:59 ..
-rw-r--r--   1 root root 577771 Mar 13  2021 moduli
-rw-r--r--   1 root root    794 Jan 31 20:32 omv_sftp_config
-rw-r--r--   1 root root   1650 Mar 13  2021 ssh_config
drwxr-xr-x   2 root root   4096 Mar 13  2021 ssh_config.d
-rw-r--r--   1 root root    861 Feb 14 00:48 sshd_config
drwxr-xr-x   2 root root   4096 Mar 13  2021 sshd_config.d
-rw-r--r--   1 root root   3274 Dec 15 23:17 sshd_config.distrib
-rw-------   1 root root   1373 Dec 15 23:17 ssh_host_dsa_key
-rw-r--r--   1 root root    599 Dec 15 23:17 ssh_host_dsa_key.pub
-rw-------   1 root root    505 Dec 15 23:17 ssh_host_ecdsa_key
-rw-r--r--   1 root root    171 Dec 15 23:17 ssh_host_ecdsa_key.pub
-rw-------   1 root root    399 Dec 15 23:17 ssh_host_ed25519_key
-rw-r--r--   1 root root     91 Dec 15 23:17 ssh_host_ed25519_key.pub
-rw-------   1 root root   2590 Dec 15 23:17 ssh_host_rsa_key
-rw-r--r--   1 root root    563 Dec 15 23:17 ssh_host_rsa_key.pub

Alles anzeigen

cat /etc/ssh/sshd_config

Code

# This file is auto-generated by openmediavault (https://www.openmediavault.org)
# WARNING: Do not edit this file, your changes will get lost.

Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
StrictModes yes
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
AllowGroups root ssh
AddressFamily any
Port 26
PermitRootLogin yes
AllowTcpForwarding no
Compression no
PasswordAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 /var/lib/openmediavault/ssh/authorized_keys/%u
PubkeyAuthentication yes

Alles anzeigen

sudo omv-salt deploy run ssh (redacted some user info there with [R])

Code

debian:
----------
          ID: remove_ssh_authorized_keys
    Function: file.directory
        Name: /var/lib/openmediavault/ssh/authorized_keys
      Result: True
     Comment: Files cleaned from directory /var/lib/openmediavault/ssh/authorized_keys
     Started: 21:55:36.976178
    Duration: 5.295 ms
     Changes:
              ----------
              /var/lib/openmediavault/ssh/authorized_keys/[R]:
                  ----------
                  removed:
                      Removed due to clean
              /var/lib/openmediavault/ssh/authorized_keys/[R]:
                  ----------
                  removed:
                      Removed due to clean
              /var/lib/openmediavault/ssh/authorized_keys/appuser:
                  ----------
                  removed:
                      Removed due to clean
              removed:
                  - /var/lib/openmediavault/ssh/authorized_keys/appuser
                  - /var/lib/openmediavault/ssh/authorized_keys/[R]
                  - /var/lib/openmediavault/ssh/authorized_keys/[R]
----------
          ID: create_ssh_authorized_key_file_[R]
    Function: file.managed
        Name: /var/lib/openmediavault/ssh/authorized_keys/[R]
      Result: True
     Comment: File /var/lib/openmediavault/ssh/authorized_keys/[R] updated
     Started: 21:55:36.981760
    Duration: 10.373 ms
     Changes:
              ----------
              diff:
                  New file
              user:
                  [R]
----------
          ID: create_ssh_authorized_key_file_appuser
    Function: file.managed
        Name: /var/lib/openmediavault/ssh/authorized_keys/appuser
      Result: True
     Comment: File /var/lib/openmediavault/ssh/authorized_keys/appuser updated
     Started: 21:55:36.992405
    Duration: 5.549 ms
     Changes:
              ----------
              diff:
                  New file
              user:
                  appuser
----------
          ID: create_ssh_authorized_key_file_[R]
    Function: file.managed
        Name: /var/lib/openmediavault/ssh/authorized_keys/[R]
      Result: True
     Comment: File /var/lib/openmediavault/ssh/authorized_keys/[R] updated
     Started: 21:55:36.998220
    Duration: 5.721 ms
     Changes:
              ----------
              diff:
                  New file
              user:
                  [R]
----------
          ID: configure_sshd_config
    Function: file.managed
        Name: /etc/ssh/sshd_config
      Result: True
     Comment: File /etc/ssh/sshd_config is in the correct state
     Started: 21:55:37.004213
    Duration: 116.917 ms
     Changes:
----------
          ID: divert_sshd_config
    Function: omv_dpkg.divert_add
        Name: /etc/ssh/sshd_config
      Result: True
     Comment: Leaving 'local diversion of /etc/ssh/sshd_config to /etc/ssh/sshd_config.distrib'
     Started: 21:55:37.122772
    Duration: 78.336 ms
     Changes:
----------
          ID: test_sshd_config
    Function: cmd.run
        Name: sshd -t
      Result: True
     Comment: Command "sshd -t" run
     Started: 21:55:37.206084
    Duration: 46.263 ms
     Changes:
              ----------
              pid:
                  659266
              retcode:
                  0
              stderr:
              stdout:
----------
          ID: start_ssh_service
    Function: service.running
        Name: ssh
      Result: True
     Comment: The service ssh is already running
     Started: 21:55:37.330331
    Duration: 78.627 ms
     Changes:

Summary for debian
------------
Succeeded: 8 (changed=5)
Failed:    0
------------
Total states run:     8
Total run time: 347.081 ms

Alles anzeigen

systemctl list-units | grep ssh

Code

  ssh.service                                                                                                                          loaded active running   OpenBSD Secure Shell server

ps aux | grep ssh

Code

root         589  0.0  0.1  13360  2836 ?        Ss   Feb14   0:00 sshd: /usr/sbin/sshd -D -f /etc/ssh/omv_sftp_config [listener] 0 of 10-100 startups
root         616  0.0  0.0  13360  1332 ?        Ss   Feb14   0:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
root         791  0.0  0.1 322212  2596 ?        Ssl  Feb14   0:53 node /opt/yarn-v1.22.19/bin/yarn.js start --force-ssh --ssh-port 26 --ssh-host nas2 --base  --port 2222 --ssl-cert /cert.crt --ssl-key /cert.key
root         829  0.9  0.6 10816104 12764 ?      Sl   Feb14  22:39 /usr/local/bin/node . --force-ssh --ssh-port 26 --ssh-host nas2 --base  --port 2222 --ssl-cert /cert.crt --ssl-key /cert.key
root      658770  0.0  0.4  14064  8364 ?        Ss   21:54   0:00 sshd: root@pts/0
root      660390  0.0  0.0   6244   712 pts/0    S+   21:59   0:00 grep ssh

ryecoaaron · 15. Februar 2023

I see you are using the sftp plugin. Did you change the port in there to 22? What is the output of: sudo grep -rw 22 /etc/ssh/*

StrikeAgainst · 16. Februar 2023

Oof that's it! Installed SFTP and turned it on about one or two weeks ago because I had thought I might need it eventually but then forgot about it. Surely also had no idea it would use the same port by default. Turned it off and now I can switch SSH back to 22 just fine.

Sorry for all the hassle and thank you so much for taking your time!

ryecoaaron · 16. Februar 2023

Zitat von StrikeAgainst

Surely also had no idea it would use the same port by default. Turned it off and now I can switch SSH back to 22 just fine.

Glad it is working. The sftp plugin uses port 222 by default. https://github.com/OpenMediaVa…onf.service.sftp.json#L18

SSH service fails to start on port 22 after some irregular behavior

votdev 16. Februar 2023

Jetzt mitmachen!

Tags