FreeBSD 14.1 + OpenSSH 9.7 = 1 connection limit? SSHD sockets stuck in CLOSED state, cannot /etc/rc.d/sshd restart

I am experiencing the same problem as in https://forums.freebsd.org/threads/freebsd-13-2-openssh-9-3-1-connection-limit.88891/ when I run sshd as a standalone process (the problem was also present in FreeBSD 13).
When sshd is executed from inetd, nothing happens.

Executing /etc/rc.d/sshd start makes sshd get stuck/hang after some time.

FreeBSD is up to date, and there is no load currently.

Code:
> uname -a
FreeBSD <myname> 14.1-RELEASE-p4 FreeBSD 14.1-RELEASE-p4 GENERIC amd64
> uptime
 1:59PM  up 6 days, 11:25, 7 users, load averages: 0.30, 0.25, 0.33
> ssh -V
OpenSSH_9.7p1, OpenSSL 3.0.13 30 Jan 2024



If I execute sshd via /etc/rc.d/sshd start,
then only one user can log in; the rest get stuck at the "Local version string" message, even when I am sshing from my own machine and the firewall is completely open.

Code:
> sudo ipfw add 1 allow all from any to any
00001 allow ip from any to any


> ssh -4 -v 127.0.0.1
OpenSSH_9.7p1, OpenSSL 3.0.13 30 Jan 2024
debug1: Connecting to 127.0.0.1 [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/mdasyg/.ssh/id_rsa type -1
debug1: identity file /home/mdasyg/.ssh/id_rsa-cert type -1
debug1: identity file /home/mdasyg/.ssh/id_ecdsa type -1
debug1: identity file /home/mdasyg/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/mdasyg/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/mdasyg/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/mdasyg/.ssh/id_ed25519 type -1
debug1: identity file /home/mdasyg/.ssh/id_ed25519-cert type -1
debug1: identity file /home/mdasyg/.ssh/id_ed25519_sk type -1
debug1: identity file /home/mdasyg/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/mdasyg/.ssh/id_xmss type -1
debug1: identity file /home/mdasyg/.ssh/id_xmss-cert type -1
debug1: identity file /home/mdasyg/.ssh/id_dsa type -1
debug1: identity file /home/mdasyg/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.7
^C


I have tried many settings in sshd_config. Currently I am using the following. Whatever I have changed, the problem still exists, both locally and remotely.
Code:
> sudo more /etc/ssh/sshd_config | grep -v '#' | sort | uniq
AuthorizedKeysFile      .ssh/authorized_keys
ChallengeResponseAuthentication no
channeltimeout global=60
ClientAliveCountMax 2
ClientAliveInterval 30
Compression no
GSSAPIAuthentication no
HostbasedAuthentication no
KerberosAuthentication no
LoginGraceTime 30
MaxStartups 50:50:200
PermitEmptyPasswords no
PermitRootLogin yes
Subsystem       sftp    /usr/libexec/sftp-server
UsePAM no



Moreover, the sshd server does not restart on its own.
If I try to restart it, it hangs indefinitely:
Code:
> /etc/rc.d/sshd onerestart
Performing sanity check on sshd configuration.
Stopping sshd.
Waiting for PIDS: 73968

Only by kill -9'ing the PID of the main sshd process can I restart it.


The process tree (pstree) when sshd is stuck always shows at least one user connected. The user is authenticated and valid.

Code:
> pstree 73968
-+= 73968 root sshd: /usr/sbin/sshd [listener] 0 of 50-200 startups (sshd)
 \-+= 74250 root sshd: mduser [priv] (sshd)
   \--- 74494 mdasygenis sshd: mduser@notty (sshd)

freebsd-update IDS shows no errors concerning ssh:

Code:
> freebsd-update  IDS |& grep -i ssh
/etc/ssh/moduli has 0600 permissions, but should have 0644 permissions.
/etc/ssh/ssh_config has 0600 permissions, but should have 0644 permissions.
/etc/ssh/ssh_config has SHA256 hash bc09a9b9fe785a714bc153f3e9bad32efe81d160ea921a464a1eb180ece3b983, but should have SHA256 hash d12f4f223cd089cc47121cdfcd10463965db41e63c425c68e9a2bbf7b3e26a3f.
/etc/ssh/sshd_config has 0600 permissions, but should have 0644 permissions.
/etc/ssh/sshd_config has SHA256 hash fc9459564ab8273c76431712c012d965dad94f950c5af69437199d7eed147f72, but should have SHA256 hash 726ea8f0217e8a89fd3b2dd3128b4f681939c19ef434f522eea479320341c201.


After trying to restart sshd I see sockets stuck in the CLOSED state in netstat forever. I waited for more than 30 minutes and they were still in CLOSED.

Code:
>sysctl net.inet.tcp.keepidle ; sysctl net.inet.tcp.keepintvl ; sysctl net.inet.tcp.msl
net.inet.tcp.keepidle: 300000
net.inet.tcp.keepintvl: 15000
net.inet.tcp.msl: 15000


procstat of the process shows that there is one child process (the valid connection) still in progress and it is not killed:

Code:
> procstat -f 73968
  PID COMM                FD T V FLAGS    REF  OFFSET PRO NAME
73968 sshd             trace v r rw------   -       - -   /root/ktrace.out
73968 sshd              text v r r-------   -       - -   /usr/sbin/sshd
73968 sshd               cwd v d r-------   -       - -   /
73968 sshd              root v d r-------   -       - -   /
73968 sshd                 0 v c rw------   3       0 -   /dev/null
73968 sshd                 1 v c rw------   3       0 -   /dev/null
73968 sshd                 2 v c rw------   3       0 -   /dev/null
73968 sshd                 3 s - rw---n--   1       0 TCP 0 0 ::.22 ::.0
73968 sshd                 4 s - rw---n--   1       0 TCP 0 458954624 *:22 *:0
73968 sshd                 5 s - rw---n--   1       0 TCP 0 43 <myip>:22 <otherip>:58478


The connection remains in CLOSED and it is not killed:

Code:
>  netstat -an | grep 58478
tcp4      43      <myip>:22 <otherip>:58478   CLOSED


NOTE that over time every user gets one connection and then it remains in CLOSED, so after some hours/days of usage there are multiple CLOSED connections in netstat that do not disappear.


The sshd process of that connection is in the 'S' state:

Code:
> ps axuww | grep 74494
mduser  74494   0.0  0.1  22904  10296  -  S    12:36       0:00.05 sshd: mduser@notty (sshd)

If I kill -9 the sshd process, everything is cleared and sshd is restarted, but after some minutes the same problem arises again.

Nothing relevant is logged in /var/log/auth.log or /var/log/messages.


ps does not show anything useful:
Code:
> ps -fp 74494
  PID TT  STAT    TIME COMMAND
74494  -  S    0:00.06 sshd: mduser@notty (sshd)


> ps -fp 73968
  PID TT  STAT    TIME COMMAND
73968  -  IWs  0:00.00 sshd: /usr/sbin/sshd [listener] 0 of 50-200 startups (sshd)


tcpdump shows [R] reset packets sent from my server occasionally to <otherip>:58478, but nothing else.


lsof (list open files) verifies that the connection remains in the CLOSED state.
Code:
> lsof -i tcp:22
sshd    73968       root 3u  IPv6 0xfffff8010cef2540         0  TCP *:ssh (LISTEN)
sshd    73968       root 4u  IPv4 0xfffff801caeb9a80 458954624  TCP *:ssh->*:* (LISTEN)
sshd    73968       root 5u  IPv4 0xfffff8023002b000        43  TCP <myip>:ssh-><otherip>:58478 (CLOSED)


I even tried to ktrace the sshd process (and then the child process 74494):
Code:
ktrace -p 73968

and after 20 minutes nothing was logged. The file ktrace.out was 0 bytes and the 'kdump' output was empty.

procstat shows that the main sshd process is in the sleeping state (why did it not receive the kill signal?),
while the CLOSED state of the child sshd process seems to be waiting for something (?).

Code:
procstat -k 73968
  PID    TID COMM                TDNAME              KSTACK
73968 137151 sshd                -                   mi_switch sleepq_catch_signals sleepq_wait_sig _sleep kern_wait6 sys_wait4 amd64_syscall fast_syscall_common



procstat -k 74494
  PID    TID COMM                TDNAME              KSTACK
74494 138290 sshd                -                   mi_switch sleepq_catch_signals sleepq_timedwait_sig _cv_timedwait_sig_sbt seltdwait kern_poll_kfds kern_poll sys_ppoll amd64_syscall fast_syscall_common

The sshd process has an empty queue in netstat:

Code:
netstat -Lan | grep 22
tcp4  14/0/128                         *.22
tcp6  0/0/128                          *.22

Finally, the client config that I am using to connect to the server utilizes multiplexing as follows:
Code:
>cat ~/.ssh/config
host *
    ControlMaster auto
    ControlPath /tmp/ssh-%r@%h:%p
    ControlPersist yes
    ControlPersist 3600
    ServerAliveInterval 300
    ServerAliveCountMax 2


I have been searching for many hours to find a solution.

I could use inetd as a workaround, but I would like to use the sshd process.

As I said, this is similar to: https://forums.freebsd.org/threads/freebsd-13-2-openssh-9-3-1-connection-limit.88891/

and also to a very interesting post from 2008 about sockets stuck in CLOSED state:



Thanks for any suggestions!
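Added example, not code from the post above and not from FreeBSD or OpenSSH: a small Python triage script that does the cross-referencing the post does by hand across procstat -f, netstat -an and lsof. It parses saved `netstat -an`, `netstat -Lan` and `procstat -af` output and reports every CLOSED socket that still has unread Recv-Q bytes, which PID holds its descriptor, and whether that PID is the listener rather than a session child (in the post, the CLOSED socket to <otherip>:58478 is fd 5 of the listener PID 73968, so it cannot be released until that process closes the descriptor). It also flags listen queues with a non-zero first counter: in `netstat -L` the three numbers are qlen/incqlen/maxqlen, and qlen is the count of completed connections not yet taken by accept(), so `14/0/128` means 14 clients finished the TCP handshake and are waiting for sshd to accept them. The sample outputs embedded below are constructed, adapted from the post's listings with the real addresses replaced by documentation ranges; the PIDs 73968 and 74494 are the ones in the post.

```python
"""Added example (not from the post, FreeBSD or OpenSSH): cross-reference saved
`netstat -an`, `netstat -Lan` and `procstat -af` output to find sshd sockets stuck
in CLOSED, who holds their descriptor, and any backlog of unaccepted connections.
Sample outputs are constructed from the post's listings (documentation addresses)."""
from __future__ import annotations
from dataclasses import dataclass

NETSTAT_AN = """\
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4      43      0 192.0.2.10.22          198.51.100.7.58478     CLOSED
tcp4      21      0 127.0.0.1.22           127.0.0.1.47591        CLOSED
tcp4       0      0 192.0.2.10.22          198.51.100.9.40122     ESTABLISHED
tcp4       0      0 *.*                    *.*                    CLOSED
tcp4       0      0 *.22                   *.*                    LISTEN
tcp6       0      0 *.22                   *.*                    LISTEN
"""
NETSTAT_LAN = """\
Proto Listen                           Local Address
tcp4  14/0/128                         *.22
tcp6  0/0/128                          *.22
"""
PROCSTAT_F = """\
  PID COMM                FD T V FLAGS    REF  OFFSET PRO NAME
73968 sshd                 3 s - rw---n--   1       0 TCP 0 0 ::.22 ::.0
73968 sshd                 4 s - rw---n--   1       0 TCP 0 0 *:22 *:0
73968 sshd                 5 s - rw---n--   1       0 TCP 0 43 192.0.2.10:22 198.51.100.7:58478
74494 sshd                 3 s - rw---n--   1       0 TCP 0 0 192.0.2.10:22 198.51.100.9:40122
"""

def endpoint(token: str) -> tuple[str, str]:
    """Split 'host.port' (netstat) or 'host:port' (procstat) at the last separator
    and normalise wildcards so both tools' spellings of the same socket compare
    equal ('::.22 ::.0' in procstat is the '*.22 *.*' listener of netstat)."""
    i = max(token.rfind(":"), token.rfind("."))
    if i < 0:
        return token, ""
    host, port = token[:i], token[i + 1:]
    if host in ("::", "0.0.0.0"):
        host = "*"
    if host == "*" and port == "0":
        port = "*"
    return host, port

@dataclass
class Sock:
    proto: str
    recvq: int
    local: tuple[str, str]
    foreign: tuple[str, str]
    state: str

def parse_netstat(text: str) -> list[Sock]:
    """Rows of `netstat -an`: Proto Recv-Q Send-Q Local Foreign (state)."""
    out = []
    for f in (line.split() for line in text.splitlines()):
        if len(f) == 6 and f[0].startswith("tcp") and f[1].isdigit():
            out.append(Sock(f[0], int(f[1]), endpoint(f[3]), endpoint(f[4]), f[5]))
    return out

def parse_listen_queues(text: str) -> list[tuple[str, str, int, int, int]]:
    """Rows of `netstat -Lan`; the Listen column is qlen/incqlen/maxqlen, where
    qlen counts completed connections that accept() has not yet taken."""
    out = []
    for f in (line.split() for line in text.splitlines()):
        if len(f) == 3 and len(q := f[1].split("/")) == 3 and all(x.isdigit() for x in q):
            out.append((f[0], f[2], int(q[0]), int(q[1]), int(q[2])))
    return out

def parse_procstat(text: str) -> dict[tuple, set[int]]:
    """Map (local, foreign) of every TCP descriptor in `procstat -f` output to the
    PIDs holding it; the address pair is the last two fields of the NAME column."""
    owners: dict[tuple, set[int]] = {}
    for f in (line.split() for line in text.splitlines()):
        if len(f) >= 4 and f[0].isdigit() and "TCP" in f:
            owners.setdefault((endpoint(f[-2]), endpoint(f[-1])), set()).add(int(f[0]))
    return owners

def triage(netstat_an: str, netstat_lan: str, procstat_f: str) -> dict:
    socks, owners = parse_netstat(netstat_an), parse_procstat(procstat_f)
    listen_keys = {(s.local, s.foreign) for s in socks if s.state == "LISTEN"}
    listener_pids = set().union(*(owners.get(k, set()) for k in listen_keys))
    stuck, unbound = [], 0
    for s in socks:
        if s.state != "CLOSED":
            continue
        if s.local == ("*", "*"):      # never bound or connected: no peer to look up
            unbound += 1
            continue
        pids = sorted(owners.get((s.local, s.foreign), ()))
        stuck.append({"local": s.local, "foreign": s.foreign, "recvq": s.recvq, "pids": pids,
                      "held_by_listener": any(p in listener_pids for p in pids)})
    backlog = [(p, a, q, m) for p, a, q, _i, m in parse_listen_queues(netstat_lan) if q > 0]
    return {"listener_pids": sorted(listener_pids), "stuck": stuck,
            "unbound_closed": unbound, "backlog": backlog}

def report(r: dict) -> str:
    lines = [f"listener pid(s): {r['listener_pids'] or 'none found'}"]
    for s in r["stuck"]:
        who = ",".join(map(str, s["pids"])) or "no owner in procstat output"
        flag = "  <- held by the listener, not by a session child" if s["held_by_listener"] else ""
        lines.append(f"CLOSED {':'.join(s['local'])} <- {':'.join(s['foreign'])} "
                     f"recv-q={s['recvq']} fd owner={who}{flag}")
    lines.append(f"unbound CLOSED sockets (*.* -> *.*): {r['unbound_closed']}")
    for proto, addr, qlen, maxq in r["backlog"]:
        lines.append(f"{proto} {addr}: {qlen} completed connections waiting for accept() (max {maxq})")
    return "\n".join(lines)

if __name__ == "__main__":
    import sys
    # Real use: netstat -an > an.txt; netstat -Lan > lan.txt; procstat -af > pf.txt
    texts = ([open(p).read() for p in sys.argv[1:4]] if len(sys.argv) == 4
             else [NETSTAT_AN, NETSTAT_LAN, PROCSTAT_F])
    print(report(triage(*texts)))
```

Run it with no arguments to see the constructed sample, or with the three saved files (in the order shown in the comment) on the affected host. A CLOSED socket whose only owner is the listener PID, or a persistent non-zero qlen on *.22, is the thing to show in a bug report, because neither can be explained by the firewall or by hosts.allow.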
 
Many entries, but in the first lines I have

Code:
ALL: 10.                : allow
ALL: 10.100.100.        : allow
ALL: 10.100.101.        : allow
ALL: 10.100.10.         : allow
ALL: 172.16.            : allow
ALL: 127.0.0.1          : allow
ALL: 192.168.           : allow
ALL:localhost 127.0.0.1 : allow
ALL: [::1]              : allow

The problem still exists when connecting from 127.0.0.1.

The connections, even from 127.0.0.1, remain CLOSED forever.

Code:
# netstat -an | grep 127.0.0.1 | grep 22
tcp4      21      0 127.0.0.1.22           127.0.0.1.47591        CLOSED
tcp4      21      0 127.0.0.1.22           127.0.0.1.62090        CLOSED
tcp4      21      0 127.0.0.1.22           127.0.0.1.55052        CLOSED

even though in the first lines of the firewall I have

Code:
allow ip from any to any via lo0

They keep piling up and the number of CLOSED sockets keeps increasing. They stay CLOSED.

Code:
# netstat -an | grep 22 | grep CLOSED | wc -l
      34
 
In my case the first lines of /etc/hosts.allow permit every communication from the local and LAN addresses. So the first rule that will match ssh -4 -v 127.0.0.1 is
Code:
ALL: 127.0.0.1          : allow
and nothing else will be evaluated.

The lines before that are some scripts that I want to be executed if requested from anywhere, to print the IP of the connected client and to unban the IP from the firewall, but these are not triggered by the sshd execution. The lines before are:

Code:
pythonIP.py: ALL        : allow
pythonIP.py: ALL        : allow
unban_IPs_whitelist_firewall.py: ALL: allow
unban_IPs_whitelist_firewall.sh: ALL: allow

Nevertheless, I have replaced the entire hosts.allow with the stock file that has the ALL: all: allow line, and I will monitor whether this changes something.

I have kill -9'ed the main sshd process to complete the sshd restart.

After I completed the sshd restart, I now see a lot of lines with
Code:
tcp4       0      0 *.*                    *.*                    CLOSED
tcp4       0      0 *.*                    *.*                    CLOSED
tcp4       0      0 *.*                    *.*                    CLOSED
tcp4       0      0 *.*                    *.*                    CLOSED
tcp4       0      0 *.*                    *.*                    CLOSED
tcp4       0      0 *.*                    *.*                    CLOSED
tcp4       0      0 *.*                    *.*                    CLOSED
tcp4       0      0 *.*                    *.*                    CLOSED
tcp4       0      0 *.*                    *.*                    CLOSED
tcp4       0      0 *.*                    *.*                    CLOSED

which do not make sense (?). Perhaps they are artifacts from previous CLOSED connections that stayed in the CLOSED state for many hours?

In some hours I will have more info.
 
Hi,
After many hours of using the stock /etc/hosts.allow I still have pending connections in CLOSED, and the strange lines I showed before about "tcp4 0 0 *.* *.* CLOSED" are still here, so hosts.allow is not the problem.

Again I tried to connect via
Code:
ssh -v -4 127.0.0.1

and this is stuck at "debug1: Local version string SSH-2.0-OpenSSH_9.7", waiting for the remote banner.

Concerning kldstat:
Code:
# kldstat
Id Refs Address                Size Name
 1   79 0xffffffff80200000  1f370e8 kernel
 2    2 0xffffffff82138000    485b8 ipfw.ko
 3    1 0xffffffff82181000     2878 accf_data.ko
 4    1 0xffffffff82de7000     2eb0 accf_http.ko
 5    1 0xffffffff82deb000     81b0 ichwd.ko
 6    1 0xffffffff83800000   3da728 zfs.ko
 7    1 0xffffffff83620000     3560 fdescfs.ko
 8    1 0xffffffff83624000     3250 ichsmb.ko
 9    1 0xffffffff83628000     2178 smbus.ko
10    1 0xffffffff8362b000    30a80 linux.ko
11    4 0xffffffff8365c000     c2a8 linux_common.ko
12    1 0xffffffff83669000    2de10 linux64.ko
13    1 0xffffffff83697000     2278 pty.ko
14    1 0xffffffff8369a000     73c0 linprocfs.ko
15    1 0xffffffff836a2000     440c linsysfs.ko
16    1 0xffffffff836a7000     2240 cpuctl.ko
17    1 0xffffffff836aa000     3360 uhid.ko
18    1 0xffffffff836ae000     33c0 usbhid.ko
19    1 0xffffffff836b2000     3380 hidbus.ko
20    1 0xffffffff836b6000     3360 wmt.ko
21    1 0xffffffff836ba000     3568 ipdivert.ko
22    1 0xffffffff836be000     42d0 ipfw_nat.ko
23    1 0xffffffff836c3000     c962 libalias.ko
24    1 0xffffffff836d0000     4850 nullfs.ko



Also I would like to add that the same config (firewall, hosts.allow, sshd_config) on other servers does not cause such problems. The other servers seem to work normally. The only exception is that this one has a public ssh port at 22, but I am using ipfw rules to limit the setup after accepting local LAN and loopback connections.

This is a very old Xeon server that maybe lacks a CPU instruction that is required? Perhaps it would be interesting to remove the hard disks from it and put them in another workstation just to see if the problems arise there, but this is very difficult for the time being. If we don't find a solution I will try this in a couple of months.

Code:
>cat /var/run/dmesg.boot
---<<BOOT>>---
Copyright (c) 1992-2023 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 14.1-RELEASE-p4 GENERIC amd64
FreeBSD clang version 18.1.5 (https://github.com/llvm/llvm-project.git llvmorg-18.1.5-0-g617a15a9eac9)
VT(vga): resolution 640x480
CPU microcode: no matching update found
CPU: Intel(R) Xeon(TM) CPU 3.40GHz (3391.55-MHz K8-class CPU)
  Origin="GenuineIntel"  Id=0xf4a  Family=0xf  Model=0x4  Stepping=10
  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
  Features2=0x649d<SSE3,DTES64,MON,DS_CPL,EST,CNXT-ID,CX16,xTPR>
  AMD Features=0x20100800<SYSCALL,NX,LM>
  AMD Features2=0x1<LAHF>
  TSC: P-state invariant
real memory  = 8589934592 (8192 MB)
avail memory = 8263467008 (7880 MB)
Event timer "LAPIC" quality 100
ACPI APIC Table: <A M I  OEMAPIC >
FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
FreeBSD/SMP: 2 package(s) x 1 core(s) x 2 hardware threads
random: unblocking device.
ioapic0 <Version 2.0> irqs 0-23
ioapic1 <Version 2.0> irqs 24-47
Launching APs: 1 2 3
random: entropy device external interface
kbd1 at kbdmux0
vtvga0: <VT VGA driver>
smbios0: <System Management BIOS> at iomem 0xf8bb0-0xf8bce
smbios0: Version: 2.3, BCD Revision: 2.3
aesni0: No AES or SHA support.
acpi0: <A M I OEMRSDT>
acpi0: Power Button (fixed)
cpu0: <ACPI CPU> on acpi0
Firmware Warning (ACPI): Incorrect checksum in table [SSDT] - 0xDD, should be 0x62 (20221020/utcksum-208)
Firmware Warning (ACPI): Incorrect checksum in table [SSDT] - 0x7F, should be 0xFFFFFFB0 (20221020/utcksum-208)
attimer0: <AT timer> port 0x40-0x43 irq 0 on acpi0
Timecounter "i8254" frequency 1193182 Hz quality 0
Event timer "i8254" frequency 1193182 Hz quality 100
atrtc0: <AT realtime clock> port 0x70-0x71 irq 8 on acpi0
atrtc0: registered as a time-of-day clock, resolution 1.000000s
Event timer "RTC" frequency 32768 Hz quality 0
Timecounter "ACPI-fast" frequency 3579545 Hz quality 900
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x808-0x80b on acpi0
pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
pci0: <ACPI PCI bus> on pcib0
pci0: <unknown> at device 0.1 (no driver attached)
pcib1: <ACPI PCI-PCI bridge> irq 16 at device 2.0 on pci0
pci1: <ACPI PCI bus> on pcib1
pcib2: <ACPI PCI-PCI bridge> irq 16 at device 3.0 on pci0
pci2: <ACPI PCI bus> on pcib2
mskc0: <Marvell Yukon 88E8050 Gigabit Ethernet> port 0xd800-0xd8ff mem 0xdbffc000-0xdbffffff irq 16 at device 0.0 on pci2
msk0: <Marvell Technology Group Ltd. Yukon EC Id 0xb6 Rev 0x02> on mskc0
msk0: Using defaults for TSO: 65518/35/2048
msk0: Ethernet address: 00:0e:0c:a4:64:06
miibus0: <MII bus> on msk0
e1000phy0: <Marvell 88E1111 Gigabit PHY> PHY 0 on miibus0
e1000phy0:  none, 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT, 1000baseT-master, 1000baseT-FDX, 1000baseT-FDX-master, auto, auto-flow
pcib3: <ACPI PCI-PCI bridge> irq 16 at device 4.0 on pci0
pci3: <ACPI PCI bus> on pcib3
vgapci0: <VGA-compatible display> mem 0xdd000000-0xddffffff,0xc0000000-0xcfffffff,0xdc000000-0xdcffffff irq 16 at device 0.0 on pci3
vgapci0: Boot video device
pcib4: <ACPI PCI-PCI bridge> at device 28.0 on pci0
pci4: <ACPI PCI bus> on pcib4
uhci0: <Intel 6300ESB USB controller USB-A> port 0xc880-0xc89f irq 16 at device 29.0 on pci0
uhci0: LegSup = 0x2f00
usbus0 on uhci0
usbus0: 12Mbps Full Speed USB v1.0
uhci1: <Intel 6300ESB USB controller USB-B> port 0xcc00-0xcc1f irq 19 at device 29.1 on pci0
uhci1: LegSup = 0x2f00
usbus1 on uhci1
usbus1: 12Mbps Full Speed USB v1.0
device_attach: ioapic0 attach returned 6
ehci0: <Intel 6300ESB USB 2.0 controller> mem 0xdbeffc00-0xdbefffff irq 23 at device 29.7 on pci0
usbus2: EHCI version 1.0
usbus2 on ehci0
usbus2: 480Mbps High Speed USB v2.0
pcib5: <ACPI PCI-PCI bridge> at device 30.0 on pci0
pci5: <ACPI PCI bus> on pcib5
em0: <Intel(R) Legacy PRO/1000 GT 82541PI> port 0xec00-0xec3f mem 0xdefa0000-0xdefbffff,0xdef80000-0xdef9ffff irq 21 at device 4.0 on pci5
em0: EEPROM V1.0-0
em0: Using 1024 TX descriptors and 1024 RX descriptors
em0: Ethernet address: 00:0e:0c:bc:8e:8d
em0: netmap queues/slots: TX 1/1024, RX 1/1024
isab0: <PCI-ISA bridge> at device 31.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <Intel 6300ESB UDMA100 controller> port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xfc00-0xfc0f at device 31.1 on pci0
ata0: <ATA channel> at channel 0 on atapci0
ata1: <ATA channel> at channel 1 on atapci0
atapci1: <Intel 6300ESB SATA150 controller> port 0xc800-0xc807,0xc480-0xc483,0xc400-0xc407,0xc080-0xc083,0xc000-0xc00f irq 18 at device 31.2 on pci0
ata2: <ATA channel> at channel 0 on atapci1
ata3: <ATA channel> at channel 1 on atapci1
acpi_button0: <Power Button> on acpi0
uart0: <16550 or compatible> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
uart0: console (9600,n,8,1)
uart1: <16550 or compatible> port 0x2f8-0x2ff irq 3 on acpi0
fdc0: <floppy drive controller (FDE)> port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on acpi0
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
ichwd0: <Intel 6300ESB watchdog timer> on isa0
orm0: <ISA Option ROMs> at iomem 0xcf000-0xcffff,0xd0000-0xd0fff,0xd1000-0xd1fff,0xe0000-0xe3fff pnpid ORM0000 on isa0
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff pnpid PNP0900 on isa0
atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
atkbdc0: non-PNP ISA device will be removed from GENERIC in FreeBSD 15.
ACPI Warning: \134_PR.CPU1._PSS: SubPackage[8,9] - suspicious power dissipation values (20221020/nsrepair2-902)
acpi_perf0: <ACPI CPU Frequency Control> on cpu0
ACPI Warning: \134_PR.CPU1._PSS: SubPackage[8,9] - suspicious power dissipation values (20221020/nsrepair2-902)
ACPI Warning: \134_PR.CPU3._PSS: SubPackage[8,9] - suspicious power dissipation values (20221020/nsrepair2-902)
ACPI Warning: \134_PR.CPU2._PSS: SubPackage[8,9] - suspicious power dissipation values (20221020/nsrepair2-902)
ACPI Warning: \134_PR.CPU4._PSS: SubPackage[8,9] - suspicious power dissipation values (20221020/nsrepair2-902)
est: CPU supports Enhanced Speedstep, but is not recognized.
est: cpu_vendor GenuineIntel, msr 112d0000112d
device_attach: est1 attach returned 6
est: CPU supports Enhanced Speedstep, but is not recognized.
est: cpu_vendor GenuineIntel, msr 112d0000112d
device_attach: est2 attach returned 6
est: CPU supports Enhanced Speedstep, but is not recognized.
est: cpu_vendor GenuineIntel, msr 112d0000112d
device_attach: est3 attach returned 6
Timecounter "TSC-low" frequency 1695749824 Hz quality 1000
Timecounters tick every 1.000 msec
ipfw2 (+ipv6) initialized, divert loadable, nat loadable, default to accept, logging disabled
ugen0.1: <Intel UHCI root HUB> at usbus0
ugen1.1: <Intel UHCI root HUB> at usbus1
ugen2.1: <Intel EHCI root HUB> at usbus2
device_attach: ioapic0 attach returned 6
uhub0 on usbus2
uhub1 on usbus0
Trying to mount root from ufs:/dev/ufs/zaforaIIroot [ro]...
uhub1: <Intel UHCI root HUB, class 9/0, rev 1.00/1.00, addr 1> on usbus0
uhub0: <Intel EHCI root HUB, class 9/0, rev 2.00/1.00, addr 1> on usbus2
uhub2 on usbus1
uhub2: <Intel UHCI root HUB, class 9/0, rev 1.00/1.00, addr 1> on usbus1
ada0 at ata2 bus 0 scbus2 target 0 lun 0
ada0: <Samsung SSD 870 EVO 500GB SVT02B6Q> ACS-4 ATA SATA 3.x device
ada0: Serial Number S7EWNJ0W478457N
ada0: 150.000MB/s transfers (SATA 1.x, UDMA5, PIO 512bytes)
ada0: 476940MB (976773168 512 byte sectors)
ada0: quirks=0x3<4K,NCQ_TRIM_BROKEN>
uhub1: 2 ports with 2 removable, self powered
ada1 at ata3 bus 0 scbus3 target 0 lun 0
ada1: <WDC WD3200AAJS-00L7A0 01.03E01> ATA8-ACS SATA 2.x device
ada1: Serial Number WD-WMAV2HF73682
ada1: 150.000MB/s transfers (SATA 1.x, UDMA5, PIO 8192bytes)
ada1: 305245MB (625142448 512 byte sectors)
cd0 at ata0 bus 0 scbus0 target 0 lun 0
cd0: <HL-DT-ST DVD-ROM GDR8164B 0L06> Removable CD-ROM SCSI device
cd0: 33.300MB/s transfers (UDMA2, ATAPI 12bytes, PIO 65534bytes)
cd0: Attempt to query device size failed: NOT READY, Medium not present
uhub2: 2 ports with 2 removable, self powered
Root mount waiting for: usbus2
uhub0: 4 ports with 4 removable, self powered
Dual Console: Serial Primary, Video Secondary
ZFS filesystem version: 5
ZFS storage pool version: features support (5000)
ugen1.2: <vendor 0x0835 USB KVM> at usbus1
ukbd0 on uhub2
ukbd0: <vendor 0x0835 USB KVM, class 0/0, rev 2.00/1.10, addr 2> on usbus1
kbd2 at ukbd0
device_attach: ioapic0 attach returned 6
ichsmb0: <Intel 6300ESB (ICH) SMBus controller> port 0x400-0x41f irq 17 at device 31.3 on pci0
smbus0: <System Management Bus> on ichsmb0
CPU: Intel(R) Xeon(TM) CPU 3.40GHz (3391.50-MHz K8-class CPU)
  Origin="GenuineIntel"  Id=0xf4a  Family=0xf  Model=0x4  Stepping=10
  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
  Features2=0x649d<SSE3,DTES64,MON,DS_CPL,EST,CNXT-ID,CX16,xTPR>
  AMD Features=0x20100800<SYSCALL,NX,LM>
  AMD Features2=0x1<LAHF>
  TSC: P-state invariant
em0: link state changed to UP
lo0: link state changed to UP
em0: link state changed to DOWN
em0: link state changed to UP
cpufreq: need to increase CF_MAX_LEVELS
cpufreq: need to increase CF_MAX_LEVELS
cpufreq: need to increase CF_MAX_LEVELS
cpufreq: need to increase CF_MAX_LEVELS
cpufreq: need to increase CF_MAX_LEVELS
cpufreq: need to increase CF_MAX_LEVELS
uhid0 on uhub2
uhid0: <vendor 0x0835 USB KVM, class 0/0, rev 2.00/1.10, addr 2> on usbus1


The ipfw firewall that I am using accepts loopback connections in its first lines, so ssh -v -4 127.0.0.1 is not firewalled.

Code:
00009   14023          0 allow log logamount 100 ip from any to any layer2 mac-type 0x0806
00015       0          0 deny log logamount 80 ip from 156.0.0.0/16 to any via em0 // bad host
00059       0          0 allow tcp from me to any tcpflags fin,rst out // quick drop the connection if requested
00109       0          0 allow udp from any to any 51820 out // WIREGUARD_OUTGOING
00159       0          0 allow udp from any 51820 to any in // WIREGUARD_OUTGOING
00209       0          0 allow ip from any to any ipsec
00259       0          0 allow esp from any to any
00309       0          0 allow ah from any to me
00359       0          0 allow ipencap from any to me
00409   85599    7409614 allow ip from any to any via lo0
00459       0          0 allow ip from me to me
.......


I see that I have CLOSED sockets in netstat even for 127.0.0.1, and they remain until I restart sshd:
Code:
tcp4      21      0 127.0.0.1.22           127.0.0.1.32188        CLOSED
tcp4      21      0 127.0.0.1.22           127.0.0.1.63084        CLOSED
tcp4      21      0 127.0.0.1.22           127.0.0.1.26201        CLOSED
tcp4      21      0 127.0.0.1.22           127.0.0.1.56191        CLOSED
tcp6      21      0 ::1.22                 ::1.18215              CLOSED




This machine uses em0 as its primary network interface
Code:
em0: <Intel(R) Legacy PRO/1000 GT 82541PI> port 0xec00-0xec3f mem 0xdefa0000-0xdefbffff,0xdef80000-0xdef9ffff irq 21 at device 4.0 on pci5

and also has another network card, msk0, which has no IP or cable, lo0 for 127.0.0.1, and an OpenVPN tap0 interface.
 
I had already added ipfw add 1 allow all from any to any, so I do not believe this will help, but I am doing it:

Code:
# ipfw flush
Are you sure? [yn] y
Flushed all rules.
root@XXXX:~ # kldunload ipfw
kldunload: can't unload file: Device busy
root@XXX:~ # ipfw -d -a show
65535 3806 876917 allow ip from any to any

I still cannot connect to localhost:


Code:
# ssh -v -4 localhost
OpenSSH_9.7p1, OpenSSL 3.0.13 30 Jan 2024
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type 0
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.7


<nothing more>

and I still have lines of CLOSED, either reporting an IP or reporting *.*

Code:
tcp4       0      0 *.*                    *.*                    CLOSED
tcp4       0      0 *.*                    *.*                    CLOSED
tcp4       0      0 *.*                    *.*                    CLOSED
tcp4       0      0 *.*                    *.*                    CLOSED
tcp4       0      0 *.*                    *.*                    CLOSED
tcp4       0      0 *.*                    *.*                    CLOSED
tcp4       0      0 *.*                    *.*                    CLOSED
tcp4       0      0 *.*                    *.*                    CLOSED
tcp4       0      0 *.*                    *.*                    CLOSED
tcp4       0      0 *.*                    *.*                    CLOSED


and the queue of ssh is not crowded:

Code:
netstat -Lan | grep .22
tcp4  8/0/128                          *.22
tcp6  2/0/128                          *.22

And even with the firewall disabled I cannot restart sshd.
Only with kill -9 can I restart it.

Code:
# /etc/rc.d/sshd onerestart
Performing sanity check on sshd configuration.
Stopping sshd.
Waiting for PIDS: 44159
(hang forever)

CTRL+Z
Suspended
# kill -9 44159
root@XXXX:~ # fg
/etc/rc.d/sshd onerestart
.
Performing sanity check on sshd configuration.
Starting sshd.



After restarting I can
ssh -v -4 localhost
or ssh from other hosts,

but after some time this won't be possible and it will hang forever.
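The "Waiting for PIDS:" step of the rc script waits with no timeout for the listed PID to exit, which is why the restart above sits forever until a kill -9 is sent from another shell (or after CTRL+Z). Added example, not the FreeBSD rc script and not code from the post: a stop routine with a bounded grace period that sends SIGTERM, waits, escalates to SIGKILL, and reports which step ended the process, so an automated restart can never hang in the same way. It assumes the PID is taken from the base sshd's pid file /var/run/sshd.pid and a 10 s grace period; both are arguments. One caveat worth knowing: the procstat -k stacks in the post end in sleepq_*_sig, i.e. signal-interruptible sleeps, which is why SIGKILL does take effect there; a process blocked in an uninterruptible kernel sleep survives SIGKILL until it returns, and the routine reports that as "stuck" instead of waiting forever.

```python
"""Added example (not the FreeBSD rc script and not code from the post): stop a
daemon by PID with a bounded grace period instead of waiting forever, escalating
SIGTERM -> SIGKILL and reporting which step ended the process.
Assumptions: PID read from /var/run/sshd.pid by the caller, 10 s grace period."""
import os
import signal
import subprocess
import sys
import time

def is_alive(pid: int) -> bool:
    """True while `pid` exists. Reaps it first if it is our own child so that a
    zombie is not mistaken for a live process (sshd will not be our child)."""
    try:
        if os.waitpid(pid, os.WNOHANG)[0] == pid:
            return False
    except ChildProcessError:
        pass                      # not our child: fall back to the probe below
    try:
        os.kill(pid, 0)           # signal 0 only checks existence/permission
    except ProcessLookupError:
        return False
    except PermissionError:
        return True               # exists, owned by another user
    return True

def stop_with_escalation(pid: int, grace: float = 10.0, poll: float = 0.1) -> str:
    """SIGTERM, wait up to `grace` seconds, then SIGKILL and wait again.
    Returns "already-gone", "term", "kill", or "stuck" (survived SIGKILL, which
    only happens to a process blocked in an uninterruptible kernel sleep)."""
    if not is_alive(pid):
        return "already-gone"
    outcome = "already-gone"
    for sig, label in ((signal.SIGTERM, "term"), (signal.SIGKILL, "kill")):
        try:
            os.kill(pid, sig)
        except ProcessLookupError:
            return outcome        # exited between the last probe and this signal
        outcome = label
        deadline = time.monotonic() + grace
        while time.monotonic() < deadline:
            if not is_alive(pid):
                return label
            time.sleep(poll)
    return "stuck"

_CHILDREN = []                    # keeps demo children referenced until exit

def spawn_child(ignore_term: bool) -> int:
    """Demo helper: start a sleeper that, like a hung daemon, may ignore SIGTERM.
    Returns its PID only after the child reports that its handler is installed."""
    code = ("import signal, sys, time\n"
            + ("signal.signal(signal.SIGTERM, signal.SIG_IGN)\n" if ignore_term else "")
            + "sys.stdout.write('ready\\n'); sys.stdout.flush(); time.sleep(60)\n")
    child = subprocess.Popen([sys.executable, "-c", code],
                             stdout=subprocess.PIPE, text=True)
    child.stdout.readline()       # blocks until the child printed 'ready'
    _CHILDREN.append(child)
    return child.pid

if __name__ == "__main__":
    if len(sys.argv) > 1:         # usage: stop.py <pid> [grace-seconds]
        target = int(sys.argv[1])
        grace = float(sys.argv[2]) if len(sys.argv) > 2 else 10.0
    else:                         # no args: demo against a SIGTERM-ignoring child
        target, grace = spawn_child(ignore_term=True), 1.0
    print(target, stop_with_escalation(target, grace))
```

On the server this would be run as root as `python3 stop.py $(cat /var/run/sshd.pid)` followed by `/etc/rc.d/sshd start`; check with `netstat -an | grep LISTEN` that port 22 is no longer bound before starting, since a leftover listener would make the start fail. Without arguments it spawns a child that ignores SIGTERM and shows the escalation to SIGKILL.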
 