<div dir="auto"><div>Given that other users have reported similiar issues with that exact kernel coupled with updated openssl + openssh, you want to update that kernel to something a bit more recent.<div dir="auto"><br></div><div dir="auto">Should be a straight forward apt-get install <linux-image> from memory, as suggested here :</div><div dir="auto"><br></div><div dir="auto"><a href="https://wiki.debian.org/HowToUpgradeKernel" target="_blank" rel="noreferrer">https://wiki.debian.org/HowToUpgradeKernel</a><br></div><div dir="auto"><br></div><div dir="auto">It's a pretty safe process these days, though you are making some big jumps (3.16 to 4.19.x (Buster latest)) - so have some get out of jail cards handy (backups, console access, coffee, etc)</div><div dir="auto"><br></div><div dir="auto"><br></div><div dir="auto">If it was just recently upgraded to buster, you shouldn't have any issues on latest kernel(s) Being on 686 as opposed to amd64 (pretty much the default these days, and I guarantee amd64 gets better testing with stuff then 686 ! ). I wouldn't mangle that unless you feel like a reinstall tho, it should be fine for 99% of use cases.</div><div dir="auto"><br></div><div dir="auto">Enjoy</div><div dir="auto">/Chris</div><br><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, 18 Dec 2019, 12:41 pm Joe Aquilina, <<a href="mailto:joe@chem.com.au" target="_blank" rel="noreferrer">joe@chem.com.au</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div>
    <div>I think that is a default sshd_config.
      I have tried removing (and later purging) it recently and that is
      pretty much as it was after the latest reinstall.</div>
    <div><br>
    </div>
    <div>The kernel is an older one, which
      surprises me. It doesn't seem to have been updated as part of the
      upgrade from stretch to buster, which I was expecting to have
      happened. The kernel is still 3.16.0-4-686-pae.</div>
    <div><br>
    </div>
    <div>I have never updated a kernel, is there
      a link to a procedure for this? I have found one that suggests
      using ukuu, but I have not been able to install that, there seems
      to be a problem with the repository.</div>
    <div><br>
    </div>
    <div>Cheers.</div>
    <div><br>
    </div>
    <div>Joe Aquilina<br>
    </div>
    <div><br>
    </div>
    <div><br>
    </div>
    <div>On 18/12/19 12:19 pm, Chris Hoy Poy
      wrote:<br>
    </div>
    <blockquote type="cite">
      
      <div dir="auto">That line shouldn't bother it (the nologin is
        fine, you don't want it logging in)
        <div dir="auto"><br>
        </div>
        <div dir="auto">I can't see "usePrivilegeSeparation" in that
          config, it's probably default.</div>
        <div dir="auto"><br>
        </div>
        <div dir="auto">How old is the overall install, and has the
          kernel been upgraded recently?</div>
        <div dir="auto"><br>
        </div>
        <div dir="auto">I see a number of recent minor issues around
          openssl versions + kernel versions </div>
        <div dir="auto"><br>
        </div>
        <div dir="auto">Probably want to be a later kernel if possible,
          just to be sure.</div>
        <div dir="auto"><br>
        </div>
        <div dir="auto"><a href="https://www.mail-archive.com/debian-ssh@lists.debian.org/msg08820.html" rel="noreferrer noreferrer noreferrer" target="_blank">https://www.mail-archive.com/debian-ssh@lists.debian.org/msg08820.html</a><br>
        </div>
        <div dir="auto"><br>
        </div>
        <div dir="auto"><a href="https://www.mail-archive.com/debian-ssh@lists.debian.org/msg08852.html" rel="noreferrer noreferrer" target="_blank">https://www.mail-archive.com/debian-ssh@lists.debian.org/msg08852.html</a><br>
        </div>
        <div dir="auto"><br>
        </div>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr" class="gmail_attr">On Wed, 18 Dec 2019, 12:05 pm
          Joe Aquilina, <<a href="mailto:joe@chem.com.au" rel="noreferrer noreferrer noreferrer noreferrer noreferrer" target="_blank">joe@chem.com.au</a>> wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div>
            <div>Chris</div>
            <div><br>
            </div>
            <div>Her is the sshd_config file on the server:</div>
            <div><br>
            </div>
            <div>$ cat /etc/ssh/sshd_config     <br>
              <tt>#       $OpenBSD: sshd_config,v 1.103 2018/04/09
                20:41:22 tj Exp $</tt><tt><br>
              </tt><tt><br>
              </tt><tt># This is the sshd server system-wide
                configuration file.  See</tt><tt><br>
              </tt><tt># sshd_config(5) for more information.</tt><tt><br>
              </tt><tt><br>
              </tt><tt># This sshd was compiled with
                PATH=/usr/bin:/bin:/usr/sbin:/sbin</tt><tt><br>
              </tt><tt><br>
              </tt><tt># The strategy used for options in the default
                sshd_config shipped with</tt><tt><br>
              </tt><tt># OpenSSH is to specify options with their
                default value where</tt><tt><br>
              </tt><tt># possible, but leave them commented. 
                Uncommented options override the</tt><tt><br>
              </tt><tt># default value.</tt><tt><br>
              </tt><tt><br>
              </tt><tt>Port 22</tt><tt><br>
              </tt><tt>#AddressFamily any</tt><tt><br>
              </tt><tt>#ListenAddress 0.0.0.0</tt><tt><br>
              </tt><tt>#ListenAddress ::</tt><tt><br>
              </tt><tt><br>
              </tt><tt>#HostKey /etc/ssh/ssh_host_rsa_key</tt><tt><br>
              </tt><tt>#HostKey /etc/ssh/ssh_host_ecdsa_key</tt><tt><br>
              </tt><tt>#HostKey /etc/ssh/ssh_host_ed25519_key</tt><tt><br>
              </tt><tt><br>
              </tt><tt># Ciphers and keying</tt><tt><br>
              </tt><tt>#RekeyLimit default none</tt><tt><br>
              </tt><tt><br>
              </tt><tt># Logging</tt><tt><br>
              </tt><tt>#SyslogFacility AUTH</tt><tt><br>
              </tt><tt>#LogLevel INFO</tt><tt><br>
              </tt><tt><br>
              </tt><tt># Authentication:</tt><tt><br>
              </tt><tt><br>
              </tt><tt>#LoginGraceTime 2m</tt><tt><br>
              </tt><tt>#PermitRootLogin prohibit-password</tt><tt><br>
              </tt><tt>AllowUsers joe</tt><tt><br>
              </tt><tt>#StrictModes yes</tt><tt><br>
              </tt><tt>#MaxAuthTries 6</tt><tt><br>
              </tt><tt>#MaxSessions 10</tt><tt><br>
              </tt><tt><br>
              </tt><tt>#PubkeyAuthentication yes</tt><tt><br>
              </tt><tt><br>
              </tt><tt># Expect .ssh/authorized_keys2 to be disregarded
                by default in future.</tt><tt><br>
              </tt><tt>#AuthorizedKeysFile     .ssh/authorized_keys
                .ssh/authorized_keys2</tt><tt><br>
              </tt><tt><br>
              </tt><tt>#AuthorizedPrincipalsFile none</tt><tt><br>
              </tt><tt><br>
              </tt><tt>#AuthorizedKeysCommand none</tt><tt><br>
              </tt><tt>#AuthorizedKeysCommandUser nobody</tt><tt><br>
              </tt><tt><br>
              </tt><tt># For this to work you will also need host keys
                in /etc/ssh/ssh_known_hosts</tt><tt><br>
              </tt><tt>#HostbasedAuthentication no</tt><tt><br>
              </tt><tt># Change to yes if you don't trust
                ~/.ssh/known_hosts for</tt><tt><br>
              </tt><tt># HostbasedAuthentication</tt><tt><br>
              </tt><tt>#IgnoreUserKnownHosts no</tt><tt><br>
              </tt><tt># Don't read the user's ~/.rhosts and ~/.shosts
                files</tt><tt><br>
              </tt><tt>#IgnoreRhosts yes</tt><tt><br>
              </tt><tt><br>
              </tt><tt># To disable tunneled clear text passwords,
                change to no here!</tt><tt><br>
              </tt><tt>#PasswordAuthentication yes</tt><tt><br>
              </tt><tt>#PermitEmptyPasswords no</tt><tt><br>
              </tt><tt><br>
              </tt><tt># Change to yes to enable challenge-response
                passwords (beware issues with</tt><tt><br>
              </tt><tt># some PAM modules and threads)</tt><tt><br>
              </tt><tt>ChallengeResponseAuthentication no</tt><tt><br>
              </tt><tt><br>
              </tt><tt># Kerberos options</tt><tt><br>
              </tt><tt>#KerberosAuthentication no</tt><tt><br>
              </tt><tt>#KerberosOrLocalPasswd yes</tt><tt><br>
              </tt><tt>#KerberosTicketCleanup yes</tt><tt><br>
              </tt><tt>#KerberosGetAFSToken no</tt><tt><br>
              </tt><tt><br>
              </tt><tt># GSSAPI options</tt><tt><br>
              </tt><tt>#GSSAPIAuthentication no</tt><tt><br>
              </tt><tt>#GSSAPICleanupCredentials yes</tt><tt><br>
              </tt><tt>#GSSAPIStrictAcceptorCheck yes</tt><tt><br>
              </tt><tt>#GSSAPIKeyExchange no</tt><tt><br>
              </tt><tt><br>
              </tt><tt># Set this to 'yes' to enable PAM authentication,
                account processing,</tt><tt><br>
              </tt><tt># and session processing. If this is enabled, PAM
                authentication will</tt><tt><br>
              </tt><tt># be allowed through the
                ChallengeResponseAuthentication and</tt><tt><br>
              </tt><tt># PasswordAuthentication.  Depending on your PAM
                configuration,</tt><tt><br>
              </tt><tt># PAM authentication via
                ChallengeResponseAuthentication may bypass</tt><tt><br>
              </tt><tt># the setting of "PermitRootLogin
                without-password".</tt><tt><br>
              </tt><tt># If you just want the PAM account and session
                checks to run without</tt><tt><br>
              </tt><tt># PAM authentication, then enable this but set
                PasswordAuthentication</tt><tt><br>
              </tt><tt># and ChallengeResponseAuthentication to 'no'.</tt><tt><br>
              </tt><tt>UsePAM yes</tt><tt><br>
              </tt><tt>UseLogin no</tt><tt><br>
              </tt><tt><br>
              </tt><tt>#AllowAgentForwarding yes</tt><tt><br>
              </tt><tt>#AllowTcpForwarding yes</tt><tt><br>
              </tt><tt>#GatewayPorts no</tt><tt><br>
              </tt><tt>X11Forwarding yes</tt><tt><br>
              </tt><tt>#X11DisplayOffset 10</tt><tt><br>
              </tt><tt>#X11UseLocalhost yes</tt><tt><br>
              </tt><tt>#PermitTTY yes</tt><tt><br>
              </tt><tt>PrintMotd no</tt><tt><br>
              </tt><tt>#PrintLastLog yes</tt><tt><br>
              </tt><tt>#TCPKeepAlive yes</tt><tt><br>
              </tt><tt>#PermitUserEnvironment no</tt><tt><br>
              </tt><tt>#Compression delayed</tt><tt><br>
              </tt><tt>#ClientAliveInterval 0</tt><tt><br>
              </tt><tt>#ClientAliveCountMax 3</tt><tt><br>
              </tt><tt>#UseDNS no</tt><tt><br>
              </tt><tt>#PidFile /var/run/sshd.pid</tt><tt><br>
              </tt><tt>#MaxStartups 10:30:100</tt><tt><br>
              </tt><tt>#PermitTunnel no</tt><tt><br>
              </tt><tt>#ChrootDirectory none</tt><tt><br>
              </tt><tt>#VersionAddendum none</tt><tt><br>
              </tt><tt><br>
              </tt><tt># no default banner path</tt><tt><br>
              </tt><tt>#Banner none</tt><tt><br>
              </tt><tt><br>
              </tt><tt># Allow client to pass locale environment
                variables</tt><tt><br>
              </tt><tt>AcceptEnv LANG LC_*</tt><tt><br>
              </tt><tt><br>
              </tt><tt># override default of no subsystems</tt><tt><br>
              </tt><tt>Subsystem       sftp   
                /usr/lib/openssh/sftp-server</tt><tt><br>
              </tt><tt><br>
              </tt><tt># Example of overriding settings on a per-user
                basis</tt><tt><br>
              </tt><tt>#Match User anoncvs</tt><tt><br>
              </tt><tt>#       X11Forwarding no</tt><tt><br>
              </tt><tt>#       AllowTcpForwarding no</tt><tt><br>
              </tt><tt>#       PermitTTY no</tt><tt><br>
              </tt><tt>#       ForceCommand cvs server</tt><tt><br>
              </tt></div>
            <div><br>
            </div>
            <div>I just checked the passwd file on the server and both
              accounts I use to login finish with /bin/bash. However, I
              also noticed that the last line of the passwd file looks
              like this:</div>
            <div><br>
            </div>
            <div><tt>sshd:x:100:65534::/run/sshd:/usr/sbin/nologin</tt></div>
            <div><br>
            </div>
            <div>Looking at the passwd file from a backup done before
              the upgrade, and when ssh logins were working, this line
              is a recent addition - it does not appear in past
              instances of the passwd file. Is this the cause of my
              problems? Can I simply delete this line and try again?</div>
            <div><br>
            </div>
            <div>Cheers.</div>
            <div><br>
            </div>
            <div>Joe Aquilina</div>
            <div><br>
            </div>
            <div><br>
            </div>
            <div>On 18/12/19 11:49 am, Chris Hoy Poy wrote:<br>
            </div>
            <blockquote type="cite">
              <div dir="auto">Hey Joe,
                <div dir="auto"><br>
                </div>
                <div dir="auto">Can you check what
                  "usePrivilegeSeparation" is defined as in the server
                  sshd_config is ?</div>
                <div dir="auto"><br>
                </div>
                <div dir="auto">Cheers</div>
                <div dir="auto">/Chris</div>
              </div>
              <br>
              <div class="gmail_quote">
                <div dir="ltr" class="gmail_attr">On Wed, 18 Dec 2019,
                  11:42 am Joe Aquilina, <<a href="mailto:joe@chem.com.au" rel="noreferrer
                    noreferrer noreferrer noreferrer noreferrer noreferrer" target="_blank">joe@chem.com.au</a>>
                  wrote:<br>
                </div>
                <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                  <div>
                    <div>sestatus and getenforce both show selinux as
                      disabled.</div>
                    <div><br>
                    </div>
                    <div>There is already another account that is
                      occasionally used to login to the server - it
                      fails exactly the same as my (joe) account. I
                      don't believe that any scripts at login.<br>
                    </div>
                    <div><br>
                    </div>
                    <div>And yes I did edit the output to protect the
                      "guilty" ... replaced the real server name with
                      <server> and the server's IP address. I
                      presumed that is what was requested when it was
                      suggested that I post a sanitised copy of the
                      login attempt output.</div>
                    <div><br>
                    </div>
                    <div>Cheers.</div>
                    <div><br>
                    </div>
                    <div>Joe Aquilina<br>
                    </div>
                    <div><br>
                    </div>
                    <div>On 18/12/19 11:08 am, mike wrote:<br>
                    </div>
                    <blockquote type="cite">
                      <div>On 18/12/2019 10:43, Joe Aquilina wrote:<br>
                      </div>
                      <blockquote type="cite">I have no idea about
                        selinux, whether it is installed/enabled. How do
                        I check that and disable it if necessary, and
                        then re-enable?</blockquote>
                      <br>
                      <pre>sestatus or <span></span>getenforce

If file not found then not in use.

Are you removing details from the output? IE:
Authenticated to <server> ([ip.address of server]:22).

Mine says
debug1: Authentication succeeded (publickey).
Authenticated to nos ([10.222.0.4]:22).

Another thought is what does the passwd file say for your login? I have /bin/bash on the end

What user are you trying to login as?

Are you running any scripts at login that may be failing?

Have you tried another user?

Maybe create a new user and try logging in with that just to remove the user as being an issue.

</pre>
                      <pre cols="72">-- 
'ooroo

Mike...(:)-)
---------------------------------------------------
Email: <a href="mailto:mike@wolf-rock.com" rel="noreferrer noreferrer noreferrer noreferrer noreferrer noreferrer noreferrer" target="_blank">mike@wolf-rock.com</a>         o
You need only two tools.        o /////
A hammer and duct tape. If it    /@   `\  /) ~
doesn't move and it should use  >  (O)  X<  ~  Fish!!
the hammer. If it moves and      `\___/'  \) ~
shouldn't, use the tape.           \\\
---------------------------------------------------</pre>
                    </blockquote>
                    <p><br>
                    </p>
                    <pre cols="72">-- 
Joe Aquilina
Central Chemical Consulting Pty Ltd
PO Box 2546 Malaga WA 6944 Australia
1/11 Narloo St Malaga 6090 Australia
Tel: +61  8 9248 2739  Fax: +61  8 9248 2749
<a href="mailto:joe@chem.com.au" rel="noreferrer noreferrer noreferrer noreferrer noreferrer noreferrer noreferrer" target="_blank">joe@chem.com.au</a>  <a href="http://www.chem.com.au" rel="noreferrer noreferrer noreferrer noreferrer noreferrer noreferrer noreferrer" target="_blank">www.chem.com.au</a>    </pre>
                  </div>
                  _______________________________________________<br>
                  PLUG discussion list: <a href="mailto:plug@plug.org.au" rel="noreferrer
                    noreferrer noreferrer noreferrer noreferrer noreferrer noreferrer" target="_blank">plug@plug.org.au</a><br>
                  <a href="http://lists.plug.org.au/mailman/listinfo/plug" rel="noreferrer noreferrer noreferrer noreferrer
                    noreferrer noreferrer noreferrer noreferrer" target="_blank">http://lists.plug.org.au/mailman/listinfo/plug</a><br>
                  Committee e-mail: <a href="mailto:committee@plug.org.au" rel="noreferrer
                    noreferrer noreferrer noreferrer noreferrer noreferrer noreferrer" target="_blank">committee@plug.org.au</a><br>
                  PLUG Membership: <a href="http://www.plug.org.au/membership" rel="noreferrer noreferrer noreferrer noreferrer
                    noreferrer noreferrer noreferrer noreferrer" target="_blank">http://www.plug.org.au/membership</a></blockquote>
              </div>
            </blockquote>
            <p><br>
            </p>
            <pre cols="72">-- 
Joe Aquilina
Central Chemical Consulting Pty Ltd
PO Box 2546 Malaga WA 6944 Australia
1/11 Narloo St Malaga 6090 Australia
Tel: +61  8 9248 2739  Fax: +61  8 9248 2749
<a href="mailto:joe@chem.com.au" rel="noreferrer noreferrer noreferrer noreferrer noreferrer noreferrer" target="_blank">joe@chem.com.au</a>  <a href="http://www.chem.com.au" rel="noreferrer noreferrer noreferrer noreferrer noreferrer noreferrer" target="_blank">www.chem.com.au</a></pre>
          </div>
          _______________________________________________<br>
          PLUG discussion list: <a href="mailto:plug@plug.org.au" rel="noreferrer noreferrer noreferrer noreferrer noreferrer noreferrer" target="_blank">plug@plug.org.au</a><br>
          <a href="http://lists.plug.org.au/mailman/listinfo/plug" rel="noreferrer noreferrer noreferrer noreferrer noreferrer noreferrer noreferrer" target="_blank">http://lists.plug.org.au/mailman/listinfo/plug</a><br>
          Committee e-mail: <a href="mailto:committee@plug.org.au" rel="noreferrer noreferrer noreferrer noreferrer noreferrer noreferrer" target="_blank">committee@plug.org.au</a><br>
          PLUG Membership: <a href="http://www.plug.org.au/membership" rel="noreferrer noreferrer noreferrer noreferrer noreferrer noreferrer noreferrer" target="_blank">http://www.plug.org.au/membership</a></blockquote>
      </div>
    </blockquote>
    <p><br>
    </p>
    <pre cols="72">-- 
Joe Aquilina
Central Chemical Consulting Pty Ltd
PO Box 2546 Malaga WA 6944 Australia
1/11 Narloo St Malaga 6090 Australia
Tel: +61  8 9248 2739  Fax: +61  8 9248 2749
<a href="mailto:joe@chem.com.au" rel="noreferrer noreferrer" target="_blank">joe@chem.com.au</a>  <a href="http://www.chem.com.au" rel="noreferrer noreferrer" target="_blank">www.chem.com.au</a></pre>
  </div>

_______________________________________________<br>
PLUG discussion list: <a href="mailto:plug@plug.org.au" rel="noreferrer noreferrer" target="_blank">plug@plug.org.au</a><br>
<a href="http://lists.plug.org.au/mailman/listinfo/plug" rel="noreferrer noreferrer noreferrer" target="_blank">http://lists.plug.org.au/mailman/listinfo/plug</a><br>
Committee e-mail: <a href="mailto:committee@plug.org.au" rel="noreferrer noreferrer" target="_blank">committee@plug.org.au</a><br>
PLUG Membership: <a href="http://www.plug.org.au/membership" rel="noreferrer noreferrer noreferrer" target="_blank">http://www.plug.org.au/membership</a></blockquote></div>
</div></div>