APAR status
Closed as suggestion for future release.
Error description
SSHD may write the following message to its log:

FOTS3214 cleanup_exit: kill(pid): EDC5139I Operation not permitted. (errno2=0x0D100114)

It may be preceded by a "Connection closed by ... [preauth]" message.

This situation can be encountered when SSHD is running with privilege separation and handling an incoming connection, but the connection is dropped prior to authentication (but after forking the privilege separation child process). The issue occurs when the client disconnects from the privsep child, which self-terminates, and sshd then attempts to kill the child, which has already terminated.

Note: This condition does not impact sshd functionality; these messages are currently for informational purposes.

Verification Steps:
1) SSHD running with privilege separation enabled.
2) Condition is encountered for an incoming user prior to successful authentication.

Keywords: msgFOTS3214 cleanup_exit kill msgEDC5139I 0D100114
Local fix
If desired, this can be avoided by disabling privilege separation in the sshd_config file by setting:

UsePrivilegeSeparation no

This prevents the FOTS3214 message and the subsequent conditions from occurring when a connection is dropped before authentication is completed.

Note: This condition does not impact sshd functionality; these messages are currently for informational purposes.
Problem summary
Problem conclusion
Temporary fix
Comments
When privilege separation is enabled, the OpenSSH daemon forks an unprivileged child process to handle network traffic and everything that does not require special privileges. If the unprivileged child process terminates prior to authentication due to some exception, such as the client disconnecting from the unprivileged child process, the daemon will recycle the child process with a kill() call. Because the unprivileged child process has already terminated, the kill() call gets the return code EPERM from the USS kernel. Correspondingly, the OpenSSH daemon prints the following error message in the debug output:

FOTS3214 cleanup_exit: kill(pid): EDC5139I Operation not permitted. (errno2=0x0D100114)

In this scenario, everything works as currently designed for both OpenSSH and the USS kernel. To prevent OpenSSH from printing this error message, the reasonable method is to change the current design of BPX1KIL/kill() so that it provides a specific return code when the target process has already terminated (is in zombie state); OpenSSH can then use that return code to distinguish this condition from others. The related RFE, RFE ID 111146 and RTC ID 202870, has been opened against the USS component.
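As an added example (not IBM's or OpenSSH's code), the following log triage separates the FOTS3214 signature described in this APAR from other kill() failures, so the known message can be filtered while privilege separation stays enabled. The function name, the three-line lookback window and the sample log lines are assumptions made for this illustration.

```python
import re

# Message layout as quoted in this APAR; "(pid)" stands for whatever sshd prints there.
FOTS3214 = re.compile(
    r"FOTS3214 cleanup_exit: kill\((?P<pid>[^)]*)\): (?P<msg>EDC\d{4}I) .*?"
    r"\(errno2=0x(?P<errno2>[0-9A-Fa-f]{8})\)")
PREAUTH_CLOSE = re.compile(r"Connection closed by .*\[preauth\]")

# The message id and reason code named in the APAR.
KNOWN_MSG, KNOWN_ERRNO2 = "EDC5139I", "0D100114"


def triage(lines, lookback=3):
    """Return (line_index, verdict) for every FOTS3214 line.

    lookback is an assumed window: how many preceding lines are searched
    for the "[preauth]" disconnect that the APAR says may come first.
    """
    results = []
    for i, line in enumerate(lines):
        m = FOTS3214.search(line)
        if not m:
            continue
        signature = m["msg"] == KNOWN_MSG and m["errno2"].upper() == KNOWN_ERRNO2
        preceded = any(PREAUTH_CLOSE.search(p) for p in lines[max(0, i - lookback):i])
        if signature and preceded:
            verdict = "known-preauth-disconnect"          # matches the APAR fully
        elif signature:
            verdict = "known-signature-no-preauth-line"   # APAR: "may be preceded"
        else:
            verdict = "review"                            # different code: not this APAR
        results.append((i, verdict))
    return results


# Constructed sample lines (addresses, pids and the 0x00000000 code are made up).
SAMPLE = [
    "Connection closed by 192.0.2.10 [preauth]",
    "FOTS3214 cleanup_exit: kill(1234): EDC5139I Operation not permitted. (errno2=0x0D100114)",
    "constructed unrelated line A",
    "constructed unrelated line B",
    "constructed unrelated line C",
    "FOTS3214 cleanup_exit: kill(1235): EDC5139I Operation not permitted. (errno2=0x0D100114)",
    "FOTS3214 cleanup_exit: kill(1236): EDC5139I Operation not permitted. (errno2=0x00000000)",
]

if __name__ == "__main__":
    for index, verdict in triage(SAMPLE):
        print(index, verdict)
```

Only lines classified as "review" carry a reason code other than the one this APAR documents and are worth a closer look.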
APAR Information
APAR number
OA54150
Reported component name
OPENSSH FOR Z/O
Reported component ID
5655M2301
Reported release
220
Status
CLOSED SUG
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-10-12
Closed date
2017-11-01
Last modified date
2017-11-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Applicable component levels
Document Information
Modified date:
01 November 2017