
[EX/QFX] Troubleshooting SSHD log message "sshd 1234 fatal: Missing privilege separation directory: /var/empty"

[KB34025]


Summary:

This article explains how to troubleshoot an SSH problem in relation to the log message "sshd 1234 fatal: Missing privilege separation directory: /var/empty".

 

Symptoms:

The switch may reject SSH connections even though SSH is properly configured, and the following log message is reported:

sshd 1234 fatal: Missing privilege separation directory: /var/empty

 

Cause:

The above problem is caused by a missing /var/empty directory. sshd's privilege separation uses this directory as the restricted (chroot) environment for the unprivileged process that handles a connection before authentication, so that process cannot reach the rest of the file system even if it is compromised. When the directory is absent, sshd refuses to start rather than run without that confinement.

 

Solution:

The issue has been resolved in Junos OS releases 11.3R7, 11.4R4, 12.1R3, 12.2R1, and 12.3R1.

On releases without the fix, troubleshoot SSH issues caused by the missing /var/empty directory with the following steps:

  1. Issue the show system processes extensive command to check whether SSHD is running on the device. In this failure state SSHD is not present in the process list, so the command displays no output:

root@switch> show system processes extensive | match ssh

  2. Check the log messages for the switch and look for the following error message (in some cases the message may not be present):

Jul 25 12:00:11 PWK-Core-switch sshd 1234 fatal: Missing privilege separation directory: /var/empty

  3. If the log message is seen on the device, issue the file list /var/ command to check whether the /var/empty directory is present:

user@switch> file list /var/

/var/:
.snap/
BSD.var.dist
account/
at/
backups/
bin/
crash/
cron/
db/
etc/
etcroot/
heimdal/
home/
jail/
log/
logical-systems/
lost+found/
mail/
mfs/
msgs/
named/
preserve/
root/
run/
rundb/
rundb.juniper.data/
rwho/
spool/
sw/
tmp/
transfer/
validate/
yp/

  4. As seen above, the directory is not present. Therefore, the next step is to log in to the shell as the root user and create the /var/empty directory with the following commands:

root@switch> start shell user root
% mkdir /var/empty
% chown root:wheel /var/empty
% chmod 555 /var/empty

  5. Then go to configuration mode, deactivate SSH, and activate it again:

root@switch# deactivate system services ssh
root@switch# commit full
root@switch# activate system services ssh
root@switch# commit full
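As an added example (not part of the KB article or of Junos), the following POSIX shell functions reproduce the conditions sshd checks on its privilege separation directory before it will start (the path must exist, be owned by root, and not be group- or world-writable; a directory-type check is added here) together with the repair performed in step 4. The directory and expected owner are parameters, which is an assumption made so the check can be exercised on a scratch directory as an unprivileged user; on the switch it would be run from the root shell against /var/empty.

```shell
# Added example, not from the KB article: reproduce the conditions sshd
# checks on its privilege separation directory before it starts (the path
# must exist, be owned by root, and not be group- or world-writable; a
# directory-type check is added here), and the repair from step 4.
# Assumes only POSIX sh and find(1). DIR and OWNER are parameters so the
# check can run against a scratch directory as an unprivileged user; on
# the switch it is run from the root shell against /var/empty.

# check_privsep_dir DIR [OWNER]
# Prints a diagnosis and returns 0 only when sshd would accept DIR.
check_privsep_dir() {
    dir=$1
    owner=${2:-root}     # sshd insists on uid 0; overridable for testing
    if [ ! -e "$dir" ]; then
        echo "fatal: Missing privilege separation directory: $dir"
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "fatal: $dir exists but is not a directory"
        return 1
    fi
    # -prune keeps find(1) on DIR itself instead of descending into it.
    if [ -z "$(find "$dir" -prune -user "$owner" -print 2>/dev/null)" ]; then
        echo "fatal: $dir must be owned by $owner"
        return 1
    fi
    # Octal -perm with a leading '-' matches when the named bit is set:
    # 020 = group write, 002 = other write.
    if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]; then
        echo "fatal: $dir must not be group or world writable"
        return 1
    fi
    echo "ok: $dir"
    return 0
}

# repair_privsep_dir DIR [OWNER:GROUP]
# The fix applied in step 4 of the article: mkdir, chown root:wheel, chmod 555.
repair_privsep_dir() {
    dir=$1
    og=${2:-root:wheel}
    mkdir -p "$dir" && chown "$og" "$dir" && chmod 555 "$dir"
}
```

Running check_privsep_dir /var/empty from the root shell after the repair gives a quick confirmation before SSH is reactivated in step 5.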
