
[EX/QFX] Troubleshooting SSHD log message "sshd 1234 fatal: Missing privilege separation directory: /var/empty"


Article ID: KB34025 | Last Updated: 05 Apr 2019 | Version: 1.0
Summary:

This article explains how to troubleshoot an SSH problem in relation to the log message "sshd 1234 fatal: Missing privilege separation directory: /var/empty".


Symptoms:

The switch may reject SSH connections even though SSH is correctly configured on it, and the following log message is reported:

sshd 1234 fatal: Missing privilege separation directory: /var/empty


Cause:

The above problem may be due to a missing /var/empty directory. sshd's privilege separation uses this directory as the confined working environment for the part of the daemon that should not have unrestricted access to the file system, which prevents that process from abusing its privileges; when the directory is absent, sshd treats it as a fatal error and does not start.


Solution:

The issue has been resolved in Junos OS releases 11.3R7, 11.4R4, 12.1R3, 12.2R1, and 12.3R1.

On releases that do not contain the fix, troubleshoot the missing /var/empty directory with the following steps:

  1. Issue the show system processes extensive command to check whether sshd is running on the device. When this problem is present, sshd is not in the process list, so the command should return no output:
root@switch> show system processes extensive | match ssh
  2. Check the log messages on the switch for the following error (the message is not always present):

Jul 25 12:00:11 PWK-Core-switch sshd 1234 fatal: Missing privilege separation directory: /var/empty
  3. If the log message is seen on the device, issue the file list /var/ command to check whether the /var/empty directory is present:

user@switch> file list /var/

/var/:
.snap/
BSD.var.dist
account/
at/
backups/
bin/
crash/
cron/
db/
etc/
etcroot/
heimdal/
home/
jail/
log/
logical-systems/
lost+found/
mail/
mfs/
msgs/
named/
preserve/
root/
run/
rundb/
rundb.juniper.data/
rwho/
spool/
sw/
tmp/
transfer/
validate/
yp/
  4. As shown above, the directory is not present. Log in to the shell as the root user and create the /var/empty directory with the following commands:

root@switch> start shell user root
% mkdir /var/empty
% chown root:wheel /var/empty
% chmod 555 /var/empty
  5. Then enter configuration mode, deactivate SSH, and activate it again:

root@switch# deactivate system services ssh
root@switch# commit full
root@switch# activate system services ssh
root@switch# commit full
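As an added example that is not part of the KB article, the following POSIX shell script reproduces the sanity checks sshd applies to its privilege separation directory (it must exist, be a directory, be owned by root, and not be group- or world-writable), so the state of /var/empty can be verified in one command from the Junos root shell rather than read off the "file list /var/" output. The directory path and the expected owner uid are assumed parameters (the uid only so the function can be exercised on a scratch directory; sshd itself requires uid 0), and repair_privsep_dir is a hypothetical helper wrapping the mkdir/chown/chmod sequence from step 4.

```shell
#!/bin/sh
# Added example (not from the KB article): reproduce the sanity checks that
# sshd applies to its privilege separation directory before starting, so the
# state of /var/empty can be verified in one step from the Junos root shell.
# DIR and the expected owner uid are parameters (the latter only so the
# function can be exercised on a scratch directory; sshd itself requires 0).

# Print one word describing the state of DIR and return 0 only when sshd
# would accept it: it must exist, be a directory, be owned by uid 0 and
# must not be writable by group or others.
check_privsep_dir() {
    dir=$1
    want_uid=${2:-0}
    if [ ! -e "$dir" ]; then
        echo missing; return 1
    fi
    # ls -ldn is POSIX and has the same field layout on FreeBSD (Junos)
    # and Linux: mode string first, numeric uid third.
    set -- $(ls -ldn "$dir")
    mode=$1; uid=$3
    case $mode in
        d*) ;;
        *)  echo not-a-directory; return 1 ;;
    esac
    if [ "$uid" != "$want_uid" ]; then
        echo bad-owner; return 1
    fi
    # characters 6 and 9 of the mode string are the group and other
    # write bits, e.g. "drwxr-xr-x" gives "-" and "-"
    gw=$(printf '%s' "$mode" | cut -c6)
    ow=$(printf '%s' "$mode" | cut -c9)
    if [ "$gw" = w ] || [ "$ow" = w ]; then
        echo writable; return 1
    fi
    echo ok
}

# Hypothetical helper wrapping step 4 of the article (run as root in the
# Junos shell): create the directory, give it to root:wheel and make it
# read-only for everyone.
repair_privsep_dir() {
    mkdir -p "$1" && chown root:wheel "$1" && chmod 555 "$1"
}

# Usage from the root shell: sh check_privsep.sh /var/empty
if [ $# -gt 0 ]; then
    check_privsep_dir "$1"
fi
```

A result other than "ok" names the first check sshd would fail on, which is also the order in which to fix the directory: create it, then correct the owner, then the mode.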
