Bugzilla – Full Text Bug Listing
| Summary: | OpenSSH-7.8p1 sshd closes connection after authentication | ||
|---|---|---|---|
| Product: | [openSUSE] openSUSE Tumbleweed | Reporter: | James Carter <jimc> |
| Component: | Network | Assignee: | E-mail List <bnc-team-screening> |
| Status: | RESOLVED DUPLICATE | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Major | ||
| Priority: | P5 - None | CC: | bart.vanassche+novell |
| Version: | Current | ||
| Target Milestone: | --- | ||
| Hardware: | x86-64 | ||
| OS: | openSUSE Factory | ||
| Whiteboard: | |||
| Found By: | --- | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | Session log showing the failure; ssh_config client configuration; sshd_config server configuration |
Created attachment 787952
Session log showing the failure
Created attachment 787953
ssh_config client configuration
Created attachment 787954
sshd_config server configuration
dup of bug 1114008 I think

*** This bug has been marked as a duplicate of bug 1114008 ***

Belated fix confirmation: openssh-7.8p1-3.1.x86_64 per bug 1114008 is working well and interoperates (client <-> server) with itself and the back versions that I mentioned. Thank you to the devs for getting this fixed quickly.

Testing the interoperation of sshd in OpenSSH-7.8p1 with various versions of the ssh client: they do key exchange and the client passes authentication, but the 7.8p1 server then closes the connection, saying:

sshd[5841]: fatal: mm_answer_keyverify: buffer error: incomplete message

This is the only error message on server's syslog.

Test execution is by root. The host keys are RSA or ECDSA. User authentication is by publickey (RSA). There is no Kerberos credential for these tests (for root).

Versions tested:

openssh-7.2p2-4.1.x86_64.rpm dated 2017-03-05
Didn't write down the mirror site but it's a SuSE Tumbleweed mirror.
With OpenSSL 1.0.2o-fips
Leap 42.3 is still on openssh-7.2p2-13.1.x86_64.rpm (with SuSE backports)

openssh-7.6p1-2.4.x86_64.rpm dated 2018-01-21
from obs://build.opensuse.org/home:aljex
With OpenSSL 1.0.2o-fips

openssh-7.7p1-4.1.x86_64.rpm dated 2018-10-01
https://download.opensuse.org/tumbleweed/repo/oss/x86_64/openssh-7.7p1-4.1.x86_64.rpm
http://mirror.clarkson.edu/opensuse/tumbleweed/repo/oss/x86_64/openssh-7.7p1-4.1.x86_64.rpm (actual mirror -- 404 Not Found). I never got the RPM file.
With OpenSSL 1.1.0h-fips on both Iris and Petra
These machines did not get upgraded to 7.8p1 today, had 7.7p1 from before.

openssh-7.8p1-1.1.x86_64.rpm dated 2018-10-23
https://download.opensuse.org/tumbleweed/repo/oss/x86_64/openssh-7.8p1-1.1.x86_64.rpm
http://mirror.us.leaseweb.net/opensuse/tumbleweed/repo/oss/x86_64/openssh-7.8p1-1.1.x86_64.rpm (actual mirror)
With OpenSSL 1.1.0h-fips

7.6p1 sshd and ssh can't handle KexDHMin so I commented it out in ssh{,d}_config. All the others including 7.2p2 swallowed it, probably due to SuSE backports.

All the hosts are x86_64 except Iris is aarch64 (ARM, Raspberry Pi). Oso and Petra are VMs. Xena is a real machine.

Test command line (execute on $CLIENT with key agent):

ssh $SERVER ssh -V

(This is supposed to be a table but I have my doubts how it will come out.)

| Client | Server | Outcome |
|---|---|---|
| 7.2p1 xena | 7.2p1 oso | OK |
| 7.2p1 xena | 7.6p1 oso | OK |
| 7.2p1 xena | 7.7p1 iris | OK |
| 7.2p1 xena | 7.8p1 oso | Connection to oso closed by remote host. |
| 7.6p1 oso | 7.2p1 xena | OK |
| 7.6p1 oso | 7.6p1 oso | OK |
| 7.6p1 oso | 7.7p1 iris | OK (also Petra) |
| 7.6p1 oso | 7.8p1 xena | Connection closed by 192.9.200.195 port 22 |
| 7.7p1 iris | 7.2p1 oso | OK |
| 7.7p1 iris | 7.6p1 oso | OK |
| 7.7p1 iris | 7.7p1 iris | OK |
| 7.7p1 iris | 7.8p1 oso | Connection closed by 192.9.200.212 port 22 |
| 7.8p1 oso | 7.2p1 xena | OK |
| 7.8p1 xena | 7.6p1 oso | OK |
| 7.8p1 oso | 7.7p1 iris | OK (also Petra) |
| 7.8p1 oso | 7.8p1 oso | Connection closed by 192.9.200.212 port 22 |

I hope the developers can reproduce this and figure out what went wrong with 7.8p1.

In case it isn't obvious, the effective workaround is to revert to 7.7p1 or earlier, whichever back-version package you can find. But once your hosts have brought up v7.8p1, you're going to have to visit every machine to downgrade them. A USB memory stick is useful, but I put the packages on my webserver, with a convenient symlink, and gave the URL like this:

zypper install --no-recommends --oldpackage http://arachne/openssh/7.2p1.rpm

And of course, systemctl restart sshd.
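
Added example, not part of the original report: a POSIX shell wrapper around the report's test command (ssh $SERVER ssh -V) that fills in one client's rows of the matrix and separates ssh's own failures (exit status 255, as with the "Connection closed by ..." outcomes) from a remote command error. The SSH override variable, the function names and the tab-separated output layout are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the bug report. Run on one client with a key agent
# loaded; it repeats the report's test command against each server named.
# SSH is this example's own override hook (assumption), defaulting to ssh.
SSH="${SSH:-ssh}"

# probe_server HOST
# Prints "HOST<TAB>STATUS<TAB>last output line"; returns 0 only when the
# remote "ssh -V" ran.
probe_server() {
    host=$1
    rc=0
    # "ssh -V" writes its version banner to stderr, so capture both streams.
    # BatchMode=yes makes ssh fail instead of prompting for a password.
    out=$("$SSH" -o BatchMode=yes -o ConnectTimeout=10 "$host" ssh -V 2>&1) || rc=$?
    # Keep the last line only, so a login banner does not end up in the row.
    last=$(printf '%s\n' "$out" | tail -n 1)
    if [ "$rc" -eq 0 ]; then
        printf '%s\tOK\t%s\n' "$host" "$last"
        return 0
    fi
    # ssh exits 255 for its own errors (such as the "Connection closed by ..."
    # lines in the report); any other status came from the remote command.
    if [ "$rc" -eq 255 ]; then
        status=SSH-ERROR
    else
        status="REMOTE-EXIT-$rc"
    fi
    printf '%s\t%s\t%s\n' "$host" "$status" "$last"
    return 1
}

# probe_all HOST...
# One row per host; returns 1 if any host did not answer OK.
probe_all() {
    failed=0
    for h in "$@"; do
        probe_server "$h" || failed=1
    done
    return "$failed"
}

# Probe only when hosts are given, e.g.: sh probe.sh oso xena iris
if [ "$#" -gt 0 ]; then
    probe_all "$@"
fi
```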