← Back to team overview

touch-packages team mailing list archive

[Bug 1287222] Re: openssh-client 6.5 regression bug with certain servers

 

Looks like there's a patch for openssh available the RH bug which
detects broken server implementations and sends options that they can
accept (by matching "Cisco-*" in the banner).

We probably don't want to have to maintain this patch in Ubuntu
indefinitely though. But we could cherry-pick it if upstream commit the
patch. Is there a bug filed with openssh upstream?

** Tags added: needs-upstream-report

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1287222

Title:
  openssh-client 6.5 regression bug with certain servers

Status in openssh package in Ubuntu:
  Confirmed
Status in openssh package in Debian:
  New
Status in openssh package in Fedora:
  Unknown

Bug description:
  Previous working versions of SSH (6.2p2) work fine on certain host
  machines as follows:

  penSSH_6.2p2 Ubuntu-6, OpenSSL 1.0.1f 6 Jan 2014
  debug1: Reading configuration data /etc/ssh/ssh_config
  debug1: /etc/ssh/ssh_config line 19: Applying options for *
  debug1: Connecting to hostname [IPAddress] port 22.
  debug1: Connection established.
  debug1: identity file /home/nelsot08/.ssh/identity type -1
  debug1: identity file /home/nelsot08/.ssh/identity-cert type -1
  debug1: identity file /home/nelsot08/.ssh/id_rsa type 1
  debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
  debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
  debug1: identity file /home/nelsot08/.ssh/id_rsa-cert type -1
  debug1: identity file /home/nelsot08/.ssh/id_dsa type -1
  debug1: identity file /home/nelsot08/.ssh/id_dsa-cert type -1
  debug1: identity file /home/nelsot08/.ssh/id_ecdsa type -1
  debug1: identity file /home/nelsot08/.ssh/id_ecdsa-cert type -1
  debug1: Remote protocol version 2.0, remote software version Cisco-1.25
  debug1: no match: Cisco-1.25
  debug1: Enabling compatibility mode for protocol 2.0
  debug1: Local version string SSH-2.0-OpenSSH_6.2p2 Ubuntu-6
  debug1: SSH2_MSG_KEXINIT sent
  debug1: SSH2_MSG_KEXINIT received
  debug1: kex: server->client aes128-cbc hmac-md5 none
  debug1: kex: client->server aes128-cbc hmac-md5 none
  debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
  debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
  debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
  debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
  debug1: Server host key: RSA 24:75:76:a1:80:0e:6c:4e:a8:c4:a6:a9:d3:34:98:18
  Warning: Permanently added 'hostname,IPAddress' (RSA) to the list of known hosts.
  debug1: ssh_rsa_verify: signature correct
  debug1: SSH2_MSG_NEWKEYS sent
  debug1: expecting SSH2_MSG_NEWKEYS
  debug1: SSH2_MSG_NEWKEYS received
  debug1: Roaming not allowed by server
  debug1: SSH2_MSG_SERVICE_REQUEST sent
  debug1: SSH2_MSG_SERVICE_ACCEPT received

  
  But in 6.5p1 the following bug occurs:

  OpenSSH_6.5, OpenSSL 1.0.1f 6 Jan 2014
  debug1: Reading configuration data /etc/ssh/ssh_config
  debug1: /etc/ssh/ssh_config line 19: Applying options for *
  debug1: Connecting to hostname [IPAddress] port 22.
  debug1: Connection established.
  debug1: identity file /home/nelsot08/.ssh/identity type -1
  debug1: identity file /home/nelsot08/.ssh/identity-cert type -1
  debug1: identity file /home/nelsot08/.ssh/id_rsa type 1
  debug1: identity file /home/nelsot08/.ssh/id_rsa-cert type -1
  debug1: identity file /home/nelsot08/.ssh/id_dsa type -1
  debug1: identity file /home/nelsot08/.ssh/id_dsa-cert type -1
  debug1: identity file /home/nelsot08/.ssh/id_ecdsa type -1
  debug1: identity file /home/nelsot08/.ssh/id_ecdsa-cert type -1
  debug1: identity file /home/nelsot08/.ssh/id_ed25519 type -1
  debug1: identity file /home/nelsot08/.ssh/id_ed25519-cert type -1
  debug1: Remote protocol version 2.0, remote software version Cisco-1.25
  debug1: no match: Cisco-1.25
  debug1: Enabling compatibility mode for protocol 2.0
  debug1: Local version string SSH-2.0-OpenSSH_6.5p1 Ubuntu-4
  debug1: SSH2_MSG_KEXINIT sent
  debug1: SSH2_MSG_KEXINIT received
  debug1: kex: server->client aes128-cbc hmac-md5 none
  debug1: kex: client->server aes128-cbc hmac-md5 none
  debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
  debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
  Connection closed by IPAddress

  
  This is a regression and there are multiple references to this bug occurring previously:

  http://www.held.org.il/blog/2011/05/the-myterious-case-of-broken-ssh-
  client-connection-reset-by-peer/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1287222/+subscriptions