Bug 1114008 - SSH access fails after upgrade to openssh-7.8p1-1.1.x86_64
SSH access fails after upgrade to openssh-7.8p1-1.1.x86_64
Status: RESOLVED FIXED
: 1112649 1114064 1114090 (view as bug list)
Classification: openSUSE
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Basesystem
Current
All All
: P2 - High : Normal (vote)
: ---
Assigned To: Pedro Monreal Gonzalez
E-mail List
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-10-30 15:41 UTC by Michael Ströder
Modified: 2019-01-23 10:25 UTC (History)
33 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
failed SSH connection attempt (6.23 KB, text/plain)
2018-10-30 15:57 UTC, Michael Ströder
Details
successful SSH connection (7.64 KB, text/plain)
2018-10-30 15:57 UTC, Michael Ströder
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Ströder 2018-10-30 15:41:28 UTC
SSH access fails after upgrade client and server to openssh-7.8p1-1.1.x86_64.

Connecting with updated client to a Tumbleweed SSH server running openssh-7.7p1-4.1.x86_64 still works.

Maybe relevant:
https://bugzilla.redhat.com/show_bug.cgi?id=1623929
https://bugzilla.redhat.com/show_bug.cgi?id=1627875
Comment 1 Tomáš Chvátal 2018-10-30 15:49:43 UTC
Care to provide logs? and Ie sample keys/algorithms how you connect, otherwise there is not enough info for us to get it working.

Also the bugs you link are not relevant for this case.
Comment 2 Michael Ströder 2018-10-30 15:57:34 UTC
Created attachment 787831 [details]
failed SSH connection attempt
Comment 3 Michael Ströder 2018-10-30 15:57:59 UTC
Created attachment 787832 [details]
successful SSH connection
Comment 4 Jiri Slaby 2018-10-30 15:58:18 UTC
ssh to a VM:
ssh xslaby@localhost -p 2222

VM:
 sshd[17336]: fatal: mm_answer_keyverify: buffer error: incomplete message
Comment 5 Michael Ströder 2018-10-30 15:59:26 UTC
Added attachments with output of ssh -vv. I suspect the order of the host key algorithms might cause the issue.
Comment 6 Jiri Slaby 2018-10-30 15:59:46 UTC
And there is also with every attempt to connect:
sshd[17598]: rexec line 119: Deprecated option UsePrivilegeSeparation
Comment 7 Michael Ströder 2018-10-30 16:04:58 UTC
(In reply to Jiri Slaby from comment #6)
> And there is also with every attempt to connect:
> sshd[17598]: rexec line 119: Deprecated option UsePrivilegeSeparation

If you haven't touched your old sshd_config a while this (and a few other deprecated config options) is reported since quite a while and thus is likely not relevant.
Comment 8 Jiri Slaby 2018-10-30 16:09:13 UTC
With DEBUG3 and the deprecated config disabled:
> sshd[18110]: Accepted key RSA SHA256:wFdhQNtVE8yJYO33FqgkertrosyTUndoqC8L5dVqQUw found at /home/xslaby/.ssh/authorized_keys:1
> sshd[18110]: debug1: restore_uid: 0/0
> sshd[18110]: debug3: mm_answer_keyallowed: publickey authentication: RSA key is allowed
> sshd[18110]: debug3: mm_request_send entering: type 23
> sshd[18110]: debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
> sshd[18110]: debug3: mm_request_receive_expect entering: type 23 [preauth]
> sshd[18110]: debug3: mm_request_receive entering [preauth]
> sshd[18110]: debug3: mm_sshkey_verify entering [preauth]
> sshd[18110]: debug3: mm_request_send entering: type 24 [preauth]
> sshd[18110]: debug3: mm_sshkey_verify: waiting for MONITOR_ANS_KEYVERIFY [preauth]
> sshd[18110]: debug3: mm_request_receive_expect entering: type 25 [preauth]
> sshd[18110]: debug3: mm_request_receive entering [preauth]
> sshd[18110]: debug3: mm_request_receive entering
> sshd[18110]: debug3: monitor_read: checking request 24
> sshd[18110]: fatal: mm_answer_keyverify: buffer error: incomplete message
> sshd[18110]: debug1: do_cleanup
> sshd[18110]: debug1: PAM: cleanup
> sshd[18110]: debug3: PAM: sshpam_thread_cleanup entering
> sshd[18110]: debug1: Killing privsep ch
Comment 9 Pedro Monreal Gonzalez 2018-10-30 16:18:36 UTC
We have just updated to version 7.9p1 and shows the same behavior.
Comment 10 Jiri Slaby 2018-10-30 17:35:18 UTC
OTOH, downgrade to 15.1's 7.6p1 makes it work again:
openssh-helpers-7.6p1-lp151.8.13
openssh-7.6p1-lp151.8.13
Comment 11 Michael Ströder 2018-10-30 17:40:24 UTC
(In reply to Jiri Slaby from comment #10)
> OTOH, downgrade to 15.1's 7.6p1 makes it work again:
> openssh-helpers-7.6p1-lp151.8.13
> openssh-7.6p1-lp151.8.13

Did you downgrade at the client or at the server side or both?
Comment 12 Maximilian Trummer 2018-10-30 17:45:32 UTC
I can accesss a server running OpenSSH 7.7p1-4.1 just fine with a machine running an OpenSSH 7.8p1-1.1 client, so it seems like a server-side issue.
Comment 13 Илья Индиго 2018-10-31 00:06:12 UTC
https://bugzilla.opensuse.org/show_bug.cgi?id=1112649
Comment 14 Cristian Rodríguez 2018-10-31 00:19:14 UTC
(In reply to Илья Индиго from comment #13)
> https://bugzilla.opensuse.org/show_bug.cgi?id=1112649

Yes, that's it. thanks for taking a look at this.
Comment 15 Neil Rickert 2018-10-31 00:28:04 UTC
*** Bug 1114064 has been marked as a duplicate of this bug. ***
Comment 16 Cristian Rodríguez 2018-10-31 00:31:09 UTC
fixed in request id 645609
Comment 17 Cristian Rodríguez 2018-10-31 00:36:32 UTC
*** Bug 1112649 has been marked as a duplicate of this bug. ***
Comment 18 Andrei Dziahel 2018-10-31 07:13:54 UTC
Could you guys also make sure the fix would land Updates repository too? TIA.
Comment 19 Marcus Meissner 2018-10-31 07:31:25 UTC
*** Bug 1114090 has been marked as a duplicate of this bug. ***
Comment 20 Joop Boonen 2018-10-31 07:37:31 UTC
Just tested version: openssh-7.9p1 ( https://build.opensuse.org/package/show/network/openssh )
This one solves this issue.
Comment 21 Michael Ströder 2018-10-31 08:52:46 UTC
(In reply to Joop Boonen from comment #20)
> Just tested version: openssh-7.9p1 (
> https://build.opensuse.org/package/show/network/openssh )
> This one solves this issue.

I can confirm that openssh-7.9p1-198.1.x86_64 from the above repo works.
Comment 22 Pedro Monreal Gonzalez 2018-10-31 12:36:29 UTC
An update containing the fix in version openssh-7.8p1 has been released. Version 7.9p1 will be released shortly.

Please, check that it fixes the issue. Thanks!
Comment 23 Swamp Workflow Management 2018-10-31 12:50:06 UTC
This is an autogenerated message for OBS integration:
This bug (1114008) was mentioned in
https://build.opensuse.org/request/show/645729 Factory / openssh
Comment 24 C K 2018-11-01 04:29:42 UTC
openssh-7.8p1-3.1.x86_64 works again - thanks!
Comment 25 Pedro Monreal Gonzalez 2018-11-01 05:59:12 UTC
Thanks, closing.
Comment 26 Robert Schweikert 2018-11-01 11:32:44 UTC
Thanks for the quick fix. Is anyone investigating how to avoid an issue like this in the future?
Comment 27 Fabian Schmidt 2018-11-01 17:10:57 UTC
/etc/sysconfig/SuSEfirewall2.d/services/sshd is still missing in openssh-7.8p1-3.1. So, while openssh works, it is blocked by SuSEfirewall2 if you allow the named service in the firewall rules (FW_CONFIGURATIONS_...="sshd" instead of FW_SERVICES_..._TCP="22").
Comment 28 Cristian Rodríguez 2018-11-01 22:41:15 UTC
(In reply to Fabian Schmidt from comment #27)
> /etc/sysconfig/SuSEfirewall2.d/services/sshd is still missing in
> openssh-7.8p1-3.1. So, while openssh works, it is blocked by SuSEfirewall2
> if you allow the named service in the firewall rules
> (FW_CONFIGURATIONS_...="sshd" instead of FW_SERVICES_..._TCP="22").

You have to open a new bug report, this issue is specifically about an ssh fatal error, not a SUSEfirewall issue.
Comment 29 Klaus Kämpf 2018-11-09 08:31:55 UTC
*** Bug 1114965 has been marked as a duplicate of this bug. ***
Comment 30 Bernhard Wiedemann 2018-11-11 16:33:49 UTC
Worth mentioning, that this is still broken in the main Tumbleweed oss repo.
For some reason, I did not have the update repo on my tumbleweed install.
It is rolling since 2015-06-05
Comment 31 Ron Lovell 2018-11-12 13:44:25 UTC
(In reply to Bernhard Wiedemann from comment #30)

Thank you for mentioning that. I had disabled the main updates repo back
in July due to a temporary issue with its repomd.xml. I hadn't missed it
until now. Thanks!
Comment 32 Hans de Raad 2018-11-23 20:23:08 UTC
(In reply to Ron Lovell from comment #31)
> (In reply to Bernhard Wiedemann from comment #30)
> 
> Thank you for mentioning that. I had disabled the main updates repo back
> in July due to a temporary issue with its repomd.xml. I hadn't missed it
> until now. Thanks!

The build for 42.3 (as well as for SLE_12_SP3) fails with a mention of an issue with openbsd-compat:

Makefile:181: recipe for target 'openbsd-compat/libopenbsd-compat.a' failed

Is there any indication on if/when this issue will be fixed for 42.3?
Comment 33 Pedro Monreal Gonzalez 2018-11-26 10:23:56 UTC
> Makefile:181: recipe for target 'openbsd-compat/libopenbsd-compat.a' failed

I just tried in both 42.3 and SLE_12_SP3 and builds fine. This is a different bug, please open a separate one with more information and the steps to reproduce it.
Comment 34 Vítězslav Čížek 2018-11-26 14:17:09 UTC
(In reply to Hans de Raad from comment #32)
> Is there any indication on if/when this issue will be fixed for 42.3?

It has been fixed:
https://build.opensuse.org/request/show/651986