Bug 1114090 - OpenSSH-7.8p1 sshd closes connection after authentication
Status: RESOLVED DUPLICATE of bug 1114008
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Network
Version: Current
Hardware: x86-64 openSUSE Factory
Priority: P5 - None
Severity: Major
Assigned To: E-mail List
Reported: 2018-10-31 06:08 UTC by James Carter
Modified: 2018-11-25 01:59 UTC

Attachments
Session log showing the failure (3.26 KB, text/plain)
2018-10-31 06:11 UTC, James Carter
ssh_config client configuration (7.37 KB, text/plain)
2018-10-31 06:13 UTC, James Carter
sshd_config server configuration (7.05 KB, text/plain)
2018-10-31 06:13 UTC, James Carter
Description James Carter 2018-10-31 06:08:38 UTC
Testing the interoperation of sshd in OpenSSH-7.8p1 with various versions
of the ssh client: they do key exchange and the client passes 
authentication, but the 7.8p1 server then closes the connection, saying:
sshd[5841]: fatal: mm_answer_keyverify: buffer error: incomplete message
This is the only error message on the server's syslog.

Test execution is by root.  The host keys are RSA or ECDSA.  
User authentication is by publickey (RSA).  There is no Kerberos
credential for these tests (for root).

Versions tested:
openssh-7.2p2-4.1.x86_64.rpm dated 2017-03-05
    Didn't write down the mirror site but it's a SuSE Tumbleweed mirror.
    With OpenSSL 1.0.2o-fips
    Leap 42.3 is still on openssh-7.2p2-13.1.x86_64.rpm (with SuSE backports)

openssh-7.6p1-2.4.x86_64.rpm dated 2018-01-21
    from obs://build.opensuse.org/home:aljex
    With OpenSSL 1.0.2o-fips

openssh-7.7p1-4.1.x86_64.rpm dated 2018-10-01
https://download.opensuse.org/tumbleweed/repo/oss/x86_64/openssh-7.7p1-4.1.x86_64.rpm 
http://mirror.clarkson.edu/opensuse/tumbleweed/repo/oss/x86_64/openssh-7.7p1-4.1.x86_64.rpm 
    (actual mirror -- 404 Not Found).  I never got the RPM file.
    With OpenSSL 1.1.0h-fips on both Iris and Petra
    These machines did not get upgraded to 7.8p1 today, had 7.7p1
    from before.  

openssh-7.8p1-1.1.x86_64.rpm dated 2018-10-23
https://download.opensuse.org/tumbleweed/repo/oss/x86_64/openssh-7.8p1-1.1.x86_64.rpm 
http://mirror.us.leaseweb.net/opensuse/tumbleweed/repo/oss/x86_64/openssh-7.8p1-1.1.x86_64.rpm 
    (actual mirror)
    With OpenSSL 1.1.0h-fips

7.6p1 sshd and ssh can't handle KexDHMin so I commented it out in 
ssh{,d}_config.  All the others including 7.2p2 swallowed it, probably 
due to SuSE backports.  

All the hosts are x86_64 except Iris is aarch64 (ARM, Raspberry Pi).  
Oso and Petra are VMs.  Xena is a real machine.  

Test command line (execute on $CLIENT with key agent): ssh $SERVER ssh -V
(This is supposed to be a table but I have my doubts how it will come out.)
Client        Server        Outcome
7.2p1 xena    7.2p1 oso     OK
7.2p1 xena    7.6p1 oso     OK
7.2p1 xena    7.7p1 iris    OK
7.2p1 xena    7.8p1 oso     Connection to oso closed by remote host.

7.6p1 oso     7.2p1 xena    OK
7.6p1 oso     7.6p1 oso     OK
7.6p1 oso     7.7p1 iris    OK (also Petra)
7.6p1 oso     7.8p1 xena    Connection closed by 192.9.200.195 port 22

7.7p1 iris    7.2p1 oso     OK
7.7p1 iris    7.6p1 oso     OK
7.7p1 iris    7.7p1 iris    OK
7.7p1 iris    7.8p1 oso     Connection closed by 192.9.200.212 port 22

7.8p1 oso     7.2p1 xena    OK
7.8p1 xena    7.6p1 oso     OK
7.8p1 oso     7.7p1 iris    OK (also Petra)
7.8p1 oso     7.8p1 oso     Connection closed by 192.9.200.212 port 22

I hope the developers can reproduce this and figure out what went wrong
with 7.8p1.  

In case it isn't obvious, the effective workaround is to revert to 7.7p1 or
earlier, whichever back-version package you can find.  But once your
hosts have brought up v7.8p1, you're going to have to visit every machine
to downgrade them.  A USB memory stick is useful, but I put the packages
on my webserver, with a convenient symlink, and gave the URL like this:
zypper install --no-recommends --oldpackage http://arachne/openssh/7.2p1.rpm
And of course, systemctl restart sshd .
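
The test procedure in the description above (ssh $SERVER ssh -V, run from each client), as an added example that is not part of the original report or of OpenSSH: a script that runs it against a list of servers and prints one table row per server. The SSH_CMD variable, the function names and the OK/CLOSED/FAILED labels are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not part of the bug report. Runs the report's test
# ("ssh $SERVER ssh -V") from this client against each server named on the
# command line and prints one tab-separated row per server.
# SSH_CMD is an assumption of this sketch so a stub can stand in for ssh.
SSH_CMD=${SSH_CMD:-ssh}

# classify STATUS OUTPUT -> OK | CLOSED | FAILED
# ssh exits 255 on its own errors, otherwise with the remote command's status.
classify() {
    status=$1 output=$2
    if [ "$status" -eq 0 ]; then
        echo OK
    elif [ "$status" -eq 255 ]; then
        case $output in
            *"closed by"*) echo CLOSED ;;   # wording from the report's table
            *) echo FAILED ;;
        esac
    else
        echo FAILED
    fi
}

# test_server SERVER: prints the row and leaves the verdict in $outcome.
test_server() {
    server=$1
    # BatchMode=yes: never prompt, so a missing agent key is a FAILED row.
    output=$($SSH_CMD -o BatchMode=yes -o ConnectTimeout=10 \
        "$server" ssh -V 2>&1) && status=0 || status=$?
    # "ssh -V" writes e.g. "OpenSSH_7.7p1, OpenSSL ..." to stderr.
    version=$(printf '%s\n' "$output" |
        sed -n 's/^\(OpenSSH_[^, ]*\).*/\1/p' | head -n 1)
    outcome=$(classify "$status" "$output")
    printf '%s\t%s\t%s\n' "$server" "${version:--}" "$outcome"
}

# interop_table SERVER...: returns 1 if any row is not OK.
interop_table() {
    bad=0
    printf 'Server\tRemote ssh -V\tOutcome\n'
    for host in "$@"; do
        test_server "$host"
        [ "$outcome" = OK ] || bad=1
    done
    return "$bad"
}

if [ "$#" -gt 0 ]; then interop_table "$@"; fi
```

A CLOSED row only says the peer dropped the connection; the server's syslog line quoted in the description is what ties it to this bug.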
Comment 1 James Carter 2018-10-31 06:11:19 UTC
Created attachment 787952
Session log showing the failure
Comment 2 James Carter 2018-10-31 06:13:17 UTC
Created attachment 787953
ssh_config client configuration
Comment 3 James Carter 2018-10-31 06:13:59 UTC
Created attachment 787954
sshd_config server configuration
Comment 4 Marcus Meissner 2018-10-31 07:31:24 UTC
dup of bug 1114008 I think

*** This bug has been marked as a duplicate of bug 1114008 ***
Comment 5 James Carter 2018-11-04 04:19:30 UTC
Belated fix confirmation: openssh-7.8p1-3.1.x86_64 per bug 1114008
is working well and interoperates (client <-> server) with itself
and the back versions that I mentioned.  Thank you to the devs for
getting this fixed quickly.