[Bug 3639] New: server thread aborts during client login after receiving SSH2_MSG_KEXINIT
bugzilla-daemon at mindrot.org
Sun Dec 3 07:45:02 AEDT 2023
https://bugzilla.mindrot.org/show_bug.cgi?id=3639
Bug ID: 3639
Summary: server thread aborts during client login after
receiving SSH2_MSG_KEXINIT
Product: Portable OpenSSH
Version: 9.2p1
Hardware: ARM
OS: Linux
Status: NEW
Severity: critical
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: jtm.moon.forum.user+mindrot at gmail.com
tl;dr I downloaded and compiled openssh-9.2p1.tar.gz. When an OpenSSH
client attempts to log in, it sends SSH2_MSG_KEXINIT and the server
immediately resets the connection.
### Reproduction Steps
Using Raspbian 11 (based on Debian 11 Bullseye) on a Raspberry Pi 4
(ARM aarch64), I downloaded
https://mirror.edgecast.com/pub/OpenBSD/OpenSSH/portable/openssh-9.2p1.tar.gz
I compiled and installed it.
First, make sure necessary build packages are available

    apt install \
        libssl-dev \
        gcc g++ gdb cpp \
        make cmake \
        libtool \
        libc6 \
        autoconf automake pkg-config \
        build-essential \
        gettext \
        libzstd1 zlib1g \
        libssh-4 libssh-dev libssl3 \
        libc6-dev libc6 \
        libcrypt-dev

Download, build, install

    cd /tmp
    wget https://mirror.edgecast.com/pub/OpenBSD/OpenSSH/portable/openssh-9.2p1.tar.gz
    tar -xvf openssh-9.2p1.tar.gz
    cd openssh-9.2p1
    ./configure --prefix=/opt/openssh-9.2p1
    make
    make install

Adjust sshd_config

    vim /opt/openssh-9.2p1/etc/sshd_config

Add lines for a unique port, 2232, increase the log level

    Port 2232
    LogLevel DEBUG3

Otherwise, the `sshd_config` is used as-is.

Manually start `sshd`

    /opt/openssh-9.2p1/sbin/sshd -D

Tail the logs

    tail -f /var/log/auth.log

On a different host, attempt to login using the openssh client

    PS> ssh.exe root@192.168.1.2 -p 2232 -vvvv

The tail of the output shows

    ...
    debug3: send packet: type 20
    debug1: SSH2_MSG_KEXINIT sent
    debug3: recv - from CB ERROR:10054, io:000002E46F4CB690
    Connection reset by 192.168.1.2 port 2232

That output is from Windows ssh.exe (OpenSSH_for_Windows_8.6p1,
LibreSSL 3.4.3).
Using Ubuntu 22 x64 ssh (OpenSSH_8.9p1 Ubuntu-3ubuntu0.4, OpenSSL 3.0.2
15 Mar 2022) the ssh client output looks like:

    $ ssh root@192.168.1.2 -p 2232 -vvvv
    ...
    debug3: send packet: type 20
    debug1: SSH2_MSG_KEXINIT sent
    Connection reset by 192.168.1.2 port 2232

Using Debian 11 ARM ssh client compiled from the same compilation
(OpenSSH_9.2p1, OpenSSL 1.1.1w 11 Sep 2023) the same error occurs.

    $ /opt/openssh-9.2p1/bin/ssh -p 2232 root@192.168.1.2 -vvvvv
    ...
    debug3: send packet: type 20
    debug1: SSH2_MSG_KEXINIT sent
    Connection reset by 192.168.1.2 port 2232

The server log messages from `/var/log/auth.log` are

    2023-12-02T12:28:41.051665-08:00 host1 sshd[3790]: Connection from 192.168.1.3 port 62155 on 192.168.1.2 port 2232 rdomain ""
    2023-12-02T12:28:41.050817-08:00 host1 sshd[3790]: Connection from 192.168.1.3 port 62155 on 192.168.1.2 port 2232 rdomain ""
    2023-12-02T12:28:41.053381-08:00 host1 audit[3791]: SECCOMP auid=4294967295 uid=107 gid=65534 ses=4294967295 pid=3791 comm="sshd" exe="/opt/openssh-9.2p1/sbin/sshd" sig=31 arch=40000028 syscall=20 compat=1 ip=0xf787080c code=0x0

### Notes
This error does not occur using release 9.1p1.
This error does occur for release 9.2p1 up to 9.5p1 (I tried all of
them).
I attempted to reproduce this on an Ubuntu 22 x64 Virtual Machine as the
server. The error did not occur (logins succeeded).
Various information about the host on which the error occurs

    $ lscpu
    Architecture:                    aarch64
    Byte Order:                      Little Endian
    CPU(s):                          4
    On-line CPU(s) list:             0-3
    Thread(s) per core:              1
    Core(s) per socket:              4
    Socket(s):                       1
    Vendor ID:                       ARM
    Model:                           3
    Model name:                      Cortex-A72
    Stepping:                        r0p3
    CPU max MHz:                     1500.0000
    CPU min MHz:                     600.0000
    BogoMIPS:                        108.00
    L1d cache:                       128 KiB
    L1i cache:                       192 KiB
    L2 cache:                        1 MiB
    Vulnerability Itlb multihit:     Not affected
    Vulnerability L1tf:              Not affected
    Vulnerability Mds:               Not affected
    Vulnerability Meltdown:          Not affected
    Vulnerability Mmio stale data:   Not affected
    Vulnerability Retbleed:          Not affected
    Vulnerability Spec store bypass: Vulnerable
    Vulnerability Spectre v1:        Mitigation; __user pointer sanitization
    Vulnerability Spectre v2:        Vulnerable
    Vulnerability Srbds:             Not affected
    Vulnerability Tsx async abort:   Not affected
    Flags:                           fp asimd evtstrm crc32 cpuid

    $ uname -a
    Linux host1 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr 3 17:24:16 BST 2023 aarch64 GNU/Linux

The host `apt` packages (dpkg) are up-to-date.
I suspect this bug is specific to this Debian-derived distribution
and/or ARM architecture.
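
The `SECCOMP` audit record in the server log above can be decoded field by field. The sketch below is an added example, not part of the original report and not OpenSSH code; the helper name `decode_seccomp` is hypothetical, and its tables cover only syscall number 20 and a few audit arch values.

```python
import re

# Audit arch tokens (linux/audit.h): ELF machine number OR'd with
# __AUDIT_ARCH_64BIT (0x80000000) and __AUDIT_ARCH_LE (0x40000000).
AUDIT_ARCH = {
    0x40000028: "arm",      # EM_ARM = 40
    0xC00000B7: "aarch64",  # EM_AARCH64 = 183
    0x40000003: "i386",     # EM_386 = 3
    0xC000003E: "x86_64",   # EM_X86_64 = 62
}
# Partial on purpose: only syscall number 20, the one in the report.
SYSCALL_20 = {"arm": "getpid", "i386": "getpid",
              "x86_64": "writev", "aarch64": "epoll_create1"}
# Filter return actions (linux/seccomp.h), logged in the code= field.
ACTIONS = {0x00000000: "SECCOMP_RET_KILL_THREAD",
           0x80000000: "SECCOMP_RET_KILL_PROCESS",
           0x00030000: "SECCOMP_RET_TRAP"}

# The SECCOMP record from the report's auth.log, re-joined onto one line.
RECORD = ('2023-12-02T12:28:41.053381-08:00 host1 audit[3791]: SECCOMP '
          'auid=4294967295 uid=107 gid=65534 ses=4294967295 pid=3791 '
          'comm="sshd" exe="/opt/openssh-9.2p1/sbin/sshd" sig=31 '
          'arch=40000028 syscall=20 compat=1 ip=0xf787080c code=0x0')

def decode_seccomp(record):
    """Return a readable dict for an audit SECCOMP record, else None."""
    if " SECCOMP " not in record:
        return None
    f = {k: v.strip('"') for k, v in
         re.findall(r'(\w+)=("[^"]*"|\S+)', record)}
    try:
        arch = int(f["arch"], 16)          # hex, no 0x prefix
        nr, sig = int(f["syscall"]), int(f["sig"])
        code = int(f["code"], 16)
    except (KeyError, ValueError):
        return None                        # truncated or malformed record
    abi = AUDIT_ARCH.get(arch, "unknown(%#x)" % arch)
    name = SYSCALL_20.get(abi) if nr == 20 else None
    return {
        "exe": f.get("exe"),
        "abi": abi,
        "bits": 64 if arch & 0x80000000 else 32,
        "syscall": name or "nr %d" % nr,
        "signal": "SIGSYS" if sig == 31 else "signal %d" % sig,
        "action": ACTIONS.get(code, "%#x" % code),
        "compat": f.get("compat") == "1",
    }

if __name__ == "__main__":
    print(decode_seccomp(RECORD))
```

For the record in this report it returns abi `arm`, 32 bits, compat true, syscall `getpid`, signal `SIGSYS` and action `SECCOMP_RET_KILL_THREAD`.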