bug in channel_still_open() ?

Richard E. Silverman slade at shore.net
Thu Apr 5 18:09:18 EST 2001


channel_still_open() does not count "larval" channels as open.  If the server
sets up a protocol 2 connection with no remote command (as with "ssh -N ..."),
the "server-session" channel remains larval, and the server exits as soon as
it notices that there are no open channels besides this one.  Typically, it
exits right after the first use of a port forwarding closes.

Below I'm appending a post I just made to comp.security.ssh, with a patch
which fixes the problem.  I don't know if it's the right thing to do, though.
I'm guessing that not counting larval channels might have been a mistake.
Perhaps counting them will cause some other problem, though, and the right fix
is something else?

--
  Richard Silverman
  slade at shore.net

============================================================================
Newsgroups: comp.security.ssh
Subject: Re: POP3 Tunnel Closes on Second Connection
References: <3AC4AAE0.4EE58BE9 at well.com>
From: slade at shore.net (Richard E. Silverman)
Date: 05 Apr 2001 03:56:34 -0400
Message-ID: <m1llmpfye31.fsf at syrinx.oankali.net>
Lines: 40


> We have set up a local server to tunnel pop3 connections to our "real"
> mail server, using ssh2 local port forwarding:
> 
>     ssh -f -g -l {user} -L 110:mailserver:110 -N -P mailserver
> 
> The first time we make a pop3 connection to the local server, everything
> works fine: the connection is forwarded across the ssh tunnel to the
> remote mail server, and we retrieve our mail. The second time we attempt
> a pop3 connection, the remote mail server drops the ssh connection.
> 
> What is going on? What is the fix?

This appears to be a bug; it doesn't happen if you e.g. remove the -f -N.
The problem is that without a session channel, OpenSSH uses a sort of
placeholder channel of a special internal type which does not get counted
as "open", so sshd thinks that all channels are closed and exits.  I think
the fact you get even one chance is an accident.

A quick fix is this:

--- channels.c  Thu Apr  5 03:53:30 2001
+++ channels.c.new      Thu Apr  5 03:54:56 2001
@@ -1503,7 +1503,6 @@
                case SSH_CHANNEL_LARVAL:
                        if (!compat20)
                                fatal("cannot happen: SSH_CHANNEL_LARVAL");
-                       continue;
                case SSH_CHANNEL_OPENING:
                case SSH_CHANNEL_OPEN:
                case SSH_CHANNEL_X11_OPEN:
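
Review bot: With the `continue` removed, `case SSH_CHANNEL_LARVAL:` falls through into the `SSH_CHANNEL_OPENING` / `SSH_CHANNEL_OPEN` / `SSH_CHANNEL_X11_OPEN` labels, and nothing marks that as intentional. Add a `/* FALLTHROUGH */` comment after the `fatal()` check so a later cleanup does not restore the `continue`. The change also makes every protocol 2 larval channel count as open, not only the placeholder server-session channel described in the message. It is worth confirming that a larval channel which never leaves that state cannot keep the server from exiting once all other channels have closed.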

(That is, remove the "continue" statement.)

I'm not 100% sure this is the right fix, though; I'm going to post to the
OpenSSH developers list and see what they say.

--
  Richard Silverman
  slade at shore.net
============================================================================



