Call for testing: OpenSSH 8.0
Damien Miller
djm at mindrot.org
Fri Mar 29 22:31:44 AEDT 2019
Thanks for testing - are you able to see if there's anything in
the server logs?
I've just committed some extra verbosity in the client's log messages that
might clarify where it is exiting (patch attached).
-d
On Fri, 29 Mar 2019, Adam Eijdenberg wrote:
> On Wed, Mar 27, 2019 at 10:04 PM Damien Miller <djm at mindrot.org> wrote:
> >
> > OpenSSH 8.0p1 is almost ready for release, so we would appreciate testing
> > on as many platforms and systems as possible.
> >
> > Snapshot releases for portable OpenSSH are available from
> > http://www.mindrot.org/openssh_snap/
>
> Hi Damien,
>
> I pull today's snapshot from the link above onto an Ubuntu 18.04.2 and
> was able to successfully build and run the regression tests.
>
> I then tried to use the new ssh binary to connect to one of our
> production servers (which run OpenSSH_7.4p1) and observed an error
> connecting, after authentication appeared to succeed.
>
> $ ./ssh -p 4444 ec2-user at our.server.in.the.cloud
> client_loop: Broken pipe
>
> When I execute the same command with the built-in SSH (OpenSSH_7.6p1)
> it succeeds.
>
> If relevant, we use short-lived RSA certificates that are in our local
> SSH agent, and the private keys are not written to disk.
>
> Full verbose output below - I've changed the server names / IPs / port
> numbers a little but otherwise as is:
>
> $ ssh-add -L
> ssh-rsa AA...AN /home/me/.ssh/id_rsa
> ssh-rsa-cert-v01 at openssh.com AAAAH...MJskQ== id_dtacld_shortlived_rsa
>
> $ ./ssh -vvv -p 4444 ec2-user at our.server.in.the.cloud
> OpenSSH_7.9p1-snap20190329, OpenSSL 1.1.0g 2 Nov 2017
> debug2: resolving "our.server.in.the.cloud" port 4444
> debug2: ssh_connect_direct
> debug1: Connecting to our.server.in.the.cloud [our.ip.in.the.cloud] port 4444.
> debug1: Connection established.
> debug1: identity file /home/me/.ssh/id_rsa type 0
> debug1: identity file /home/me/.ssh/id_rsa-cert type -1
> debug1: identity file /home/me/.ssh/id_dsa type -1
> debug1: identity file /home/me/.ssh/id_dsa-cert type -1
> debug1: identity file /home/me/.ssh/id_ecdsa type -1
> debug1: identity file /home/me/.ssh/id_ecdsa-cert type -1
> debug1: identity file /home/me/.ssh/id_ed25519 type -1
> debug1: identity file /home/me/.ssh/id_ed25519-cert type -1
> debug1: identity file /home/me/.ssh/id_xmss type -1
> debug1: identity file /home/me/.ssh/id_xmss-cert type -1
> debug1: Local version string SSH-2.0-OpenSSH_7.9
> debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
> debug1: match: OpenSSH_7.4 pat
> OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7*
> compat 0x04000002
> debug2: fd 3 setting O_NONBLOCK
> debug1: Authenticating to our.server.in.the.cloud:4444 as 'ec2-user'
> debug3: put_host_port: [our.server.in.the.cloud]:4444
> debug3: hostkeys_foreach: reading file "/home/me/.ssh/known_hosts"
> debug3: send packet: type 20
> debug1: SSH2_MSG_KEXINIT sent
> debug3: receive packet: type 20
> debug1: SSH2_MSG_KEXINIT received
> debug2: local client KEXINIT proposal
> debug2: KEX algorithms:
> curve25519-sha256,curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
> debug2: host key algorithms:
> ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ssh-ed25519-cert-v01 at openssh.com,rsa-sha2-512-cert-v01 at openssh.com,rsa-sha2-256-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
> debug2: ciphers ctos:
> chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com
> debug2: ciphers stoc:
> chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com
> debug2: MACs ctos:
> umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
> debug2: MACs stoc:
> umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
> debug2: compression ctos: none,zlib at openssh.com,zlib
> debug2: compression stoc: none,zlib at openssh.com,zlib
> debug2: languages ctos:
> debug2: languages stoc:
> debug2: first_kex_follows 0
> debug2: reserved 0
> debug2: peer server KEXINIT proposal
> debug2: KEX algorithms:
> curve25519-sha256,curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: host key algorithms:
> ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01 at openssh.com,ssh-ed25519
> debug2: ciphers ctos:
> chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
> debug2: ciphers stoc:
> chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
> debug2: MACs ctos:
> umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
> debug2: MACs stoc:
> umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
> debug2: compression ctos: none,zlib at openssh.com
> debug2: compression stoc: none,zlib at openssh.com
> debug2: languages ctos:
> debug2: languages stoc:
> debug2: first_kex_follows 0
> debug2: reserved 0
> debug1: kex: algorithm: curve25519-sha256
> debug1: kex: host key algorithm: ecdsa-sha2-nistp256-cert-v01 at openssh.com
> debug1: kex: server->client cipher: chacha20-poly1305 at openssh.com MAC:
> <implicit> compression: none
> debug1: kex: client->server cipher: chacha20-poly1305 at openssh.com MAC:
> <implicit> compression: none
> debug3: send packet: type 30
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> debug3: receive packet: type 31
> debug1: Server host certificate:
> ecdsa-sha2-nistp256-cert-v01 at openssh.com
> SHA256:AH8vtFSfhKUE41ankmoB/tpo9Duxe7ZHA5S1sja36Fk, serial 0 ID
> "our.server.in.the.cloud" CA ssh-rsa
> SHA256:QtxnpSvhjow+Z68+z5VMnNGitHHc+nkoDMiJM0C+JtM valid from
> 2019-03-29T11:00:01 to 2019-03-30T11:00:01
> debug2: Server host certificate hostname: our.server.in.the.cloud
> debug3: put_host_port: [our.ip.in.the.cloud]:4444
> debug3: put_host_port: [our.server.in.the.cloud]:4444
> debug3: hostkeys_foreach: reading file "/home/me/.ssh/known_hosts"
> debug1: checking without port identifier
> debug3: hostkeys_foreach: reading file "/home/me/.ssh/known_hosts"
> debug3: record_hostkey: found ca key type RSA in file
> /home/me/.ssh/known_hosts:11
> debug3: load_hostkeys: loaded 1 keys from our.server.in.the.cloud
> debug1: Host 'our.server.in.the.cloud' is known and matches the
> ECDSA-CERT host certificate.
> debug1: Found CA key in /home/me/.ssh/known_hosts:11
> debug1: found matching key w/out port
> debug3: send packet: type 21
> debug2: set_newkeys: mode 1
> debug1: rekey out after 134217728 blocks
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug3: receive packet: type 21
> debug1: SSH2_MSG_NEWKEYS received
> debug2: set_newkeys: mode 0
> debug1: rekey in after 134217728 blocks
> debug1: Will attempt key: /home/me/.ssh/id_rsa RSA
> SHA256:jFWK2zuc3SuLroIcpk/awobdgD43pu0G9iWtst1lLzg agent
> debug1: Will attempt key: id_dtacld_shortlived_rsa RSA-CERT
> SHA256:AeEypypDIQ7DXiFtXfpEGmNZHHSpDoD9Hppg+YzU+O0 agent
> debug1: Will attempt key: /home/me/.ssh/id_dsa
> debug1: Will attempt key: /home/me/.ssh/id_ecdsa
> debug1: Will attempt key: /home/me/.ssh/id_ed25519
> debug1: Will attempt key: /home/me/.ssh/id_xmss
> debug2: pubkey_prepare: done
> debug3: send packet: type 5
> debug3: receive packet: type 7
> debug1: SSH2_MSG_EXT_INFO received
> debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
> debug3: receive packet: type 6
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug3: send packet: type 50
> debug3: receive packet: type 51
> debug1: Authentications that can continue: publickey
> debug3: start over, passed a different list publickey
> debug3: preferred publickey,keyboard-interactive,password
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Offering public key: /home/me/.ssh/id_rsa RSA
> SHA256:jFWK2zuc3SuLroIcpk/awobdgD43pu0G9iWtst1lLzg agent
> debug3: send packet: type 50
> debug2: we sent a publickey packet, wait for reply
> debug3: receive packet: type 51
> debug1: Authentications that can continue: publickey
> debug1: Offering public key: id_dtacld_shortlived_rsa RSA-CERT
> SHA256:AeEypypDIQ7DXiFtXfpEGmNZHHSpDoD9Hppg+YzU+O0 agent
> debug3: send packet: type 50
> debug2: we sent a publickey packet, wait for reply
> debug3: receive packet: type 60
> debug1: Server accepts key: id_dtacld_shortlived_rsa RSA-CERT
> SHA256:AeEypypDIQ7DXiFtXfpEGmNZHHSpDoD9Hppg+YzU+O0 agent
> debug3: sign_and_send_pubkey: RSA-CERT
> SHA256:AeEypypDIQ7DXiFtXfpEGmNZHHSpDoD9Hppg+YzU+O0
> debug1: sign_and_send_pubkey: no separate private key for certificate
> "id_dtacld_shortlived_rsa"
> debug3: sign_and_send_pubkey: signing using ssh-rsa-cert-v01 at openssh.com
> debug3: send packet: type 50
> debug3: receive packet: type 52
> debug1: Authentication succeeded (publickey).
> Authenticated to our.server.in.the.cloud ([our.ip.in.the.cloud]:4444).
> debug1: channel 0: new [client-session]
> debug3: ssh_session2_open: channel_new: 0
> debug2: channel 0: send open
> debug3: send packet: type 90
> debug1: Requesting no-more-sessions at openssh.com
> debug3: send packet: type 80
> debug1: Entering interactive session.
> debug1: pledge: network
> debug3: receive packet: type 80
> debug1: client_input_global_request: rtype hostkeys-00 at openssh.com want_reply 0
> debug3: receive packet: type 91
> debug2: channel_input_open_confirmation: channel 0: callback start
> debug2: fd 3 setting TCP_NODELAY
> debug3: ssh_packet_set_tos: set IP_TOS 0x48
> debug2: client_session2_setup: id 0
> debug2: channel 0: request pty-req confirm 1
> debug3: send packet: type 98
> debug2: channel 0: request shell confirm 1
> debug3: send packet: type 98
> debug2: channel_input_open_confirmation: channel 0: callback done
> debug2: channel 0: open confirm rwindow 0 rmax 32768
> debug3: send packet: type 1
> client_loop: Broken pipe
>
-------------- next part --------------
diff --git a/clientloop.c b/clientloop.c
index 521467bd..677236a9 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -364,7 +364,7 @@ client_x11_get_proto(struct ssh *ssh, const char *display,
SSH_X11_PROTO, x11_timeout_real,
_PATH_DEVNULL);
}
- debug2("%s: %s", __func__, cmd);
+ debug2("%s: xauth command: %s", __func__, cmd);
if (timeout != 0 && x11_refuse_time == 0) {
now = monotime() + 1;
@@ -492,7 +492,7 @@ server_alive_check(struct ssh *ssh)
(r = sshpkt_put_cstring(ssh, "keepalive at openssh.com")) != 0 ||
(r = sshpkt_put_u8(ssh, 1)) != 0 || /* boolean: want reply */
(r = sshpkt_send(ssh)) != 0)
- fatal("%s: %s", __func__, ssh_err(r));
+ fatal("%s: send packet: %s", __func__, ssh_err(r));
/* Insert an empty placeholder to maintain ordering */
client_register_global_confirm(NULL, NULL);
}
@@ -1035,7 +1035,7 @@ process_escapes(struct ssh *ssh, Channel *c,
channel_request_start(ssh, c->self, "break", 0);
if ((r = sshpkt_put_u32(ssh, 1000)) != 0 ||
(r = sshpkt_send(ssh)) != 0)
- fatal("%s: %s", __func__,
+ fatal("%s: send packet: %s", __func__,
ssh_err(r));
continue;
@@ -1416,7 +1416,7 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
(r = sshpkt_put_cstring(ssh, "")) != 0 || /* language tag */
(r = sshpkt_send(ssh)) != 0 ||
(r = ssh_packet_write_wait(ssh)) != 0)
- fatal("%s: %s", __func__, ssh_err(r));
+ fatal("%s: send disconnect: %s", __func__, ssh_err(r));
channel_free_all(ssh);
@@ -1502,7 +1502,7 @@ client_request_forwarded_tcpip(struct ssh *ssh, const char *request_type,
(r = sshpkt_get_cstring(ssh, &originator_address, NULL)) != 0 ||
(r = sshpkt_get_u32(ssh, &originator_port)) != 0 ||
(r = sshpkt_get_end(ssh)) != 0)
- fatal("%s: %s", __func__, ssh_err(r));
+ fatal("%s: parse packet: %s", __func__, ssh_err(r));
debug("%s: listen %s port %d, originator %s port %d", __func__,
listen_address, listen_port, originator_address, originator_port);
@@ -1559,9 +1559,9 @@ client_request_forwarded_streamlocal(struct ssh *ssh,
if ((r = sshpkt_get_cstring(ssh, &listen_path, NULL)) != 0 ||
(r = sshpkt_get_string(ssh, NULL, NULL)) != 0 || /* reserved */
(r = sshpkt_get_end(ssh)) != 0)
- fatal("%s: %s", __func__, ssh_err(r));
+ fatal("%s: parse packet: %s", __func__, ssh_err(r));
- debug("%s: %s", __func__, listen_path);
+ debug("%s: request: %s", __func__, listen_path);
c = channel_connect_by_listen_path(ssh, listen_path,
"forwarded-streamlocal at openssh.com", "forwarded-streamlocal");
@@ -1591,7 +1591,7 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
if ((r = sshpkt_get_cstring(ssh, &originator, NULL)) != 0 ||
(r = sshpkt_get_u32(ssh, &originator_port)) != 0 ||
(r = sshpkt_get_end(ssh)) != 0)
- fatal("%s: %s", __func__, ssh_err(r));
+ fatal("%s: parse packet: %s", __func__, ssh_err(r));
/* XXX check permission */
/* XXX range check originator port? */
debug("client_request_x11: request from %s %u", originator,
@@ -2260,12 +2260,12 @@ client_session2_setup(struct ssh *ssh, int id, int want_tty, int want_subsystem,
(r = sshpkt_put_u32(ssh, (u_int)ws.ws_row)) != 0 ||
(r = sshpkt_put_u32(ssh, (u_int)ws.ws_xpixel)) != 0 ||
(r = sshpkt_put_u32(ssh, (u_int)ws.ws_ypixel)) != 0)
- fatal("%s: %s", __func__, ssh_err(r));
+ fatal("%s: build packet: %s", __func__, ssh_err(r));
if (tiop == NULL)
tiop = get_saved_tio();
ssh_tty_make_modes(ssh, -1, tiop);
if ((r = sshpkt_send(ssh)) != 0)
- fatal("%s: %s", __func__, ssh_err(r));
+ fatal("%s: send packet: %s", __func__, ssh_err(r));
/* XXX wait for reply */
c->client_tty = 1;
}
@@ -2299,8 +2299,10 @@ client_session2_setup(struct ssh *ssh, int id, int want_tty, int want_subsystem,
channel_request_start(ssh, id, "env", 0);
if ((r = sshpkt_put_cstring(ssh, name)) != 0 ||
(r = sshpkt_put_cstring(ssh, val)) != 0 ||
- (r = sshpkt_send(ssh)) != 0)
- fatal("%s: %s", __func__, ssh_err(r));
+ (r = sshpkt_send(ssh)) != 0) {
+ fatal("%s: send packet: %s",
+ __func__, ssh_err(r));
+ }
free(name);
}
}
@@ -2318,7 +2320,7 @@ client_session2_setup(struct ssh *ssh, int id, int want_tty, int want_subsystem,
if ((r = sshpkt_put_cstring(ssh, name)) != 0 ||
(r = sshpkt_put_cstring(ssh, val)) != 0 ||
(r = sshpkt_send(ssh)) != 0)
- fatal("%s: %s", __func__, ssh_err(r));
+ fatal("%s: send packet: %s", __func__, ssh_err(r));
free(name);
}
@@ -2340,12 +2342,14 @@ client_session2_setup(struct ssh *ssh, int id, int want_tty, int want_subsystem,
}
if ((r = sshpkt_put_stringb(ssh, cmd)) != 0 ||
(r = sshpkt_send(ssh)) != 0)
- fatal("%s: %s", __func__, ssh_err(r));
+ fatal("%s: send command: %s", __func__, ssh_err(r));
} else {
channel_request_start(ssh, id, "shell", 1);
client_expect_confirm(ssh, id, "shell", CONFIRM_CLOSE);
- if ((r = sshpkt_send(ssh)) != 0)
- fatal("%s: %s", __func__, ssh_err(r));
+ if ((r = sshpkt_send(ssh)) != 0) {
+ fatal("%s: send shell request: %s",
+ __func__, ssh_err(r));
+ }
}
}
More information about the openssh-unix-dev
mailing list