sshd Failing New Inbound Connections

Damien Miller djm at mindrot.org
Fri Mar 18 14:52:17 AEDT 2022


On Thu, 17 Mar 2022, Aaron Poffenberger wrote:

> I managed to lock myself out of my firewall today.
> 
> I disabled inet6 resolution by removing it from the `family` option in 
> resolv.conf(5). After a while I noticed I couldn't make new inbound
> connections using either ipv4 or ipv6. My client kept reporting:
> 
> "kex_exchange_identification: Connection closed by remote host"
> 
> On the server I found the following errors in /var/log/authlog:
> 
> "fatal: bad addr or host: ::1 (no address associated with name)"
> 
> Totally my fault for changing resolv.conf without enough thought, but 
> perhaps sshd could disable the listener in such cases.

Well, we can't catch every misconfiguration that could result in
sshd failing to accept connections, but I think we can fix this one :)

sshd doesn't need to actually resolve the listenaddress directives in
the reexec path, so skip it.

diff --git a/servconf.c b/servconf.c
index 63a7303..dd936f0 100644
--- a/servconf.c
+++ b/servconf.c
@@ -2459,7 +2459,7 @@ parse_server_match_config(ServerOptions *options,
 
 	initialize_server_options(&mo);
 	parse_server_config(&mo, "reprocess config", cfg, includes,
-	    connectinfo);
+	    connectinfo, 0);
 	copy_set_server_options(options, &mo, 0);
 }
 
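Review bot: The literal `0` passed as the new last argument here is opaque at the call site; a short comment (e.g. `connectinfo, 0); /* not reexec: resolve listen addrs */`) or a note above the call explaining why the Match reprocessing path still runs process_queued_listen_addrs() on the temporary `mo` would help, since `mo` is only merged via copy_set_server_options() and then discarded, so any listen addresses resolved here are never bound.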
@@ -2637,12 +2637,13 @@ parse_server_config_depth(ServerOptions *options, const char *filename,
 void
 parse_server_config(ServerOptions *options, const char *filename,
     struct sshbuf *conf, struct include_list *includes,
-    struct connection_info *connectinfo)
+    struct connection_info *connectinfo, int reexec)
 {
 	int active = connectinfo ? 0 : 1;
 	parse_server_config_depth(options, filename, conf, includes,
 	    connectinfo, (connectinfo ? SSHCFG_MATCH_ONLY : 0), &active, 0);
-	process_queued_listen_addrs(options);
+	if (!reexec)
+		process_queued_listen_addrs(options);
 }
 
 static const char *
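Review bot: The new `reexec` flag changes behaviour silently; the function deserves a comment stating that in the re-exec'd child the listen addresses were already resolved and bound by the parent, so skipping process_queued_listen_addrs() avoids a pointless (and, as in the reported case, fatal) resolver lookup. Also worth a line in that comment: when `reexec` is set the queued ListenAddress entries are simply left unprocessed on `options`, which is fine for a short-lived per-connection process but should be stated so nobody later assumes the queue is always drained by this function.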
diff --git a/servconf.h b/servconf.h
index 1197c57..6f1f745 100644
--- a/servconf.h
+++ b/servconf.h
@@ -295,7 +295,7 @@ int	 process_server_config_line(ServerOptions *, char *, const char *, int,
 void	 process_permitopen(struct ssh *ssh, ServerOptions *options);
 void	 load_server_config(const char *, struct sshbuf *);
 void	 parse_server_config(ServerOptions *, const char *, struct sshbuf *,
-	    struct include_list *includes, struct connection_info *);
+	    struct include_list *includes, struct connection_info *, int);
 void	 parse_server_match_config(ServerOptions *,
 	    struct include_list *includes, struct connection_info *);
 int	 parse_server_match_testspec(struct connection_info *, char *);
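Review bot: The added `int` parameter is unnamed while `includes` in the same prototype is named; naming it `reexec` (matching the definition in servconf.c) makes the meaning of the flag visible to anyone reading the header and keeps the prototype self-documenting.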
diff --git a/sshd.c b/sshd.c
index 6d8bc2a..72e9fe7 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1638,7 +1638,7 @@ main(int ac, char **av)
 		load_server_config(config_file_name, cfg);
 
 	parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
-	    cfg, &includes, NULL);
+	    cfg, &includes, NULL, rexeced_flag);
 
 #ifdef WITH_OPENSSL
 	if (options.moduli_file != NULL)
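Review bot: Passing `rexeced_flag` is consistent with the filename argument on the line above, but the commit message should spell out the operational effect: the re-exec'd child no longer resolves ListenAddress names at all, so a resolver misconfiguration like the one reported will no longer break every new inbound connection, yet it will still stop sshd from starting the next time the listener is (re)started, since the parent still performs the resolution.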

