Date: Mon, 12 Nov 2007 08:15:08 -0600
From: "Rob Zietlow" <rob.zietlow@gmail.com>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/118005: Can no longer SSH into 7.0 Beta Host.
Message-ID: <bf64a0fe0711120615t75947f79ge041fe41965fdebb@mail.gmail.com>
Resent-Message-ID: <200711121450.lACEo13h004507@freefall.freebsd.org>
>Number:         118005
>Category:       bin
>Synopsis:       Can No Longer SSH into 7.0 host
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Nov 12 14:50:01 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator:     Rob.Zietlow@gmail.com
>Release:        FreeBSD 7.0-BETA2 i386
>Organization:
>Environment:
System: FreeBSD voltron.example.com 7.0-BETA2 FreeBSD 7.0-BETA2 #3: Thu Nov 8 15:08:45 CST 2007 root@voltron.example.com:/usr/src/sys/i386/compile/GENERIC i386
>Description:
Since upgrading to 7.0 I am no longer able to SSH into my server. I cvsup'ed to 7.0 code and rebuilt world, and since then I have had this issue. I have rebuilt multiple times in beta 1, 1.5 and 2. I can SSH into my host from some hosts within the local LAN. From some machines outside my LAN I cannot ssh into this host. Hosts on my LAN I have ssh'ed into this host from are Windows (PuTTY), Linux, and Solaris. From outside my LAN I cannot ssh into my host from FreeBSD 6.2, OpenBSD 4.1, and Linux (RHEL 4U4). The FreeBSD and OpenBSD machines are on my home network. However, my OS X laptop and Windows machine, from my home network, can SSH into the host without a problem.

From the hosts that get denied I get the following message:
"ssh_exchange_identification: read: Connection reset by peer"

On the server I see the following in /var/log/auth.log:
"Nov 9 10:45:10 voltron sshd[15867]: Did not receive identification string from 192.168.3.132"

No other information. I currently have no firewall running on the host.

voltron# pfctl -si
pfctl: /dev/pf: No such file or directory
You have new mail.
voltron#

/etc/hosts.allow is allowing everything:

voltron# cat /etc/hosts.allow
# Wrapping sshd(8) is not normally a good idea, but if you
#sshd : .evil.cracker.example.com : deny
ALL : ALL : allow
voltron#

No special settings in /etc/ssh/sshd_config.
I have copied over the sshd from an existing host and this still doesn't seem to help. Here are my current settings.

voltron# grep -v \# /etc/ssh/sshd_config
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_dsa_key
SyslogFacility AUTH
LogLevel DEBUG
Subsystem sftp /usr/libexec/sftp-server
DSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

When I telnet to the port from a host that has issues I immediately get disconnected. When I telnet from an allowed machine I get a banner.

.ssh]$ telnet 192.168.8.163 22
Trying 192.168.8.163...
Connected to 192.168.8.163.
Escape character is '^]'.
Connection closed by foreign host.

Banner: SSH-2.0-OpenSSH_4.5p1 FreeBSD-20061110

Verbose output from a problem host:

[user@bastion .ssh]$ ssh -vvv 192.168.8.163
OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.8.163 [192.168.8.163] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/identity type -1
debug1: identity file /home/user/.ssh/id_rsa type -1
debug1: identity file /home/user/.ssh/id_dsa type -1
ssh_exchange_identification: read: Connection reset by peer

Debugging from the server:

voltron# /usr/sbin/sshd -ddd
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 332
debug2: parse_server_config: config /etc/ssh/sshd_config len 332
debug3: /etc/ssh/sshd_config:19 setting Port 22
debug3: /etc/ssh/sshd_config:20 setting Protocol 2
debug3: /etc/ssh/sshd_config:28 setting HostKey /etc/ssh/ssh_host_dsa_key
debug3: /etc/ssh/sshd_config:36 setting SyslogFacility AUTH
debug3: /etc/ssh/sshd_config:37 setting LogLevel DEBUG
debug3: /etc/ssh/sshd_config:111 setting Subsystem sftp /usr/libexec/sftp-server
debug3: /etc/ssh/sshd_config:118 setting DSAAuthentication yes
debug3: /etc/ssh/sshd_config:119 setting PubkeyAuthentication yes
debug3: /etc/ssh/sshd_config:120 setting AuthorizedKeysFile .ssh/authorized_keys
debug1: sshd version OpenSSH_4.5p1 FreeBSD-20061110
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #0 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: fd 4 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 7 config len 332
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug1: inetd sockets after dupping: 3, 3
debug1: res_init()
Connection from 192.168.3.132 port 41916
Did not receive identification string from 192.168.3.132

tcpdump (does show an incorrect checksum, and broken apart for easier reading):

voltron# tcpdump -e -vvnn port 22 and host 192.168.3.132
tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 68 bytes
08:09:55.816411 00:90:5f:0c:00:00 > 00:18:fe:67:54:76, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 61, id 56887, offset 0, flags [DF], proto TCP (6), length 60) 192.168.3.132.41922 > 192.168.8.163.22: S 722288481:722288481(0) win 5840 <mss 1460,sackOK,timestamp 1350033750[|tcp]>

08:09:55.816432 00:18:fe:67:54:76 > 00:00:0c:07:ac:09, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 27230, offset 0, flags [DF], proto TCP (6), length 60) 192.168.8.163.22 > 192.168.3.132.41922: S 2406244836:2406244836(0) ack 722288482 win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp[|tcp]>

08:09:55.816925 00:90:5f:0c:00:00 > 00:18:fe:67:54:76, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 58, id 0, offset 0, flags [none], proto TCP (6), length 40) 192.168.3.132.41922 > 192.168.8.163.22: ., cksum 0x6872 (correct), 1:1(0) ack 1 win 0

08:09:55.816933 00:18:fe:67:54:76 > 00:00:0c:07:ac:09, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 27231, offset 0, flags [DF], proto TCP (6), length 40) 192.168.8.163.22 > 192.168.3.132.41922: R, cksum 0x47e3 (incorrect (-> 0xd2ed), 2406244837:2406244837(0) win 0

08:09:55.817215 00:90:5f:0c:00:00 > 00:18:fe:67:54:76, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 61, id 56889, offset 0, flags [DF], proto TCP (6), length 52) 192.168.3.132.41922 > 192.168.8.163.22: ., cksum 0x8036 (correct), 1:1(0) ack 1 win 1460 <nop,nop,timestamp 1350033751 1692996280>

08:09:55.833093 00:18:fe:67:54:76 > 00:00:0c:07:ac:09, ethertype IPv4 (0x0800), length 105: (tos 0x0, ttl 64, id 27232, offset 0, flags [DF], proto TCP (6), length 91) 192.168.8.163.22 > 192.168.3.132.41922: P 1:40(39) ack 1 win 8326 <nop,nop,timestamp 1692996295 1350033751>

08:09:55.833929 00:90:5f:0c:00:00 > 00:18:fe:67:54:76, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 61, id 8446, offset 0, flags [DF], proto TCP (6), length 40) 192.168.3.132.41922 > 192.168.8.163.22: R, cksum 0x59d0 (correct), 722288482:722288482(0) win 0

>How-To-Repeat:
ssh into the host from certain machines.
>Fix:
None at this time.
>Release-Note:
>Audit-Trail:
>Unformatted:
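The tcpdump trace in the report already contains the facts a reviewer would want to line up before looking at sshd itself: which side sends the first RST, whether the client's handshake ACK carries the TCP options its SYN offered, whether the TTL and DF bits of packets from one peer stay consistent across the flow, and whether the one "incorrect" checksum is on a frame the capturing host itself sent (tcpdump sees outgoing frames before a NIC with checksum offload fills the checksum in, which commonly shows up exactly like this). The helper below is an added example for triaging such a capture; it is not part of the PR. It parses the `tcpdump -e -vvnn` line format quoted above, with the seven frames from the report embedded as sample input, and assumes, as in the report, that tcpdump ran on the sshd host, so the server address is treated as the capturing host unless told otherwise.

```python
"""Handshake triage over a tcpdump trace in the format quoted in the PR above.

Added example, not part of the bug report.  It reconstructs the TCP
handshake between client and server from `tcpdump -e -vvnn` lines and
reports who reset the connection and when, whether the client's handshake
ACK carried the timestamp option its SYN offered, whether (ttl, DF)
characteristics stay consistent per peer, and which checksum failures are
the capturing host's own outgoing frames (typically NIC checksum offload).
"""
import re
from collections import defaultdict

# The seven frames from the report above (snaplen 68, hence the truncated
# "[|tcp]" option lists), each joined back onto a single line.
SAMPLE_TRACE = """
08:09:55.816411 00:90:5f:0c:00:00 > 00:18:fe:67:54:76, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 61, id 56887, offset 0, flags [DF], proto TCP (6), length 60) 192.168.3.132.41922 > 192.168.8.163.22: S 722288481:722288481(0) win 5840 <mss 1460,sackOK,timestamp 1350033750[|tcp]>
08:09:55.816432 00:18:fe:67:54:76 > 00:00:0c:07:ac:09, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 27230, offset 0, flags [DF], proto TCP (6), length 60) 192.168.8.163.22 > 192.168.3.132.41922: S 2406244836:2406244836(0) ack 722288482 win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp[|tcp]>
08:09:55.816925 00:90:5f:0c:00:00 > 00:18:fe:67:54:76, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 58, id 0, offset 0, flags [none], proto TCP (6), length 40) 192.168.3.132.41922 > 192.168.8.163.22: ., cksum 0x6872 (correct), 1:1(0) ack 1 win 0
08:09:55.816933 00:18:fe:67:54:76 > 00:00:0c:07:ac:09, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 27231, offset 0, flags [DF], proto TCP (6), length 40) 192.168.8.163.22 > 192.168.3.132.41922: R, cksum 0x47e3 (incorrect (-> 0xd2ed), 2406244837:2406244837(0) win 0
08:09:55.817215 00:90:5f:0c:00:00 > 00:18:fe:67:54:76, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 61, id 56889, offset 0, flags [DF], proto TCP (6), length 52) 192.168.3.132.41922 > 192.168.8.163.22: ., cksum 0x8036 (correct), 1:1(0) ack 1 win 1460 <nop,nop,timestamp 1350033751 1692996280>
08:09:55.833093 00:18:fe:67:54:76 > 00:00:0c:07:ac:09, ethertype IPv4 (0x0800), length 105: (tos 0x0, ttl 64, id 27232, offset 0, flags [DF], proto TCP (6), length 91) 192.168.8.163.22 > 192.168.3.132.41922: P 1:40(39) ack 1 win 8326 <nop,nop,timestamp 1692996295 1350033751>
08:09:55.833929 00:90:5f:0c:00:00 > 00:18:fe:67:54:76, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 61, id 8446, offset 0, flags [DF], proto TCP (6), length 40) 192.168.3.132.41922 > 192.168.8.163.22: R, cksum 0x59d0 (correct), 722288482:722288482(0) win 0
"""

# One `tcpdump -e -vvnn` packet line (old-style flag letters: S . P R F).
PKT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"\(tos 0x[0-9a-f]+, ttl (?P<ttl>\d+), id (?P<ipid>\d+), offset \d+, "
    r"flags \[(?P<ipflags>[^\]]*)\], proto TCP \(6\), length \d+\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<tcpflags>[SRPFU.]+)(?P<rest>.*)$"
)


def parse_line(line):
    """Parse one tcpdump line into a dict; return None for non-packet lines."""
    m = PKT_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    win = re.search(r"\bwin (\d+)", rest)
    cksum = re.search(r"cksum 0x[0-9a-f]+ \((correct|incorrect)", rest)
    return {
        "ts": m.group("ts"),
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "ttl": int(m.group("ttl")), "ipid": int(m.group("ipid")),
        "df": "DF" in m.group("ipflags"),
        "flags": m.group("tcpflags"),
        "ack": re.search(r"\back \d+", rest) is not None,   # "sackOK" does not match
        "win": int(win.group(1)) if win else None,
        "tsopt": "timestamp" in rest,                        # TCP timestamp option present
        "cksum": cksum.group(1) if cksum else None,          # only printed with -vv
    }


def step_name(p):
    """Name a packet by its role in the handshake/teardown."""
    f = p["flags"]
    if "S" in f:
        return "SYN-ACK" if p["ack"] else "SYN"
    if "R" in f:
        return "RST"
    if "F" in f:
        return "FIN"
    if "P" in f:
        return "PSH"
    return "ACK"


def triage(trace_text, capturing_host=None):
    """Reconstruct the flow and collect the triage facts listed in the module docstring."""
    pkts = [p for p in map(parse_line, trace_text.splitlines()) if p]
    syn = next(p for p in pkts if "S" in p["flags"] and not p["ack"])
    client, server = syn["src"], syn["dst"]
    capturing_host = capturing_host or server   # assumption: tcpdump ran on the sshd host

    def role(p):
        return "client" if p["src"] == client else "server"

    events = [f"{role(p)} {step_name(p)}" for p in pkts]

    # Per-peer (ttl, DF) profile: a single host on a single path keeps these stable.
    profile = defaultdict(set)
    for p in pkts:
        profile[p["src"]].add((p["ttl"], p["df"]))
    ip_profile = {ip: sorted(s) for ip, s in profile.items()}

    # Third packet of the handshake: first pure ACK from the client.
    handshake_ack = next((p for p in pkts if role(p) == "client" and p["flags"] == "." and p["ack"]), None)
    ack_missing_tsopt = bool(syn["tsopt"] and handshake_ack and not handshake_ack["tsopt"])

    first_rst = next((p for p in pkts if "R" in p["flags"]), None)
    checksum_failures = [(role(p), step_name(p)) for p in pkts if p["cksum"] == "incorrect"]

    findings = []
    if first_rst is not None:
        findings.append(f"first RST is sent by the {role(first_rst)} ({first_rst['src']}) at {first_rst['ts']}, "
                        f"packet {pkts.index(first_rst) + 1} of {len(pkts)}")
    if ack_missing_tsopt:
        findings.append("client's handshake ACK carries no timestamp option although its SYN offered one")
    for ip, prof in ip_profile.items():
        if len(prof) > 1:
            findings.append(f"packets from {ip} show different (ttl, DF) profiles {prof}; "
                            "check that they all come from the same host over the same path")
    for p in pkts:
        if p["cksum"] == "incorrect":
            if p["src"] == capturing_host:
                findings.append(f"{step_name(p)} from {p['src']} has a bad checksum, but it is the capturing "
                                "host's own outgoing frame; NIC checksum offload usually explains that")
            else:
                findings.append(f"{step_name(p)} from {p['src']} arrived with a bad checksum")

    return {
        "packets": pkts, "client": client, "server": server, "events": events,
        "first_rst_by": role(first_rst) if first_rst else None,
        "ack_missing_tsopt": ack_missing_tsopt, "ip_profile": ip_profile,
        "checksum_failures": checksum_failures, "findings": findings,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_TRACE)
    print(" -> ".join(result["events"]))
    for line in result["findings"]:
        print("*", line)
```

Run against the sample, the flow reads `client SYN -> server SYN-ACK -> client ACK -> server RST -> client ACK -> server PSH -> client RST`: the server resets immediately after a client ACK that lacks the timestamp option and arrives with a different TTL and no DF bit than the client's own SYN, and the only bad checksum is on the server's outgoing RST. The script reports those facts without guessing at a cause; it is meant to make the capture easier to compare with traces from the hosts that do connect.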