bin/118005: Can no longer SSH into 7.0 Beta Host.

Rob Zietlow rob.zietlow at gmail.com
Mon Nov 12 06:50:01 PST 2007


>Number:         118005
>Category:       bin
>Synopsis:       Can No Longer SSH into 7.0 host
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Nov 12 14:50:01 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator:     Rob.Zietlow at gmail.com
>Release:        FreeBSD 7.0-BETA2 i386
>Organization:
>Environment:
System: FreeBSD voltron.example.com 7.0-BETA2 FreeBSD 7.0-BETA2 #3: Thu Nov 8 15:08:45 CST 2007 root at voltron.example.com:/usr/src/sys/i386/compile/GENERIC i386


>Description:
        Since upgrading to 7.0 I am no longer able to SSH into my server.  I
cvsup'ed to 7.0 code and rebuilt world, and since then I have had this
issue.  I have rebuilt multiple times in beta 1, 1.5 and 2. I can SSH into
my host from some hosts within the local LAN. From some machines outside my
LAN I cannot ssh into this host.  Hosts on my LAN I have ssh'ed into this
host from are Windows (PuTTY), Linux, and Solaris.  From outside my LAN I
cannot ssh into my host from FreeBSD 6.2, OpenBSD 4.1, and Linux (RHEL 4U4).
The FreeBSD & OpenBSD machines are on my home network. However my OS X laptop and
Windows machine, from my home network, can SSH into the host without a
problem.

From the hosts that get denied I get the following message:
"ssh_exchange_identification: read: Connection reset by peer"
On the server I see the following in /var/log/auth.log:
"Nov  9 10:45:10 voltron sshd[15867]: Did not receive identification string from 192.168.3.132"

No other information.  I currently have no firewall running on the host.
voltron# pfctl -si
pfctl: /dev/pf: No such file or directory
You have new mail.
voltron#

/etc/hosts.allow is allowing everything
voltron# cat /etc/hosts.allow
# Wrapping sshd(8) is not normally a good idea, but if you
#sshd : .evil.cracker.example.com : deny
ALL : ALL : allow
voltron#

No special settings in /etc/ssh/sshd_config. I have copied over the sshd
from an existing host and this still doesn't seem to help. Here are my
current settings.
voltron# grep -v \# /etc/ssh/sshd_config
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_dsa_key
SyslogFacility AUTH
LogLevel DEBUG
Subsystem       sftp    /usr/libexec/sftp-server
DSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

When I telnet to the port from a host that has issues I immediately get
disconnected.  When I telnet from an allowed machine I get a banner.
.ssh]$ telnet 192.168.8.163 22
Trying 192.168.8.163...
Connected to 192.168.8.163.
Escape character is '^]'.
Connection closed by foreign host.

Banner:   SSH-2.0-OpenSSH_4.5p1 FreeBSD-20061110

Verbose output from a problem host:

[user at bastion .ssh]$ ssh -vvv 192.168.8.163
OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.8.163 [192.168.8.163] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/identity type -1
debug1: identity file /home/user/.ssh/id_rsa type -1
debug1: identity file /home/user/.ssh/id_dsa type -1
ssh_exchange_identification: read: Connection reset by peer

Debugging from the server:
voltron# /usr/sbin/sshd -ddd
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 332
debug2: parse_server_config: config /etc/ssh/sshd_config len 332
debug3: /etc/ssh/sshd_config:19 setting Port 22
debug3: /etc/ssh/sshd_config:20 setting Protocol 2
debug3: /etc/ssh/sshd_config:28 setting HostKey /etc/ssh/ssh_host_dsa_key
debug3: /etc/ssh/sshd_config:36 setting SyslogFacility AUTH
debug3: /etc/ssh/sshd_config:37 setting LogLevel DEBUG
debug3: /etc/ssh/sshd_config:111 setting Subsystem sftp
/usr/libexec/sftp-server
debug3: /etc/ssh/sshd_config:118 setting DSAAuthentication yes
debug3: /etc/ssh/sshd_config:119 setting PubkeyAuthentication yes
debug3: /etc/ssh/sshd_config:120 setting AuthorizedKeysFile
.ssh/authorized_keys
debug1: sshd version OpenSSH_4.5p1 FreeBSD-20061110
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #0 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: fd 4 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 7 config len 332
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug1: inetd sockets after dupping: 3, 3
debug1: res_init()
Connection from 192.168.3.132 port 41916
Did not receive identification string from 192.168.3.132


tcpdump (does show an incorrect checksum, and broken apart for easier
reading)
voltron# tcpdump -e -vvnn port 22 and host 192.168.3.132
tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 68
bytes
08:09:55.816411 00:90:5f:0c:00:00 > 00:18:fe:67:54:76, ethertype IPv4
(0x0800), length 74: (tos 0x0, ttl 61, id 56887, offset 0, flags [DF], proto
TCP (6), length 60) 192.168.3.132.41922 > 192.168.8.163.22: S
722288481:722288481(0) win 5840 <mss 1460,sackOK,timestamp 1350033750[|tcp]>

08:09:55.816432 00:18:fe:67:54:76 > 00:00:0c:07:ac:09, ethertype IPv4
(0x0800), length 74: (tos 0x0, ttl 64, id 27230, offset 0, flags [DF], proto
TCP (6), length 60) 192.168.8.163.22 > 192.168.3.132.41922: S
2406244836:2406244836(0) ack 722288482 win 65535 <mss 1460,nop,wscale
3,nop,nop,timestamp[|tcp]>

08:09:55.816925 00:90:5f:0c:00:00 > 00:18:fe:67:54:76, ethertype IPv4
(0x0800), length 60: (tos 0x0, ttl 58, id 0, offset 0, flags [none], proto
TCP (6), length 40) 192.168.3.132.41922 > 192.168.8.163.22: ., cksum 0x6872
(correct), 1:1(0) ack 1 win 0

08:09:55.816933 00:18:fe:67:54:76 > 00:00:0c:07:ac:09, ethertype IPv4
(0x0800), length 54: (tos 0x0, ttl 64, id 27231, offset 0, flags [DF], proto
TCP (6), length 40) 192.168.8.163.22 > 192.168.3.132.41922: R, cksum 0x47e3
(incorrect (-> 0xd2ed), 2406244837:2406244837(0) win 0

08:09:55.817215 00:90:5f:0c:00:00 > 00:18:fe:67:54:76, ethertype IPv4
(0x0800), length 66: (tos 0x0, ttl 61, id 56889, offset 0, flags [DF], proto
TCP (6), length 52) 192.168.3.132.41922 > 192.168.8.163.22: ., cksum 0x8036
(correct), 1:1(0) ack 1 win 1460 <nop,nop,timestamp 1350033751 1692996280>

08:09:55.833093 00:18:fe:67:54:76 > 00:00:0c:07:ac:09, ethertype IPv4
(0x0800), length 105: (tos 0x0, ttl 64, id 27232, offset 0, flags [DF],
proto TCP (6), length 91) 192.168.8.163.22 > 192.168.3.132.41922: P 1:40(39)
ack 1 win 8326 <nop,nop,timestamp 1692996295 1350033751>

08:09:55.833929 00:90:5f:0c:00:00 > 00:18:fe:67:54:76, ethertype IPv4
(0x0800), length 60: (tos 0x0, ttl 61, id 8446, offset 0, flags [DF], proto
TCP (6), length 40) 192.168.3.132.41922 > 192.168.8.163.22: R, cksum 0x59d0
(correct), 722288482:722288482(0) win 0




>How-To-Repeat:
       ssh into the host from certain machines.
>Fix:

        None at this time.
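The capture above already contains the observations a reader would want to check mechanically: the third packet from 192.168.3.132 arrives with a different IP TTL (58) than that host's own SYN (61), carries IP id 0, no DF flag, no TCP options and a zero window, and the server's RST that follows is the one segment tcpdump reports with an incorrect checksum. The script below is an added example, not part of this PR or of FreeBSD; it parses the tcpdump -e -vvnn text quoted in the report (copied into the block verbatim) and flags, per source address, packets whose TTL differs from the first packet seen from that source, plus any RST reported with a bad checksum. The names Packet, parse_capture, find_ttl_drift, find_bad_checksum_resets and summarize are mine. The checks only surface what is visible in the capture; the report itself does not establish a cause, and the script does not claim one.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# tcpdump -e -vvnn output copied from the PR above. Each packet's wrapped
# lines are kept as printed there; a blank line separates packets.
CAPTURE = """\
08:09:55.816411 00:90:5f:0c:00:00 > 00:18:fe:67:54:76, ethertype IPv4
(0x0800), length 74: (tos 0x0, ttl 61, id 56887, offset 0, flags [DF], proto
TCP (6), length 60) 192.168.3.132.41922 > 192.168.8.163.22: S
722288481:722288481(0) win 5840 <mss 1460,sackOK,timestamp 1350033750[|tcp]>

08:09:55.816432 00:18:fe:67:54:76 > 00:00:0c:07:ac:09, ethertype IPv4
(0x0800), length 74: (tos 0x0, ttl 64, id 27230, offset 0, flags [DF], proto
TCP (6), length 60) 192.168.8.163.22 > 192.168.3.132.41922: S
2406244836:2406244836(0) ack 722288482 win 65535 <mss 1460,nop,wscale
3,nop,nop,timestamp[|tcp]>

08:09:55.816925 00:90:5f:0c:00:00 > 00:18:fe:67:54:76, ethertype IPv4
(0x0800), length 60: (tos 0x0, ttl 58, id 0, offset 0, flags [none], proto
TCP (6), length 40) 192.168.3.132.41922 > 192.168.8.163.22: ., cksum 0x6872
(correct), 1:1(0) ack 1 win 0

08:09:55.816933 00:18:fe:67:54:76 > 00:00:0c:07:ac:09, ethertype IPv4
(0x0800), length 54: (tos 0x0, ttl 64, id 27231, offset 0, flags [DF], proto
TCP (6), length 40) 192.168.8.163.22 > 192.168.3.132.41922: R, cksum 0x47e3
(incorrect (-> 0xd2ed), 2406244837:2406244837(0) win 0

08:09:55.817215 00:90:5f:0c:00:00 > 00:18:fe:67:54:76, ethertype IPv4
(0x0800), length 66: (tos 0x0, ttl 61, id 56889, offset 0, flags [DF], proto
TCP (6), length 52) 192.168.3.132.41922 > 192.168.8.163.22: ., cksum 0x8036
(correct), 1:1(0) ack 1 win 1460 <nop,nop,timestamp 1350033751 1692996280>

08:09:55.833093 00:18:fe:67:54:76 > 00:00:0c:07:ac:09, ethertype IPv4
(0x0800), length 105: (tos 0x0, ttl 64, id 27232, offset 0, flags [DF],
proto TCP (6), length 91) 192.168.8.163.22 > 192.168.3.132.41922: P 1:40(39)
ack 1 win 8326 <nop,nop,timestamp 1692996295 1350033751>

08:09:55.833929 00:90:5f:0c:00:00 > 00:18:fe:67:54:76, ethertype IPv4
(0x0800), length 60: (tos 0x0, ttl 61, id 8446, offset 0, flags [DF], proto
TCP (6), length 40) 192.168.3.132.41922 > 192.168.8.163.22: R, cksum 0x59d0
(correct), 722288482:722288482(0) win 0
"""


@dataclass
class Packet:
    ts: str
    src: str
    dst: str
    ttl: int
    ip_id: int
    flags: str
    win: int
    cksum: str          # "correct", "incorrect", or "" when tcpdump printed none
    has_timestamp: bool  # TCP timestamp option seen (snaplen 68 may truncate)


# Matches one packet once its wrapped lines are joined with single spaces.
PKT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) .*?ttl (?P<ttl>\d+), id (?P<id>\d+), "
    r".*?(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?P<flags>[SRPF.]+)(?:, cksum 0x[0-9a-f]+\s+\((?P<cksum>correct|incorrect))?"
    r".*?win (?P<win>\d+)"
)


def parse_capture(text: str) -> List[Packet]:
    """Split tcpdump text on blank lines and parse each packet record."""
    packets: List[Packet] = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        flat = " ".join(chunk.split())  # undo the line wrapping
        m = PKT_RE.match(flat)
        if not m:
            raise ValueError("unrecognised tcpdump record: " + flat[:60])
        packets.append(Packet(
            ts=m["ts"], src=m["src"], dst=m["dst"], ttl=int(m["ttl"]),
            ip_id=int(m["id"]), flags=m["flags"], win=int(m["win"]),
            cksum=m["cksum"] or "", has_timestamp="timestamp" in flat))
    return packets


def find_ttl_drift(packets: List[Packet]) -> List[Tuple[str, str, int, int]]:
    """Flag packets whose TTL differs from the first packet seen from the same source."""
    baseline: Dict[str, int] = {}
    drift = []
    for p in packets:
        first = baseline.setdefault(p.src, p.ttl)
        if p.ttl != first:
            drift.append((p.ts, p.src, p.ttl, first))
    return drift


def find_bad_checksum_resets(packets: List[Packet]) -> List[Tuple[str, str, str]]:
    """RST segments that tcpdump annotated with an incorrect checksum."""
    return [(p.ts, p.src, p.dst) for p in packets
            if "R" in p.flags and p.cksum == "incorrect"]


def summarize(text: str) -> dict:
    packets = parse_capture(text)
    return {
        "packets": len(packets),
        "ttl_drift": find_ttl_drift(packets),
        "bad_checksum_resets": find_bad_checksum_resets(packets),
        "resets": [(p.ts, p.src) for p in packets if "R" in p.flags],
    }


if __name__ == "__main__":
    for key, value in summarize(CAPTURE).items():
        print(f"{key}: {value}")
```

On the PR's capture, ttl_drift reports the 08:09:55.816925 ACK from 192.168.3.132 (TTL 58 against 61 on that host's SYN), bad_checksum_resets reports the server's 08:09:55.816933 RST, and resets lists that RST together with the client's final one. Two caveats when reading such output: a TTL that differs within one flow means the packet took a different number of hops than the rest of the flow, which is worth investigating but is not by itself proof of anything; and tcpdump marking a checksum incorrect on a packet the capturing host itself transmitted is commonly a side effect of NIC checksum offload, so that flag alone is not evidence of corruption on the wire.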

>Release-Note:
>Audit-Trail:
>Unformatted: