[Hardy] Update from alpha 3 to alpha 4 broke ssh connections to openbsd boxes

secret@celery:~$ ssh -vvv eco.li -l secretlondon
OpenSSH_4.7p1 Debian-2, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to eco.li [195.10.223.77] port 22.
debug1: Connection established.
debug1: identity file /home/secret/.ssh/identity type -1
debug1: identity file /home/secret/.ssh/id_rsa type -1
debug1: identity file /home/secret/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.7p1 Debian-2
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
Read from socket failed: Connection reset by peer

iptables was also upgraded and seems to have had an error:

Setting up iptables (1.3.8.0debian1-1ubuntu2) ...
I/O error : Attempt to load network entity http://www.w3.org/TR/xhtml1/DTD/xhtml-lat1.ent
I/O error : Attempt to load network entity http://www.w3.org/TR/xhtml1/DTD/xhtml-special.ent
I/O error : Attempt to load network entity http://www.w3.org/TR/xhtml1/DTD/xhtml-symbol.ent

(from /var/log/apt/term.log)

It never gets past debug1: SSH2_MSG_KEXINIT sent

I've tried sshing to a different machine and got a lot further:

debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/secret/.ssh/identity
debug1: Trying private key: /home/secret/.ssh/id_rsa
debug1: Trying private key: /home/secret/.ssh/id_dsa
debug1: No more authentication methods to try.
Permission denied (publickey).
secret@celery:~$

I don't have a valid key so it's behaving as expected

Failing ssh connection is to an openbsd box running remote software version OpenSSH_4.3
Okay ssh connection is to a linux box running remote software version OpenSSH_4.6p1 Debian-5ubuntu0.1

http://kerneltrap.org/mailarchive/openbsd-misc/2007/4/24/148492

Thread on openbsd-misc referring to the same problem on a gutsy machine.

http://kerneltrap.org/mailarchive/openbsd-misc/2007/4/24/148531

We have a workround:

"I told it to keep state on incoming ssh connections"
"What I had before was allow ssh traffic in non-statefully"

With those changes to the server it now works. I am told the server was

"Only when running pf"
"And not having a fully stateful firewall"

Hope this helps.

Are you still having this problem?

Thanks
chuck

No - but the server I connect to is using the workround I mentioned above.

It's not clear to me that there is an Ubuntu bug here - clearly the firewall on the server wasn't allowing through some of the packets associated with the connection, but those packets constitute legitimate traffic, so isn't this a bug on the server side - with the "workaround" actually a correct fix for a misconfiguration? Is there an explanation somewhere of why the behavior of the ssh client should be considered wrong/buggy?

It seems to be only versions of Debian and Ubuntu that have this problem.

We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to "New". Thanks again!