SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
openssh (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Bionic |
Fix Released
|
Medium
|
Heitor Alves de Siqueira |
Bug Description
[Impact]
* The version check in ssh was broken no more following RFC 4253 and
thereby denying some clients that it shouldn't.
https:/
* It is intended for clients reporting SSH-1.99 to be treated as if
they were advertising SSH-2.0, but with some backwards compatibility.
* Upstream fixed that, and this request is to back-port the changes into
18.04 Bionic.
* In practice this is affecting clients using the SolarWinds monitoring agent. Solarwinds SSH client advertises SSH-1.99 and Ubuntu 18.04 openssh-server is refusing the connection.
* This results in the following error in the auth.log, and a failed connection from the agent.
Protocol major versions differ for <IP> port <port>:
SSH-2.
* More information from SolarWinds at the link below. They call out 18.04 as affected and recommend upgrading OpenSSH-server to 7.7 or greater.
[Test Case]
# Prep
* configure the ssh server to generally work
# Testcase
$ wget https:/
$ apt install python3-paramiko
$ python3 test_bug_1863930.py localhost (or whatever your host is)
Will report "Server is not patched." or "Server is patched.
* for an extra regression check it might be worth to do some "normal" ssh
connections as well
[Regression Potential]
* The change is very small and reviewable as well as being upstream and
in all Ubuntu releases >=Cosmic for a while now so it seems safe.
If anything the kind of regression to expect is that some former
(wrong) connection denials will then succeed. I can only think of
that being an issue in test suites but not in the real world.
[Other Info]
* n/a
--
SSHD closes the connection and logs the error message below when a client presents a protoversion of "1.99":
Protocol major versions differ for X.X.X.X port X: SSH-2.0-
RFC 4253 only states that clients should treat a server's protoversion of "1.99" as equivalent to "2.0"; however, some backward-compatible clients send a protoversion of "1.99" and expect the server to treat it as "2.0".
This regression was introduced in openssh-portable 7.6p1 from commit 97f4d3083; fixes were implemented in commits 9e9c4a7e5 and c9c1bba06. I've attached a patch with both of those fixes.
Related branches
- Bryce Harrington (community): Approve
- Canonical Server packageset reviewers: Pending requested
- git-ubuntu developers: Pending requested
-
Diff: 100 lines (+72/-0)4 files modifieddebian/changelog (+8/-0)
debian/patches/lp-1863930-Fix-logic-bug-in-sshd_exchange_identification.patch (+31/-0)
debian/patches/lp-1863930-unbreak-clients-that-advertise-protocol.patch (+31/-0)
debian/patches/series (+2/-0)
description: | updated |
Changed in openssh (Ubuntu Bionic): | |
assignee: | nobody → Christian Ehrhardt (paelzer) |
tags: | removed: server-next |
description: | updated |
Changed in openssh (Ubuntu Bionic): | |
assignee: | Christian Ehrhardt (paelzer) → nobody |
Changed in openssh (Ubuntu Bionic): | |
assignee: | nobody → Heitor Alves de Siqueira (halves) |
importance: | Low → High |
importance: | High → Medium |
tags: | removed: server-todo |
Changed in openssh (Ubuntu Bionic): | |
status: | Incomplete → In Progress |
tags: | added: sts sts-sponsor-halves |
The attachment "protocol_ major_version_ mismatch_ regression. patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]