Bug 34458

Summary: 4.5S/sshd forwarding problems
Product: Base System Reporter: Jan-Peter Koopmann <j.koopmann>
Component: misc Assignee: Brian Feldman <green>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Unspecified   
Hardware: Any   
OS: Any   

Description Jan-Peter Koopmann 2002-01-30 17:30:00 UTC
I use ssh to tunnel tcp connections like IRC and http from my Windows client to a FreeBSD 4.5 Stable machine. Since I upgraded from 4.4R to 4.4S this does not work anymore. Symptoms: The ssh connection works normally but tunneled connection does not. 

Example with IRC: On my client I connect to localhost:6667 which is correctly tunneled via my FreeBSD machine to the IRC server. The connection request reaches the server. tcpdump shows that the IRC server even answers the request. The irc client however is unable to establish the connection. After around 60 seconds we see a "PING timeout" message from the IRC server. Funny enough THIS message is even transmitted through the tunnel to the client.

We crosschecked with different irc clients, SSH clients and protocols (we tried the same thing with tunneling HTTP), Windows version, client-machines, FreeBSD versions and machines. Everything works up to FreeBSD 4.4R. After that: Nothing.

To us this seems to be a problem of dropped packets. To exclude client-program problems we tried connecting to the tunnel with telnet. THIS WORKS!

Fix: 

Downgrade to 4.4R. Sad but true. :-)
How-To-Repeat:

1. Set up an ssh connection with tunnel/forward of port 6667 to an irc-server:6667. Client: Windows 2000 or XP. Server: FreeBSD 4.5R.

2. Try to establish a connection on your Windows client with an irc program (e.g. mirc) to localhost:6667. Wait for the timeout.

3. Then try to establish a connection on your Windows client using telnet to the same port and be astonished!
Comment 1 Jan-Peter Koopmann 2002-01-30 18:00:08 UTC
I just tried the whole thing with the current OpenSSH 3.0.2 and the
problem was gone. This seems to be some sort of interoperability problem
of the OpenSSH that comes with 4.5S.
JP
Comment 2 Sheldon Hearn freebsd_committer freebsd_triage 2002-01-31 09:48:51 UTC
Responsible Changed
From-To: freebsd-bugs->green

Over to maintainer.
Comment 3 greg 2002-02-17 20:22:09 UTC
The problem can be seen purely on localhost. Below are script recordings
of both sshd -d and ssh -v. It is an integration problem since openssh
sshd from ports does not manifest this problem.

Script started on Sun Feb 17 11:57:31 2002
[greg@bum greg]$ sudo /usr/sbin/sshd -d -p2222
debug1: sshd version OpenSSH_2.9 FreeBSD localisations 20011202
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: read PEM private key done: type RSA
debug1: private host key: #2 type 1 RSA
debug1: Bind to port 2222 on 0.0.0.0.
Server listening on 0.0.0.0 port 2222.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from localhost port 4142
Connection from 127.0.0.1 port 4142
debug1: Client protocol version 2.0; client software version OpenSSH_2.9 FreeBSD localisations 20011202
debug1: match: OpenSSH_2.9 FreeBSD localisations 20011202 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_2.9 FreeBSD localisations 20011202
debug1: Rhosts Authentication disabled, originating port not trusted.
debug1: list_hostkey_types: ssh-dss,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
WARNING: /etc/ssh/primes does not exist, using old prime
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 131/256
debug1: bits set: 503/1024
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 517/1024
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user greg service ssh-connection method none
debug1: attempt 0 failures 0
debug1: Starting up PAM with username "greg"
Failed none for greg from 127.0.0.1 port 4142 ssh2
debug1: userauth-request for user greg service ssh-connection method password
debug1: attempt 1 failures 1
debug1: PAM Password authentication accepted for user "greg"
debug1: PAM setting rhost to "localhost"
Accepted password for greg from 127.0.0.1 port 4142 ssh2
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_global_request: rtype tcpip-forward want_reply 0
debug1: server_input_global_request: tcpip-forward listen 0.0.0.0 port 12345
debug1: Local forwarding listening on 127.0.0.1 port 12345.
debug1: fd 3 setting O_NONBLOCK
debug1: fd 3 IS O_NONBLOCK
debug1: channel 0: new [port listener]
debug1: server_input_channel_open: ctype session rchan 0 win 32768 max 16384
debug1: input_session_request
debug1: channel 1: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 1
debug1: session_open: session 0: link with channel 1
debug1: server_input_channel_open: confirm session
debug1: session_by_channel: session 0 channel 1
debug1: session_input_channel_req: session 0 channel 1 request pty-req reply 0
debug1: session_pty_req: session 0 alloc /dev/ttyp4
debug1: session_by_channel: session 0 channel 1
debug1: session_input_channel_req: session 0 channel 1 request shell reply 0
debug1: PAM setting tty to "/dev/ttyp4"
debug1: do_pam_session: euid 0, uid 0
debug1: PAM establishing creds
debug1: channel 1: rfd 8 isatty
debug1: fd 8 setting O_NONBLOCK
debug1: fd 7 IS O_NONBLOCK
debug1: Setting controlling tty using TIOCSCTTY.
debug1: Connection to port 12345 forwarding to 0.0.0.0 port 0 requested.
debug1: fd 10 IS O_NONBLOCK
debug1: fd 10 IS O_NONBLOCK
debug1: channel 2: new [forwarded-tcpip]
debug1: channel_free: channel 2: status: The following connections are open:
  #1 server-session (t4 r0 i1/0 o16/0 fd 8/7)
  #2 forwarded-tcpip (t13 r-1 i1/6 o16/0 fd 10/10)

debug1: Received SIGCHLD.
debug1: session_by_pid: pid 80855
debug1: session_exit_message: session 0 channel 1 pid 80855
debug1: session_exit_message: release channel 1
debug1: channel 1: write failed
debug1: channel 1: output open -> closed
debug1: channel 1: close_write
debug1: session_pty_cleanup: session 0 release /dev/ttyp4
debug1: session_free: session 0 pid 80855
debug1: channel 1: read<=0 rfd 8 len 0
debug1: channel 1: read failed
debug1: channel 1: input open -> drain
debug1: channel 1: close_read
debug1: channel 1: input: no drain shortcut
debug1: channel 1: ibuf empty
debug1: channel 1: input drain -> closed
debug1: channel 1: send eof
debug1: channel 1: send close
debug1: channel 1: rcvd close
debug1: channel 1: is dead
debug1: channel_free: channel 1: status: The following connections are open:
  #1 server-session (t4 r0 i8/0 o128/0 fd -1/-1)

Connection closed by remote host.
debug1: channel_free: channel 0: status: The following connections are open:

Closing connection to 127.0.0.1
[greg@bum greg]$ exit

Script done on Sun Feb 17 12:00:36 2002

Script started on Sun Feb 17 11:59:31 2002
[greg@bum greg]$  ssh -R12345:localhost:25 -v -p2222 localhost
OpenSSH_2.9 FreeBSD localisations 20011202, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
debug1: Reading configuration data /home/greg/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 502 geteuid 502 anon 1
debug1: Connecting to localhost [127.0.0.1] port 2222.
debug1: temporarily_use_uid: 502/1001 (e=502)
debug1: restore_uid
debug1: temporarily_use_uid: 502/1001 (e=502)
debug1: restore_uid
debug1: Connection established.
debug1: identity file /home/greg/.ssh/identity type -1
debug1: identity file /home/greg/.ssh/id_rsa type -1
debug1: identity file /home/greg/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9 FreeBSD localisations 20011202
debug1: match: OpenSSH_2.9 FreeBSD localisations 20011202 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.9 FreeBSD localisations 20011202
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 117/256
debug1: bits set: 517/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Forcing accepting of host key for loopback/localhost.
debug1: bits set: 503/1024
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /home/greg/.ssh/identity
debug1: try privkey: /home/greg/.ssh/id_rsa
debug1: try privkey: /home/greg/.ssh/id_dsa
debug1: next auth method to try is password
greg@localhost's password:
debug1: ssh-userauth2 successful: method password
debug1: Connections to remote port 12345 forwarded to local address localhost:25
debug1: channel 0: new [client-session]
debug1: channel_new: 0
debug1: send channel open 0
debug1: Entering interactive session.
debug1: client_init id 0 arg 0
debug1: channel request 0: shell
debug1: channel 0: open confirm rwindow 0 rmax 16384
Last login: Sun Feb 17 11:59:25 2002 from localhost
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
	The Regents of the University of California.  All rights reserved.
Environment:
  PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin:/home/greg/bin
  MAIL=/var/mail/greg
  BLOCKSIZE=K
  FTP_PASSIVE_MODE=YES
  USER=greg
  LOGNAME=greg
  HOME=/home/greg
  SHELL=/bin/bash
  SSH_CLIENT=127.0.0.1 4142 2222
  SSH_TTY=/dev/ttyp4
  TERM=xterm
[greg@bum greg]$ telnet localhost 12345
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
helo
Connection closed by foreign host.
[greg@bum greg]$ logout
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: rcvd eof
debug1: channel 0: output open -> drain
debug1: channel 0: rcvd close
debug1: channel 0: input open -> closed
debug1: channel 0: close_read
debug1: channel 0: obuf empty
debug1: channel 0: output drain -> closed
debug1: channel 0: close_write
debug1: channel 0: send close
debug1: channel 0: is dead
debug1: channel_free: channel 0: status: The following connections are open:
  #0 client-session (t4 r1 i8/0 o128/0 fd -1/-1)

debug1: channel_free: channel 0: dettaching channel user
Connection to localhost closed.
debug1: Transferred: stdin 0, stdout 0, stderr 40 bytes in 28.4 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 1.4
debug1: Exit status 1
Script done on Sun Feb 17 12:07:34 2002
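
Added triage example (not part of the original report and not OpenSSH code): it reads the channel_free status lines of an sshd -d log like the one above and reports channels that were freed before the peer assigned them an id (r-1) or while bytes were still buffered. The reading of the status fields (r = remote channel id, i/o = state/buffered bytes) is an assumption about the format this OpenSSH build prints; the function name and the sample are constructed from the transcript.

```python
import re

# Constructed sample: channel lines from the sshd -d transcript in the report,
# with the mail transfer-encoding residue (=0D, soft line breaks) removed.
SAMPLE_LOG = """\
debug1: channel 1: new [server-session]
debug1: Connection to port 12345 forwarding to 0.0.0.0 port 0 requested.
debug1: channel 2: new [forwarded-tcpip]
debug1: channel_free: channel 2: status: The following connections are open:
  #1 server-session (t4 r0 i1/0 o16/0 fd 8/7)
  #2 forwarded-tcpip (t13 r-1 i1/6 o16/0 fd 10/10)

debug1: channel_free: channel 1: status: The following connections are open:
  #1 server-session (t4 r0 i8/0 o128/0 fd -1/-1)
"""

FREE_RE = re.compile(r"channel_free: channel (\d+):")
# Assumed field order: #id name (t<type> r<remote id> i<state>/<bytes> o<state>/<bytes> fd r/w)
STATUS_RE = re.compile(
    r"#(\d+) (\S+) \(t-?\d+ r(-?\d+) i-?\d+/(\d+) o-?\d+/(\d+) fd -?\d+/-?\d+\)"
)

def stalled_channels(log):
    """Report channels freed unconfirmed (remote id -1) or with bytes still buffered."""
    findings, freeing = [], None
    for line in log.splitlines():
        freed = FREE_RE.search(line)
        if freed:
            freeing = int(freed.group(1))  # status lines for this free follow
            continue
        status = STATUS_RE.search(line)
        if status is None:
            freeing = None  # any other line ends the status listing
            continue
        chan, name = int(status.group(1)), status.group(2)
        remote_id, queued_in, queued_out = (int(status.group(i)) for i in (3, 4, 5))
        if chan == freeing and (remote_id == -1 or queued_in or queued_out):
            findings.append({"channel": chan, "type": name, "remote_id": remote_id,
                             "queued_in": queued_in, "queued_out": queued_out})
    return findings

if __name__ == "__main__":
    for finding in stalled_channels(SAMPLE_LOG):
        print(finding)
```

On the sample it reports only channel 2 (forwarded-tcpip), with 6 bytes still queued, which is consistent with the "helo" line plus CR LF typed into telnet never being passed on.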
Comment 4 Tom Hukins freebsd_committer freebsd_triage 2002-08-19 21:52:39 UTC
State Changed
From-To: open->closed

A newer version of OpenSSH which does not exhibit this problem has been 
integrated into -STABLE. 

This problem report can be closed for the same reason as 35538.