[Bug 1863930] Update Released
Brian Murray
1863930 at bugs.launchpad.net
Tue Feb 15 20:17:50 UTC 2022
The verification of the Stable Release Update for openssh has completed
successfully and the package is now being released to -updates.
Subsequently, the Ubuntu Stable Release Updates Team is being
unsubscribed and will not receive messages about this bug report. In
the event that you encounter a regression using the package from
-updates please report a new bug using ubuntu-bug and tag the bug report
regression-update so we can easily find any regressions.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1863930
Title:
SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3
Status in openssh package in Ubuntu:
Fix Released
Status in openssh source package in Bionic:
Fix Released
Bug description:
[Impact]
* The version check in ssh was broken, no longer following RFC 4253, and
thereby denying some clients that it shouldn't.
https://datatracker.ietf.org/doc/html/rfc4253#section-5.1
* It is intended for clients reporting SSH-1.99 to be treated as if
they were advertising SSH-2.0, but with some backwards compatibility.
* Upstream fixed that, and this request is to back-port the changes into
18.04 Bionic.
* In practice this is affecting clients using the SolarWinds
monitoring agent. The SolarWinds SSH client advertises SSH-1.99 and Ubuntu
18.04 openssh-server is refusing the connection.
* This results in the following error in the auth.log, and a failed
connection from the agent.
Protocol major versions differ for <IP> port <port>:
SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-WeOnlyDo.Net
* More information from SolarWinds at the link below. They call out
18.04 as affected and recommend upgrading OpenSSH-server to 7.7 or
greater.
https://support.solarwinds.com/SuccessCenter/s/article/SAM-s-Linux-Unix-Script-monitor-fails-to-connect-on-a-server-running-OpenSSH-7-6?language=en_US
[Test Case]
# Prep
* configure the ssh server to generally work
# Testcase
$ wget https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+attachment/5332797/+files/test_bug_1863930.py
$ apt install python3-paramiko
$ python3 test_bug_1863930.py localhost (or whatever your host is)
Will report "Server is not patched." or "Server is patched."
* for an extra regression check it might be worth doing some "normal" ssh
connections as well
[Regression Potential]
* The change is very small and reviewable as well as being upstream and
in all Ubuntu releases >=Cosmic for a while now so it seems safe.
If anything the kind of regression to expect is that some former
(wrong) connection denials will then succeed. I can only think of
that being an issue in test suites but not in the real world.
[Other Info]
* n/a
--
SSHD closes the connection and logs the error message below when a
client presents a protoversion of "1.99":
Protocol major versions differ for X.X.X.X port X:
SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-XXX
RFC 4253 only states that clients should treat a server's protoversion
of "1.99" as equivalent to "2.0"; however, some backward-compatible
clients send a protoversion of "1.99" and expect the server to treat
it as "2.0".
This regression was introduced in openssh-portable 7.6p1 from commit
97f4d3083; fixes were implemented in commits 9e9c4a7e5 and c9c1bba06.
I've attached a patch with both of those fixes.
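
Added example, not part of the bug report and not OpenSSH code: a log triage helper that separates denials caused by the 1.99 handling described above from denials of genuine SSH-1.x clients. The regexes assume the message shape quoted in this report sits on one log line; the sample lines, host name, PIDs and the "LegacyClient" banner are constructed.

```python
import re

# Identification string, RFC 4253 section 4.2: SSH-protoversion-softwareversion[ SP comments]
BANNER = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)(?: .*)?$")
# Shape of the sshd message quoted in the bug report, assumed to be on one log line.
DENIAL = re.compile(
    r"Protocol major versions differ for (?P<ip>\S+) port (?P<port>\d+): "
    r"(?P<server>SSH-.+?) vs\. (?P<client>SSH-.*)$"
)
# Constructed sample lines (documentation addresses, made-up host and PIDs).
SAMPLE_LOG = [
    "Feb 15 20:17:50 web1 sshd[2101]: Protocol major versions differ for 192.0.2.10 port 51514: "
    "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-WeOnlyDo.Net",
    "Feb 15 20:18:02 web1 sshd[2107]: Protocol major versions differ for 198.51.100.7 port 40022: "
    "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.5-LegacyClient",
    "Feb 15 20:18:09 web1 sshd[2110]: Accepted publickey for admin from 192.0.2.44 port 50100 ssh2",
]

def parse_banner(banner):
    """Return (major, minor, software) or raise ValueError on a malformed banner."""
    m = BANNER.match(banner.strip())
    if m is None:
        raise ValueError("not an SSH identification string: %r" % banner)
    return int(m.group(1)), int(m.group(2)), m.group(3)

def speaks_ssh2(banner):
    """True for protoversion 2.x, and for 1.99, which the report says must be treated as 2.0."""
    major, minor, _ = parse_banner(banner)
    return major == 2 or (major, minor) == (1, 99)

def classify(line):
    """Return (ip, client_banner, verdict) for a denial line, None for any other line."""
    m = DENIAL.search(line)
    if m is None:
        return None
    client = m.group("client").strip()
    try:
        verdict = "wrongly-denied" if speaks_ssh2(client) else "ssh1-only"
    except ValueError:
        verdict = "unparseable"
    return m.group("ip"), client, verdict

def wrongly_denied(lines):
    """Clients rejected only because of the 1.99 handling described in this bug."""
    return [r for r in map(classify, lines) if r and r[2] == "wrongly-denied"]

if __name__ == "__main__":
    print(wrongly_denied(SAMPLE_LOG))
```

Feeding it the lines of auth.log from an unpatched server lists the clients that should start connecting once the fixed package is installed.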