Bug 1686065

Summary: SSH connections get closed when time-based rekeyring is used and ClientAliveMaxCount=0
Product: Red Hat Enterprise Linux 8 Reporter: Ondrej Moriš <omoris>
Component: opensshAssignee: Jakub Jelen <jjelen>
Status: CLOSED ERRATA QA Contact: bsmejkal
Severity: medium Docs Contact:
Priority: low    
Version: 8.0CC: bsmejkal, dchong, eric.negaard, jjelen, tmraz
Target Milestone: rcKeywords: Triaged
Target Release: 8.1   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openssh-8.0p1-1.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-11-05 22:41:32 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1682500    
Bug Blocks:    
Attachments:
Description Flags
sshd.log none

Description Ondrej Moriš 2019-03-06 16:12:41 UTC 
Created attachment 1541496 [details]
sshd.log

This bug was initially created as a copy of Bug #1480510

I am copying this bug because: 

Issue is present on RHEL-8.0.

Description of problem:

When configuring time-based rekeyring on the SSHD server (e.g. RekeyLimit=default 45s)and configuring "ClientAliveMaxCount=0" on the SSHD server also, SSH connection gets unexpectedly closed by the SSHD server just before the rekeyring happens.

Version-Release number of selected component (if applicable):

openssh-7.8p1-4.el8.x86_64

How reproducible:

ALWAYS

Steps to Reproduce:

1. Allow port 2222 for ssh.
   # semanage port -a -p tcp -t ssh_port_t 2222

2. Start sshd on 2222.
    # runcon system_u:system_r:initrc_t:s0 bash -c "(/usr/sbin/sshd -D -ddd -p 2222 -o 'ClientAliveCountMax=0' -o 'ClientAliveInterval=900' -o 'RekeyLimit=default 15s' &> sshd.log)&

3. Connect by ssh and wait more than 15 seconds.
   # ssh root@localhost
   ...

Actual results:

Connection is closed (full sshd.log attached).

Timeout, client not responding from user root ::1 port 39000

Expected results:

Connection stays alive for ClientAliveInterval.

Additional info:

N/A
Comment 1 Jakub Jelen 2019-03-14 10:34:19 UTC 
First of all, this is misconfiguration, that behaves this wrong way. The upstream still did not manage to fix this (attached upstream bug) so I do not think it is super-important issue, even though it worked in RHEL7.
Comment 4 Jakub Jelen 2019-04-26 13:18:16 UTC 
The fix is merged upstream and available in the OpenSSH 8.0p1 release
Comment 11 errata-xmlrpc 2019-11-05 22:41:32 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3702
Comment 12 Eric Negaard 2021-04-12 17:56:26 UTC 
This bug is still present in openssh-8.0p1-5.el8 on Red Hat Enterprise Linux release 8.3 (Ootpa), so the upstream fix was not complete.

It is easily reproducible if the timeout component of RekeyLimit is set to something greater than ClientAliveInterval, for example with the following settings in sshd_config:

ClientAliveCountMax 0
ClientAliveInterval 60
RekeyLimit 512M 120

The session will almost always be disconnected as soon as the RekeyLimit is reached, because with the current openssh 8.0p1 code any input that occurs during the final ClientAliveInterval seconds of the RekeyLimit timer does not count towards updating the last_client_time variable which is used for implementing the timeout.

Therefore I request that this ticket be reopened.
Comment 16 Jakub Jelen 2021-04-21 08:09:05 UTC 
Please, open a new bug if you believe the issue is still present as described in the comment #11.
Comment 17 Eric Negaard 2021-04-22 09:05:03 UTC 
Sorry, I missed the instructions in comment #11.

I have created new bug #1952411.