Bug 202856

Summary: OpenSSH rejects connections if IP options are present
Product: [Fedora] Fedora Reporter: Paul Moore <paul.moore>
Component: opensshAssignee: Tomas Mraz <tmraz>
Status: CLOSED RAWHIDE QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: 6CC: iboverma, jmorris, linda.knippers, sgrubb
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openssh-4.3p2-9 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-08-23 18:30:46 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Attachments:
Description Flags
Patch to correct IP option checks none

Description Paul Moore 2006-08-16 15:53:51 EDT
Description of problem:
The latest versions of OpenSSH reject connections if any IP options are 
present when in reality they are only concerned with source routing options.  
This blind rejection of connections causes problems when CIPSO is used as it 
makes use of IP options to tag each packet with security attributes.  The 
attached patch is a quick and dirty pass at fixing the problem, a quick test 
shows that it solves the problem.

Version-Release number of selected component (if applicable):
4.3p2-8

How reproducible:
Every time.

Steps to Reproduce:
1. Enable CIPSO using NetLabel
2. Restart the ssh daemon
3. Try to ssh to localhost
  
Actual results:
The connection is refused by the server.  More information can be found if the 
server is run in debug mode, "/usr/sbin/sshd -ddd"

Expected results:
The connections succeeds.

Additional info:
This is part of the HP/RedHat CC LSPP effort and this bug needs to be fixed if
CIPSO is to be part of a LSPP evaluation.
Comment 1 Paul Moore 2006-08-16 15:53:52 EDT
Created attachment 134340 [details]
Patch to correct IP option checks