Bug 2136824
| Field | Value |
|---|---|
| Summary | cockpit-ssh gets a connection reset by peer |
| Product | Red Hat Enterprise Linux 9 |
| Component | libssh |
| Version | 9.2 |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | medium |
| Reporter | Jelle van der Waa <jvanderwaa> |
| Assignee | Norbert Pócs <npocs> |
| QA Contact | Stanislav Zidek <szidek> |
| CC | mpitt, mvollmer |
| Target Milestone | rc |
| Keywords | Triaged |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | libssh-0.10.4-6.el9 |
| Doc Type | No Doc Update |
| Last Closed | 2023-05-09 08:15:49 UTC |
| Type | Bug |

Description
Jelle van der Waa
2022-10-21 13:58:28 UTC
While this runs, there are *zero* messages in `tail -f /var/log/sssd/*`. I'm not sure what `Proxy command returned 127` refers to exactly, supposedly the ssh_knownhostsproxy? cockpit-ssh does call this [1], but with different options than what the log says:

```
ssh_socket_connect_proxycommand: Executing proxycommand 'exec exec /usr/bin/sss_ssh_knownhostsproxy -p 22 x0.cockpit.lan'
```

plus, cockpit-ssh's own call succeeds (log says "host known: 1"). The above command seems to happen in ssh_connect(), which fails with that connection reset. I think it's from /etc/ssh/ssh_config.d/04-ipa.conf, which does

```
Match exec true
    ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
```

I can call

```
$ /usr/bin/sss_ssh_knownhostsproxy -p 22 x0.cockpit.lan
SSH-2.0-OpenSSH_8.8
```

but I don't know how to drive this from the CLI. When I press enter, it just fails with "Invalid SSH identification string."

Running `ssh -vv -K x0.cockpit.lan echo hello` works fine, and it runs the same proxy command:

```
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 x0.cockpit.lan
```

[1] https://github.com/cockpit-project/cockpit/blob/a180ea3a134bde4adc40d6713ad8b6cbde594768/src/ssh/cockpitsshrelay.c#L539

"exec exec" looks suspicious. If I run this in the shell:

```
$ exec exec /usr/bin/sss_ssh_knownhostsproxy -p 22 x0.cockpit.lan
bash: exec: exec: not found
$ echo $?
127
```

This is a bug in libssh (or maybe a bug in how we use it, but that would make me sad). libssh has the concept of "applying the options", and you can only do that once per ssh_session. In our use it happens twice, which leads to two "exec" prefixes of the ProxyCommand option.

ssh_session_connect "applies the options" unconditionally, but several other ssh_session functions can do it as well on-demand, such as ssh_session_has_known_hosts_entry, which cockpit-ssh might call a couple of times. I'll file a bug.
We can work around this by calling ssh_session_has_known_hosts_entry from a copy of the main ssh_session structure, made with ssh_options_copy.

Proposed workaround: https://github.com/cockpit-project/cockpit/pull/17834

libssh bug report: https://gitlab.com/libssh/libssh-mirror/-/issues/156

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (libssh bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2476
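
The double application of options described in the comments above, as an added C model that is not libssh or cockpit code: it shows how a non-idempotent "apply options" step yields the `exec exec` prefix, and why running the known-hosts lookup on a copy avoids it. The struct, the function names and the guard flag are hypothetical; the guarded variant is one possible way to make the step idempotent, not the actual libssh patch.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for per-session options; not libssh's struct. */
struct model_session {
    char proxycommand[256];
    bool opts_applied;              /* only used by the guarded variant */
};

/* Models the reported behaviour: each call prepends "exec " again. */
static void apply_unguarded(struct model_session *s)
{
    size_t len = strlen(s->proxycommand);
    if (len + 6 > sizeof(s->proxycommand)) return;  /* no room left */
    memmove(s->proxycommand + 5, s->proxycommand, len + 1);
    memcpy(s->proxycommand, "exec ", 5);
}

/* Idempotent variant (assumption): prefix added at most once per session. */
static void apply_guarded(struct model_session *s)
{
    if (s->opts_applied) return;
    apply_unguarded(s);
    s->opts_applied = true;
}

typedef void (*apply_fn)(struct model_session *);

/* Known-hosts lookup, then connect; both apply the options.
 * lookup_on_copy models the workaround of using a copied session. */
static int count_exec_prefixes(apply_fn apply, bool lookup_on_copy)
{
    struct model_session s = {
        "/usr/bin/sss_ssh_knownhostsproxy -p 22 x0.cockpit.lan", false };
    struct model_session copy = s;
    int n = 0;

    apply(lookup_on_copy ? &copy : &s);   /* has_known_hosts_entry step */
    apply(&s);                            /* connect step */
    for (const char *p = s.proxycommand; strncmp(p, "exec ", 5) == 0; p += 5)
        n++;
    return n;
}

int main(void)
{
    printf("unguarded, same session:   %d\n", count_exec_prefixes(apply_unguarded, false));
    printf("unguarded, lookup on copy: %d\n", count_exec_prefixes(apply_unguarded, true));
    printf("guarded, same session:     %d\n", count_exec_prefixes(apply_guarded, false));
    return 0;
}
```

A count of 2 corresponds to the `exec exec ...` command in the log, which the shell rejects with exit status 127.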