Bug 105710 - sshd not accepting connections
sshd not accepting connections
Status: CLOSED WORKSFORME
Product: Red Hat Linux
Classification: Retired
Component: openssh (Show other bugs)
9
All Linux
high Severity high
: ---
: ---
Assigned To: Tomas Mraz
Brian Brock
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2003-09-26 15:10 EDT by Ted Kaczmarek
Modified: 2005-10-31 17:00 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-02-05 11:39:41 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Debug of sshd hosing (1.94 KB, text/plain)
2003-09-29 16:01 EDT, Ted Kaczmarek
no flags Details

  None (edit)
Description Ted Kaczmarek 2003-09-26 15:10:49 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686) Gecko/20030701 Galeon/1.3.7

Description of problem:
Clients get ssh_exchange_identification error, restrting daemon will fix for
about 30 minutes. Will also start working by itself after some undetermined
period of time.

Version-Release number of selected component (if applicable):
openssh-server-3.5p1-11

How reproducible:
Always

Steps to Reproduce:
1.up2date openssh
2.ssh to up2date sshd
3.
    

Actual Results:  ssh_exchange_identification: Connection closed by remote host


Expected Results:  ssh connection establishes

Additional info:

I am able to reproduce this at will.
Comment 1 Ted Kaczmarek 2003-09-26 17:01:07 EDT
Reviewing my monitoring logs shows that is goes down between every 30-40 minutes
for between 30-60 minutes,
Comment 2 Ted Kaczmarek 2003-09-29 15:20:24 EDT
OK, every ssh daemon running 3.5X is affected, not all the same way. Any sshd
daemon that is 3.4X is not experiencing this issue. I have some running on port
2022 in debug mode, but I suspect these will not have an issue.
Comment 3 Ted Kaczmarek 2003-09-29 16:01:16 EDT
Created attachment 94833 [details]
Debug of sshd hosing

Why would not receiving an identification string cause the daemon to hose?
One would suspect it would just reject the connection. Anyway I have a few
workaround options but am amazed that this was let loose. Talk about a simple
way to DOS someone. 
Ted
Comment 4 Ted Kaczmarek 2003-10-26 16:35:42 EST
it seems that opennms launches on ssh poller invocation abackground-task.If so ,
the check if I/O-channels STDIN,STDOUT and STDERR are linked toa local
file/device.e.g. ssh ares4 '/opt/opennms/doit_as_backgroundtask.sh
</dev/null+>/var/log/doit_as_backgroundtask.log 2>&1'If one of these I/O
channels are bound to the console then the sshd will not terminate correctly.
That's the reason I reach the redhat defaultlimit of maximum 10 sshd processes.
raising this limit to <30 helps. Forthe archive.
Comment 5 Alex Pircher 2004-01-12 04:24:04 EST
I'm also unable to connect to one server using
openssh-server-3.5p1-11. This
has now happened for the second time within one month. Only a restart
of the
daemon fixes this:

# ssh -vvv web3
OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be
trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to web3 [172.16.1.3] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/identity type -1
debug3: Not a RSA1 key file /root/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: no key found
debug3: key_read: no space
...
debug3: key_read: no space
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: no key found
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_dsa type -1
ssh_exchange_identification: Connection closed by remote host
debug1: Calling cleanup 0x80674e0(0x0)
Comment 6 Ted Kaczmarek 2004-01-12 06:55:24 EST
How may sshd's do you see running when this happens?
You will need console access or enable another  daemon that you can
remotely access host with. You may want to increase the amount of
sshd's allowed to 30, that so far has prevented my problem, it will
get up to about 24-26 typically in my setup. 
Comment 7 Tomas Mraz 2005-02-04 11:35:48 EST
Does it still happen for you with the current Fedora Core?
Comment 8 Ted Kaczmarek 2005-02-04 18:34:55 EST
Wouldn't be able to tell you for sure, the OpenNMS guys accidentally
created the DOS that did this with one version of their ssh poller. I
haven't seen any problems with this since I upgraded the poller code. 
That was quite some time ago. 
I would say close it at this time.


Comment 9 Tomas Mraz 2005-02-05 11:39:41 EST
It's possible that it could be a problem of syslog deadlock which was
reported in another bug report. Closing for now.
Comment 10 Mark Huang 2005-05-04 10:59:43 EDT
I believe that the root cause of both this bug as well as <a
href="https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=144799">144799</a> is
a bug in OpenSSH 3.6.x and 3.7.x that only shows up under privilege separation:

<a
href="http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=107520317020444&w=2">http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=107520317020444&w=2</a>

Basically, the MaxStartups (10) and LoginGraceTime (120 seconds) settings are
supposed to defend against DoS, but when run in privilege-separated mode (the
default), OpenSSH server does not properly kill its children after
LoginGraceTime expires. Thus, sshd processes that are still in authentication
phase after LoginGraceTime expires can hang around forever, and you can DoS an
FC2 OpenSSH server with default settings by simply opening up 10 connections to
the server, specifying an SSH key with a passphrase, and never typing the
passphrase.

We recently upgraded all 500 of our <a
href="http://www.planet-lab.org/">PlanetLab</a> nodes, which run a modified FC2,
to the latest FC3 version of OpenSSH server (3.9ish), which seems to have fixed
the problem. The latest FC3 version of OpenSSH server does have some annoying
New Requirements ("locked" accounts (those with "!!" passwords in /etc/shadow)
must be "unlocked" ("!!" replaced with "*"), the server refuses to start unless
argv[0] is an absolute path (i.e. you cannot rename the process)), but works.

Note You need to log in before you can comment on or make changes to this bug.