Bug 1162620 - fatal: monitor_read: unsupported request: 82 on server while attempting GSSAPI key exchange
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openssh
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Petr Lautrbach
QA Contact: Stanislav Zidek
URL:
Whiteboard:
Depends On: 1118005
Blocks:
Reported: 2014-11-11 11:36 UTC by Stanislav Zidek
Modified: 2015-03-05 09:28 UTC

Fixed In Version: openssh-6.6.1p1-7.el7
Doc Type: Bug Fix
Doc Text:
Clone Of: 1118005
Environment:
Last Closed: 2015-03-05 09:28:42 UTC


Links
System: Red Hat Product Errata | ID: RHSA-2015:0425 | Priority: normal | Status: SHIPPED_LIVE | Summary: Moderate: openssh security, bug fix and enhancement update | Last Updated: 2015-03-05 14:26:20 UTC

Description Stanislav Zidek 2014-11-11 11:36:42 UTC
I just found a similar issue in the RHEL-7.1 candidate.

$ rpm -q openssh
openssh-6.6.1p1-4.el7.x86_64

ssh_config:
Host *
	GSSAPIKeyExchange yes

sshd_config:
GSSAPIKeyExchange yes

client:
$ ssh tester@<IP>

Connection closed by <IP>

server (/var/log/secure):
Nov 11 06:33:36 intel-sugarbay-dh-03 sshd[3795]: debug1: Forked child 3798.
Nov 11 06:33:36 intel-sugarbay-dh-03 sshd[3798]: Set /proc/self/oom_score_adj to 0
Nov 11 06:33:36 intel-sugarbay-dh-03 sshd[3798]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Nov 11 06:33:36 intel-sugarbay-dh-03 sshd[3798]: debug1: inetd sockets after dupping: 3, 3
Nov 11 06:33:36 intel-sugarbay-dh-03 sshd[3798]: Connection from <IP> port 47624 on 10.16.44.133 port 22
Nov 11 06:33:36 intel-sugarbay-dh-03 sshd[3798]: debug1: Client protocol version 2.0; client software version OpenSSH_6.6.1
Nov 11 06:33:36 intel-sugarbay-dh-03 sshd[3798]: debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
Nov 11 06:33:36 intel-sugarbay-dh-03 sshd[3798]: debug1: Enabling compatibility mode for protocol 2.0
Nov 11 06:33:36 intel-sugarbay-dh-03 sshd[3798]: debug1: Local version string SSH-2.0-OpenSSH_6.6.1
Nov 11 06:33:36 intel-sugarbay-dh-03 sshd[3798]: debug1: SELinux support enabled [preauth]
Nov 11 06:33:36 intel-sugarbay-dh-03 sshd[3798]: debug1: permanently_set_uid: 74/74 [preauth]
Nov 11 06:33:36 intel-sugarbay-dh-03 sshd[3798]: debug1: list_hostkey_types: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Nov 11 06:33:36 intel-sugarbay-dh-03 sshd[3798]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Nov 11 06:33:36 intel-sugarbay-dh-03 sshd[3798]: debug1: SSH2_MSG_KEXINIT received [preauth]
Nov 11 06:33:36 intel-sugarbay-dh-03 sshd[3798]: debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none [preauth]
Nov 11 06:33:36 intel-sugarbay-dh-03 sshd[3798]: debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none [preauth]
Nov 11 06:33:36 intel-sugarbay-dh-03 sshd[3798]: debug1: Doing group exchange [preauth]
Nov 11 06:33:36 intel-sugarbay-dh-03 sshd[3798]: debug1: Wait SSH2_MSG_GSSAPI_INIT [preauth]
Nov 11 06:33:36 intel-sugarbay-dh-03 sshd[3798]: debug1: Got no client credentials
Nov 11 06:33:36 intel-sugarbay-dh-03 sshd[3798]: fatal: monitor_read: unsupported request: 82
Nov 11 06:33:36 intel-sugarbay-dh-03 sshd[3798]: debug1: do_cleanup
Nov 11 06:33:36 intel-sugarbay-dh-03 sshd[3798]: debug1: Killing privsep child 3799


+++ This bug was initially created as a clone of Bug #1118005 +++

Description of problem:
Since updating to openssh-6.6.1p1-1.fc21, access fails when I try to log in using GSSAPI key exchange. The server disconnects the client and logs:

  fatal: monitor_read: unsupported request: 82

Disabling the GSSAPIKeyExchange option on the client allows the login to succeed.

Version-Release number of selected component (if applicable):
  openssh-6.6.1p1-1.fc21.x86_64.rpm

How reproducible:
Always

Steps to Reproduce:

1. Set up a server on F21 with a keytab, say as an IPA server.
2. Use kinit on the server to get a TGT.
3. Try to ssh to the server with the client's GSSAPIAuthentication, GSSAPIDelegateCredentials, and GSSAPIKeyExchange options enabled.

Actual results:
OpenSSH_6.6.1, OpenSSL 1.0.1h-fips 5 Jun 2014
debug1: Reading configuration data /home/nalin/.ssh/config
debug1: /home/nalin/.ssh/config line 75: Applying options for blade
debug1: /home/nalin/.ssh/config line 154: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 51: Applying options for *
debug1: Hostname has changed; re-reading configuration
debug1: Reading configuration data /home/nalin/.ssh/config
debug1: /home/nalin/.ssh/config line 75: Applying options for blade.bos.redhat.com
debug1: /home/nalin/.ssh/config line 125: Applying options for *.bos.redhat.com
debug1: /home/nalin/.ssh/config line 154: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 51: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to blade.bos.redhat.com [10.18.57.10] port 22.
debug1: Connection established.
debug1: identity file /home/nalin/.ssh/id_rsa type 1
debug1: identity file /home/nalin/.ssh/id_rsa-cert type -1
debug1: identity file /home/nalin/.ssh/id_dsa type 2
debug1: identity file /home/nalin/.ssh/id_dsa-cert type -1
debug1: identity file /home/nalin/.ssh/id_ecdsa type -1
debug1: identity file /home/nalin/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/nalin/.ssh/id_ed25519 type -1
debug1: identity file /home/nalin/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Offering GSSAPI proposal: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==,gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group1-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q==
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==,gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group1-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q==,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss,null
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: setup hmac-md5-etm@openssh.com
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug2: mac_setup: setup hmac-md5-etm@openssh.com
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: Doing group exchange

debug2: bits set: 1514/3072
debug1: Calling gss_init_sec_context
debug1: Delegating credentials
Connection closed by 10.18.57.10

Expected results:
Login succeeds.

Additional info:
Downgrading the server back to 6.4p1-4.fc21 works around it.

--- Additional comment from Petr Lautrbach on 2014-07-10 13:57:36 EDT ---

Thanks for the report.

I'm not sure if I'm able to reproduce the same issue, but I'm able to log in using openssh-6.6.1p1-1.1.fc20.1 [1] on f20 and I can't do the same with the same package or with openssh-6.4p1-4.fc21.x86_64 on rawhide. But my rawhide host could be misconfigured since I get a "wrong principal" error message.

The patch with gsskex support hasn't changed at all between 6.4 and 6.6, so it could be some change in the rebased package or in the libraries used.

I'll try to set up clean environments and investigate it more.

[1] http://koji.fedoraproject.org/koji/taskinfo?taskID=7125711
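
Added example (not part of the bug report and not OpenSSH code): a log check that ties the `fatal: monitor_read: unsupported request` line to a preceding `Wait SSH2_MSG_GSSAPI_INIT` in the same sshd process, so affected servers can be found in /var/log/secure. The sample lines, the host name, PIDs 3901/3950 and the 192.0.2.x addresses are constructed, and `find_monitor_failures` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample in the /var/log/secure format quoted in this report;
# host name, PIDs 3901/3950 and the 192.0.2.x addresses are made up.
SAMPLE_LOG = """\
Nov 11 06:33:36 host1 sshd[3798]: Connection from 192.0.2.10 port 47624 on 192.0.2.1 port 22
Nov 11 06:33:36 host1 sshd[3798]: debug1: Wait SSH2_MSG_GSSAPI_INIT [preauth]
Nov 11 06:33:36 host1 sshd[3798]: debug1: Got no client credentials
Nov 11 06:33:36 host1 sshd[3798]: fatal: monitor_read: unsupported request: 82
Nov 11 06:40:02 host1 sshd[3901]: Connection from 192.0.2.11 port 50112 on 192.0.2.1 port 22
Nov 11 06:40:02 host1 sshd[3901]: debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none [preauth]
Nov 11 06:41:10 host1 sshd[3950]: Connection from 192.0.2.12 port 40000 on 192.0.2.1 port 22
Nov 11 06:41:10 host1 sshd[3950]: fatal: monitor_read: unsupported request: 82
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONN_RE = re.compile(r"^Connection from (?P<src>\S+) port \d+")
FATAL_RE = re.compile(r"^fatal: monitor_read: unsupported request: (?P<req>\d+)")
GSS_WAIT = "Wait SSH2_MSG_GSSAPI_INIT"  # only logged at debug level, as in the report


def find_monitor_failures(log_text):
    """Return one finding per sshd process that died in monitor_read."""
    sessions = defaultdict(lambda: {"src": None, "gss_kex": False})
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd syslog line
        key, msg = (m["host"], m["pid"]), m["msg"]
        conn = CONN_RE.match(msg)
        fatal = FATAL_RE.match(msg)
        if conn:
            # PIDs are reused, so a new connection resets the per-process state.
            sessions[key] = {"src": conn["src"], "gss_kex": False}
        elif GSS_WAIT in msg:
            sessions[key]["gss_kex"] = True
        elif fatal:
            findings.append({"time": m["ts"], "host": m["host"], "pid": int(m["pid"]),
                             "request": int(fatal["req"]), **sessions[key]})
    return findings


if __name__ == "__main__":
    for f in find_monitor_failures(SAMPLE_LOG):
        kind = "during GSSAPI key exchange" if f["gss_kex"] else "GSSAPI key exchange not seen"
        print(f"{f['time']} {f['host']} sshd[{f['pid']}] from {f['src']}: "
              f"monitor request {f['request']} rejected ({kind})")
```

The third constructed session has no debug lines, so the fatal line is still reported but cannot be attributed to GSSAPI key exchange from the log alone.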

Comment 4 errata-xmlrpc 2015-03-05 09:28:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0425.html

