Bug 202856 - OpenSSH rejects connections if IP options are present
OpenSSH rejects connections if IP options are present
Product: Fedora
Classification: Fedora
Component: openssh (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Tomas Mraz
Brian Brock
Depends On:
  Show dependency treegraph
Reported: 2006-08-16 15:53 EDT by Paul Moore
Modified: 2007-11-30 17:11 EST (History)
4 users (show)

See Also:
Fixed In Version: openssh-4.3p2-9
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-08-23 18:30:46 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Patch to correct IP option checks (1.92 KB, patch)
2006-08-16 15:53 EDT, Paul Moore
no flags Details | Diff

  None (edit)
Description Paul Moore 2006-08-16 15:53:51 EDT
Description of problem:
The latest versions of OpenSSH reject connections if any IP options are 
present when in reality they are only concerned with source routing options.  
This blind rejection of connections causes problems when CIPSO is used as it 
makes use of IP options to tag each packet with security attributes.  The 
attached patch is a quick and dirty pass at fixing the problem, a quick test 
shows that it solves the problem.

Version-Release number of selected component (if applicable):

How reproducible:
Every time.

Steps to Reproduce:
1. Enable CIPSO using NetLabel
2. Restart the ssh daemon
3. Try to ssh to localhost
Actual results:
The connection is refused by the server.  More information can be found if the 
server is run in debug mode, "/usr/sbin/sshd -ddd"

Expected results:
The connections succeeds.

Additional info:
This is part of the HP/RedHat CC LSPP effort and this bug needs to be fixed if
CIPSO is to be part of a LSPP evaluation.
Comment 1 Paul Moore 2006-08-16 15:53:52 EDT
Created attachment 134340 [details]
Patch to correct IP option checks

Note You need to log in before you can comment on or make changes to this bug.