Bug 202856 - OpenSSH rejects connections if IP options are present
Summary: OpenSSH rejects connections if IP options are present
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: openssh
Version: 6
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2006-08-16 19:53 UTC by Paul Moore
Modified: 2007-11-30 22:11 UTC
CC: 4 users

Fixed In Version: openssh-4.3p2-9
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-08-23 22:30:46 UTC
Type: ---
Embargoed:


Attachments
Patch to correct IP option checks (1.92 KB, patch)
2006-08-16 19:53 UTC, Paul Moore

Description Paul Moore 2006-08-16 19:53:51 UTC
Description of problem:
The latest versions of OpenSSH reject connections if any IP options are present when in reality they are only concerned with source routing options. This blind rejection of connections causes problems when CIPSO is used as it makes use of IP options to tag each packet with security attributes. The attached patch is a quick and dirty pass at fixing the problem; a quick test shows that it solves the problem.

Version-Release number of selected component (if applicable):
4.3p2-8

How reproducible:
Every time.

Steps to Reproduce:
1. Enable CIPSO using NetLabel
2. Restart the ssh daemon
3. Try to ssh to localhost
Actual results:
The connection is refused by the server. More information can be found if the server is run in debug mode, "/usr/sbin/sshd -ddd"

Expected results:
The connection succeeds.

Additional info:
This is part of the HP/RedHat CC LSPP effort and this bug needs to be fixed if CIPSO is to be part of a LSPP evaluation.
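
As an added illustration, not the attached patch (which is not reproduced on this page) and not OpenSSH's own code, the check below contrasts the reported behaviour, refusing a connection whenever any IP option is present, with one that walks the option list and refuses only loose/strict source routing, so a CIPSO-tagged connection is accepted. The option type codes follow RFC 791 and FIPS 188; the sample option byte strings are constructed here; the decision to also refuse malformed option lists is an assumption of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IPv4 option type codes (RFC 791); CIPSO is option type 134 (FIPS 188). */
#define OPT_EOL   0    /* end of option list, single byte, no length field */
#define OPT_NOP   1    /* no operation, single byte, no length field */
#define OPT_LSRR  131  /* loose source route */
#define OPT_CIPSO 134  /* Commercial IP Security Option (used by NetLabel) */
#define OPT_SSRR  137  /* strict source route */

/* Behaviour the report complains about: any option at all refuses the connection. */
bool accept_reject_all_options(const uint8_t *opts, size_t len) {
    (void)opts;
    return len == 0;
}

/* Intended behaviour: walk the option list and refuse only source routing.
 * Truncated or zero-length options are refused too (an assumption made here). */
bool accept_reject_source_route_only(const uint8_t *opts, size_t len) {
    size_t i = 0;
    while (i < len) {
        uint8_t type = opts[i];
        if (type == OPT_EOL)
            break;
        if (type == OPT_NOP) {              /* single-byte option */
            i++;
            continue;
        }
        if (i + 1 >= len)                   /* length byte missing */
            return false;
        uint8_t olen = opts[i + 1];
        if (olen < 2 || i + olen > len)     /* bogus length */
            return false;
        if (type == OPT_LSRR || type == OPT_SSRR)
            return false;
        i += olen;                          /* CIPSO and other options pass through */
    }
    return true;
}

/* Constructed samples. CIPSO: type 134, length 10, DOI 1, one tag (type 1, len 4, level 0).
 * LSRR: type 131, length 7, pointer 4, one hop 10.0.0.1. */
static const uint8_t cipso_opt[]     = { OPT_CIPSO, 10, 0, 0, 0, 1, 1, 4, 0, 0 };
static const uint8_t nop_cipso_opt[] = { OPT_NOP, OPT_CIPSO, 10, 0, 0, 0, 1, 1, 4, 0, 0 };
static const uint8_t lsrr_opt[]      = { OPT_LSRR, 7, 4, 10, 0, 0, 1 };

int main(void) {
    printf("CIPSO: reject-all=%d source-route-only=%d\n",
           accept_reject_all_options(cipso_opt, sizeof cipso_opt),
           accept_reject_source_route_only(cipso_opt, sizeof cipso_opt));
    printf("LSRR:  reject-all=%d source-route-only=%d\n",
           accept_reject_all_options(lsrr_opt, sizeof lsrr_opt),
           accept_reject_source_route_only(lsrr_opt, sizeof lsrr_opt));
    return 0;
}
```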

Comment 1 Paul Moore 2006-08-16 19:53:52 UTC
Created attachment 134340
Patch to correct IP option checks
