Red Hat Bugzilla – Bug 202856
OpenSSH rejects connections if IP options are present
Last modified: 2007-11-30 17:11:40 EST
Description of problem:
The latest versions of OpenSSH reject connections if any IP options are
present when in reality they are only concerned with source routing options.
This blind rejection of connections causes problems when CIPSO is used as it
makes use of IP options to tag each packet with security attributes. The
attached patch is a quick and dirty pass at fixing the problem; a quick test
shows that it solves the problem.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Enable CIPSO using NetLabel
2. Restart the ssh daemon
3. Try to ssh to localhost
Actual results:
The connection is refused by the server. More information can be found if the
server is run in debug mode, "/usr/sbin/sshd -ddd"
Expected results:
The connection succeeds.
This is part of the HP/RedHat CC LSPP effort and this bug needs to be fixed if
CIPSO is to be part of an LSPP evaluation.
Created attachment 134340
Patch to correct IP option checks
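The attachment itself is not reproduced on this page. The block below is an added illustration, not the attached patch and not OpenSSH's own code: it walks a raw IPv4 options buffer of the kind `getsockopt(IPPROTO_IP, IP_OPTIONS)` returns and contrasts the behaviour the report complains about (refuse whenever any option is present) with the narrower check the reporter describes (refuse only loose or strict source routing, so a CIPSO-tagged connection from NetLabel is allowed through). The option type codes come from RFC 791 and the CIPSO draft; the sample option buffers and the 10.0.0.1 hop address are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* IPv4 option type codes (RFC 791; CIPSO from the Commercial IP Security
 * Option draft). Defined locally so the example does not depend on what a
 * given <netinet/ip.h> exports. */
#define OPT_EOL    0    /* end of option list */
#define OPT_NOP    1    /* single-byte padding */
#define OPT_LSRR   131  /* loose source and record route */
#define OPT_CIPSO  134  /* CIPSO security label, used by NetLabel */
#define OPT_SSRR   137  /* strict source and record route */

/* Scan a raw IP options buffer, as getsockopt(IPPROTO_IP, IP_OPTIONS) hands
 * it back. Returns 1 if a source-routing option is present, 0 if not, and -1
 * if the buffer is malformed (a length byte that runs past the end or is
 * shorter than the two-byte option header). */
int has_source_route(const unsigned char *opts, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char type = opts[i];
        if (type == OPT_EOL)
            break;
        if (type == OPT_NOP) {
            i++;
            continue;
        }
        if (i + 1 >= len)            /* option header cut off */
            return -1;
        unsigned char olen = opts[i + 1];
        if (olen < 2 || i + olen > len)
            return -1;
        if (type == OPT_LSRR || type == OPT_SSRR)
            return 1;
        i += olen;                   /* skip over CIPSO, RR, timestamp, ... */
    }
    return 0;
}

/* The behaviour the report describes: any option at all refuses the connection. */
bool reject_any_option(const unsigned char *opts, size_t len)
{
    (void)opts;
    return len > 0;
}

/* The narrower policy: refuse only when source routing is present. A
 * malformed buffer is also refused, since it cannot be shown to be safe. */
bool reject_source_route_only(const unsigned char *opts, size_t len)
{
    return has_source_route(opts, len) != 0;
}

/* Constructed sample option buffers (not captured traffic). */
const unsigned char OPTS_CIPSO[] = {
    OPT_CIPSO, 6, 0x00, 0x00, 0x00, 0x01,   /* CIPSO, length 6, DOI 1 */
    OPT_NOP, OPT_NOP                        /* pad to a 4-byte boundary */
};
const unsigned char OPTS_LSRR[] = {
    OPT_LSRR, 7, 4, 10, 0, 0, 1,            /* LSRR with one hop, 10.0.0.1 */
    OPT_EOL
};
const unsigned char OPTS_BAD[] = { OPT_CIPSO, 40 };  /* length exceeds buffer */

int main(void)
{
    struct { const char *name; const unsigned char *o; size_t n; } cases[] = {
        { "CIPSO-tagged", OPTS_CIPSO, sizeof OPTS_CIPSO },
        { "LSRR",         OPTS_LSRR,  sizeof OPTS_LSRR  },
        { "malformed",    OPTS_BAD,   sizeof OPTS_BAD   },
    };
    for (size_t k = 0; k < sizeof cases / sizeof cases[0]; k++)
        printf("%-13s reject-any=%d reject-source-route=%d\n", cases[k].name,
               (int)reject_any_option(cases[k].o, cases[k].n),
               (int)reject_source_route_only(cases[k].o, cases[k].n));
    return 0;
}
```

The three-valued return from `has_source_route` matters for the policy function: an option list whose length byte runs past the buffer is refused rather than silently treated as "no source route", while a well-formed CIPSO option (or a NOP-padded one) is stepped over by its length byte and never triggers a refusal.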