Description of problem:
The latest versions of OpenSSH reject connections if any IP options are present when in reality they are only concerned with source routing options. This blind rejection of connections causes problems when CIPSO is used as it makes use of IP options to tag each packet with security attributes. The attached patch is a quick and dirty pass at fixing the problem; a quick test shows that it solves the problem.

Version-Release number of selected component (if applicable):
4.3p2-8

How reproducible:
Every time.

Steps to Reproduce:
1. Enable CIPSO using NetLabel
2. Restart the ssh daemon
3. Try to ssh to localhost

Actual results:
The connection is refused by the server. More information can be found if the server is run in debug mode, "/usr/sbin/sshd -ddd"

Expected results:
The connection succeeds.

Additional info:
This is part of the HP/RedHat CC LSPP effort and this bug needs to be fixed if CIPSO is to be part of a LSPP evaluation.
Created attachment 134340
Patch to correct IP option checks
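
The distinction the report draws, refusing source routing options while letting other IP options such as CIPSO through, can be sketched as follows. This is an added example, not the attached patch and not OpenSSH code; check_ip_options, the verdict enum and the sample byte arrays are hypothetical names and constructed data, and rejecting options with a bad length byte is an assumption of this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IPv4 option type values */
#define OPT_EOL   0    /* end of option list */
#define OPT_NOP   1    /* one-byte padding */
#define OPT_LSRR  131  /* loose source and record route */
#define OPT_CIPSO 134  /* CIPSO security label */
#define OPT_SSRR  137  /* strict source and record route */

enum opt_verdict { OPTS_OK, OPTS_SOURCE_ROUTE, OPTS_MALFORMED };

/* Hypothetical helper (not OpenSSH code): walk the raw option bytes, as
 * getsockopt(IP_OPTIONS) would return them, and flag only source routing. */
enum opt_verdict check_ip_options(const uint8_t *opts, size_t len)
{
    size_t i = 0;
    while (i < len) {
        uint8_t type = opts[i];
        if (type == OPT_EOL)
            break;                      /* nothing after end-of-list counts */
        if (type == OPT_NOP) {
            i++;                        /* single byte, no length field */
            continue;
        }
        if (type == OPT_LSRR || type == OPT_SSRR)
            return OPTS_SOURCE_ROUTE;   /* the only options refused here */
        /* Every other option is type, length, data; length covers all three. */
        size_t olen = (len - i >= 2) ? opts[i + 1] : 0; /* 0: no length byte */
        if (olen < 2 || olen > len - i)
            return OPTS_MALFORMED;      /* assumption: fail closed */
        i += olen;
    }
    return OPTS_OK;
}

/* Constructed samples: CIPSO (DOI 1, one tag) padded to 12 bytes, and LSRR. */
static const uint8_t cipso_only[] = {OPT_CIPSO, 10, 0, 0, 0, 1, 1, 4, 0, 0, 0, 0};
static const uint8_t lsrr_only[]  = {OPT_LSRR, 7, 4, 192, 0, 2, 1, 0};
static const uint8_t cipso_lsrr[] = {OPT_NOP, OPT_CIPSO, 10, 0, 0, 0, 1, 1, 4, 0, 0,
                                     OPT_LSRR, 7, 4, 192, 0, 2, 1};
static const uint8_t bad_length[] = {OPT_CIPSO, 10, 0, 0};

int main(void)
{
    printf("cipso-only verdict: %d\n", (int)check_ip_options(cipso_only, sizeof cipso_only));
    return 0;
}
```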