Bug 2115246 - ssh connect gives strange error in update_known_hosts
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: openssh
Version: CentOS Stream
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: rc
Assignee: Dmitry Belyavskiy
QA Contact: Marek Havrila
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-08-04 08:29 UTC by Dr. Stephan Wonczak
Modified: 2022-11-15 13:18 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-11-15 11:21:51 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Github openssh/openssh-portable/commit/8832402bd500d1661ccc80a476fd563335ef6cdc 0 None None None 2022-08-16 12:24:35 UTC
Red Hat Issue Tracker CRYPTO-8095 0 None None None 2022-08-15 13:13:57 UTC
Red Hat Issue Tracker RHELPLAN-130276 0 None None None 2022-08-04 08:35:15 UTC
Red Hat Product Errata RHBA-2022:8375 0 None None None 2022-11-15 11:21:57 UTC

Description Dr. Stephan Wonczak 2022-08-04 08:29:01 UTC
Description of problem:
Connecting to a remote server gives the following error

update_known_hosts: hostfile_replace_entries failed for /home/<user>/.ssh/known_hosts: memory allocation failed

The connection does open, though, and works fine.


Version-Release number of selected component (if applicable):

openssh-8.7p1-19.el9.x86_64

How reproducible:


Steps to Reproduce:
1. Connect to remote host
2. Enter password
3. Error pops up, connection works.

Actual results:
[<user>@<local> tmp]$ ssh <user>@<remote>
<user>@<remote>'s password: 
update_known_hosts: hostfile_replace_entries failed for /home/<user>/.ssh/known_hosts: memory allocation failed
<user>@<remote>$

Expected results:
Same as above, without the error line

Additional info:
Remote server is a RHEL-7 system, running openssh-server-7.4p1-22.el7_9.x86_64
Browsing the net, the only hits for this error message were direct references to the source code. Error does not seem to have popped up "in the wild" as of yet.

Comment 1 Dr. Stephan Wonczak 2022-08-08 11:55:38 UTC
Hi everyone,
A bit of playing around made this bug even weirder:
started with an empty known_hosts-file. 
"remote-A" and "remote-B" refer to two different remote hosts. Same user/credentials are used for both hosts
logins work in all cases, even if the "memory error" pops up


login to remote-A
New key is written to local known_hosts, no error
login to remote-A
(gives memory-allocation error, as described above)
login to remote-B
New key is written to known_hosts, no error
login to remote-A
(mem-alloc-error)
login to remote-A.domain (i.e. with FQDN)
New key is written to known_hosts, no error
login to remote-A (short name)
(NO ERROR!)
login to remote-B
(mem-alloc error)
login to remote-B.domain
New key is written to known_hosts, no error
login to remote-B
(NO ERROR)

After this experiment, known_hosts looks like this:

remote-A <key>
remote-B <key>
remote-A.domain <key>
remote-B.domain <key>

If I try the same with remote-C, it gives this memory-allocation error as long as it is contained only -once- inside known hosts. As soon as there are -two- (or more) lines, everything looks fine.
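
Added example (not part of the original comment, and not OpenSSH code): a small known_hosts parser that lists the hosts stored with exactly one key type, which is the state the reporter describes as triggering the message. The sample file contents, key blobs, addresses and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in known_hosts format; key blobs are placeholders.
SAMPLE_KNOWN_HOSTS = """\
# constructed sample, not a real known_hosts file
remote-A ssh-ed25519 AAAAC3placeholderA
remote-B ssh-ed25519 AAAAC3placeholderB
remote-B ssh-rsa AAAAB3placeholderB
remote-A.domain,192.0.2.10 ssh-ed25519 AAAAC3placeholderA
@cert-authority *.example.org ssh-rsa AAAAB3placeholderCA
|1|c2FsdA==|aGFzaA== ssh-ed25519 AAAAC3placeholderH
"""

MARKERS = {"@cert-authority", "@revoked"}


def parse_known_hosts(text):
    """Yield (marker, host patterns, key type) for every entry line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        fields = line.split()
        marker = fields.pop(0) if fields[0] in MARKERS else None
        if len(fields) < 3:
            continue                      # malformed: need hosts, type, key
        # One line may name several hosts separated by commas.
        # Hashed names (|1|salt|hash) stay as opaque tokens.
        yield marker, fields[0].split(","), fields[1]


def key_types_by_host(text):
    """Map each host pattern to the set of key types stored for it."""
    hosts = defaultdict(set)
    for marker, patterns, key_type in parse_known_hosts(text):
        if marker is not None:
            continue                      # CA / revoked lines are not host keys
        for pattern in patterns:
            hosts[pattern].add(key_type)
    return dict(hosts)


def single_key_hosts(text):
    """Hosts recorded with exactly one key type."""
    return sorted(h for h, t in key_types_by_host(text).items() if len(t) == 1)


if __name__ == "__main__":
    for host in single_key_hosts(SAMPLE_KNOWN_HOSTS):
        print(host)
```
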

Comment 2 Dmitry Belyavskiy 2022-08-08 13:35:01 UTC
What are the RHEL (if any) and OpenSSH versions on RemoteA and RemoteB? 

Could you also check if switching the crypto policy to DEFAULT:SHA1 or LEGACY resolves the issue?

Comment 3 Dr. Stephan Wonczak 2022-08-09 08:45:28 UTC
Both remote servers are RHEL-7 systems, running openssh-server-7.4p1-22.el7_9.x86_64. 
Switching the crypto policy makes no difference - first tests were during "DEFAULT" (with SHA1 disabled). I then switched to "LEGACY" since I needed connectivity to older systems (RHEL-6).
The error is independent of the remote server, since it tries to update the local user's .ssh/known_hosts-file.

Comment 4 Dr. Stephan Wonczak 2022-08-10 11:44:23 UTC
Update: A new OpenSSH-Version arrived today - openssh-8.7p1-21.el9.x86_64
The issue is -NOT- resolved, however, and still easily reproducible.

Comment 5 Dmitry Belyavskiy 2022-08-15 13:15:10 UTC
Are the remote keys RSA only?

Comment 6 Dr. Stephan Wonczak 2022-08-15 14:00:56 UTC
Yes - but this should not really matter since I am -not- using the keys for login. 
The problem is strictly local when ssh attempts to update the local known_hosts. To me, the symptoms look like an off-by-one, and I am somehow able to trigger this in my machine.

Comment 7 Dmitry Belyavskiy 2022-08-15 14:04:40 UTC
I strongly suspect we try to allocate memory for 0 keys and it causes this error, but I didn't check it yet.

Comment 8 Dr. Stephan Wonczak 2022-08-15 14:35:11 UTC
Just for kicks I did a bit of experimenting:

I booted a Fedora-36-Live image and tested there. No errors! However, the local known_hosts had -three- entries after the single login, as opposed to the single one on my current Centos-9-Stream. I also tested a Rocky-Linux-9 Live image. This throws yet another error. I will summarize what the outcome of a single login (which always gives me a working connection, by the way) looks like in all cases:


CentOS 9 Stream (completely updated)

Error during login to remote: update_known_hosts: hostfile_replace_entries failed for /home/sws/.ssh/known_hosts: memory allocation failed

[user@local ~]$ ssh -V
OpenSSH_8.7p1, OpenSSL 3.0.1 14 Dec 2021
[user@local ~]$ cat .ssh/known_hosts 
remote ssh-ed25519 AAA(...)


Fedora 36 Live image

Error during login to remote: NONE

[liveuser@localhost-live ~]$ ssh -V
OpenSSH_8.8p1, OpenSSL 3.0.2 15 Mar 2022
[liveuser@localhost-live ~]$ cat .ssh/known_hosts
remote ssh-ed25519 AAA(...)
remote ssh-rsa AAA(...)
remote ecdsa-sha2-nistp256 AAA(...)


Rocky 9 live

Error during login to remote: client_global_hostkeys_private_confirm: server gave bad signature for RSA key 0: error in libcrypto

[liveuser@localhost-live ~]$ ssh -V
OpenSSH_8.7p1, OpenSSL 3.0.1 14 Dec 2021
[liveuser@localhost-live ~]$ cat .ssh/known_hosts 
remote ssh-ed25519 AAA(...)

Comment 9 Dmitry Belyavskiy 2022-08-16 11:20:50 UTC
The error itself is completely misleading. It happens when we try to add ssh-rsa hostkey to known_hosts.

Comment 10 Dmitry Belyavskiy 2022-08-16 12:24:36 UTC
There was an upstream commit to fix this issue: https://github.com/openssh/openssh-portable/commit/8832402bd500d1661ccc80a476fd563335ef6cdc

I'm going to make a fresh build including this commit, so could you please try it when it lands in Fedora?

Comment 11 Dr. Stephan Wonczak 2022-08-16 13:28:27 UTC
Sure, if you have an RPM for me to try out, I am game. Just send a link :-)
Note, however, I am on CentOS 9 Stream, not Fedora.

Comment 14 Dmitry Belyavskiy 2022-08-17 09:02:46 UTC
Just built -22 with this fix. I think it will be available via CentOS stream relatively soon.

Comment 17 Dr. Stephan Wonczak 2022-08-24 08:52:43 UTC
To report back:
openssh-8.7p1-22.el9.x86_64 landed today. 
Bug is fixed in this build. Login to the remote host no longer gives an error, and .ssh/known-hosts is updated with the second key. No more memory allocation failures.

This Bug can be marked as resolved.

Comment 18 Dmitry Belyavskiy 2022-08-24 16:05:02 UTC
Many thanks for confirmation!

Comment 20 errata-xmlrpc 2022-11-15 11:21:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (openssh bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8375

