https://bugzilla.mindrot.org/show_bug.cgi?id=3639
Bug ID: 3639 Summary: server thread aborts during client login after receiving SSH2_MSG_KEXINIT Product: Portable OpenSSH Version: 9.2p1 Hardware: ARM OS: Linux Status: NEW Severity: critical Priority: P5 Component: sshd Assignee: unassigned-b...@mindrot.org Reporter: jtm.moon.forum.user+mind...@gmail.com tl;dr I downloaded and compiled openssh-9.2p1.tar.gz . When an openssh client attempts to login it sends SSH2_MSG_KEXINIT, the server immediately resets the connection ### Reproduction Steps Using Raspbian 11 (based on Debian 11 Bullseye) on a Raspberry Pi 4 (ARM aarch64), I downloaded https://mirror.edgecast.com/pub/OpenBSD/OpenSSH/portable/openssh-9.2p1.tar.gz I compiled and installed it. First, make sure necessary build packages are available apt install \ libssl-dev \ gcc g++ gdb cpp \ make cmake \ libtool \ libc6 \ autoconf automake pkg-config \ build-essential \ gettext \ libzstd1 zlib1g \ libssh-4 libssh-dev libssl3 \ libc6-dev libc6 \ libcrypt-dev Download, build, install cd /tmp wget https://mirror.edgecast.com/pub/OpenBSD/OpenSSH/portable/openssh-9.2p1.tar.gz tar -xvf openssh-9.2p1.tar.gz cd openssh-9.2p1 ./configure --prefix=/opt/openssh-9.2p1 make make install Adjust sshd_config vim /opt/openssh-9.2p1/etc/sshd_config Add lines for a unique port, 2232, increase the log level Port 2232 LogLevel DEBUG3 Otherwise, the `sshd_config` is used as-is. Manually start `sshd` /opt/openssh-9.2p1/sbin/sshd -D Tail the logs tail -f /var/log/auth.log On a different host, attempt to login using the openssh client PS> ssh.exe root@192.168.1.2 -p 2232 -vvvv The tail of the output shows ... debug3: send packet: type 20 debug1: SSH2_MSG_KEXINIT sent debug3: recv - from CB ERROR:10054, io:000002E46F4CB690 Connection reset by 192.168.1.2 port 2232 That output is from Windows ssh.exe (OpenSSH_for_Windows_8.6p1, LibreSSL 3.4.3). Using Ubuntu 22 x64 ssh (OpenSSH_8.9p1 Ubuntu-3ubuntu0.4, OpenSSL 3.0.2 15 Mar 2022) the ssh client output looks like: $ ssh root@192.168.1.2 -p 2232 -vvvv ... debug3: send packet: type 20 debug1: SSH2_MSG_KEXINIT sent Connection reset by 192.168.1.2 port 2232 Using Debian 11 ARM ssh client compiled from the same compilation (OpenSSH_9.2p1, OpenSSL 1.1.1w 11 Sep 2023) the same error occurs. $ /opt/openssh-9.2p1/bin/ssh -p 2232 root@192.168.1.2 -vvvvv ... debug3: send packet: type 20 debug1: SSH2_MSG_KEXINIT sent Connection reset by 192.168.1.2 port 2232 The server log messages from `/var/log/auth.log` are 2023-12-02T12:28:41.051665-08:00 host1 sshd[3790]: Connection from 192.168.1.3 port 62155 on 192.168.1.2 port 2232 rdomain "" 2023-12-02T12:28:41.050817-08:00 host1 sshd[3790]: Connection from 192.168.1.3 port 62155 on 192.168.1.2 port 2232 rdomain "" 2023-12-02T12:28:41.053381-08:00 host1 audit[3791]: SECCOMP auid=4294967295 uid=107 gid=65534 ses=4294967295 pid=3791 comm="sshd" exe="/opt/openssh-9.2p1/sbin/sshd" sig=31 arch=40000028 syscall=20 compat=1 ip=0xf787080c code=0x0 ### Notes This error does not occur using release 9.1p1. This error does occur for release 9.2p1 up to 9.5p1 (I tried all of them). I attempted to reproduce this on a Ubuntu 22 x64 Virtual Machine as the server. The error did not occur (logins succeeded). Various information about the host on which the error occurs $ lscpu Architecture: aarch64 Byte Order: Little Endian CPU(s): 4 On-line CPU(s) list: 0-3 Thread(s) per core: 1 Core(s) per socket: 4 Socket(s): 1 Vendor ID: ARM Model: 3 Model name: Cortex-A72 Stepping: r0p3 CPU max MHz: 1500.0000 CPU min MHz: 600.0000 BogoMIPS: 108.00 L1d cache: 128 KiB L1i cache: 192 KiB L2 cache: 1 MiB Vulnerability Itlb multihit: Not affected Vulnerability L1tf: Not affected Vulnerability Mds: Not affected Vulnerability Meltdown: Not affected Vulnerability Mmio stale data: Not affected Vulnerability Retbleed: Not affected Vulnerability Spec store bypass: Vulnerable Vulnerability Spectre v1: Mitigation; __user pointer sanitization Vulnerability Spectre v2: Vulnerable Vulnerability Srbds: Not affected Vulnerability Tsx async abort: Not affected Flags: fp asimd evtstrm crc32 cpuid $ uname -a Linux host1 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr 3 17:24:16 BST 2023 aarch64 GNU/Linux The host `apt` packages (dpkg) are up-to-date. I suspect this bug is specific to this Debian-derived distribution and/or ARM architecture. -- You are receiving this mail because: You are watching the assignee of the bug. _______________________________________________ openssh-bugs mailing list openssh-bugs@mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-bugs