Validated according to test case from description:

root@bionic-ssh:~# python3 test_bug_1863930.py localhost
Server is patched
root@bionic-ssh:~# dpkg -l | grep openssh
ii  openssh-client       1:7.6p1-4ubuntu0.6  amd64  secure shell (SSH) client, for secure access to remote machines
ii  openssh-server       1:7.6p1-4ubuntu0.6  amd64  secure shell (SSH) server, for secure access from remote machines
ii  openssh-sftp-server  1:7.6p1-4ubuntu0.6  amd64  secure shell (SSH) sftp server module, for SFTP access from remote machines

Given we have an ACK from both Server and Security and this is affecting
multiple users, I'll remove the blocked tag as well.

** Tags removed: block-proposed-bionic verification-needed verification-needed-bionic
** Tags added: verification-done verification-done-bionic

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1863930

Title:
  SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Bionic:
  Fix Committed

Bug description:
  [Impact]

   * The version check in ssh was broken, no longer following RFC 4253
     and thereby denying some clients that it shouldn't.

     https://datatracker.ietf.org/doc/html/rfc4253#section-5.1

   * It is intended for clients reporting SSH-1.99 to be treated as if 
     they were advertising SSH-2.0, but with some backwards compatibility.

   * Upstream fixed that, and this request is to back-port the changes into
     18.04 Bionic.

   * In practice this is affecting clients using the SolarWinds
     monitoring agent. SolarWinds SSH client advertises SSH-1.99 and Ubuntu
     18.04 openssh-server is refusing the connection.

   * This results in the following error in the auth.log, and a failed
     connection from the agent.

  Protocol major versions differ for <IP> port <port>:
    SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-WeOnlyDo.Net

   * More information from SolarWinds at the link below. They call out
     18.04 as affected and recommend upgrading OpenSSH-server to 7.7 or
     greater.

  https://support.solarwinds.com/SuccessCenter/s/article/SAM-s-Linux-Unix-Script-monitor-fails-to-connect-on-a-server-running-OpenSSH-7-6?language=en_US

  [Test Case]

   # Prep
   * configure the ssh server to generally work
   # Testcase
   $ wget https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+attachment/5332797/+files/test_bug_1863930.py
   $ apt install python3-paramiko
   $ python3 test_bug_1863930.py localhost (or whatever your host is)

   Will report "Server is not patched." or "Server is patched."

   * For an extra regression check it might be worth doing some "normal" ssh
     connections as well.

  [Regression Potential]

   * The change is very small and reviewable as well as being upstream and
     in all Ubuntu releases >=Cosmic for a while now so it seems safe.
     If anything the kind of regression to expect is that some former
     (wrong) connection denials will then succeed. I can only think of
     that being an issue in test suites but not in the real world.

  [Other Info]

   * n/a

  --

  SSHD closes the connection and logs the error message below when a
  client presents a protoversion of "1.99":

      Protocol major versions differ for X.X.X.X port X: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-XXX

  RFC 4253 only states that clients should treat a server's protoversion
  of "1.99" as equivalent to "2.0"; however, some backward-compatible
  clients send a protoversion of "1.99" and expect the server to treat
  it as "2.0".

  This regression was introduced in openssh-portable 7.6p1 from commit
  97f4d3083; fixes were implemented in commits 9e9c4a7e5 and c9c1bba06.
  I've attached a patch with both of those fixes.

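Added example, not part of the bug report and not OpenSSH's code: a small triage helper that pulls the client banner out of the "Protocol major versions differ" auth.log message quoted above and separates SSH-1.99 clients (refused by the regression, accepted once the fix is installed) from real SSH-1 clients. The two accepts_* functions only model the behaviour the report describes; the sample log lines, host name, IP addresses and the SSH-1.5 client are constructed.

```python
import re

# RFC 4253 section 4.2 identification string: SSH-protoversion-softwareversion[ SP comments]
BANNER_RE = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)")
# Shape of the sshd message quoted in the report: "<server banner> vs. <client banner>"
LOG_RE = re.compile(
    r"Protocol major versions differ for (\S+) port (\d+): (SSH-.+?) vs\. (SSH-\S+)")

# Constructed sample auth.log lines (documentation IPs, made-up host, PIDs and SSH-1.5 client)
SAMPLE_LOG = [
    "Feb 19 10:00:01 web1 sshd[1201]: Protocol major versions differ for 192.0.2.10 "
    "port 50122: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-WeOnlyDo.Net",
    "Feb 19 10:02:17 web1 sshd[1207]: Protocol major versions differ for 192.0.2.44 "
    "port 41870: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.5-LegacyClient",
    "Feb 19 10:03:40 web1 sshd[1210]: Accepted publickey for ops from 192.0.2.7 port 40022 ssh2",
]

def parse_banner(banner):
    """Split an identification string into (major, minor, softwareversion)."""
    m = BANNER_RE.match(banner.strip())
    if m is None:
        raise ValueError("not an SSH identification string: %r" % banner)
    return int(m.group(1)), int(m.group(2)), m.group(3)

def accepts_regressed(banner):
    """Model of the reported behaviour: any major version other than 2 is refused."""
    major, _minor, _software = parse_banner(banner)
    return major == 2

def accepts_fixed(banner):
    """Model of the intended behaviour: protoversion 1.99 is handled as 2.0."""
    major, minor, _software = parse_banner(banner)
    if (major, minor) == (1, 99):
        major, minor = 2, 0
    return major == 2

def triage(log_lines):
    """Return (client_ip, client_banner, verdict) for every version-mismatch rejection."""
    results = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m is None:
            continue  # unrelated sshd message
        ip, _port, _server_banner, client_banner = m.groups()
        wrongly = accepts_fixed(client_banner) and not accepts_regressed(client_banner)
        results.append((ip, client_banner, "wrongly-refused" if wrongly else "ssh1-only"))
    return results

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(*row, sep=" | ")
```

Clients reported as "wrongly-refused" should connect after the fixed openssh-server is installed; "ssh1-only" clients are refused either way.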