Hi,

There's apparently a bug in the VMware Workstation NAT implementation, made
visible by the change to the default IPQoS values in OpenSSH 7.8p1, which
causes all ssh connections from a guest behind the NAT to fail with an
obscure "Fssh_packet_write_wait: Connection to 192.168.1.53 port 22:
Broken pipe" error.

I wonder if we could integrate the attached patch (or some smarter
version of it) for the time being as the bug affects several major WS
releases, and it's not immediately clear where the problem is.

The change itself:

https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/readconf.c#rev1.284

The bug reports (some of them):

https://bugzilla.redhat.com/show_bug.cgi?id=1624437
https://communities.vmware.com/message/2803219#2803219

The patch itself is attached.
diff --git a/crypto/openssh/readconf.c b/crypto/openssh/readconf.c
index f97a6ac72a95..9ed6902a0f46 100644
--- a/crypto/openssh/readconf.c
+++ b/crypto/openssh/readconf.c
@@ -16,6 +16,9 @@
 __RCSID("$FreeBSD$");
 
 #include <sys/types.h>
+#ifdef VMWARE_GUEST_WORKAROUND
+#include <sys/sysctl.h>
+#endif
 #include <sys/stat.h>
 #include <sys/socket.h>
 #include <sys/wait.h>
@@ -1954,6 +1957,15 @@ fill_default_options(Options * options)
 {
        char *all_cipher, *all_mac, *all_kex, *all_key;
        int r;
+#ifdef VMWARE_GUEST_WORKAROUND
+       char scval[7];  /* "vmware\0" */
+       size_t scsiz = sizeof(scval);
+       int vmwguest = 0;
+
+       if (sysctlbyname("kern.vm_guest", scval, &scsiz, NULL, 0) == 0 &&
+           strcmp(scval, "vmware") == 0)
+               vmwguest = 1;
+#endif
 
        if (options->forward_agent == -1)
                options->forward_agent = 0;
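Review bot: The 7-byte `scval` buffer exactly fits "vmware", so the `strcmp` is only safe under two unstated assumptions: that a longer kern.vm_guest value makes sysctlbyname() fail and short-circuit the `&&`, and that a successful call returns a NUL-terminated string. I would give the buffer headroom and terminate it explicitly, with `char scval[16] = "";` and `scval[sizeof(scval) - 1] = '\0';` before the comparison. The detection also matches every VMware guest, not only those behind Workstation NAT, so a line such as `debug3("%s: VMware guest detected, using legacy IPQoS defaults", __func__);` would let users see why their defaults differ. fill_default_options() starts before and continues past this hunk.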
@@ -2088,8 +2100,18 @@ fill_default_options(Options * options)
        if (options->visual_host_key == -1)
                options->visual_host_key = 0;
        if (options->ip_qos_interactive == -1)
+#ifdef VMWARE_GUEST_WORKAROUND
+               if (vmwguest)
+                       options->ip_qos_interactive = IPTOS_LOWDELAY;
+               else
+#endif
                options->ip_qos_interactive = IPTOS_DSCP_AF21;
        if (options->ip_qos_bulk == -1)
+#ifdef VMWARE_GUEST_WORKAROUND
+               if (vmwguest)
+                       options->ip_qos_bulk = IPTOS_THROUGHPUT;
+               else
+#endif
                options->ip_qos_bulk = IPTOS_DSCP_CS1;
        if (options->request_tty == -1)
                options->request_tty = REQUEST_TTY_AUTO;
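Review bot: The `#ifdef` splices an unbraced `if (vmwguest) ... else` into the body of the unbraced `if (options->ip_qos_interactive == -1)`, and the `ip_qos_bulk` block below repeats the pattern. It parses as intended today, but the trailing `else` before `#endif` makes the following assignment depend on the preprocessor state, so a later edit can easily change which statement the outer `if` guards. Declaring `int vmwguest = 0;` outside the `#ifdef` in the earlier hunk would let both sites become single statements: `options->ip_qos_interactive = vmwguest ? IPTOS_LOWDELAY : IPTOS_DSCP_AF21;` and `options->ip_qos_bulk = vmwguest ? IPTOS_THROUGHPUT : IPTOS_DSCP_CS1;`. The function body extends beyond this hunk on both sides.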
diff --git a/secure/usr.bin/ssh/Makefile b/secure/usr.bin/ssh/Makefile
index 614cc7627fc5..023fa4a55be9 100644
--- a/secure/usr.bin/ssh/Makefile
+++ b/secure/usr.bin/ssh/Makefile
@@ -37,6 +37,9 @@ LIBADD+=      crypto
 CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\"
 .endif
 
+# Workaround VMware Workstation NAT bug
+CFLAGS+=-DVMWARE_GUEST_WORKAROUND
+
 .include <bsd.prog.mk>
 
 .PATH: ${SSHDIR}
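Review bot: The comment above the new `CFLAGS` line does not say what the define changes or when it can go away, and the flag is enabled unconditionally for every build of ssh. I would expand it to something like `# Workaround for VMware Workstation NAT bug: use the pre-7.8p1 IPQoS defaults (lowdelay/throughput) when kern.vm_guest is "vmware"; remove once fixed.` and reference one of the bug reports from the message. Since the message calls this a stopgap, guarding the define behind a build option would let it be turned off without editing the Makefile.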
