** Description changed: [Impact] * The version check in ssh was broken no more following RFC 4253 and - thereby denying some clients that it shouldn't + thereby denying some clients that it shouldn't. - * Upstream fixed that and this is backporting the changes to bionic. + https://datatracker.ietf.org/doc/html/rfc4253#section-5.1 + + * It is intended for clients reporting SSH-1.99 to be treated as if + they were advertising SSH-2.0, but with some backwards compatibility. + + * Upstream fixed that, and this request is to back-port the changes into + 18.04 Bionic. + + * In practice this is affecting clients using the SolarWinds monitoring + agent. Solarwinds SSH client advertises SSH-1.99 and Ubuntu 18.04 + openssh-server is refusing the connection. + + * This results in the following error in the auth.log, and a failed + connection from the agent. + + Protocol major versions differ for <IP> port <port>: + SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-WeOnlyDo.Net + + * More information from SolarWinds at the link below. They call out + 18.04 as affected and recommend upgrading OpenSSH-server to 7.7 or + greater. + + https://support.solarwinds.com/SuccessCenter/s/article/SAM-s-Linux-Unix- + Script-monitor-fails-to-connect-on-a-server-running- + OpenSSH-7-6?language=en_US [Test Case] # Prep * configure the ssh server to generally work # Testcase $ wget https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+attachment/5332797/+files/test_bug_1863930.py $ apt install python3-paramiko $ python3 test_bug_1863930.py localhost (or whatever your host is) Will report "Server is not patched." or "Server is patched. 
- * for an extra regression check it might be worth to do some "normal" ssh - connections as well + * for an extra regression check it might be worth to do some "normal" ssh + connections as well [Regression Potential] - * The change is very small and reviewable as well as being upstream and - in all Ubuntu releases >=Cosmic for a while now so it seems safe. - If anything the kind of regression to expect is that some former - (wrong) connection denials will then succeed. I can only think of - that being an issue in test suites but not in the real world. + * The change is very small and reviewable as well as being upstream and + in all Ubuntu releases >=Cosmic for a while now so it seems safe. + If anything the kind of regression to expect is that some former + (wrong) connection denials will then succeed. I can only think of + that being an issue in test suites but not in the real world. [Other Info] * n/a -- SSHD closes the connection and logs the error message below when a client presents a protoversion of "1.99": Protocol major versions differ for X.X.X.X port X: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-XXX RFC 4253 only states that clients should treat a server's protoversion of "1.99" as equivalent to "2.0"; however, some backward-compatible clients send a protoversion of "1.99" and expect the server to treat it as "2.0". This regression was introduced in openssh-portable 7.6p1 from commit 97f4d3083; fixes were implemented in commits 9e9c4a7e5 and c9c1bba06. I've attached a patch with both of those fixes.
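Review bot: the added [Impact] bullet "It is intended for clients reporting SSH-1.99 to be treated as if they were advertising SSH-2.0" sits directly under the RFC 4253 section 5.1 link and reads as an RFC requirement, while the unchanged original report further down says the RFC only covers clients seeing a server's "1.99". Suggest wording the bullet as the behaviour upstream restored rather than as something the RFC mandates. The added text also spells the vendor both "SolarWinds" and "Solarwinds", and the unchanged test-case line 'or "Server is patched.' is still missing its closing quote.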
https://bugs.launchpad.net/bugs/1863930

Title:
  SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Bionic:
  Incomplete

Bug description:
  [Impact]

   * The version check in ssh was broken, no longer following RFC 4253 and
     thereby denying some clients that it shouldn't.

     https://datatracker.ietf.org/doc/html/rfc4253#section-5.1

   * It is intended for clients reporting SSH-1.99 to be treated as if
     they were advertising SSH-2.0, but with some backwards compatibility.

   * Upstream fixed that, and this request is to back-port the changes into
     18.04 Bionic.

   * In practice this is affecting clients using the SolarWinds monitoring
     agent. SolarWinds SSH client advertises SSH-1.99 and Ubuntu 18.04
     openssh-server is refusing the connection.

   * This results in the following error in the auth.log, and a failed
     connection from the agent.

     Protocol major versions differ for <IP> port <port>:
     SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-WeOnlyDo.Net

   * More information from SolarWinds at the link below. They call out
     18.04 as affected and recommend upgrading OpenSSH-server to 7.7 or
     greater.

     https://support.solarwinds.com/SuccessCenter/s/article/SAM-s-Linux-Unix-Script-monitor-fails-to-connect-on-a-server-running-OpenSSH-7-6?language=en_US

  [Test Case]

   # Prep
   * configure the ssh server to generally work

   # Testcase
   $ wget https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+attachment/5332797/+files/test_bug_1863930.py
   $ apt install python3-paramiko
   $ python3 test_bug_1863930.py localhost (or whatever your host is)
   Will report "Server is not patched." or "Server is patched."

   * for an extra regression check it might be worth doing some "normal" ssh
     connections as well

  [Regression Potential]

   * The change is very small and reviewable as well as being upstream and
     in all Ubuntu releases >=Cosmic for a while now so it seems safe.
     If anything the kind of regression to expect is that some former
     (wrong) connection denials will then succeed. I can only think of
     that being an issue in test suites but not in the real world.

  [Other Info]

   * n/a

  --

  SSHD closes the connection and logs the error message below when a
  client presents a protoversion of "1.99":

  Protocol major versions differ for X.X.X.X port X:
  SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-XXX

  RFC 4253 only states that clients should treat a server's protoversion
  of "1.99" as equivalent to "2.0"; however, some backward-compatible
  clients send a protoversion of "1.99" and expect the server to treat it
  as "2.0".

  This regression was introduced in openssh-portable 7.6p1 from commit
  97f4d3083; fixes were implemented in commits 9e9c4a7e5 and c9c1bba06.
  I've attached a patch with both of those fixes.
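An added example, not part of the bug report and not OpenSSH code: a triage helper for auth.log that separates peers refused only because they advertise SSH-1.99 from peers that really speak SSH-1. It assumes the message is logged on one line behind a syslog prefix and that a true SSH-1 client triggers the same message; the function names and sample lines are hypothetical.

```python
import re

# Identification string: SSH-<major>.<minor>-<softwareversion>
BANNER = re.compile(r"SSH-(\d+)\.(\d+)-\S+")
# sshd message as quoted in the bug report; a syslog prefix may precede it.
REJECT = re.compile(
    r"Protocol major versions differ for (\S+) port (\d+): "
    r"(SSH-.*?) vs\. (SSH-\S+)"
)


def speaks_v2(banner):
    """True for protoversion 2.x, or 1.99 handled as 2.0 (the restored behaviour)."""
    m = BANNER.match(banner)
    if not m:
        return False
    major, minor = int(m.group(1)), int(m.group(2))
    return major == 2 or (major == 1 and minor == 99)


def triage(lines):
    """Return (wrongly_refused, genuine_ssh1) lists of (ip, port, client_banner)."""
    wrongly_refused, genuine_ssh1 = [], []
    for line in lines:
        m = REJECT.search(line)
        if not m:
            continue
        ip, port, _server, client = m.groups()
        bucket = wrongly_refused if speaks_v2(client) else genuine_ssh1
        bucket.append((ip, int(port), client))
    return wrongly_refused, genuine_ssh1


# Constructed sample: timestamps, host name, PIDs, addresses and the SSH-1.5
# client are invented; the message text follows the one quoted in the report.
SAMPLE = [
    "Feb 20 09:14:02 host1 sshd[2211]: Protocol major versions differ for "
    "192.0.2.10 port 50122: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. "
    "SSH-1.99-WeOnlyDo.Net",
    "Feb 20 09:15:40 host1 sshd[2240]: Protocol major versions differ for "
    "198.51.100.7 port 40022: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. "
    "SSH-1.5-legacyclient",
    "Feb 20 09:16:05 host1 sshd[2251]: Accepted publickey for admin from "
    "192.0.2.20 port 50200 ssh2",
]

if __name__ == "__main__":
    refused, ssh1 = triage(SAMPLE)
    for ip, port, client in refused:
        print(f"refused by the regression: {ip}:{port} {client}")
    for ip, port, client in ssh1:
        print(f"real SSH-1 peer: {ip}:{port} {client}")
```

Peers in the first list are the ones expected to connect once the server carries the fix; peers in the second list would still be refused.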