> I am using Cygwin stunnel 5.71 on Windows 11 to connect to 'ssh' into my > Ubuntu > server over 'stunnel'. > > - The first time I ssh via stunnel it works fine The second time, I > - try to connect, it hangs with 'ssh -v' showing only the initial > local steps of connection: > > OpenSSH_9.5p1, OpenSSL 3.0.12 24 Oct 2023 > debug1: Reading configuration data /home/myuser/.ssh/config > debug1: Reading configuration data /etc/ssh_config > debug1: Connecting to localhost [::1] port 2222. > debug1: Connection established. > debug1: identity file /home/myuser/.ssh/id_rsa type 0 > debug1: identity file /home/myuser/.ssh/id_rsa-cert type -1 > debug1: identity file /home/myuser/.ssh/id_ecdsa type -1 > debug1: identity file /home/myuser/.ssh/id_ecdsa-cert type -1 > debug1: identity file /home/myuser/.ssh/id_ecdsa_sk type -1 > debug1: identity file /home/myuser/.ssh/id_ecdsa_sk-cert type -1 > debug1: identity file /home/myuser/.ssh/id_ed25519 type -1 > debug1: identity file /home/myuser/.ssh/id_ed25519-cert type -1 > debug1: identity file /home/myuser/.ssh/id_ed25519_sk type -1 > debug1: identity file /home/myuser/.ssh/id_ed25519_sk-cert type -1 > debug1: identity file /home/myuser/.ssh/id_xmss type -1 > debug1: identity file /home/myuser/.ssh/id_xmss-cert type -1 > debug1: identity file /home/myuser/.ssh/id_dsa type -1 > debug1: identity file /home/myuser/.ssh/id_dsa-cert type -1 > debug1: Local version string SSH-2.0-OpenSSH_9.5 > > and '/var/log/stunnel' on the Cygwin client failing early: > > LOG7[main]: Found 1 ready file descriptor(s) > LOG7[main]: FD=4 events=0x1 revents=0x0 > LOG7[main]: FD=8 events=0x1 revents=0x1 > LOG7[main]: FD=10 events=0x1 revents=0x0 > LOG7[main]: Service [ssh] accepted (FD=3) from ::1:52718 > > > - If I connect a *third* (or more times), 'ssh -v' hangs with the same > output as above, but there is *no* additional logging in > '/var/log/stunnel' on the client. > > > It thus is acting as if 'stunnel' on the Cygwin client itself somehow > hangs/becomes unresponsive early in the second 'ssh' connection > attempt. > > Note that the client '/usr/bin/stunnel/ process continues to run so it > doesn't crash. > > Killing and relaunching /usr/bin/stunnel restarts the situation > allowing me to ssh-over-stunel OK on the first attempt but again > hanging on the 2nd and subsequent 'ssh' attempts > > Also, the 'stunnel' server on Ubuntu continues to run throughout since > I can continue to ssh-over-stunnel into it from other machines. > > It doesn't *seem* to be a firewall problem, since it connects fine the > first time. Nor does it seem to be a network or 'stunnel' server > problem. > > Any ideas on why this is happening?
Hi. I'm the stunnel maintainer for Cygwin. I don't know why stunnel would hang as you describe, but I'll try to help. I agree that your configuration of ssh over TLS is common - I used it myself for years. However as matthew patton suggests, there are other ways to get the same goal, that may let you work around this problem. One possibility that matthew didn't mention, is to run your ssh server on port 443, and connect directly to it with ssh - no TLS wrapper. Yes, that's non-standard, but if you can live with that, it might work fine for you and be simpler. My best understanding is that ssh and TLS are indistinguishable to an application firewall. But supposing you keep your current configuration. Can you please clarify how you're invoking stunnel? Do you have a ProxyCommand directive in your .ssh/config, like: ProxyCommand /usr/bin/stunnel stunnel.conf or is it some other way? I ask this because with ProxyCommand as above, you should get a separate stunnel process for each new ssh connection, and I can't think why they would interfere with each other. Andrew -- Problem reports: https://cygwin.com/problems.html FAQ: https://cygwin.com/faq/ Documentation: https://cygwin.com/docs.html Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple
