On Thu, Aug 28, 2008 at 03:10:01PM +0200, Reinhold Trocker wrote: > the provided patch did not help but I have found the problem: > it is the part > "If we don't expect to open a new session, then disallow it" > in ssh.c > which did "debug1: Requesting [EMAIL PROTECTED]" > > I commented it out completely and it works > So there is no need to have a new NetScreen line in compat.c
That code was not added frivolously; it does serve a real security-relevant purpose! The point of the compat.c stuff is to allow OpenSSH to behave differently when talking to systems known to be broken in certain ways. Although ssh still "works" when this code is removed, it is weaker, as this entry from the 5.1 release notes shows: * Added a [EMAIL PROTECTED] global request extension that is sent from ssh(1) to sshd(8) when the client knows that it will never request another session (i.e. when session multiplexing is disabled). This allows a server to disallow further session requests and terminate the session in cases where the client has been hijacked. Anyway, it would surprise me if this were actually the real cause of the problem, rather than an unlucky request that always happens to sit on a packet boundary or something like that. ssh uses this kind of request in various places and there's surely no reason why [EMAIL PROTECTED] would break when e.g. tcpip-forward or [EMAIL PROTECTED] (as far as I know) doesn't. I think perhaps we need somebody to get in contact with NetScreen and find out what the actual bug is, rather than guessing. It seems likely that that would be best done by a customer of NetScreen. -- Colin Watson [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]