[Touch-packages] [Bug 1863930] Re: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3
** Tags removed: server-next -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1863930 Title: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3 Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Bionic: Incomplete Bug description: [Impact] * The version check in ssh was broken no more following RFC 4253 and thereby denying some clients that it shouldn't * Upstream fixed that and this is backporting the changes to bionic. [Test Case] # Prep * configure the ssh server to generally work # Testcase $ wget https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+attachment/5332797/+files/test_bug_1863930.py $ apt install python3-paramiko $ python3 test_bug_1863930.py localhost (or whatever your host is) Will report "Server is not patched." or "Server is patched. * for an extra regression check it might be worth to do some "normal" ssh connections as well [Regression Potential] * The change is very small and reviewable as well as being upstream and in all Ubuntu releases >=Cosmic for a while now so it seems safe. If anything the kind of regression to expect is that some former (wrong) connection denials will then succeed. I can only think of that being an issue in test suites but not in the real world. [Other Info] * n/a -- SSHD closes the connection and logs the error message below when a client presents a protoversion of "1.99": Protocol major versions differ for X.X.X.X port X: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-XXX RFC 4253 only states that clients should treat a server's protoversion of "1.99" as equivalent to "2.0"; however, some backward-compatible clients send a protoversion of "1.99" and expect the server to treat it as "2.0". This regression was introduced in openssh-portable 7.6p1 from commit 97f4d3083; fixes were implemented in commits 9e9c4a7e5 and c9c1bba06. I've attached a patch with both of those fixes. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1863930] Re: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3
** Description changed: [Impact] * The version check in ssh was broken no more following RFC 4253 and - thereby denying some clients that it shouldn't + thereby denying some clients that it shouldn't. - * Upstream fixed that and this is backporting the changes to bionic. +https://datatracker.ietf.org/doc/html/rfc4253#section-5.1 + + * It is intended for clients reporting SSH-1.99 to be treated as if +they were advertising SSH-2.0, but with some backwards compatibility. + + * Upstream fixed that, and this request is to back-port the changes into +18.04 Bionic. + + * In practice this is affecting clients using the SolarWinds monitoring + agent. Solarwinds SSH client advertises SSH-1.99 and Ubuntu 18.04 + openssh-server is refusing the connection. + + * This results in the following error in the auth.log, and a failed + connection from the agent. + + Protocol major versions differ for port : + SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-WeOnlyDo.Net + + * More information from SolarWinds at the link below. They call out + 18.04 as affected and recommend upgrading OpenSSH-server to 7.7 or + greater. + + https://support.solarwinds.com/SuccessCenter/s/article/SAM-s-Linux-Unix- + Script-monitor-fails-to-connect-on-a-server-running- + OpenSSH-7-6?language=en_US [Test Case] # Prep * configure the ssh server to generally work # Testcase $ wget https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+attachment/5332797/+files/test_bug_1863930.py $ apt install python3-paramiko $ python3 test_bug_1863930.py localhost (or whatever your host is) Will report "Server is not patched." or "Server is patched. - * for an extra regression check it might be worth to do some "normal" ssh -connections as well + * for an extra regression check it might be worth to do some "normal" ssh + connections as well [Regression Potential] - * The change is very small and reviewable as well as being upstream and -in all Ubuntu releases >=Cosmic for a while now so it seems safe. -If anything the kind of regression to expect is that some former -(wrong) connection denials will then succeed. I can only think of -that being an issue in test suites but not in the real world. + * The change is very small and reviewable as well as being upstream and + in all Ubuntu releases >=Cosmic for a while now so it seems safe. + If anything the kind of regression to expect is that some former + (wrong) connection denials will then succeed. I can only think of + that being an issue in test suites but not in the real world. [Other Info] * n/a -- SSHD closes the connection and logs the error message below when a client presents a protoversion of "1.99": Protocol major versions differ for X.X.X.X port X: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-XXX RFC 4253 only states that clients should treat a server's protoversion of "1.99" as equivalent to "2.0"; however, some backward-compatible clients send a protoversion of "1.99" and expect the server to treat it as "2.0". This regression was introduced in openssh-portable 7.6p1 from commit 97f4d3083; fixes were implemented in commits 9e9c4a7e5 and c9c1bba06. I've attached a patch with both of those fixes. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1863930 Title: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3 Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Bionic: Incomplete Bug description: [Impact] * The version check in ssh was broken no more following RFC 4253 and thereby denying some clients that it shouldn't. https://datatracker.ietf.org/doc/html/rfc4253#section-5.1 * It is intended for clients reporting SSH-1.99 to be treated as if they were advertising SSH-2.0, but with some backwards compatibility. * Upstream fixed that, and this request is to back-port the changes into 18.04 Bionic. * In practice this is affecting clients using the SolarWinds monitoring agent. Solarwinds SSH client advertises SSH-1.99 and Ubuntu 18.04 openssh-server is refusing the connection. * This results in the following error in the auth.log, and a failed connection from the agent. Protocol major versions differ for port : SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-WeOnlyDo.Net * More information from SolarWinds at the link below. They call out 18.04 as affected and recommend upgrading OpenSSH-server to 7.7 or greater. https://support.solarwinds.com/SuccessCenter/s/article/SAM-s-Linux- Unix-Script-monitor-fails-to-connect-on-a-server-running- OpenSSH-7-6?language=en_US [Test Case] # Prep * configure the ssh server to generally work # Test
[Touch-packages] [Bug 1863930] Re: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3
Canonical client has opened a case regarding this as a current issue preventing them from upgrading their systems from 14.04 to 18.04. This blocker is due to the version of openssh-server on Bionic not allowing the SolarWinds monitoring agent to establish a successful SSH connection, as it advertises SSH-1.99 as the protocol. I have updated the Impact statement in the initial comment with further information and references. Please re-evaluate this bug as having a current impact on some clients. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1863930 Title: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3 Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Bionic: Incomplete Bug description: [Impact] * The version check in ssh was broken no more following RFC 4253 and thereby denying some clients that it shouldn't. https://datatracker.ietf.org/doc/html/rfc4253#section-5.1 * It is intended for clients reporting SSH-1.99 to be treated as if they were advertising SSH-2.0, but with some backwards compatibility. * Upstream fixed that, and this request is to back-port the changes into 18.04 Bionic. * In practice this is affecting clients using the SolarWinds monitoring agent. Solarwinds SSH client advertises SSH-1.99 and Ubuntu 18.04 openssh-server is refusing the connection. * This results in the following error in the auth.log, and a failed connection from the agent. Protocol major versions differ for port : SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-WeOnlyDo.Net * More information from SolarWinds at the link below. They call out 18.04 as affected and recommend upgrading OpenSSH-server to 7.7 or greater. https://support.solarwinds.com/SuccessCenter/s/article/SAM-s-Linux- Unix-Script-monitor-fails-to-connect-on-a-server-running- OpenSSH-7-6?language=en_US [Test Case] # Prep * configure the ssh server to generally work # Testcase $ wget https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+attachment/5332797/+files/test_bug_1863930.py $ apt install python3-paramiko $ python3 test_bug_1863930.py localhost (or whatever your host is) Will report "Server is not patched." or "Server is patched. * for an extra regression check it might be worth to do some "normal" ssh connections as well [Regression Potential] * The change is very small and reviewable as well as being upstream and in all Ubuntu releases >=Cosmic for a while now so it seems safe. If anything the kind of regression to expect is that some former (wrong) connection denials will then succeed. I can only think of that being an issue in test suites but not in the real world. [Other Info] * n/a -- SSHD closes the connection and logs the error message below when a client presents a protoversion of "1.99": Protocol major versions differ for X.X.X.X port X: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-XXX RFC 4253 only states that clients should treat a server's protoversion of "1.99" as equivalent to "2.0"; however, some backward-compatible clients send a protoversion of "1.99" and expect the server to treat it as "2.0". This regression was introduced in openssh-portable 7.6p1 from commit 97f4d3083; fixes were implemented in commits 9e9c4a7e5 and c9c1bba06. I've attached a patch with both of those fixes. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1863930] Re: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3
** Changed in: openssh (Ubuntu Bionic) Assignee: Christian Ehrhardt (paelzer) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1863930 Title: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3 Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Bionic: Incomplete Bug description: [Impact] * The version check in ssh was broken no more following RFC 4253 and thereby denying some clients that it shouldn't. https://datatracker.ietf.org/doc/html/rfc4253#section-5.1 * It is intended for clients reporting SSH-1.99 to be treated as if they were advertising SSH-2.0, but with some backwards compatibility. * Upstream fixed that, and this request is to back-port the changes into 18.04 Bionic. * In practice this is affecting clients using the SolarWinds monitoring agent. Solarwinds SSH client advertises SSH-1.99 and Ubuntu 18.04 openssh-server is refusing the connection. * This results in the following error in the auth.log, and a failed connection from the agent. Protocol major versions differ for port : SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-WeOnlyDo.Net * More information from SolarWinds at the link below. They call out 18.04 as affected and recommend upgrading OpenSSH-server to 7.7 or greater. https://support.solarwinds.com/SuccessCenter/s/article/SAM-s-Linux- Unix-Script-monitor-fails-to-connect-on-a-server-running- OpenSSH-7-6?language=en_US [Test Case] # Prep * configure the ssh server to generally work # Testcase $ wget https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+attachment/5332797/+files/test_bug_1863930.py $ apt install python3-paramiko $ python3 test_bug_1863930.py localhost (or whatever your host is) Will report "Server is not patched." or "Server is patched. * for an extra regression check it might be worth to do some "normal" ssh connections as well [Regression Potential] * The change is very small and reviewable as well as being upstream and in all Ubuntu releases >=Cosmic for a while now so it seems safe. If anything the kind of regression to expect is that some former (wrong) connection denials will then succeed. I can only think of that being an issue in test suites but not in the real world. [Other Info] * n/a -- SSHD closes the connection and logs the error message below when a client presents a protoversion of "1.99": Protocol major versions differ for X.X.X.X port X: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-XXX RFC 4253 only states that clients should treat a server's protoversion of "1.99" as equivalent to "2.0"; however, some backward-compatible clients send a protoversion of "1.99" and expect the server to treat it as "2.0". This regression was introduced in openssh-portable 7.6p1 from commit 97f4d3083; fixes were implemented in commits 9e9c4a7e5 and c9c1bba06. I've attached a patch with both of those fixes. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1863930] Re: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3
As per Mark's description, this seems to fall in the > - some reasonable cases exists, but are very rare: SRU it but hold the release in block-proposed until the next "important" update comes case described above. ** Tags added: server-todo -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1863930 Title: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3 Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Bionic: Incomplete Bug description: [Impact] * The version check in ssh was broken no more following RFC 4253 and thereby denying some clients that it shouldn't. https://datatracker.ietf.org/doc/html/rfc4253#section-5.1 * It is intended for clients reporting SSH-1.99 to be treated as if they were advertising SSH-2.0, but with some backwards compatibility. * Upstream fixed that, and this request is to back-port the changes into 18.04 Bionic. * In practice this is affecting clients using the SolarWinds monitoring agent. Solarwinds SSH client advertises SSH-1.99 and Ubuntu 18.04 openssh-server is refusing the connection. * This results in the following error in the auth.log, and a failed connection from the agent. Protocol major versions differ for port : SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-WeOnlyDo.Net * More information from SolarWinds at the link below. They call out 18.04 as affected and recommend upgrading OpenSSH-server to 7.7 or greater. https://support.solarwinds.com/SuccessCenter/s/article/SAM-s-Linux- Unix-Script-monitor-fails-to-connect-on-a-server-running- OpenSSH-7-6?language=en_US [Test Case] # Prep * configure the ssh server to generally work # Testcase $ wget https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+attachment/5332797/+files/test_bug_1863930.py $ apt install python3-paramiko $ python3 test_bug_1863930.py localhost (or whatever your host is) Will report "Server is not patched." or "Server is patched. * for an extra regression check it might be worth to do some "normal" ssh connections as well [Regression Potential] * The change is very small and reviewable as well as being upstream and in all Ubuntu releases >=Cosmic for a while now so it seems safe. If anything the kind of regression to expect is that some former (wrong) connection denials will then succeed. I can only think of that being an issue in test suites but not in the real world. [Other Info] * n/a -- SSHD closes the connection and logs the error message below when a client presents a protoversion of "1.99": Protocol major versions differ for X.X.X.X port X: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-XXX RFC 4253 only states that clients should treat a server's protoversion of "1.99" as equivalent to "2.0"; however, some backward-compatible clients send a protoversion of "1.99" and expect the server to treat it as "2.0". This regression was introduced in openssh-portable 7.6p1 from commit 97f4d3083; fixes were implemented in commits 9e9c4a7e5 and c9c1bba06. I've attached a patch with both of those fixes. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1863930] Re: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3
** Changed in: openssh (Ubuntu Bionic) Assignee: (unassigned) => Heitor Alves de Siqueira (halves) ** Changed in: openssh (Ubuntu Bionic) Importance: Low => High ** Changed in: openssh (Ubuntu Bionic) Importance: High => Medium -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1863930 Title: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3 Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Bionic: Incomplete Bug description: [Impact] * The version check in ssh was broken no more following RFC 4253 and thereby denying some clients that it shouldn't. https://datatracker.ietf.org/doc/html/rfc4253#section-5.1 * It is intended for clients reporting SSH-1.99 to be treated as if they were advertising SSH-2.0, but with some backwards compatibility. * Upstream fixed that, and this request is to back-port the changes into 18.04 Bionic. * In practice this is affecting clients using the SolarWinds monitoring agent. Solarwinds SSH client advertises SSH-1.99 and Ubuntu 18.04 openssh-server is refusing the connection. * This results in the following error in the auth.log, and a failed connection from the agent. Protocol major versions differ for port : SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-WeOnlyDo.Net * More information from SolarWinds at the link below. They call out 18.04 as affected and recommend upgrading OpenSSH-server to 7.7 or greater. https://support.solarwinds.com/SuccessCenter/s/article/SAM-s-Linux- Unix-Script-monitor-fails-to-connect-on-a-server-running- OpenSSH-7-6?language=en_US [Test Case] # Prep * configure the ssh server to generally work # Testcase $ wget https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+attachment/5332797/+files/test_bug_1863930.py $ apt install python3-paramiko $ python3 test_bug_1863930.py localhost (or whatever your host is) Will report "Server is not patched." or "Server is patched. * for an extra regression check it might be worth to do some "normal" ssh connections as well [Regression Potential] * The change is very small and reviewable as well as being upstream and in all Ubuntu releases >=Cosmic for a while now so it seems safe. If anything the kind of regression to expect is that some former (wrong) connection denials will then succeed. I can only think of that being an issue in test suites but not in the real world. [Other Info] * n/a -- SSHD closes the connection and logs the error message below when a client presents a protoversion of "1.99": Protocol major versions differ for X.X.X.X port X: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-XXX RFC 4253 only states that clients should treat a server's protoversion of "1.99" as equivalent to "2.0"; however, some backward-compatible clients send a protoversion of "1.99" and expect the server to treat it as "2.0". This regression was introduced in openssh-portable 7.6p1 from commit 97f4d3083; fixes were implemented in commits 9e9c4a7e5 and c9c1bba06. I've attached a patch with both of those fixes. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1863930] Re: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3
** Tags removed: server-todo -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1863930 Title: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3 Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Bionic: Incomplete Bug description: [Impact] * The version check in ssh was broken no more following RFC 4253 and thereby denying some clients that it shouldn't. https://datatracker.ietf.org/doc/html/rfc4253#section-5.1 * It is intended for clients reporting SSH-1.99 to be treated as if they were advertising SSH-2.0, but with some backwards compatibility. * Upstream fixed that, and this request is to back-port the changes into 18.04 Bionic. * In practice this is affecting clients using the SolarWinds monitoring agent. Solarwinds SSH client advertises SSH-1.99 and Ubuntu 18.04 openssh-server is refusing the connection. * This results in the following error in the auth.log, and a failed connection from the agent. Protocol major versions differ for port : SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-WeOnlyDo.Net * More information from SolarWinds at the link below. They call out 18.04 as affected and recommend upgrading OpenSSH-server to 7.7 or greater. https://support.solarwinds.com/SuccessCenter/s/article/SAM-s-Linux- Unix-Script-monitor-fails-to-connect-on-a-server-running- OpenSSH-7-6?language=en_US [Test Case] # Prep * configure the ssh server to generally work # Testcase $ wget https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+attachment/5332797/+files/test_bug_1863930.py $ apt install python3-paramiko $ python3 test_bug_1863930.py localhost (or whatever your host is) Will report "Server is not patched." or "Server is patched. * for an extra regression check it might be worth to do some "normal" ssh connections as well [Regression Potential] * The change is very small and reviewable as well as being upstream and in all Ubuntu releases >=Cosmic for a while now so it seems safe. If anything the kind of regression to expect is that some former (wrong) connection denials will then succeed. I can only think of that being an issue in test suites but not in the real world. [Other Info] * n/a -- SSHD closes the connection and logs the error message below when a client presents a protoversion of "1.99": Protocol major versions differ for X.X.X.X port X: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-XXX RFC 4253 only states that clients should treat a server's protoversion of "1.99" as equivalent to "2.0"; however, some backward-compatible clients send a protoversion of "1.99" and expect the server to treat it as "2.0". This regression was introduced in openssh-portable 7.6p1 from commit 97f4d3083; fixes were implemented in commits 9e9c4a7e5 and c9c1bba06. I've attached a patch with both of those fixes. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1863930] Re: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3
ACK from the security team on the changes in the MP. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1863930 Title: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3 Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Bionic: Incomplete Bug description: [Impact] * The version check in ssh was broken no more following RFC 4253 and thereby denying some clients that it shouldn't. https://datatracker.ietf.org/doc/html/rfc4253#section-5.1 * It is intended for clients reporting SSH-1.99 to be treated as if they were advertising SSH-2.0, but with some backwards compatibility. * Upstream fixed that, and this request is to back-port the changes into 18.04 Bionic. * In practice this is affecting clients using the SolarWinds monitoring agent. Solarwinds SSH client advertises SSH-1.99 and Ubuntu 18.04 openssh-server is refusing the connection. * This results in the following error in the auth.log, and a failed connection from the agent. Protocol major versions differ for port : SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-WeOnlyDo.Net * More information from SolarWinds at the link below. They call out 18.04 as affected and recommend upgrading OpenSSH-server to 7.7 or greater. https://support.solarwinds.com/SuccessCenter/s/article/SAM-s-Linux- Unix-Script-monitor-fails-to-connect-on-a-server-running- OpenSSH-7-6?language=en_US [Test Case] # Prep * configure the ssh server to generally work # Testcase $ wget https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+attachment/5332797/+files/test_bug_1863930.py $ apt install python3-paramiko $ python3 test_bug_1863930.py localhost (or whatever your host is) Will report "Server is not patched." or "Server is patched. * for an extra regression check it might be worth to do some "normal" ssh connections as well [Regression Potential] * The change is very small and reviewable as well as being upstream and in all Ubuntu releases >=Cosmic for a while now so it seems safe. If anything the kind of regression to expect is that some former (wrong) connection denials will then succeed. I can only think of that being an issue in test suites but not in the real world. [Other Info] * n/a -- SSHD closes the connection and logs the error message below when a client presents a protoversion of "1.99": Protocol major versions differ for X.X.X.X port X: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-XXX RFC 4253 only states that clients should treat a server's protoversion of "1.99" as equivalent to "2.0"; however, some backward-compatible clients send a protoversion of "1.99" and expect the server to treat it as "2.0". This regression was introduced in openssh-portable 7.6p1 from commit 97f4d3083; fixes were implemented in commits 9e9c4a7e5 and c9c1bba06. I've attached a patch with both of those fixes. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1863930] Re: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3
** Changed in: openssh (Ubuntu Bionic) Status: Incomplete => In Progress ** Tags added: sts sts-sponsor-halves -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1863930 Title: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3 Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Bionic: In Progress Bug description: [Impact] * The version check in ssh was broken no more following RFC 4253 and thereby denying some clients that it shouldn't. https://datatracker.ietf.org/doc/html/rfc4253#section-5.1 * It is intended for clients reporting SSH-1.99 to be treated as if they were advertising SSH-2.0, but with some backwards compatibility. * Upstream fixed that, and this request is to back-port the changes into 18.04 Bionic. * In practice this is affecting clients using the SolarWinds monitoring agent. Solarwinds SSH client advertises SSH-1.99 and Ubuntu 18.04 openssh-server is refusing the connection. * This results in the following error in the auth.log, and a failed connection from the agent. Protocol major versions differ for port : SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-WeOnlyDo.Net * More information from SolarWinds at the link below. They call out 18.04 as affected and recommend upgrading OpenSSH-server to 7.7 or greater. https://support.solarwinds.com/SuccessCenter/s/article/SAM-s-Linux- Unix-Script-monitor-fails-to-connect-on-a-server-running- OpenSSH-7-6?language=en_US [Test Case] # Prep * configure the ssh server to generally work # Testcase $ wget https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+attachment/5332797/+files/test_bug_1863930.py $ apt install python3-paramiko $ python3 test_bug_1863930.py localhost (or whatever your host is) Will report "Server is not patched." or "Server is patched. * for an extra regression check it might be worth to do some "normal" ssh connections as well [Regression Potential] * The change is very small and reviewable as well as being upstream and in all Ubuntu releases >=Cosmic for a while now so it seems safe. If anything the kind of regression to expect is that some former (wrong) connection denials will then succeed. I can only think of that being an issue in test suites but not in the real world. [Other Info] * n/a -- SSHD closes the connection and logs the error message below when a client presents a protoversion of "1.99": Protocol major versions differ for X.X.X.X port X: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-XXX RFC 4253 only states that clients should treat a server's protoversion of "1.99" as equivalent to "2.0"; however, some backward-compatible clients send a protoversion of "1.99" and expect the server to treat it as "2.0". This regression was introduced in openssh-portable 7.6p1 from commit 97f4d3083; fixes were implemented in commits 9e9c4a7e5 and c9c1bba06. I've attached a patch with both of those fixes. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1863930] Re: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3
Server-Team: As you see in the bug-history we (Server Team) have ourselves stopped working on this believing it might be too much of a corner case waiting for it to come back. But that come-back has happened by even more people reporting to be affected. Therefore - as much as it initially seems to be just a corner case - as of today I do believe that there is a real case for this fix and releasing it IMHO seems to be the right choice. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1863930 Title: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3 Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Bionic: Fix Committed Bug description: [Impact] * The version check in ssh was broken no more following RFC 4253 and thereby denying some clients that it shouldn't. https://datatracker.ietf.org/doc/html/rfc4253#section-5.1 * It is intended for clients reporting SSH-1.99 to be treated as if they were advertising SSH-2.0, but with some backwards compatibility. * Upstream fixed that, and this request is to back-port the changes into 18.04 Bionic. * In practice this is affecting clients using the SolarWinds monitoring agent. Solarwinds SSH client advertises SSH-1.99 and Ubuntu 18.04 openssh-server is refusing the connection. * This results in the following error in the auth.log, and a failed connection from the agent. Protocol major versions differ for port : SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-WeOnlyDo.Net * More information from SolarWinds at the link below. They call out 18.04 as affected and recommend upgrading OpenSSH-server to 7.7 or greater. https://support.solarwinds.com/SuccessCenter/s/article/SAM-s-Linux- Unix-Script-monitor-fails-to-connect-on-a-server-running- OpenSSH-7-6?language=en_US [Test Case] # Prep * configure the ssh server to generally work # Testcase $ wget https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+attachment/5332797/+files/test_bug_1863930.py $ apt install python3-paramiko $ python3 test_bug_1863930.py localhost (or whatever your host is) Will report "Server is not patched." or "Server is patched. * for an extra regression check it might be worth to do some "normal" ssh connections as well [Regression Potential] * The change is very small and reviewable as well as being upstream and in all Ubuntu releases >=Cosmic for a while now so it seems safe. If anything the kind of regression to expect is that some former (wrong) connection denials will then succeed. I can only think of that being an issue in test suites but not in the real world. [Other Info] * n/a -- SSHD closes the connection and logs the error message below when a client presents a protoversion of "1.99": Protocol major versions differ for X.X.X.X port X: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-XXX RFC 4253 only states that clients should treat a server's protoversion of "1.99" as equivalent to "2.0"; however, some backward-compatible clients send a protoversion of "1.99" and expect the server to treat it as "2.0". This regression was introduced in openssh-portable 7.6p1 from commit 97f4d3083; fixes were implemented in commits 9e9c4a7e5 and c9c1bba06. I've attached a patch with both of those fixes. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1863930] Re: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3
Validated according to test case from description: root@bionic-ssh:~# python3 test_bug_1863930.py localhost Server is patched root@bionic-ssh:~# dpkg -l | grep openssh ii openssh-client 1:7.6p1-4ubuntu0.6 amd64 secure shell (SSH) client, for secure access to remote machines ii openssh-server 1:7.6p1-4ubuntu0.6 amd64 secure shell (SSH) server, for secure access from remote machines ii openssh-sftp-server 1:7.6p1-4ubuntu0.6 amd64 secure shell (SSH) sftp server module, for SFTP access from remote machines Given we have an ACK from both Server and Security and this is affecting multiple users, I'll remove the blocked tag as well. ** Tags removed: block-proposed-bionic verification-needed verification-needed-bionic ** Tags added: verification-done verification-done-bionic -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1863930 Title: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3 Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Bionic: Fix Committed Bug description: [Impact] * The version check in ssh was broken no more following RFC 4253 and thereby denying some clients that it shouldn't. https://datatracker.ietf.org/doc/html/rfc4253#section-5.1 * It is intended for clients reporting SSH-1.99 to be treated as if they were advertising SSH-2.0, but with some backwards compatibility. * Upstream fixed that, and this request is to back-port the changes into 18.04 Bionic. * In practice this is affecting clients using the SolarWinds monitoring agent. Solarwinds SSH client advertises SSH-1.99 and Ubuntu 18.04 openssh-server is refusing the connection. * This results in the following error in the auth.log, and a failed connection from the agent. Protocol major versions differ for port : SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-WeOnlyDo.Net * More information from SolarWinds at the link below. They call out 18.04 as affected and recommend upgrading OpenSSH-server to 7.7 or greater. https://support.solarwinds.com/SuccessCenter/s/article/SAM-s-Linux- Unix-Script-monitor-fails-to-connect-on-a-server-running- OpenSSH-7-6?language=en_US [Test Case] # Prep * configure the ssh server to generally work # Testcase $ wget https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+attachment/5332797/+files/test_bug_1863930.py $ apt install python3-paramiko $ python3 test_bug_1863930.py localhost (or whatever your host is) Will report "Server is not patched." or "Server is patched. * for an extra regression check it might be worth to do some "normal" ssh connections as well [Regression Potential] * The change is very small and reviewable as well as being upstream and in all Ubuntu releases >=Cosmic for a while now so it seems safe. If anything the kind of regression to expect is that some former (wrong) connection denials will then succeed. I can only think of that being an issue in test suites but not in the real world. [Other Info] * n/a -- SSHD closes the connection and logs the error message below when a client presents a protoversion of "1.99": Protocol major versions differ for X.X.X.X port X: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-XXX RFC 4253 only states that clients should treat a server's protoversion of "1.99" as equivalent to "2.0"; however, some backward-compatible clients send a protoversion of "1.99" and expect the server to treat it as "2.0". This regression was introduced in openssh-portable 7.6p1 from commit 97f4d3083; fixes were implemented in commits 9e9c4a7e5 and c9c1bba06. I've attached a patch with both of those fixes. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1863930] Re: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3
This bug was fixed in the package openssh - 1:7.6p1-4ubuntu0.6 --- openssh (1:7.6p1-4ubuntu0.6) bionic; urgency=medium * fix clients advertising version 1.99 (LP: #1863930) - d/p/lp-1863930-Fix-logic-bug-in-sshd_exchange_identification.patch - d/p/lp-1863930-unbreak-clients-that-advertise-protocol.patch -- Christian Ehrhardt Tue, 03 Mar 2020 07:47:02 +0100 ** Changed in: openssh (Ubuntu Bionic) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1863930 Title: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3 Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Bionic: Fix Released Bug description: [Impact] * The version check in ssh was broken no more following RFC 4253 and thereby denying some clients that it shouldn't. https://datatracker.ietf.org/doc/html/rfc4253#section-5.1 * It is intended for clients reporting SSH-1.99 to be treated as if they were advertising SSH-2.0, but with some backwards compatibility. * Upstream fixed that, and this request is to back-port the changes into 18.04 Bionic. * In practice this is affecting clients using the SolarWinds monitoring agent. Solarwinds SSH client advertises SSH-1.99 and Ubuntu 18.04 openssh-server is refusing the connection. * This results in the following error in the auth.log, and a failed connection from the agent. Protocol major versions differ for port : SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-WeOnlyDo.Net * More information from SolarWinds at the link below. They call out 18.04 as affected and recommend upgrading OpenSSH-server to 7.7 or greater. https://support.solarwinds.com/SuccessCenter/s/article/SAM-s-Linux- Unix-Script-monitor-fails-to-connect-on-a-server-running- OpenSSH-7-6?language=en_US [Test Case] # Prep * configure the ssh server to generally work # Testcase $ wget https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+attachment/5332797/+files/test_bug_1863930.py $ apt install python3-paramiko $ python3 test_bug_1863930.py localhost (or whatever your host is) Will report "Server is not patched." or "Server is patched. * for an extra regression check it might be worth to do some "normal" ssh connections as well [Regression Potential] * The change is very small and reviewable as well as being upstream and in all Ubuntu releases >=Cosmic for a while now so it seems safe. If anything the kind of regression to expect is that some former (wrong) connection denials will then succeed. I can only think of that being an issue in test suites but not in the real world. [Other Info] * n/a -- SSHD closes the connection and logs the error message below when a client presents a protoversion of "1.99": Protocol major versions differ for X.X.X.X port X: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-XXX RFC 4253 only states that clients should treat a server's protoversion of "1.99" as equivalent to "2.0"; however, some backward-compatible clients send a protoversion of "1.99" and expect the server to treat it as "2.0". This regression was introduced in openssh-portable 7.6p1 from commit 97f4d3083; fixes were implemented in commits 9e9c4a7e5 and c9c1bba06. I've attached a patch with both of those fixes. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1863930] Re: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3
The attachment "protocol_major_version_mismatch_regression.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team. [This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.] ** Tags added: patch -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1863930 Title: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3 Status in openssh package in Ubuntu: New Bug description: SSHD closes the connection and logs the error message below when a client presents a protoversion of "1.99": Protocol major versions differ for X.X.X.X port X: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-XXX RFC 4253 only states that clients should treat a server's protoversion of "1.99" as equivalent to "2.0"; however, some backward-compatible clients send a protoversion of "1.99" and expect the server to treat it as "2.0". This regression was introduced in openssh-portable 7.6p1 from commit 97f4d3083; fixes were implemented in commits 9e9c4a7e5 and c9c1bba06. I've attached a patch with both of those fixes. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1863930] Re: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3
Thanks Kyle for the great report and prepping a fix already. offending: 97f4d3083 is in >=1%7.6p1-1 fix: 9e9c4a7e5 is in >=1%7.7p1-1 fix: c9c1bba06 is in >=1%7.7p1-1 Matching that with versions in Ubuntu means only Bionic should be affected. openssh | 1:5.9p1-5ubuntu1| precise | source openssh | 1:5.9p1-5ubuntu1.10 | precise-security | source openssh | 1:5.9p1-5ubuntu1.10 | precise-updates | source openssh | 1:6.6p1-2ubuntu1| trusty | source openssh | 1:6.6p1-2ubuntu2.13 | trusty-security | source openssh | 1:6.6p1-2ubuntu2.13 | trusty-updates | source openssh | 1:7.2p2-4 | xenial | source openssh | 1:7.2p2-4ubuntu2.8 | xenial-security | source openssh | 1:7.2p2-4ubuntu2.8 | xenial-updates | source openssh | 1:7.2p2-4ubuntu2.9 | xenial-proposed | source openssh | 1:7.6p1-4 | bionic | source openssh | 1:7.6p1-4ubuntu0.3 | bionic-security | source openssh | 1:7.6p1-4ubuntu0.3 | bionic-updates | source openssh | 1:7.6p1-4ubuntu0.4 | bionic-proposed | source openssh | 1:7.9p1-10 | disco| source openssh | 1:8.0p1-6build1 | eoan | source openssh | 1:8.0p1-6ubuntu0.1 | eoan-proposed| source openssh | 1:8.1p1-5 | focal| source openssh | 1:8.2p1-4 | focal-proposed | source @CJWatson - are you also doing the openssh SRUs or would you expect us to handle that? ** Tags added: server-next ** Also affects: openssh (Ubuntu Bionic) Importance: Undecided Status: New ** Changed in: openssh (Ubuntu) Status: New => Fix Released ** Changed in: openssh (Ubuntu Bionic) Assignee: (unassigned) => Colin Watson (cjwatson) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1863930 Title: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3 Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Bionic: New Bug description: SSHD closes the connection and logs the error message below when a client presents a protoversion of "1.99": Protocol major versions differ for X.X.X.X port X: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-XXX RFC 4253 only states that clients should treat a server's protoversion of "1.99" as equivalent to "2.0"; however, some backward-compatible clients send a protoversion of "1.99" and expect the server to treat it as "2.0". This regression was introduced in openssh-portable 7.6p1 from commit 97f4d3083; fixes were implemented in commits 9e9c4a7e5 and c9c1bba06. I've attached a patch with both of those fixes. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1863930] Re: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3
Assigned to cjwatson for now, but feel free to tell us you want us to drive the SRU for this and we can change it. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1863930 Title: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3 Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Bionic: New Bug description: SSHD closes the connection and logs the error message below when a client presents a protoversion of "1.99": Protocol major versions differ for X.X.X.X port X: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-XXX RFC 4253 only states that clients should treat a server's protoversion of "1.99" as equivalent to "2.0"; however, some backward-compatible clients send a protoversion of "1.99" and expect the server to treat it as "2.0". This regression was introduced in openssh-portable 7.6p1 from commit 97f4d3083; fixes were implemented in commits 9e9c4a7e5 and c9c1bba06. I've attached a patch with both of those fixes. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1863930] Re: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3
I have time to maintain openssh in Debian, but in general I don't have cycles to deal with SRUs, so please could somebody else take care of that part? ** Changed in: openssh (Ubuntu Bionic) Assignee: Colin Watson (cjwatson) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1863930 Title: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3 Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Bionic: New Bug description: SSHD closes the connection and logs the error message below when a client presents a protoversion of "1.99": Protocol major versions differ for X.X.X.X port X: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-XXX RFC 4253 only states that clients should treat a server's protoversion of "1.99" as equivalent to "2.0"; however, some backward-compatible clients send a protoversion of "1.99" and expect the server to treat it as "2.0". This regression was introduced in openssh-portable 7.6p1 from commit 97f4d3083; fixes were implemented in commits 9e9c4a7e5 and c9c1bba06. I've attached a patch with both of those fixes. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1863930] Re: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3
@Kyle - in prep for an SRU - do you have steps to reproduce this e.g. with which Ubuntu based client/options one can easily send 1.99 on a connection attempt? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1863930 Title: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3 Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Bionic: New Bug description: SSHD closes the connection and logs the error message below when a client presents a protoversion of "1.99": Protocol major versions differ for X.X.X.X port X: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-XXX RFC 4253 only states that clients should treat a server's protoversion of "1.99" as equivalent to "2.0"; however, some backward-compatible clients send a protoversion of "1.99" and expect the server to treat it as "2.0". This regression was introduced in openssh-portable 7.6p1 from commit 97f4d3083; fixes were implemented in commits 9e9c4a7e5 and c9c1bba06. I've attached a patch with both of those fixes. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1863930] Re: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3
Yep, thanks cjwatson -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1863930 Title: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3 Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Bionic: New Bug description: SSHD closes the connection and logs the error message below when a client presents a protoversion of "1.99": Protocol major versions differ for X.X.X.X port X: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-XXX RFC 4253 only states that clients should treat a server's protoversion of "1.99" as equivalent to "2.0"; however, some backward-compatible clients send a protoversion of "1.99" and expect the server to treat it as "2.0". This regression was introduced in openssh-portable 7.6p1 from commit 97f4d3083; fixes were implemented in commits 9e9c4a7e5 and c9c1bba06. I've attached a patch with both of those fixes. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1863930] Re: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3
The easiest way I found to reproduce was to monkey patch the python paramiko library. I've attached a short script which can be used to test a host. It requires either python-paramiko or python3-paramiko to run. ** Attachment added: "test_bug_1863930.py" https://bugs.launchpad.net/ubuntu/bionic/+source/openssh/+bug/1863930/+attachment/5332797/+files/test_bug_1863930.py -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1863930 Title: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3 Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Bionic: New Bug description: SSHD closes the connection and logs the error message below when a client presents a protoversion of "1.99": Protocol major versions differ for X.X.X.X port X: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-XXX RFC 4253 only states that clients should treat a server's protoversion of "1.99" as equivalent to "2.0"; however, some backward-compatible clients send a protoversion of "1.99" and expect the server to treat it as "2.0". This regression was introduced in openssh-portable 7.6p1 from commit 97f4d3083; fixes were implemented in commits 9e9c4a7e5 and c9c1bba06. I've attached a patch with both of those fixes. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1863930] Re: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3
Thanks Kyle, I agree the testcase is great and works in my tests. This is exactly what I needed to craft the SRU template as needed. But OTOH about severity of this, as it will mean everyone having ssh installed (which is almost every installation out there) will have to download and install a new package. I was wondering if there is a (can be more complex and doesn't have to have step-by-step instructions) real use-case that is making this bug more severe by breaking it. If there isn't I'm tempted to say it is a correct bug and fix, but doesn't qualify to do the SRU on its own. We might then still prep it completely but hold it in -proposed to only release it together with some other more severe update that will force a new download anyway. Looking forward to your answer and adding the SRU template for now ... ** Changed in: openssh (Ubuntu Bionic) Status: New => Triaged ** Changed in: openssh (Ubuntu Bionic) Importance: Undecided => Low ** Description changed: - SSHD closes the connection and logs the error message below when a - client presents a protoversion of "1.99": + [Impact] - Protocol major versions differ for X.X.X.X port X: + * The version check in ssh was broken no more following RFC 4253 and +thereby denying some clients that it shouldn't + + * Upstream fixed that and this is backporting the changes to bionic. + + [Test Case] + + # Prep + * configure the ssh server to generally work + # Testcase + $ wget https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+attachment/5332797/+files/test_bug_1863930.py + $ apt install python3-paramiko + $ python3 test_bug_1863930.py localhost (or whatever your host is) + + Will report "Server is not patched." or "Server is patched. + + [Regression Potential] + + TODO + + [Other Info] + + * n/a + + -- + + + SSHD closes the connection and logs the error message below when a client presents a protoversion of "1.99": + + Protocol major versions differ for X.X.X.X port X: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-XXX RFC 4253 only states that clients should treat a server's protoversion of "1.99" as equivalent to "2.0"; however, some backward-compatible clients send a protoversion of "1.99" and expect the server to treat it as "2.0". This regression was introduced in openssh-portable 7.6p1 from commit 97f4d3083; fixes were implemented in commits 9e9c4a7e5 and c9c1bba06. I've attached a patch with both of those fixes. ** Description changed: [Impact] - * The version check in ssh was broken no more following RFC 4253 and -thereby denying some clients that it shouldn't + * The version check in ssh was broken no more following RFC 4253 and + thereby denying some clients that it shouldn't - * Upstream fixed that and this is backporting the changes to bionic. + * Upstream fixed that and this is backporting the changes to bionic. [Test Case] - # Prep - * configure the ssh server to generally work - # Testcase - $ wget https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+attachment/5332797/+files/test_bug_1863930.py - $ apt install python3-paramiko - $ python3 test_bug_1863930.py localhost (or whatever your host is) + # Prep + * configure the ssh server to generally work + # Testcase + $ wget https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+attachment/5332797/+files/test_bug_1863930.py + $ apt install python3-paramiko + $ python3 test_bug_1863930.py localhost (or whatever your host is) - Will report "Server is not patched." or "Server is patched. + Will report "Server is not patched." or "Server is patched. + + * for an extra regression check it might be worth to do some "normal" ssh +connections as well [Regression Potential] - TODO + * The change is very small and reviewable as well as being upstream and +in all Ubuntu releases >=Cosmic for a while now so it seems safe. +If anything the kind of regression to expect is that some former +(wrong) connection denials will then succeed. I can only think of +that being an issue in test suites but not in the real world. [Other Info] - - * n/a + + * n/a -- - - SSHD closes the connection and logs the error message below when a client presents a protoversion of "1.99": + SSHD closes the connection and logs the error message below when a + client presents a protoversion of "1.99": Protocol major versions differ for X.X.X.X port X: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-XXX RFC 4253 only states that clients should treat a server's protoversion of "1.99" as equivalent to "2.0"; however, some backward-compatible clients send a protoversion of "1.99" and expect the server to treat it as "2.0". This regression was introduced in openssh-portable 7.6p1 from commit 97f4d3083; fixes were implemented in commits 9e9c4a7e5 and c9c1bba06. I've attached a patch with both
[Touch-packages] [Bug 1863930] Re: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3
** Merge proposal linked: https://code.launchpad.net/~paelzer/ubuntu/+source/openssh/+git/openssh/+merge/380138 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1863930 Title: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3 Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Bionic: Triaged Bug description: [Impact] * The version check in ssh was broken no more following RFC 4253 and thereby denying some clients that it shouldn't * Upstream fixed that and this is backporting the changes to bionic. [Test Case] # Prep * configure the ssh server to generally work # Testcase $ wget https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+attachment/5332797/+files/test_bug_1863930.py $ apt install python3-paramiko $ python3 test_bug_1863930.py localhost (or whatever your host is) Will report "Server is not patched." or "Server is patched. * for an extra regression check it might be worth to do some "normal" ssh connections as well [Regression Potential] * The change is very small and reviewable as well as being upstream and in all Ubuntu releases >=Cosmic for a while now so it seems safe. If anything the kind of regression to expect is that some former (wrong) connection denials will then succeed. I can only think of that being an issue in test suites but not in the real world. [Other Info] * n/a -- SSHD closes the connection and logs the error message below when a client presents a protoversion of "1.99": Protocol major versions differ for X.X.X.X port X: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-XXX RFC 4253 only states that clients should treat a server's protoversion of "1.99" as equivalent to "2.0"; however, some backward-compatible clients send a protoversion of "1.99" and expect the server to treat it as "2.0". This regression was introduced in openssh-portable 7.6p1 from commit 97f4d3083; fixes were implemented in commits 9e9c4a7e5 and c9c1bba06. I've attached a patch with both of those fixes. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1863930] Re: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3
I've redone the patches following the usual patch guidelines and opened an MP with these at: => https://code.launchpad.net/~paelzer/ubuntu/+source/openssh/+git/openssh/+merge/380138 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1863930 Title: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3 Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Bionic: Triaged Bug description: [Impact] * The version check in ssh was broken no more following RFC 4253 and thereby denying some clients that it shouldn't * Upstream fixed that and this is backporting the changes to bionic. [Test Case] # Prep * configure the ssh server to generally work # Testcase $ wget https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+attachment/5332797/+files/test_bug_1863930.py $ apt install python3-paramiko $ python3 test_bug_1863930.py localhost (or whatever your host is) Will report "Server is not patched." or "Server is patched. * for an extra regression check it might be worth to do some "normal" ssh connections as well [Regression Potential] * The change is very small and reviewable as well as being upstream and in all Ubuntu releases >=Cosmic for a while now so it seems safe. If anything the kind of regression to expect is that some former (wrong) connection denials will then succeed. I can only think of that being an issue in test suites but not in the real world. [Other Info] * n/a -- SSHD closes the connection and logs the error message below when a client presents a protoversion of "1.99": Protocol major versions differ for X.X.X.X port X: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-XXX RFC 4253 only states that clients should treat a server's protoversion of "1.99" as equivalent to "2.0"; however, some backward-compatible clients send a protoversion of "1.99" and expect the server to treat it as "2.0". This regression was introduced in openssh-portable 7.6p1 from commit 97f4d3083; fixes were implemented in commits 9e9c4a7e5 and c9c1bba06. I've attached a patch with both of those fixes. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1863930] Re: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3
Autopkgtests are complete on the PPA at https://bileto.ubuntu.com/#/ticket/3962 https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3962/+packages Tests all passed or are known force-badtest cases already. Waiting for Kyle's response to properly handle the severity of this ... -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1863930 Title: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3 Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Bionic: Triaged Bug description: [Impact] * The version check in ssh was broken no more following RFC 4253 and thereby denying some clients that it shouldn't * Upstream fixed that and this is backporting the changes to bionic. [Test Case] # Prep * configure the ssh server to generally work # Testcase $ wget https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+attachment/5332797/+files/test_bug_1863930.py $ apt install python3-paramiko $ python3 test_bug_1863930.py localhost (or whatever your host is) Will report "Server is not patched." or "Server is patched. * for an extra regression check it might be worth to do some "normal" ssh connections as well [Regression Potential] * The change is very small and reviewable as well as being upstream and in all Ubuntu releases >=Cosmic for a while now so it seems safe. If anything the kind of regression to expect is that some former (wrong) connection denials will then succeed. I can only think of that being an issue in test suites but not in the real world. [Other Info] * n/a -- SSHD closes the connection and logs the error message below when a client presents a protoversion of "1.99": Protocol major versions differ for X.X.X.X port X: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-XXX RFC 4253 only states that clients should treat a server's protoversion of "1.99" as equivalent to "2.0"; however, some backward-compatible clients send a protoversion of "1.99" and expect the server to treat it as "2.0". This regression was introduced in openssh-portable 7.6p1 from commit 97f4d3083; fixes were implemented in commits 9e9c4a7e5 and c9c1bba06. I've attached a patch with both of those fixes. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1863930] Re: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3
Merge Proposal review is complete, but waiting on some feedback that helps to classify the severity and urgency correctly. Depending on that the options will be: - actually unimportant: don't SRU it at all - some reasonable cases exists, but are very rare: SRU it but hold the release in block-proposed until the next "important" update comes - reasonable case for the Ubuntu community, SRU right away Setting the task to incomplete while waiting on that feedback ** Changed in: openssh (Ubuntu Bionic) Status: Triaged => Incomplete -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1863930 Title: SSH 1.99 clients fail to connect to openssh-server 1:7.6p1-4ubuntu0.3 Status in openssh package in Ubuntu: Fix Released Status in openssh source package in Bionic: Incomplete Bug description: [Impact] * The version check in ssh was broken no more following RFC 4253 and thereby denying some clients that it shouldn't * Upstream fixed that and this is backporting the changes to bionic. [Test Case] # Prep * configure the ssh server to generally work # Testcase $ wget https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+attachment/5332797/+files/test_bug_1863930.py $ apt install python3-paramiko $ python3 test_bug_1863930.py localhost (or whatever your host is) Will report "Server is not patched." or "Server is patched. * for an extra regression check it might be worth to do some "normal" ssh connections as well [Regression Potential] * The change is very small and reviewable as well as being upstream and in all Ubuntu releases >=Cosmic for a while now so it seems safe. If anything the kind of regression to expect is that some former (wrong) connection denials will then succeed. I can only think of that being an issue in test suites but not in the real world. [Other Info] * n/a -- SSHD closes the connection and logs the error message below when a client presents a protoversion of "1.99": Protocol major versions differ for X.X.X.X port X: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 vs. SSH-1.99-XXX RFC 4253 only states that clients should treat a server's protoversion of "1.99" as equivalent to "2.0"; however, some backward-compatible clients send a protoversion of "1.99" and expect the server to treat it as "2.0". This regression was introduced in openssh-portable 7.6p1 from commit 97f4d3083; fixes were implemented in commits 9e9c4a7e5 and c9c1bba06. I've attached a patch with both of those fixes. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1863930/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
