bin/45049: The HPN patch for OpenSSH breaks on SOCKS proxies

To: gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: bin/45049: The HPN patch for OpenSSH breaks on SOCKS proxies
From: Pierre Pronchery <khorben%defora.org@localhost>
Date: Fri, 10 Jun 2011 21:10:00 +0000 (UTC)

>Number:         45049
>Category:       bin
>Synopsis:       The HPN patch for OpenSSH breaks on SOCKS proxies
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Jun 10 21:10:00 +0000 2011
>Originator:     Pierre Pronchery <khorben%defora.org@localhost>
>Release:        NetBSD 5.1_STABLE
>Organization:
>Environment:
System: NetBSD rst.defora.lan 5.1_STABLE NetBSD 5.1_STABLE (GENERIC) #0: Sun 
Apr 24 04:27:02 UTC 2011 
khorben%kwarx.defora.lan@localhost:/home/i386/obj/sys/arch/i386/compile/GENERIC 
i386
Architecture: i386
Machine: i386
>Description:
I am currently using OpenSSH over SOCKS proxies, as provided by existing
OpenSSH connections (using the "DynamicForward" mechanism). When using
the default SSH binaries from NetBSD base (on both client and server
side) I am observing difficulties after a few minutes of use with
interactive sessions:
- data is sent properly from the client to the server
- data is received from the server to the client, but never displayed on
  the terminal
- when this occurs, the ssh client forwarding the connection outputs the
  following error: "rcvd too much data"

This behavior has already been reported publicly, like found here in the
Gentoo bug reporting system:
http://bugs.gentoo.org/197182

During the ensueing debugging process, the HPN patch was found to be the
culprit. This patch seems to be applied by default on NetBSD; see
src/crypto/dist/ssh/HPN-README, and the output of "ssh -v" for instance:

Remote protocol version 2.0, remote software version OpenSSH_5.0
NetBSD_Secure_Shell-20080403-hpn13v1
debug1: match: OpenSSH_5.0 NetBSD_Secure_Shell-20080403-hpn13v1 pat
OpenSSH*

Replacing the SSH client used to forward connections over SOCKS with one
built from pkgsrc/security/openssh (without the "hpn-patch" option set)
seems to work-around the problem.

Alternatively, using the SSH client from base with the (undocumented
except in HPN-README) "HPNDisabled=yes" option seems to do the trick
too.

>How-To-Repeat:
first:
$ ssh -D 9050 some.remote.host

then, with pkgsrc's net/tsocks configured:
$ cat /usr/pkg/etc/tsocks.conf
local = 192.168.0.0/255.255.0.0
server = 127.0.0.1
server_type = 5
server_port = 9050
$ tsocks ssh some.other.host

after a while, the connection seems to break, and error messages appear
on the first client (providing the SOCKS proxy).

>Fix:
As mentioned above, the "HPNDisabled" option can be enabled to
workaround the problem.

Unfortunately, the HPN project doesn't seem to have enough resources to
maintain its patch properly:
http://www.psc.edu/networking/projects/hpn-ssh/

Prev by Date: NetBSD Nightly Trouble Ticket Report
Next by Date: Re: bin/45049: The HPN patch for OpenSSH breaks on SOCKS proxies
Previous by Thread: misc/45038: lack of tests options
Next by Thread: Re: bin/45049: The HPN patch for OpenSSH breaks on SOCKS proxies
Indexes:

Home | Main Index | Thread Index | Old Index