mdawson n00b
Joined: 10 Nov 2003 Posts: 8
Posted: Tue Feb 03, 2004 8:02 pm Post subject: openssh upgrade to 3.7 causes no incoming ssh allowed
After upgrading openssh from openssh-3.6.1_p2 to
openssh-3.7.1_p2-r2, ssh can no longer connect with the machine, but
gets "ssh_exchange_identification: Connection closed by remote host".
The machine can ssh to others just fine.
Emerging back to openssh-3.6.1_p2-r2 causes everything to work just
fine again, without manually changing any configuration files (or my
/etc/hosts.allow or /etc/hosts.deny files) at all.
The puzzling thing is that 3.7 will work just fine if I delete my
/etc/hosts.deny file, so it is the tcp-wrappers that are actually
rejecting the call from other machines.
Is there some configuration change that I've missed?
Michael

coldfire n00b
Joined: 27 Jan 2004 Posts: 53 Location: Edmonton, AB
Posted: Tue Feb 03, 2004 8:11 pm Post subject: Config File?
Can you post your sshd_config? Perhaps there is something there that might be preventing connections.

mdawson n00b
Joined: 10 Nov 2003 Posts: 8
Posted: Tue Feb 03, 2004 10:24 pm Post subject:
> Can you post your sshd_config?
It is quite lengthy, so I checked that it is the one that ships with
3.7, with no changes (as reported by diff.) Every line is commented
out. The first line is:
$OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $
The key thing is that it works fine as soon as /etc/hosts.deny is
removed, so it is the tcpd configuration that is doing the actual
rejection. Of course, I haven't any idea if there is any relation
between the behavior of the tcpd program and the sshd program.
Michael

coldfire n00b
Joined: 27 Jan 2004 Posts: 53 Location: Edmonton, AB
Posted: Wed Feb 04, 2004 1:28 am Post subject:
I've never used hosts.deny, as it isn't as secure as RSA Host Authentication. On most boxes that I have it installed, I just use User Authentication with DSA keys. Are you using protocol 1 or 2? It might be something to check. This is a long shot, but you could try to see if there are any broken dependencies at all by doing a "revdep-rebuild -p" (emerge gentoolkit first).
EDIT: What are your iptables rules like? Do you have a fairly simple 'reject all accept only what you want' setup?
coldfire

mdawson n00b
Joined: 10 Nov 2003 Posts: 8
Posted: Wed Feb 04, 2004 5:05 pm Post subject:
I'm sorry to say that there is no problem with the dependencies, and
the problem is the same with the firewalls down.
The key thing is that everything works under 3.6, and it doesn't
under 3.7, and then it works again if I re-emerge 3.6 -- with no
changes in any config files anywhere. But 3.7 does work if I remove
the /etc/hosts.deny file.
From poring through the man files, the part that is issuing that
error message is the new version of tcp-wrappers (an emerge
dependency of openssh), which reads the /etc/hosts.deny and
/etc/hosts.allow files. (I gather that openssh uses the libwrap.so
component of tcp-wrappers.) This is consistent with the problem
going away if I just remove the /etc/hosts.deny file.
I can find no sign of any changed format for the hosts.[allow|deny]
files.
This has been going on for some time. I've gotten used to just
re-emerging 3.6 after every world update. I need ssh to work, as
rsync depends on it for backups.
I certainly can't find any bug reports, and I don't want to file one
until I figure out if it is one.
Michael

coldfire n00b
Joined: 27 Jan 2004 Posts: 53 Location: Edmonton, AB
Posted: Wed Feb 04, 2004 5:16 pm Post subject:
Sorry that I could not be of more help. I guess tcp-wrappers is the culprit then. Perhaps you have found a bug with the wrappers....
Hopefully it can be fixed if that is so!
Could you post back here if/when you solve it? I'd like to be aware if it is truly a bug.
Thanks!

0g n00b
Joined: 11 Feb 2004 Posts: 9
Posted: Tue Mar 09, 2004 4:15 am Post subject:
After installing openssh-3.7.1_p2-r2 a few days ago, my server now has the same problem. So I added sshd:ALL to hosts.allow, and I now depend on the firewall to restrict access.
I re-emerged the last working version (openssh-3.7.1_p2-r1) and it failed too. I tried reducing the CFLAGS to "-march=pentium3 -O" and rebuilding tcpwrappers and openssh, but that didn't help either.
Almost the entire machine has been upgraded in the interval between the working openssh-3.7.1_p2-r1 and the non-working openssh-3.7.1_p2-r1, so there is little hope of isolating the bug that way.
Like Michael, I haven't changed anything relevant to SSH or tcpwrappers configuration. Yet, ssh behaves exactly as if tcp-wrappers had been told to block. There is nothing helpful in the logs, so I need some way to find out what is going on with tcp-wrappers.
Which makes me wonder, is sshd the only tcp-wrapped service that is affected on your machine, Michael?

hielvc Advocate
Joined: 19 Apr 2002 Posts: 2805 Location: Oceanside, Ca
Posted: Tue Mar 09, 2004 4:15 pm Post subject:
I've been having the same problem for three weeks now. Emptying hosts.deny worked. This is also happening with openssh-3.8... .
TRUST ME THIS IS A BUG
Filed bug *44142

krunk Guru
Joined: 27 Jul 2003 Posts: 316
Posted: Sat Apr 10, 2004 8:21 pm Post subject:
hielvc wrote:
> I've been having the same problem for three weeks now. Emptying hosts.deny worked. This is also happening with openssh-3.8... .
> TRUST ME THIS IS A BUG
> Filed bug *44142
Just upgraded to net-misc/openssh-3.7.1_p2-r2 * myself. My iptable rules haven't been changed one iota. When I upgraded I actually had an open ssh session with my server. After the upgrade, when I went to open another session I get the EXACT error with the EXACT version mentioned above. Hopefully this bug will be resolved soon. I don't like sshd: ALL in my hosts.allow.
_________________
G4 1ghz iBook
PowerMac G3 (B&W) [Powered by Gentoo and Gentoo alone ]
Dual G5
iPod 3rd generation

drumz Apprentice
Joined: 10 Nov 2002 Posts: 213
Posted: Thu May 20, 2004 10:23 pm Post subject:
Hopefully this will help someone here.
I had the same exact problem with a new box I just built (amd64). Checking the versions of openssh between that box and my laptop (piii) which was working fine, showed that the versions matched. That led me to believe it was a 64bit issue until it dawned on me that there was one other difference:
IPV6 support was enabled in the kernel on my amd box and NOT enabled on my laptop. A quick recompile/reconfigure of my kernel and now it's working fine.
Due to the age of tcpwrappers and the fact that it's not been updated in quite a while, it probably doesn't support IPV6 addresses.
Drumz

0g n00b
Joined: 11 Feb 2004 Posts: 9
Posted: Fri May 21, 2004 4:51 am Post subject:
drumz wrote:
> Hopefully this will help someone here...IPV6 support was enabled in the kernel...
It sure does, recompiling the kernel without IPv6 fixed my machine too, Drumz. Thanks!
I just noticed that ipv6 was not in my use flags but tcpwrappers IUSEs it. Doh!

drumz Apprentice
Joined: 10 Nov 2002 Posts: 213
Posted: Fri Jun 11, 2004 8:14 pm Post subject:
Just as a final followup for anyone else that reads this thread later:
1. tcpwrappers DOES support IPV6, you need to set the USE flag to enable it.
2. BOTH the kernel AND tcpwrappers must have IPV6 support compiled in, otherwise you'll see the behavior exhibited above.
Most of us had it compiled into the kernel but not tcpwrappers which caused tcpwrappers to block everything when we configured our hosts.allow and hosts.deny.
I now have IPV6 enabled in both the kernel and tcpwrappers and am happily using my hosts.deny again.
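
Added example (not part of the original thread): a shell check for the combination described in the final post, a kernel with IPv6 and a tcp-wrappers package built without the ipv6 USE flag while hosts.deny has active rules. It assumes Gentoo's installed-package database layout under /var/db/pkg and treats /proc/net/if_inet6 as the sign of kernel IPv6 support; the function names are made up for this example.

```sh
#!/bin/sh
# Added example: detect the kernel / tcp-wrappers IPv6 mismatch from this thread.
# Assumptions: <vdb>/<category>/<package-version>/USE lists the USE flags the
# installed package was built with, and /proc/net/if_inet6 exists only when
# the running kernel has IPv6 support.

# kernel_has_ipv6 [PROC_FILE] -> 0 if the kernel exposes its IPv6 interface table
kernel_has_ipv6() {
    [ -e "${1:-/proc/net/if_inet6}" ]
}

# wrappers_has_ipv6 [VDB_ROOT] -> 0 if an installed tcp-wrappers was built with ipv6
wrappers_has_ipv6() {
    vdb="${1:-/var/db/pkg}"
    for use_file in "$vdb"/*/tcp-wrappers-*/USE; do
        [ -f "$use_file" ] || continue   # glob did not match anything
        # USE is a whitespace-separated list; match the flag as a whole word
        tr -s ' \t' '\n' < "$use_file" | grep -qx 'ipv6' && return 0
    done
    return 1
}

# deny_has_rules HOSTS_DENY -> 0 if the file has a line that is not blank or a comment
deny_has_rules() {
    [ -f "$1" ] && grep -Eqv '^[[:space:]]*(#|$)' "$1"
}

# diagnose PROC_FILE VDB_ROOT HOSTS_DENY
# Prints a verdict; returns 1 only for the combination that locked people out.
diagnose() {
    if kernel_has_ipv6 "$1" && ! wrappers_has_ipv6 "$2"; then
        if deny_has_rules "$3"; then
            echo "MISMATCH: kernel has IPv6, tcp-wrappers built without it, hosts.deny is active"
            return 1
        fi
        echo "LATENT: same mismatch, but hosts.deny has no active rules"
        return 0
    fi
    echo "OK: not the kernel-IPv6 / tcp-wrappers-without-IPv6 combination"
    return 0
}
```

On a live system this would be called as diagnose /proc/net/if_inet6 /var/db/pkg /etc/hosts.deny; a non-zero exit means fixing the USE flag and rebuilding tcp-wrappers before relying on hosts.deny, rather than falling back to sshd: ALL in hosts.allow.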