Bug#495917: openssh-client: patch for Netscreen - not sure how it affects other systems
On Thu, Aug 28, 2008 at 03:10:01PM +0200, Reinhold Trocker wrote:
> the provided patch did not help but I have found the problem:
> it is the part
> "If we don't expect to open a new session, then disallow it"
> in ssh.c
> which did "debug1: Requesting no-more-sessions@openssh.com"
>
> I commented it out completely and it works
> So there is no need to have a new NetScreen line in compat.c
That code was not added frivolously; it does serve a real
security-relevant purpose! The point of the compat.c stuff is to allow
OpenSSH to behave differently when talking to systems known to be broken
in certain ways. Although ssh still "works" when this code is removed,
it is weaker, as this entry from the 5.1 release notes shows:
* Added a no-more-sessions@openssh.com global request extension that is
sent from ssh(1) to sshd(8) when the client knows that it will never
request another session (i.e. when session multiplexing is disabled).
This allows a server to disallow further session requests and
terminate the session in cases where the client has been hijacked.
Anyway, it would surprise me if this were actually the real cause of the
problem, rather than an unlucky request that always happens to sit on a
packet boundary or something like that. ssh uses this kind of request in
various places and there's surely no reason why
no-more-sessions@openssh.com would break when e.g. tcpip-forward or
keepalive@openssh.com (as far as I know) doesn't.
I think perhaps we need somebody to get in contact with NetScreen and
find out what the actual bug is, rather than guessing. It seems likely
that that would be best done by a customer of NetScreen.
--
Colin Watson [cjwatson@debian.org]
Reply to: