Package: sshuttle
Version: 0.78.4-1
Severity: normal

I'm seeing this problem on multiple local networks, connecting to multiple
remote servers.
joey@darkstar:~>sshuttle -vNHr kitenet.net 0/0
Starting sshuttle proxy.
firewall manager: Starting firewall with Python version 3.6.5
firewall manager: ready method name nat.
IPv6 enabled: False
UDP enabled: False
DNS enabled: False
User enabled: False
TCP redirector listening on ('127.0.0.1', 12300).
Starting client with Python version 3.6.5
c : connecting to server...
Starting server with Python version 3.6.5
s: latency control setting = True
s: available routes:
s: 2/66.228.36.0/24
c : Connected.
c : seed_hosts: []
firewall manager: setting up.
>> iptables -t nat -N sshuttle-12300
>> iptables -t nat -F sshuttle-12300
>> iptables -t nat -I OUTPUT 1 -j sshuttle-12300
>> iptables -t nat -I PREROUTING 1 -j sshuttle-12300
>> iptables -t nat -A sshuttle-12300 -j RETURN --dest 127.0.0.1/32 -p tcp
>> iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 66.228.36.0/24 -p tcp --to-ports 12300 -m ttl ! --ttl 42
>> iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 0.0.0.0/0 -p tcp --to-ports 12300 -m ttl ! --ttl 42
packet_write_wait: Connection to 66.228.36.95 port 22: Broken pipe
firewall manager: undoing changes.
>> iptables -t nat -D OUTPUT -j sshuttle-12300
>> iptables -t nat -D PREROUTING -j sshuttle-12300
>> iptables -t nat -F sshuttle-12300
>> iptables -t nat -X sshuttle-12300
c : fatal: server died with error code 255
- exit 99
The servers are running debian testing/unstable with openssh 1:7.7p1-2,
and stable with 1:7.4p1-10+deb9u2.
This happens when I move .ssh/config out of the way too, so it's apparently
not due to a local configuration. (/etc/ssh/ssh_config seems stock and is
attached below)

Intriguingly, ssh itself seems to be crashed by something sshuttle does.
So, I think this might really be a ssh bug (and am ccing its
maintainers). To show ssh is crashing, I used ssh connection
multiplexing, opening the ssh master connection first:

    ssh -oControlMaster=auto -vS /tmp/ssh.sock kitenet.net

Then running sshuttle over the same ssh connection:

    sshuttle -e 'ssh -oControlMaster=auto -vS /tmp/ssh.sock' -vNHr kitenet.net 0/0

This crashed the *whole* ssh connection. In the master ssh connection's
window, it prints:
debug1: multiplexing control connection
debug1: channel 2: new [mux-control]
debug1: channel 3: new [client-session]
debug1: Sending environment.
debug1: Sending env LANG = en_US.utf8
debug1: Sending env LC_COLLATE = C
debug1: Sending env LC_TIME = C
debug1: Sending command: exec /bin/sh -c 'P=python3; $P -V 2>/dev/null || P=python; exec "$P" -c '"'"'import sys, os; verbosity=1; sys.stdin = os.fdopen(0, "rb"); exec(compile(sys.stdin.read(1082), "assembler.py", "exec"))'"'"''
packet_write_wait: Connection to 66.228.36.95 port 22: Broken pipe
And ssh dies with exit code 255.
On the server, the journal contains only this for such a connection:
May 10 10:21:29 kite sshd[32759]: rexec line 16: Deprecated option UsePrivilegeSeparation
May 10 10:21:29 kite sshd[32759]: rexec line 19: Deprecated option KeyRegenerationInterval
May 10 10:21:29 kite sshd[32759]: rexec line 20: Deprecated option ServerKeyBits
May 10 10:21:29 kite sshd[32759]: rexec line 31: Deprecated option RSAAuthentication
May 10 10:21:29 kite sshd[32759]: rexec line 38: Deprecated option RhostsRSAAuthentication
May 10 10:21:29 kite sshd[32759]: reprocess config line 31: Deprecated option RSAAuthentication
May 10 10:21:29 kite sshd[32759]: reprocess config line 38: Deprecated option RhostsRSAAuthentication
May 10 10:21:29 kite sshd[32759]: Accepted publickey for joey from 67.223.12.39 port 47306 ssh2: RSA SHA256:b6mfcGYiKZh/Vb6JRyv8uGb7BBGxjGKOJeSCo7Ojhsg
May 10 10:21:29 kite sshd[32759]: pam_unix(sshd:session): session opened for user joey by (uid=0)
And interestingly, systemctl status on the server still shows me as logged
in from that persistent ssh session, even though it seemed to crash.
│ ├─user-1000.slice
│ │ ├─session-29583.scope
│ │ │ ├─32736 sshd: joey [priv]
│ │ │ ├─32742 sshd: joey@notty
│ │ │ └─32743 python3 -c import sys, os; verbosity=5; sys.stdin = os.fdopen(0, "rb"); exec(compile(sys.stdin.read(1082), "assembler.py", "exec"))
│ │ ├─session-29586.scope
│ │ │ ├─412 sshd: joey [priv]
│ │ │ ├─418 sshd: joey@pts/3
│ │ │ ├─419 -bash
│ │ │ └─474 python3 -c import sys, os; verbosity=1; sys.stdin = os.fdopen(0, "rb"); exec(compile(sys.stdin.read(1082), "assembler.py", "exec"))
So, the crash must be on the local side, and in a way the ssh server
doesn't notice it's disconnected. (Incidentally, this server has logind
configured with KillUserProcesses=no.)
I have used sshuttle successfully for years; IIRC I first saw this
failure sometime within the past 6 months although I at first thought it was
specific to some network I was on at the time.
One more sshuttle transcript, with more verbosity and asking it to do less:
joey@darkstar:~>sshuttle -vvvvvNr kitenet.net
Starting sshuttle proxy.
firewall manager: Starting firewall with Python version 3.6.5
firewall manager: ready method name nat.
IPv6 enabled: False
UDP enabled: False
DNS enabled: False
User enabled: False
Binding redirector: 12300
TCP redirector listening on ('127.0.0.1', 12300).
TCP redirector listening with <socket.socket fd=5, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=0, laddr=('127.0.0.1', 12300)>.
Starting client with Python version 3.6.5
c : connecting to server...
c : executing: ['ssh', 'kitenet.net', '--', 'exec /bin/sh -c \'P=python3; $P -V 2>/dev/null || P=python; exec "$P" -c \'"\'"\'import sys, os; verbosity=5; sys.stdin = os.fdopen(0, "rb"); exec(compile(sys.stdin.read(1082), "assembler.py", "exec"))\'"\'"\'\'']
c : > channel=0 cmd=PING len=7 (fullness=0)
server: assembling 'sshuttle' (7 bytes)
server: assembling 'sshuttle.cmdline_options' (62 bytes)
server: assembling 'sshuttle.helpers' (944 bytes)
server: assembling 'sshuttle.ssnet' (5647 bytes)
server: assembling 'sshuttle.hostwatch' (2386 bytes)
server: assembling 'sshuttle.server' (3775 bytes)
Starting server with Python version 3.6.5
s: latency control setting = True
s: available routes:
s: 2/66.228.36.0/24
s: > channel=0 cmd=PING len=7 (fullness=0)
s: > channel=0 cmd=ROUTES len=17 (fullness=7)
s: Waiting: 1 r=[4] w=[5] x=[] (fullness=24/0)
s: Ready: 1 r=[] w=[5] x=[]
s: mux wrote: 15/15
s: Waiting: 1 r=[4] w=[5] x=[] (fullness=24/0)
s: Ready: 1 r=[] w=[5] x=[]
s: mux wrote: 25/25
s: Waiting: 1 r=[4] w=[] x=[] (fullness=24/0)
c : Connected.
c : Waiting: 2 r=[5, 8] w=[8] x=[] (fullness=7/0)
c : Ready: 2 r=[8] w=[8] x=[]
c : < channel=0 cmd=PING len=7
c : > channel=0 cmd=PONG len=7 (fullness=7)
c : < channel=0 cmd=ROUTES len=17
c : Adding auto net 2/66.228.36.0/24
firewall manager: Got subnets: [(2, 24, False, '66.228.36.0', 0, 0), (2, 32, True, '127.0.0.1', 0, 0)]
firewall manager: Got nslist: []
firewall manager: Got ports: 0,12300,0,0
firewall manager: Got udp: False, user: None
firewall manager: setting up.
firewall manager: setting up IPv4.
>> iptables -t nat -N sshuttle-12300
>> iptables -t nat -F sshuttle-12300
>> iptables -t nat -I OUTPUT 1 -j sshuttle-12300
>> iptables -t nat -I PREROUTING 1 -j sshuttle-12300
>> iptables -t nat -A sshuttle-12300 -j RETURN --dest 127.0.0.1/32 -p tcp
>> iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 66.228.36.0/24 -p tcp --to-ports 12300 -m ttl ! --ttl 42
c : mux wrote: 15/15
c : mux wrote: 15/15
c : Waiting: 2 r=[5, 8] w=[] x=[] (fullness=14/0)
packet_write_wait: Connection to 66.228.36.95 port 22: Broken pipe
c : Ready: 2 r=[8] w=[] x=[]
firewall manager: undoing changes.
firewall manager: undoing IPv4 changes.
>> iptables -t nat -D OUTPUT -j sshuttle-12300
>> iptables -t nat -D PREROUTING -j sshuttle-12300
>> iptables -t nat -F sshuttle-12300
>> iptables -t nat -X sshuttle-12300
firewall manager: undoing /etc/hosts changes.
c : fatal: server died with error code 255
- exit 99
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.15.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages sshuttle depends on:
ii iptables 1.6.2-1
ii openssh-client [ssh-client] 1:7.7p1-2
ii python3 3.6.5-3
ii python3-pkg-resources 39.0.1-2
Versions of packages sshuttle recommends:
ii sudo 1.8.23-1
Versions of packages sshuttle suggests:
pn autossh <none>
-- no debconf information
/etc/ssh/ssh_config:
Host *
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
--
see shy jo
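
Added example (not part of the original report, and not sshuttle's own code): a Python replay of the ">> iptables -t nat" lines from the first transcript above, to check that the NAT rules sshuttle installed were all removed after ssh died, and to show what would remain if the teardown had not run. The function name residual_nat_state and its simplified rule model are assumptions of this example.

```python
import shlex

PREFIX = ">> iptables -t nat "

# Lines copied from the first sshuttle transcript in the report above.
TRANSCRIPT = """\
firewall manager: setting up.
>> iptables -t nat -N sshuttle-12300
>> iptables -t nat -F sshuttle-12300
>> iptables -t nat -I OUTPUT 1 -j sshuttle-12300
>> iptables -t nat -I PREROUTING 1 -j sshuttle-12300
>> iptables -t nat -A sshuttle-12300 -j RETURN --dest 127.0.0.1/32 -p tcp
>> iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 66.228.36.0/24 -p tcp --to-ports 12300 -m ttl ! --ttl 42
>> iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 0.0.0.0/0 -p tcp --to-ports 12300 -m ttl ! --ttl 42
packet_write_wait: Connection to 66.228.36.95 port 22: Broken pipe
firewall manager: undoing changes.
>> iptables -t nat -D OUTPUT -j sshuttle-12300
>> iptables -t nat -D PREROUTING -j sshuttle-12300
>> iptables -t nat -F sshuttle-12300
>> iptables -t nat -X sshuttle-12300
"""

def residual_nat_state(transcript):
    """Replay logged nat-table commands; return (leftover user chains, leftover rules)."""
    rules = {}           # chain name -> list of rule argument tuples
    user_chains = set()  # chains created with -N and not yet deleted with -X
    for line in transcript.splitlines():
        if not line.startswith(PREFIX):
            continue     # ssh and firewall-manager chatter is ignored
        op, chain, *spec = shlex.split(line[len(PREFIX):])
        if op == "-N":
            user_chains.add(chain)
            rules[chain] = []
        elif op == "-F":
            rules[chain] = []
        elif op == "-X":  # simplified: real iptables refuses -X on a non-empty chain
            user_chains.discard(chain)
            rules.pop(chain, None)
        elif op in ("-A", "-I"):
            if op == "-I" and spec and spec[0].isdigit():
                spec = spec[1:]  # drop the rule number; position does not matter here
            rules.setdefault(chain, []).append(tuple(spec))
        elif op == "-D" and tuple(spec) in rules.get(chain, []):
            rules[chain].remove(tuple(spec))
    return user_chains, {c: r for c, r in rules.items() if r}

if __name__ == "__main__":
    print("as logged:", residual_nat_state(TRANSCRIPT))
    # Constructed failure case: the same log cut off before the teardown ran.
    print("no teardown:", residual_nat_state(TRANSCRIPT.split("firewall manager: undoing")[0]))
```

On the transcript as logged the result is empty, matching the report: sshuttle cleaned up its redirect rules even though ssh exited with 255.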