Hello,

I am experiencing a problem with

OpenSSH_4.3p2 Debian-8, OpenSSL 0.9.8c 05 Sep 2006

I have a tool which I use to generate command lines for end-end
encryption through firewalls, following directions from an old
discussion on this mailing list (thanks btw). It gives me something
like this:

ssh -p 47774 localhost -o "ProxyCommand=ssh -v -v vds5.dedi.blackcatnetworks.co.uk -- 'nc localhost 47774'" -- 'echo hi'

When I run that, two sshd processes appear at the final destination
host, and don't go away until I kill them.

I am wondering if this problem is known to have been fixed in a recent
version, or if I should download the latest version and try, or what.

The end of the output I see from the above command is (note this is
verbose output from the ProxyCommand ssh, not the parent one):

debug1: Entering interactive session.
debug2: callback start
debug2: x11_get_proto: /usr/X11R6/bin/xauth list :0.0 2>/dev/null
debug1: Requesting X11 forwarding with authentication spoofing.
debug2: channel 0: request x11-req confirm 0
debug1: Requesting authentication agent forwarding.
debug2: channel 0: request auth-agent-req@openssh.com confirm 0
debug2: client_session2_setup: id 0
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug1: Sending command: nc localhost 47774
debug2: channel 0: request exec confirm 0
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 131072
hi
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
debug1: Killed by signal 1.

Many thanks,

Frederik

--
http://ofb.net/~frederik/

Frederik Eaton wrote:
> Hello,
>
> I am experiencing a problem with
>
> OpenSSH_4.3p2 Debian-8, OpenSSL 0.9.8c 05 Sep 2006
>
> I have a tool which I use to generate command lines for end-end
> encryption through firewalls, following directions from an old
> discussion on this mailing list (thanks btw). It gives me something
> like this:
>
> ssh -p 47774 localhost -o "ProxyCommand=ssh -v -v vds5.dedi.blackcatnetworks.co.uk -- 'nc localhost 47774'" -- 'echo hi'
>
> When I run that, two sshd processes appear at the final destination
> host, and don't go away until I kill them.
>
> I am wondering if this problem is known to have been fixed in a recent
> version, or if I should download the latest version and try, or what.

You're using "traditional" netcat (i.e. 1.10) on the intermediate server?

What's happening is that sshd closes the stdio to the "nc" processes and
waits for it to exit, but the nc process never checks for this closure
and never exits, thus deadlocks.

You can substitute connect[1] for netcat as it does not have this
particular problem.

See also http://bugzilla.mindrot.org/show_bug.cgi?id=396

It's possible that the recent changes for bug #52 help in this situation
but I suspect not.

[1] http://zippo.taiyo.co.jp/~gotoh/ssh/connect.html

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
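
The behaviour a ProxyCommand relay needs in the situation described above, as an added example that is not part of the original thread and is not the code of netcat or connect: a minimal Python relay that turns end-of-file on its standard input into a half-close of the socket and exits when the far end hangs up. The names relay, _peer and demo are hypothetical, and the echo peer is a constructed stand-in for the final server.

```python
import os, selectors, socket, threading

def relay(sock, fd_in, fd_out):
    """Copy fd_in -> sock and sock -> fd_out; return bytes copied to fd_out."""
    sel = selectors.DefaultSelector()
    sel.register(fd_in, selectors.EVENT_READ, "stdin")
    sel.register(sock, selectors.EVENT_READ, "net")
    copied = 0
    while True:
        for key, _ in sel.select():
            if key.data == "stdin":
                data = os.read(fd_in, 65536)
                if data:
                    sock.sendall(data)
                else:
                    # EOF on stdin: the parent closed our input. Stop watching
                    # it and half-close the socket so the far end sees EOF too.
                    sel.unregister(fd_in)
                    sock.shutdown(socket.SHUT_WR)
            else:
                data = sock.recv(65536)
                if not data:
                    # Far end hung up: nothing left to relay, so exit.
                    sel.close()
                    return copied
                os.write(fd_out, data)
                copied += len(data)

def _peer(conn):
    # Constructed stand-in for the final server: echoes what it receives and
    # only hangs up once it has seen EOF from the relay.
    with conn:
        while (data := conn.recv(65536)):
            conn.sendall(data)

def demo():
    near, far = socket.socketpair()
    threading.Thread(target=_peer, args=(far,), daemon=True).start()
    in_r, in_w = os.pipe()
    out_r, out_w = os.pipe()
    os.write(in_w, b"hi\n")
    os.close(in_w)  # what the relay sees when its parent closes stdin
    copied = relay(near, in_r, out_w)
    os.close(out_w)
    return copied, os.read(out_r, 65536)

if __name__ == "__main__":
    print(demo())
```

Without the shutdown() call on stdin EOF, the peer in this demo never sees end-of-file and relay() blocks in select() indefinitely, which is the lingering-process pattern discussed in the thread.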

On Mon, 5 Mar 2007, Frederik Eaton wrote:
> Hello,
>
> I am experiencing a problem with
>
> OpenSSH_4.3p2 Debian-8, OpenSSL 0.9.8c 05 Sep 2006
>
> I have a tool which I use to generate command lines for end-end
> encryption through firewalls, following directions from an old
> discussion on this mailing list (thanks btw). It gives me something
> like this:
>
> ssh -p 47774 localhost -o "ProxyCommand=ssh -v -v vds5.dedi.blackcatnetworks.co.uk -- 'nc localhost 47774'" -- 'echo hi'
>
> When I run that, two sshd processes appear at the final destination
> host, and don't go away until I kill them.

It is normal to have two sshd processes when privilege separation is
enabled, but it is not normal for them to linger. How do they appear in
the output of a 'ps awwwwwx'?

> I am wondering if this problem is known to have been fixed in a recent
> version, or if I should download the latest version and try, or what.

It would be a good idea to try a recent release, or better yet, one of
the snapshots at http://www.mindrot.org/openssh_snap/ -- these are to be
openssh-4.6 very soon..

> The end of the output I see from the above command is (note this is
> verbose output from the ProxyCommand ssh, not the parent one):

If you can recreate the problem with a more recent version, a debug
trace from sshd would be more instructive than the output of the client.

-d