openssh bugs - Jan 2013 - [Bug 2057] New: ssh should treat "Received disconnect" messages as errors

https://bugzilla.mindrot.org/show_bug.cgi?id=2057

            Bug ID: 2057
           Summary: ssh should treat "Received disconnect" messages as
                    errors
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: -current
          Hardware: All
                OS: All
            Status: NEW
          Severity: minor
          Priority: P4
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: imorgan at nas.nasa.gov

Created attachment 2204
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2204&action=edit
Use error() to report "Received disconnect" messages to the user

In packet.c, logit() is used to report SSH2_MSG_DISCONNECT and
SSH_MSG_DISCONNECT messages to the user. This means that if the user
has LogLevel set to "error," such messages will be suppressed. Since
the circumstances which trigger packet_disconnect() to be called are
really error conditions, it seems more appropriate to use error().

One scenario where this occurs is when a user has LogLevel=error to
suppress the login banner of the remote system, but exceeds
MaxAuthTries due to a combination of failed hostbased and public-key
authentication attempts. In that case, the user receives no feedback.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2057

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2204|                            |ok?(dtucker at zip.com.au)
              Flags|                            |

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Comment on attachment 2204
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2204
Use error() to report "Received disconnect" messages to the user

I think this is a good idea. Darren?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2057

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Blocks|                            |2035

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2057

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2204|ok?(dtucker at zip.com.au)     |ok+
              Flags|                            |

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2057

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
applied - this will be in openssh-6.2, due soon. Thanks again

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2057

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
mark bugs closed by openssh-6.2 release as CLOSED

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2057

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2057

--- Comment #4 from Darren Tucker <dtucker at zip.com.au> ---
hm.  one problem: the client does send this packet type at the normal
end of a connection, although it doesn't use packet_disconnect() to do
it:

        if (compat20) {
                packet_start(SSH2_MSG_DISCONNECT);
                packet_put_int(SSH2_DISCONNECT_BY_APPLICATION);
                packet_put_cstring("disconnected by user");
                packet_put_cstring(""); /* language tag */
                packet_send();
                packet_write_wait();
        }

resulting in a lot of this kind of thing in syslog:
sshd[12224]: error: Received disconnect from 192.168.32.1: 11:
disconnected by user

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2057

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|CLOSED                      |REOPENED
         Resolution|FIXED                       |---

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2057

--- Comment #5 from Damien Miller <djm at mindrot.org> ---
Created attachment 2239
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2239&action=edit
Hush sshd-side error for

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2057

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2239|Hush sshd-side error for    |Hush sshd-side error for
        description|                            |SSH2_DISCONNECT_BY_APPLICAT
                   |                            |ION disconnects
   Attachment #2239|                            |ok?(dtucker at zip.com.au)
              Flags|                            |

--- Comment #6 from Damien Miller <djm at mindrot.org> ---
Comment on attachment 2239
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2239
Hush sshd-side error for SSH2_DISCONNECT_BY_APPLICATION disconnects

Only the client generates SSH2_DISCONNECT_BY_APPLICATION exit
notifications and AFAIK it is the only sensible code for
client-initiated disconnects in the standard. I think it is safe to
drop them back to debug()

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2057

--- Comment #7 from Iain Morgan <imorgan at nas.nasa.gov> ---
Sorry for overlooking this case. However, logging client-initiated
disconnects with SYSLOG_LEVEL_DEBUG might be an issue with sites that
expect a message to be logged at session termination.

The behaviour prior to 6.2 was to log such messages via logit() and
thus
SYSLOG_LEVEL_INFO. So, it might be better to do:

    resaon == SSH2_DISCONNECT_BY_APPLICATION ?
    SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2057

--- Comment #8 from Darren Tucker <dtucker at zip.com.au> ---
I agree with Iain: it was logit() which was info, so the client
disconnect case should go back to what it was (INFO).  Otherwise, ok.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2057

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #9 from Damien Miller <djm at mindrot.org> ---
I committed with SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR a couple of
weeks back and it will be in 6.2p2

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2057

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #10 from Damien Miller <djm at mindrot.org> ---
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2057

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2204|ok+                         |
              Flags|                            |

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2057

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2239|ok?(dtucker at dtucker.net)    |
              Flags|                            |

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.