bugzilla-daemon at bugzilla.mindrot.org
2020-Feb-11 12:48 UTC
[Bug 3118] New: ProxyCommand and ProxyJump not works with openssh-server-8.1p1-1.el7.x86_64
https://bugzilla.mindrot.org/show_bug.cgi?id=3118

Bug ID: 3118
Summary: ProxyCommand and ProxyJump not works with openssh-server-8.1p1-1.el7.x86_64
Product: Portable OpenSSH
Version: 8.1p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: security
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: henzhang at aligntech.com

Hi Team,

To remediate some vulnerabilities, I have upgraded ssh from 7.4 to 8.1p1 on the bastion "CentOS Linux release 7.7.1908 (Core)".
After that we can't use ProxyCommand/ProxyJump with the target server.

We tried the following actions:

1. With the default 7.4 ssh, connecting to the target instance with ProxyCommand works well.

Host prd-bastion_host
    User centos
    IdentityFile ~/.ssh/Admins.pem
    Hostname xxx.xxx.xxx.xxx
    Port 22

Host 10.244.152.103
    User centos
    IdentityFile ~/.ssh/Admins.pem
    ProxyJump prd-bastion_host

2. With the bastion ssh upgraded to 8.1, ssh 10.244.152.103 fails.

3. With both the bastion and the target instance ssh upgraded to 8.1, it still fails:

debug1: Authentication succeeded (publickey).
Authenticated to X.X.X.X ([X.X.X.X]:22).
debug3: ssh_init_stdio_forwarding: 10.244.152.103,:22
debug1: channel_connect_stdio_fwd 10.244.152.103,:22
debug1: channel 0: new [stdio-forward]
debug2: fd 4 setting O_NONBLOCK
debug2: fd 5 setting O_NONBLOCK
debug1: getpeername failed: Bad file descriptor
debug3: send packet: type 90
debug2: fd 3 setting TCP_NODELAY
debug3: ssh_packet_set_tos: set IP_TOS 0x48
debug1: Requesting no-more-sessions@openssh.com
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug3: receive packet: type 80
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug3: receive packet: type 4
debug1: Remote: /home/centos/.ssh/authorized_keys:4: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: receive packet: type 4
debug1: Remote: /home/centos/.ssh/authorized_keys:4: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug3: receive packet: type 92
channel 0: open failed: connect failed: open failed
debug2: channel_input_open_failure: channel 0: callback start
stdio forwarding failed
kex_exchange_identification: Connection closed by remote host

--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2020-Feb-11 12:49 UTC
[Bug 3118] ProxyCommand and ProxyJump not works with openssh-server-8.1p1-1.el7.x86_64
https://bugzilla.mindrot.org/show_bug.cgi?id=3118

--- Comment #1 from Henry Zhang <henzhang at aligntech.com> ---
ssh -A bastion_ip, then ssh targetIP: it works with sshd 8.1p1.
bugzilla-daemon at bugzilla.mindrot.org
2020-Feb-13 04:20 UTC
[Bug 3118] ProxyCommand and ProxyJump not works with openssh-server-8.1p1-1.el7.x86_64
https://bugzilla.mindrot.org/show_bug.cgi?id=3118

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net

--- Comment #2 from Darren Tucker <dtucker at dtucker.net> ---
"openssh-server-8.1p1-1.el7.x86_64" is a vendor-supplied package. Can you reproduce the problem with an openssh built from the source we ship at openssh.com? If not you need to report the problem to the vendor.
bugzilla-daemon at bugzilla.mindrot.org
2020-Feb-14 10:08 UTC
[Bug 3118] ProxyCommand and ProxyJump not works with openssh-server-8.1p1-1.el7.x86_64
https://bugzilla.mindrot.org/show_bug.cgi?id=3118

--- Comment #3 from Henry Zhang <henzhang at aligntech.com> ---
@Darren Tucker, thanks for the reminder. Actually, I built these rpms myself.
Today I also tried building from source code. We still have the same issue.

# yum install wget gcc openssl-devel pam-devel rpm-build tcp_wrappers-devel -y
# wget -P /usr/src/ https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.1p1.tar.gz
# cd /usr/src/
# tar xf openssh-8.1p1.tar.gz
# cd openssh-8.1p1
# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-tcp-wrappers
# make
# make install
# cp contrib/redhat/sshd.init /etc/init.d/sshd
# echo "PasswordAuthentication yes" >> /etc/ssh/sshd_config
# chkconfig --add sshd
# chkconfig sshd on
# service sshd restart

git:(master) ? ssh 10.244.164.208 -v
OpenSSH_8.1p1, OpenSSL 1.1.1d 10 Sep 2019
debug1: Reading configuration data /Users/haifeng.zhang/.ssh/config
debug1: /Users/haifeng.zhang/.ssh/config line 120: Applying options for 10.244.16*
debug1: Reading configuration data /usr/local/etc/ssh/ssh_config
debug1: Executing proxy command: exec ssh -W 10.244.164.208:22 bastion_oed_qas
debug1: identity file /Users/haifeng.zhang/.ssh/AlignAdmins.pem type -1
debug1: identity file /Users/haifeng.zhang/.ssh/AlignAdmins.pem-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
channel 0: open failed: connect failed: open failed
stdio forwarding failed
kex_exchange_identification: Connection closed by remote host

[centos@ip-10-244-160-105 ~]$ openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
[centos@ip-10-244-160-105 ~]$ rpm -qa|grep zlib
zlib-devel-1.2.7-18.el7.x86_64
zlib-1.2.7-18.el7.i686
zlib-1.2.7-18.el7.x86_64
bugzilla-daemon at mindrot.org
2023-Oct-11 06:50 UTC
[Bug 3118] ProxyCommand and ProxyJump not works with openssh-server-8.1p1-1.el7.x86_64
https://bugzilla.mindrot.org/show_bug.cgi?id=3118

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
This is the server refusing the port forward. Can you get logs from the server?
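
Added example, not part of the bug thread and not OpenSSH project code: a shell filter over the effective server configuration printed by `sshd -T`, listing the settings that can make sshd refuse the direct-tcpip channel that ProxyJump and `ssh -W` open. The function name `check_forwarding` and the two sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Reads an `sshd -T` dump on stdin (lowercase "keyword value" lines) and
# prints one finding per setting that can stop the server from opening
# direct-tcpip channels, which is what ProxyJump and `ssh -W` request.
# On a real bastion, as root:  sshd -T | check_forwarding
check_forwarding() {
    awk '
        { key = tolower($1); val = $2 }
        # "yes" and "local" both permit client-requested (direct-tcpip) forwards.
        key == "allowtcpforwarding" && val != "yes" && val != "local" {
            print "BLOCK allowtcpforwarding=" val; n++
        }
        # DisableForwarding overrides every other forwarding option.
        key == "disableforwarding" && val == "yes" {
            print "BLOCK disableforwarding=yes"; n++
        }
        # Anything other than "any" limits which host:port may be reached.
        key == "permitopen" && val != "any" {
            $1 = ""; sub(/^ /, "")
            print "RESTRICT permitopen=" $0; n++
        }
        END { if (!n) print "OK no forwarding restriction in effective config" }
    '
}

# Constructed sample: forwarding-related defaults as `sshd -T` reports them.
SAMPLE_DEFAULT='port 22
allowtcpforwarding yes
disableforwarding no
permitopen any'

# Constructed sample: a bastion locked down so that -W/ProxyJump is refused
# (192.0.2.10 is a documentation address, not a host from the thread).
SAMPLE_LOCKED='port 22
allowtcpforwarding remote
disableforwarding no
permitopen 192.0.2.10:22'

echo "== default =="
printf '%s\n' "$SAMPLE_DEFAULT" | check_forwarding
echo "== locked down =="
printf '%s\n' "$SAMPLE_LOCKED" | check_forwarding
```

A clean result only rules out these configuration settings; the server-side sshd log is still needed to see why a particular channel open was refused.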