https://bugzilla.mindrot.org/show_bug.cgi?id=3295
Bug ID: 3295
Summary: Session Id mismatch
Product: Portable OpenSSH
Version: 8.5p1
Hardware: Other
OS: Windows 10
Status: NEW
Severity: normal
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: balu.gajjala at gmail.com
I'm from the win32 OpenSSH team. After merging V8.5, I'm occasionally
getting a session-id mismatch. If I retry, it goes away.
Looking at the sshd logs, ssh->kex->session_id and session_id2 are
matching but memcmp fails. One interesting observation is that
session_id2_len is always 32 no matter how long the session id is.
---------------------
6220 2021-04-08 18:38:30.216 debug1:
ssh->kex->session_id:+\350\274{\371b
\276\220\030\272DC\206K!\301)\275\257c{\377\340\352\226\310
session_id2:+\350\274{\371b
\276\220\030\272DC\206K!\301)\275\257c{\377\340\352\226\310
session_id2_len:32 ssh->kex->session_id_len:27
6220 2021-04-08 18:38:30.216 fatal: monitor_apply_keystate: session ID
mismatch
6220 2021-04-08 18:38:30.216 debug1: do_cleanup
---------------------
5312 2021-04-08 18:01:51.939 debug1: ssh->kex->session_id:\0234\206
session_id2:\0234\206 session_id2_len:32 ssh->kex->session_id_len:3
5312 2021-04-08 18:01:51.939 fatal: monitor_apply_keystate: session ID
mismatch
5312 2021-04-08 18:01:51.939 debug1: do_cleanup
---------------------
4484 2021-04-08 17:57:25.640 debug1: ssh->kex->session_id: session_id2:
session_id2_len:32 ssh->kex->session_id_len:0
4484 2021-04-08 17:57:25.640 fatal: monitor_apply_keystate: session ID
mismatch
4484 2021-04-08 17:57:25.640 debug1: do_cleanup
--
You are receiving this mail because:
You are watching the assignee of the bug.
balu <balu.gajjala at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |balu.gajjala at gmail.com
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
I can't really tell what is going on for lack of context.
At what point in the connection is the mismatch occurring?
> 5312 2021-04-08 18:01:51.939 debug1: ssh->kex->session_id:\0234\206
session_id2:\0234\206 session_id2_len:32 ssh->kex->session_id_len:3
The session ID length should only ever be exactly the same size as the
KEX hash. There is no KEX hash that has a 3 byte output length :)
--- Comment #2 from balu <balu.gajjala at gmail.com> ---
Created attachment 3497
--> https://bugzilla.mindrot.org/attachment.cgi?id=3497&action=edit
ssh client log
--- Comment #3 from balu <balu.gajjala at gmail.com> ---
Created attachment 3498
--> https://bugzilla.mindrot.org/attachment.cgi?id=3498&action=edit
sshd server logs
--- Comment #4 from balu <balu.gajjala at gmail.com> ---
Scenario - A normal ssh connection fails when the session_id length is
not 32.
Code - V8.5 introduces new code (in monitor_apply_keystate(),
monitor.c) wherein the authenticated sshd process verifies the
session_id. If there is a mismatch in the session id, it closes the
connection.
https://github.com/openssh/openssh-portable/blob/0727dd09eca355e7539cbcb23b148fcee9b21513/monitor.c#L1726
	if (memcmp(sshbuf_ptr(ssh->kex->session_id), session_id2,
	    session_id2_len) != 0)
		fatal_f("session ID mismatch");
strlen(sshbuf_ptr(ssh->kex->session_id)) is not always 32, but
session_id2_len is always 32. If
strlen(sshbuf_ptr(ssh->kex->session_id)) is not 32, the memcmp
condition fails on Windows.
Fix - Use strlen(sshbuf_ptr(ssh->kex->session_id)) instead of
session_id2_len.
	if (memcmp(sshbuf_ptr(ssh->kex->session_id), session_id2,
	    strlen(sshbuf_ptr(ssh->kex->session_id))) != 0)
		fatal_f("session ID mismatch");
FYI, I have attached the client- and server-side logs from my Windows
machine for this issue when the session id is not 32 bytes.
bugzilla-daemon at mindrot.org
2021-Apr-21 00:44 UTC
[Bug 3295] ssh connection is close when session id is not 32 bytes with Session Id mismatch error
balu <balu.gajjala at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|Session Id mismatch |ssh connection is close
| |when session id is not 32
| |bytes with Session Id
| |mismatch error
bugzilla-daemon at mindrot.org
2021-Apr-21 00:44 UTC
[Bug 3295] ssh connection is closed when session id is not 32 bytes with Session Id mismatch error
balu <balu.gajjala at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|ssh connection is close |ssh connection is closed
|when session id is not 32 |when session id is not 32
|bytes with Session Id |bytes with Session Id
|mismatch error |mismatch error
bugzilla-daemon at mindrot.org
2021-Apr-21 00:44 UTC
[Bug 3295] ssh connection is closed when session id is not 32 bytes (Error - Session Id mismatch error)
balu <balu.gajjala at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|ssh connection is closed |ssh connection is closed
|when session id is not 32 |when session id is not 32
|bytes with Session Id |bytes (Error - Session Id
|mismatch error |mismatch error)
bugzilla-daemon at mindrot.org
2021-Apr-27 01:48 UTC
[Bug 3295] ssh connection is closed when session id is not 32 bytes (Error - Session Id mismatch error)
--- Comment #5 from balu <balu.gajjala at gmail.com> ---
ping. Did you get a chance to look at this issue? Thank you.
bugzilla-daemon at mindrot.org
2021-Apr-30 04:04 UTC
[Bug 3295] ssh connection is closed when session id is not 32 bytes (Error - Session Id mismatch error)
--- Comment #6 from Damien Miller <djm at mindrot.org> ---
I don't have any idea what is going wrong here - this does not occur
with OpenSSH as we release it, so it is likely related to changes made
by OpenSSH for Windows.
In any case, strlen() should never be called on the session ID, nor
should printf("%s"). It is binary data and may contain \0 characters.
For this reason the dumps in your sshd log aren't usable for debugging
this - they are truncated.
If you are at some point treating it as an ASCIIZ/UTF8 string, then
that's likely to be your problem.
I would recommend adding some sshbuf_dump(kex->session_id, stderr) calls
to kex.c:kex_derive_keys(), packet.c:kex_to_blob(),
packet.c:kex_from_blob() and monitor.c:monitor_apply_keystate().
Also add sshbuf_dump_data(session_id2, session_id2_len, stderr) to
monitor.c:mm_answer_sign() and monitor.c:monitor_apply_keystate().
These will dump all the session ID copies at various stages of their
lifecycle and might clarify what is getting corrupted.
bugzilla-daemon at mindrot.org
2021-May-03 18:45 UTC
[Bug 3295] ssh connection is closed when session id is not 32 bytes (Error - Session Id mismatch error)
--- Comment #7 from balu <balu.gajjala at gmail.com> ---
Thank you for your input. Windows doesn't have fork(), so we added code
(3 years back) to pass the required information from the sshd root
process to the sshd authenticated process. OpenSSH V8.5 verifies
session_id2 in the authenticated sshd process. I added new code to pass
session_id2 from the sshd root process to the sshd authenticated
process. The bug lies here: I used sshbuf_put_cstring(), which caused
the bug.
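The point made in Comment #6 (the session ID is binary and may contain 0x00 bytes, so strlen()-based handling truncates it) and the root cause given in Comment #7 (serialising it with sshbuf_put_cstring()) can be reproduced with a small model. This is an added example, not OpenSSH or win32-OpenSSH code: put_string, put_cstring, rec_len, session_ids_match, roundtrip and payload_len are hypothetical helpers that only mimic the length-prefixed-record semantics, and the 32-byte session ID is constructed as described in its comment.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical helpers modelled on the semantics the thread discusses (not the
 * real sshbuf API): 4-byte big-endian length prefix, then payload. put_string()
 * takes an explicit length; put_cstring() uses strlen(), valid only for text. */
#define ID_LEN 32

static size_t put_string(uint8_t *rec, const uint8_t *id, size_t len) {
    rec[0] = (uint8_t)(len >> 24); rec[1] = (uint8_t)(len >> 16);
    rec[2] = (uint8_t)(len >> 8);  rec[3] = (uint8_t)len;
    memcpy(rec + 4, id, len);                 /* every byte preserved */
    return 4 + len;
}

/* Stops at the first 0x00 byte; an ID with no 0x00 would make strlen() read
 * past its end instead. */
static size_t put_cstring(uint8_t *rec, const uint8_t *id) {
    return put_string(rec, id, strlen((const char *)id));
}
static size_t rec_len(const uint8_t *rec) {
    return ((size_t)rec[0] << 24) | ((size_t)rec[1] << 16) |
           ((size_t)rec[2] << 8) | (size_t)rec[3];
}

/* Receiver's check: compare lengths before memcmp(), so a truncated copy is
 * reported as a mismatch instead of slipping through as a prefix match. */
static int session_ids_match(const uint8_t *rec, const uint8_t *id, size_t len) {
    return rec_len(rec) == len && memcmp(rec + 4, id, len) == 0;
}

/* Constructed 32-byte session ID: bytes 0-26 transcribed from the first dump
 * in the report (its line break taken as 0x0a), byte 27 a 0x00 that explains
 * the logged "session_id_len:27", bytes 28-31 made up. */
static const uint8_t kSessionId[ID_LEN] = {
    0x2b,0xe8,0xbc,0x7b,0xf9,0x62,0x0a,0xbe,0x90,0x18,0xba,0x44,0x43,0x86,
    0x4b,0x21,0xc1,0x29,0xbd,0xaf,0x63,0x7b,0xff,0xe0,0xea,0x96,0xc8,0x00,
    0x5a,0x33,0x07,0xd4 };

/* Serialise one way, then run the receiver's check against the original.
 * Returns 1 on match (put_string) or 0 (put_cstring); *wire_len, if non-NULL,
 * receives the payload length that went on the wire: 32 vs 27 here. */
static int roundtrip(int use_cstring, size_t *wire_len) {
    uint8_t rec[4 + ID_LEN];
    if (use_cstring) put_cstring(rec, kSessionId);
    else put_string(rec, kSessionId, ID_LEN);
    if (wire_len) *wire_len = rec_len(rec);
    return session_ids_match(rec, kSessionId, ID_LEN);
}
static size_t payload_len(int use_cstring) { size_t n; roundtrip(use_cstring, &n); return n; }
```

roundtrip(1, NULL) returns 0 with 27 payload bytes on the wire, roundtrip(0, NULL) returns 1 with all 32; the length check in session_ids_match is what makes the truncated copy a hard failure rather than a silent prefix match.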
bugzilla-daemon at mindrot.org
2021-May-03 18:45 UTC
[Bug 3295] ssh connection is closed when session id is not 32 bytes (Error - Session Id mismatch error)
balu <balu.gajjala at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
bugzilla-daemon at mindrot.org
2022-Feb-25 02:59 UTC
[Bug 3295] ssh connection is closed when session id is not 32 bytes (Error - Session Id mismatch error)
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #8 from Damien Miller <djm at mindrot.org> ---
closing bugs resolved before openssh-8.9