bugzilla-daemon at mindrot.org
2025-Jul-03 11:51 UTC
[Bug 3846] New: Connect failure with large sshd_config
https://bugzilla.mindrot.org/show_bug.cgi?id=3846
Bug ID: 3846
Summary: Connect failure with large sshd_config
Product: Portable OpenSSH
Version: 10.0p2
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: dbelyavs at redhat.com
I use this test script
$ cat regress/connect_large_sshd.sh
```
# $OpenBSD: connect.sh,v 1.8 2020/01/25 02:57:53 dtucker Exp $
# Placed in the Public Domain.
tid="simple connect"
printf 'Match Group GRP\nChrootDirectory /some/path/for/group/\n%.s' {1..10000} >> $OBJ/sshd_config
#cat $OBJ/sshd_config
start_sshd
trace "direct connect with large sshd_config"
${SSH} -F $OBJ/ssh_config somehost true
if [ $? -ne 0 ]; then
fail "ssh direct connect with large sshd_config failed"
fi
```
Command
make tests LTESTS=connect_large_sshd INTEROP_TESTS="" SKIP_UNIT=1
fails with the current master and OpenSSH-10.0p1/p2 but succeeds with
9.9p2
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2025-Jul-03 12:23 UTC
[Bug 3846] Connect failure with large sshd_config
https://bugzilla.mindrot.org/show_bug.cgi?id=3846
--- Comment #1 from Dmitry Belyavskiy <dbelyavs at redhat.com> ---
I'm afraid git bisect is not of much help
==============
6072e4c9385713e9c166f32cfca6a7e603d4f0b8 is the first bad commit
commit 6072e4c9385713e9c166f32cfca6a7e603d4f0b8
Author: djm at openbsd.org <djm at openbsd.org>
Date: Mon Oct 14 01:57:50 2024 +0000
upstream: Split per-connection sshd-session binary
This splits the user authentication code from the sshd-session
binary into a separate sshd-auth binary. This will be executed by
sshd-session to complete the user authentication phase of the
protocol only.
Splitting this code into a separate binary ensures that the crucial
pre-authentication attack surface has an entirely disjoint address
space from the code used for the rest of the connection. It also
yields a small runtime memory saving as the authentication code will
be unloaded after the authentication phase completes.
Joint work with markus@ feedback deraadt@
Tested in snaps since last week
OpenBSD-Commit-ID: 9c3b2087ae08626ec31b4177b023db600e986d9c
===============
bugzilla-daemon at mindrot.org
2025-Jul-03 12:41 UTC
[Bug 3846] Connect failure with large sshd_config
https://bugzilla.mindrot.org/show_bug.cgi?id=3846
Dmitry Belyavskiy <dbelyavs at redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Priority|P5 |P3
Severity|enhancement |normal
bugzilla-daemon at mindrot.org
2025-Jul-04 02:15 UTC
[Bug 3846] Connect failure with large sshd_config
https://bugzilla.mindrot.org/show_bug.cgi?id=3846
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org
CC| |djm at mindrot.org,
| |dtucker at dtucker.net
Attachment #3889| |ok?(dtucker at dtucker.net)
Flags| |
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Created attachment 3889
--> https://bugzilla.mindrot.org/attachment.cgi?id=3889&action=edit
Increase max state size to 4MB
There's an implicit limit of 256KB for config+connection state at
present. We can definitely increase it, but there's always going to be some
limit.
This increases the limit and provides an error message before sshd
daemonises if the config is likely too large. I say "likely" because we
can't be 100% sure whether the config+connection state will exceed the
maximum message size. I've included 64KB of headroom for the other
connection state, typically this is <2KB.
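A sizing check for the limits discussed in comment #2, as an added example that is not part of the bug thread or of OpenSSH. It assumes the raw byte size of the config file(s) approximates what counts toward the limit; the function names and the generated sample file are hypothetical.

```shell
#!/bin/sh
# Figures quoted in the thread: 256KB old limit, 4MB new limit, 64KB headroom.
OLD_LIMIT=$((256 * 1024))
NEW_LIMIT=$((4 * 1024 * 1024))
HEADROOM=$((64 * 1024))

# config_bytes FILE...: print the total size in bytes of the given files
# (pass the main sshd_config plus any files it pulls in via Include).
config_bytes() {
    total=0
    for f in "$@"; do
        n=$(wc -c < "$f") || return 1
        total=$((total + n))
    done
    echo "$total"
}

# fits_limit BYTES LIMIT: succeed only if BYTES still leaves HEADROOM
# free below LIMIT for the rest of the connection state.
fits_limit() {
    [ "$1" -le $(( $2 - HEADROOM )) ]
}

# make_sample FILE N: constructed input, N copies of the Match block
# used by the reporter's regression test.
make_sample() {
    awk -v n="$2" 'BEGIN {
        for (i = 0; i < n; i++)
            print "Match Group GRP\nChrootDirectory /some/path/for/group/"
    }' > "$1"
}
```

Run against a fleet's real configs, `fits_limit "$(config_bytes /path/to/sshd_config)" "$OLD_LIMIT"` flags hosts whose config would stop accepting connections on 10.0p1/p2.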
bugzilla-daemon at mindrot.org
2025-Jul-04 04:02 UTC
[Bug 3846] Connect failure with large sshd_config
https://bugzilla.mindrot.org/show_bug.cgi?id=3846
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #3889|ok?(dtucker at dtucker.net) |ok+
Flags| |
bugzilla-daemon at mindrot.org
2025-Jul-04 04:03 UTC
[Bug 3846] Connect failure with large sshd_config
https://bugzilla.mindrot.org/show_bug.cgi?id=3846
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |3808
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3808
[Bug 3808] Tracking bug for OpenSSH 10.1
bugzilla-daemon at mindrot.org
2025-Jul-04 07:50 UTC
[Bug 3846] Connect failure with large sshd_config
https://bugzilla.mindrot.org/show_bug.cgi?id=3846
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Committed as 0cf38d74463 - thanks!
bugzilla-daemon at mindrot.org
2025-Jul-04 07:54 UTC
[Bug 3846] Connect failure with large sshd_config
https://bugzilla.mindrot.org/show_bug.cgi?id=3846
--- Comment #4 from Damien Miller <djm at mindrot.org> ---
I also added your regress test
bugzilla-daemon at mindrot.org
2025-Jul-04 09:04 UTC
[Bug 3846] Connect failure with large sshd_config
https://bugzilla.mindrot.org/show_bug.cgi?id=3846
--- Comment #5 from Dmitry Belyavskiy <dbelyavs at redhat.com> ---
I'm sorry but the latest master configured with
./configure --build=x86_64-redhat-linux --host=x86_64-redhat-linux
--program-prefix= --disable-dependency-tracking --prefix=/usr
--exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin
--sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include
--libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var
--runstatedir=/run --sharedstatedir=/var/lib --mandir=/usr/share/man
--infodir=/usr/share/info --sysconfdir=/etc/ssh
--libexecdir=/usr/libexec/openssh --datadir=/usr/share/openssh
--with-default-path=/usr/local/bin:/usr/bin:/usr/local/sbin
--with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/bin
--with-privsep-path=/usr/share/empty.sshd --disable-strip
--without-zlib-version-check --with-ipaddr-display --with-pie=no
--without-hardening --with-systemd --with-default-pkcs11-provider=yes
--with-security-key-builtin=yes --with-pam --with-selinux
--with-audit=linux --with-sandbox=seccomp_filter --with-kerberos5
--with-libedit
fails to compile with
```
In file included from sshd.c:97:
monitor_wrap.h:68:1: error: unknown type name ‘OM_uint32’
68 | OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
| ^~~~~~~~~
monitor_wrap.h:68:36: error: unknown type name ‘Gssctxt’
68 | OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
| ^~~~~~~
monitor_wrap.h:68:48: error: unknown type name ‘gss_OID’
68 | OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
| ^~~~~~~
monitor_wrap.h:69:1: error: unknown type name ‘OM_uint32’
69 | OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
| ^~~~~~~~~
monitor_wrap.h:69:36: error: unknown type name ‘Gssctxt’
69 | OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
| ^~~~~~~
monitor_wrap.h:70:4: error: unknown type name ‘gss_buffer_desc’
70 | gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
| ^~~~~~~~~~~~~~~
monitor_wrap.h:70:23: error: unknown type name ‘gss_buffer_desc’
70 | gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
| ^~~~~~~~~~~~~~~
monitor_wrap.h:70:42: error: unknown type name ‘OM_uint32’
70 | gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
| ^~~~~~~~~
monitor_wrap.h:72:1: error: unknown type name ‘OM_uint32’
72 | OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
| ^~~~~~~~~
monitor_wrap.h:72:34: error: unknown type name ‘Gssctxt’
72 | OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
| ^~~~~~~
monitor_wrap.h:72:45: error: unknown type name ‘gss_buffer_t’
72 | OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
| ^~~~~~~~~~~~
monitor_wrap.h:72:59: error: unknown type name ‘gss_buffer_t’
72 | OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
| ^~~~~~~~~~~~
make: *** [Makefile:218: sshd.o] Error 1
```
bugzilla-daemon at mindrot.org
2025-Jul-04 14:30 UTC
[Bug 3846] Connect failure with large sshd_config
https://bugzilla.mindrot.org/show_bug.cgi?id=3846
--- Comment #6 from Dmitry Belyavskiy <dbelyavs at redhat.com> ---
Created attachment 3890
--> https://bugzilla.mindrot.org/attachment.cgi?id=3890&action=edit
compilation fix
This change makes code compiling again for me
bugzilla-daemon at mindrot.org
2025-Jul-05 10:54 UTC
[Bug 3846] Connect failure with large sshd_config
https://bugzilla.mindrot.org/show_bug.cgi?id=3846
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED
--- Comment #7 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to Dmitry Belyavskiy from comment #6)
> Created attachment 3890 [details]
> compilation fix
>
> This change makes code compiling again for me
The github tests also caught this:
https://github.com/openssh/openssh-portable/actions/runs/16068702490
Applied as https://github.com/openssh/openssh-portable/commit/c971f3d.
Thanks.