On 09/04/2023 02:20, Philip Prindeville wrote:> What's odd is that the length is*always* 1231976033 (which is 0x496E7661 or "Inva" in ASCII).Could you get a tcpdump when this happens? Then maybe more of the error can be captured. I grepped for Inva in the source code. There are lots of error messages which start with this which are sent with error() or fatal() or fprint(stderr, ...), but two which stand out as being a bit different: # kex.c ?invalid: ??????????????? send_error(ssh, "Invalid SSH identification string."); # packet.c ??????? if (*typep < SSH2_MSG_MIN || *typep >= SSH2_MSG_LOCAL_MIN) { ??????????????? if ((r = sshpkt_disconnect(ssh, ??????????????????? "Invalid ssh2 packet type: %d", *typep)) != 0 || If it happens to be either of these, then the tcpdump showing the exchange prior to this point would be enlightening.
Brian Candler wrote:> > What's odd is that the length is *always* 1231976033 (which is > > 0x496E7661 or "Inva" in ASCII). > > Could you get a tcpdump when this happens?Or debug output from at least the client (run ssh with -vvv) or preferably the server (run sshd with -ddd). //Peter
Sorry about taking so long to get back to you. The problem is sporadic and I've had other fires to put out first... Here's a PCAP of authentication failures: https://www.redfish-solutions.com/misc/kvm1.pcap> On Apr 9, 2023, at 1:21 AM, Brian Candler <b.candler at pobox.com> wrote: > > On 09/04/2023 02:20, Philip Prindeville wrote: >> What's odd is that the length is*always* 1231976033 (which is 0x496E7661 or "Inva" in ASCII). > > Could you get a tcpdump when this happens? Then maybe more of the error can be captured. > > I grepped for Inva in the source code. There are lots of error messages which start with this which are sent with error() or fatal() or fprint(stderr, ...), but two which stand out as being a bit different: > > # kex.c > > invalid: > send_error(ssh, "Invalid SSH identification string."); > > # packet.c > > if (*typep < SSH2_MSG_MIN || *typep >= SSH2_MSG_LOCAL_MIN) { > if ((r = sshpkt_disconnect(ssh, > "Invalid ssh2 packet type: %d", *typep)) != 0 || > > If it happens to be either of these, then the tcpdump showing the exchange prior to this point would be enlightening. >