Rocksolid Light

Welcome to novaBBS (click a section below)

mail  files  register  nodelist  faq  login

Every program is a part of some other program, and rarely fits.


computers / comp.security.ssh / Re: Putty combined with CentOS 8 with 802.3ad bonding - lost keystrokes

SubjectAuthor
* Putty combined with CentOS 8 with 802.3ad bonding - lost keystrokesMD Mikka
`- Re: Putty combined with CentOS 8 with 802.3ad bonding - lost keystrokesMD Mikka

1
Subject: Putty combined with CentOS 8 with 802.3ad bonding - lost keystrokes
From: MD Mikka
Newsgroups: comp.security.ssh
Date: Fri, 14 May 2021 14:17 UTC
X-Received: by 2002:a05:620a:2097:: with SMTP id e23mr45010446qka.98.1621001862385;
Fri, 14 May 2021 07:17:42 -0700 (PDT)
X-Received: by 2002:aca:ac58:: with SMTP id v85mr6965870oie.148.1621001862056;
Fri, 14 May 2021 07:17:42 -0700 (PDT)
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!feeds.phibee-telecom.net!newsfeed.xs4all.nl!newsfeed9.news.xs4all.nl!feeder5.feed.usenet.farm!feeder1.feed.usenet.farm!feed.usenet.farm!Xbb.tags.giganews.com!border1.nntp.ams1.giganews.com!nntp.giganews.com!feeder1.cambriumusenet.nl!feed.tweak.nl!209.85.160.216.MISMATCH!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.security.ssh
Date: Fri, 14 May 2021 07:17:41 -0700 (PDT)
Injection-Info: google-groups.googlegroups.com; posting-host=178.58.72.140; posting-account=nMdlGAoAAABCMSckwPWNT07_g2WFoeN1
NNTP-Posting-Host: 178.58.72.140
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <e5082012-018e-4e34-880e-fb029098f980n@googlegroups.com>
Subject: Putty combined with CentOS 8 with 802.3ad bonding - lost keystrokes
From: md.mi...@gmail.com (MD Mikka)
Injection-Date: Fri, 14 May 2021 14:17:42 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: base64
Lines: 351
View all headers
Hello!

I have been following an issue with OpenSSH server on CentOS 8  - package openssh-server-8.0p1-5.el8.x86_64.rpm. The issue happens in combination with Putty (0.71, 0.73 and 0.74 tested) but not with other clients (Cygwin ssh and Windows 10 ssh).

When I press key 'a' nothing appears in the terminal. I have to press again several times till 'a' actually appears in Putty terminal.

This happens usually during the work day. At the time of writing I am not able to reproduce the issue. It happens more often when using Putty over DirectAccess tunnel, less likely over WiFi connection and someties at the start of SSH session even over corporate LAN.

At the same time when this issue happens with Putty other ssh clients have no problems.

First I thought that the issue is somewhere in the switching fiber because the CentOS 8 servers in question all have two network interfaces bonded with 802.3ad. But further investigation showed that the sshd doesn't respond with the packet as would be expected.

These are the packet capture from the server.

No response from server:
No.      Time            Source         Destination   Proto Length  Info
3574933  4521.403882417  172.28.128.57  16.122.12.184 SSHv2    118  Client: Encrypted packet (len=64)
3574934  4521.403904725  16.122.12.184  172.28.128.57 TCP       54  22 -> 26758 [ACK] Seg:4494 Ack=4621 Win=43008 Len=0

With response from the server:
No.      Time            Source         Destination   Proto Length  Info
3575606  4521.509405156  172.28.128.57  16.122.12.184 SSHv2    118  Client: Encrypted packet (len=64)
3575607  4521.509430159  16.122.12.184  172.28.128.57 TCP       54  22 -> 26758 [ACK] Seg:4494 Ack=4685 Win=43008 Len=0
3575608  4521.509765698  16.122.12.184  172.28.128.57 SSHv2    118  Server: Encrypted packet (len=64)
3575619  4521.594057396  172.28.128.57  16.122.12.184 TCP       60  26758 -> 22 [ACK] Seg:4685 Ack=4558 Win=65792 Len=0

From ltrace of sshd one can see that the server is not encripting and sending the response but I don't really know what the real problem is.

No response from the server:
----------------------------------------------------------------------------
sigemptyset(<>)                                                                                                      = 0
sigaddset(<16>, SIGCHLD)                                                                                             = 0
sigprocmask(0, <16>, <>)                                                                                             = 0
sigprocmask(SIG_UNBLOCK, <>, nil)                                                                                    = 0
clock_gettime(7, 0x7ffc86124880, 0x55ce81041720, 0x55ce810414b0)                                                     = 0
read(5, "\301\r\335Q\224,a;\274Y<\312", 16384)                                                                       = 64
memcpy(0x55ce810687e0, "\301\r\335Q\224,a;\274Y<\312\0\202\332\f\267/\275\224\333U.-\213XJl\0+j\270\236\376\275{q\224M\365\233K\334\346\200rd\215J\274yS\vx\305:\251\243\315\222\360\003\374k", 64) = 0x55ce810687e0
__explicit_bzero_chk(0x55ce81069a70, 256, -1, 5)                                                                     = 0x55ce81069a70
EVP_Cipher(0x55ce8101e490, 0x55ce81069a70, 0x55ce810687e0, 16)                                                       = 1
EVP_Cipher(0x55ce8101e490, 0x55ce81069a80, 0x55ce810687f0, 16)                                                       = 1
EVP_MD_CTX_copy_ex(0x55ce81041800, 0x55ce8103fca0, 0, 32)                                                            = 1
EVP_DigestUpdate(0x55ce81041800, 0x7ffc861246fc, 4, 32)                                                              = 1
EVP_DigestUpdate(0x55ce81041800, 0x55ce81069a70, 32, 0xa4010000)                                                     = 1
EVP_DigestFinal_ex(0x55ce81041800, 0x55ce81045e00, 0x7ffc861246a4, 0xffffffff)                                       = 1
EVP_MD_CTX_copy_ex(0x55ce81041800, 0x55ce81060b30, 0, 0x987b)                                                        = 1
EVP_DigestUpdate(0x55ce81041800, 0x55ce81045e00, 32, 0x987b)                                                         = 1
EVP_DigestFinal_ex(0x55ce81041800, 0x55ce801ae3c0, 0x7ffc861246a4, 0xffffffff)                                       = 1
memcpy(0x7ffc86124750, "\236\376\275{q\224M\365\233K\334\346\200rd\215J\274yS\vx\305:\251\243\315\222\360\003\374k", 32) = 0x7ffc86124750
memcpy(0x55ce81044c80, "a", 1)                                                                                       = 0x55ce81044c80
memset(0x55ce81041720, '\0', 8)                                                                                      = 0x55ce81041720
memset(0x55ce810414b0, '\0', 8)                                                                                      = 0x55ce810414b0
clock_gettime(7, 0x7ffc861247d0, 0x55ce81041720, 0x55ce810414b0)                                                     = 0
select(21, 0x55ce81041720, 0x55ce810414b0, 0)                                                                        = 1
sigemptyset(<>)                                                                                                      = 0
sigaddset(<16>, SIGCHLD)                                                                                             = 0
sigprocmask(0, <16>, <>)                                                                                             = 0
sigprocmask(SIG_UNBLOCK, <>, nil)                                                                                    = 0
clock_gettime(7, 0x7ffc86124880, 0x55ce81041720, 0x55ce810414b0)                                                     = 0
write(16, "a", 1)                                                                                                    = 1
tcgetattr(16, 0x7ffc86124820)                                                                                        = 0
memset(0x55ce81041720, '\0', 8)                                                                                      = 0x55ce81041720
memset(0x55ce810414b0, '\0', 8)                                                                                      = 0x55ce810414b0
clock_gettime(7, 0x7ffc861247d0, 0x55ce81041720, 0x55ce810414b0)                                                     = 0
select(21, 0x55ce81041720, 0x55ce810414b0, 0
----------------------------------------------------------------------------

With response from the server:
----------------------------------------------------------------------------
sigemptyset(<>)                                                                                                      = 0
sigaddset(<16>, SIGCHLD)                                                                                             = 0
sigprocmask(0, <16>, <>)                                                                                             = 0
sigprocmask(SIG_UNBLOCK, <>, nil)                                                                                    = 0
clock_gettime(7, 0x7ffc86124880, 0x55ce81041720, 0x55ce810414b0)                                                     = 0
read(5, "y\351*)\n\264\261A\260\237\265\300;iR\244\266\217\340\a\204(n\017Roy\003W\300\367=\324R\227{\375c`W\201'\020\274\t\256`\251\350\304\266dDfo!\212\261u\341\216\346\177\216", 16384) = 64
memcpy(0x55ce810687e0, "y\351*)\n\264\261A\260\237\265\300;iR\244\266\217\340\a\204(n\017Roy\003W\300\367=\324R\227{\375c`W\201'\020\274\t\256`\251\350\304\266dDfo!\212\261u\341\216\346\177\216", 64) = 0x55ce810687e0
__explicit_bzero_chk(0x55ce81069a70, 256, -1, 5)                                                                     = 0x55ce81069a70
EVP_Cipher(0x55ce8101e490, 0x55ce81069a70, 0x55ce810687e0, 16)                                                       = 1
EVP_Cipher(0x55ce8101e490, 0x55ce81069a80, 0x55ce810687f0, 16)                                                       = 1
EVP_MD_CTX_copy_ex(0x55ce81041800, 0x55ce8103fca0, 0, 32)                                                            = 1

Click here to read the complete article
Subject: Re: Putty combined with CentOS 8 with 802.3ad bonding - lost keystrokes
From: MD Mikka
Newsgroups: comp.security.ssh
Date: Fri, 21 May 2021 10:28 UTC
References: 1
X-Received: by 2002:ac8:4812:: with SMTP id g18mr10607100qtq.16.1621592901970;
Fri, 21 May 2021 03:28:21 -0700 (PDT)
X-Received: by 2002:a05:6808:1304:: with SMTP id y4mr1680395oiv.20.1621592901712;
Fri, 21 May 2021 03:28:21 -0700 (PDT)
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!proxad.net!feeder1-2.proxad.net!209.85.160.216.MISMATCH!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.security.ssh
Date: Fri, 21 May 2021 03:28:21 -0700 (PDT)
In-Reply-To: <e5082012-018e-4e34-880e-fb029098f980n@googlegroups.com>
Injection-Info: google-groups.googlegroups.com; posting-host=213.229.248.10; posting-account=nMdlGAoAAABCMSckwPWNT07_g2WFoeN1
NNTP-Posting-Host: 213.229.248.10
References: <e5082012-018e-4e34-880e-fb029098f980n@googlegroups.com>
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <32c2b185-bac1-4ab6-8892-ffb4662a1c4dn@googlegroups.com>
Subject: Re: Putty combined with CentOS 8 with 802.3ad bonding - lost keystrokes
From: md.mi...@gmail.com (MD Mikka)
Injection-Date: Fri, 21 May 2021 10:28:21 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
View all headers
Hello!

As it turns out the problem is using X11 Forwarding when X server is not running.

On Centos 8 (and probably on RHEL8) at login from Putty (with X11 forwarding) dbus-launches on the server (/etc/profile.d/ssh-x-forwarding.sh). If X11 server is not running the dbus-launch process remains alive on the same /dev/pts and it is stealing keystrokes from bash.

In terminal I enter keys a,b,c,d,e,f,g and in the terminal I get: abeg

strace of dbus-launch process:
root@baraba1: ~# strace -p 1276525
strace: Process 1276525 attached
select(1, [0], NULL, [0], NULL)         = 1 (in [0])
read(0, "c", 512)                       = 1
select(1, [0], NULL, [0], NULL)         = 1 (in [0])
read(0, "d", 512)                       = 1
select(1, [0], NULL, [0], NULL)         = 1 (in [0])
read(0, "f", 512)                       = 1
select(1, [0], NULL, [0], NULL


strace of bash:
root@baraba1: ~# strace -p 1276497
strace: Process 1276497 attached
read(0, "a", 1)                         = 1
select(1, [0], NULL, [0], {tv_sec=0, tv_usec=0}) = 0 (Timeout)
write(2, "a", 1)                        = 1
pselect6(1, [0], NULL, NULL, NULL, {[], 8}) = 1 (in [0])
read(0, "b", 1)                         = 1
select(1, [0], NULL, [0], {tv_sec=0, tv_usec=0}) = 0 (Timeout)
write(2, "b", 1)                        = 1
pselect6(1, [0], NULL, NULL, NULL, {[], 8}) = 1 (in [0])
read(0, "e", 1)                         = 1
select(1, [0], NULL, [0], {tv_sec=0, tv_usec=0}) = 0 (Timeout)
write(2, "e", 1)                        = 1
pselect6(1, [0], NULL, NULL, NULL, {[], 8}) = 1 (in [0])
read(0, "g", 1)                         = 1
select(1, [0], NULL, [0], {tv_sec=0, tv_usec=0}) = 0 (Timeout)
write(2, "g", 1)                        = 1
pselect6(1, [0], NULL, NULL, NULL, {[], 8}


If this terminal hijacking from dbus-launch happens there is an easy remedy: just press Ctrl-C several times and dbus-launch will hijack ^C and exit :)

Well, disabling X11 forwardin when not needed is a good rule of thumb but for a better server-side solution I'll have to dig around RHEL bugzilla.

Why did the sshd run without problems on port 80? Because I ran it directly

# /usr/sbin/sshd -p 80

and X11Forwarding is disabled by default :)

I learned a lot while researching this issue and next time I can be more efficient.

Take care,
Miha


1
rocksolid light 0.7.2
clearneti2ptor