Discussion:
Tera Term, Unexpected SSH2 message(80) on current stage(6) [was
Bryan Drewery
2015-04-09 02:28:53 UTC
When will it be added in?
It's already committed. It's in git now and will be in the next snapshot.
Is this an error that breaks the connection or a warning?
Break the connection; in this case Tera Type.
It seems to be crashing on a valid, but unexpected extension message, do
you know what identification tera type sends in its ssh banner?
I recently upgraded to 6.8 and ran into this. It breaks the client.
debug1: Client protocol version 2.0; client software version TTSSH/2.72
Win32
[...]
Received disconnect from 10.10.1.139: 11: Unexpected SSH2 message(80) on
current stage(6)
It seems that Tera Term has fixed this but not yet released a build with it.

http://en.sourceforge.jp/ticket/browse.php?group_id=1412&tid=35010
http://en.sourceforge.jp/projects/ttssh2/scm/svn/commits/5829

This patch fixes it in OpenSSH for me:

https://people.freebsd.org/~bdrewery/patches/ttssh-host-keys.diff

Regards,
Bryan Drewery
Darren Tucker
2015-04-09 02:39:58 UTC
Received disconnect from 10.10.1.139: 11: Unexpected SSH2 message(80) on
current stage(6)
Message type 80 is SSH_MSG_GLOBAL_REQUEST, and RFC4254 section 4 says "Note
that both the client and server MAY send global requests at any time, and
the receiver MUST respond appropriately."

Any idea what the message is? It'd be nice if the client showed the whole
packet, but failing that you could build a server with "./configure
--with-cflags=-DPACKET_DEBUG" then pick the packet out of the server-side
debug logs.

The only global message I can think of is the protocol keepalives, in which
case you could try setting "ClientAliveInterval 0" in sshd_config to see if
that helps.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
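
The RFC 4254 rule quoted above, as an added example (not OpenSSH or Tera Term code): a receiver that does not recognise a global request ignores it or, when want_reply is set, answers SSH_MSG_REQUEST_FAILURE instead of disconnecting. The function name, result enum and sample payloads, including the request name `ext@example.test`, are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSH_MSG_GLOBAL_REQUEST  80	/* RFC 4254 message numbers */
#define SSH_MSG_REQUEST_FAILURE 82

enum gr_result { GR_MALFORMED = -1, GR_IGNORED = 0, GR_REPLY_FAILURE = 1 };

/* Constructed sample payloads; the request name is made up. */
static const uint8_t pkt_no_reply[] =
    "\x50\x00\x00\x00\x10" "ext@example.test" "\x00";
static const uint8_t pkt_want_reply[] =
    "\x50\x00\x00\x00\x10" "ext@example.test" "\x01";
static const uint8_t pkt_bad_len[] = "\x50\xff\xff\xff\xff" "ext";

/*
 * Payload: byte 80 | uint32 name_len | name | boolean want_reply | data.
 * No request names are recognised here, so a well-formed request is
 * ignored or refused, never treated as a reason to disconnect.
 * On GR_REPLY_FAILURE, *reply is the one-byte payload to send back.
 */
enum gr_result
handle_global_request(const uint8_t *p, size_t len, char *name,
    size_t name_sz, uint8_t *reply)
{
	uint32_t nlen;

	if (len < 5 || p[0] != SSH_MSG_GLOBAL_REQUEST)
		return GR_MALFORMED;
	nlen = ((uint32_t)p[1] << 24) | ((uint32_t)p[2] << 16) |
	    ((uint32_t)p[3] << 8) | p[4];
	/* The name and the want_reply byte must both fit in the packet. */
	if (nlen >= len - 5 || nlen >= name_sz)
		return GR_MALFORMED;
	memcpy(name, p + 5, nlen);
	name[nlen] = '\0';
	if (p[5 + nlen] == 0)
		return GR_IGNORED;
	*reply = SSH_MSG_REQUEST_FAILURE;
	return GR_REPLY_FAILURE;
}

int
main(void)
{
	char name[64];
	uint8_t reply = 0;
	int r = handle_global_request(pkt_want_reply,
	    sizeof(pkt_want_reply) - 1, name, sizeof(name), &reply);

	printf("%s -> result %d, reply type %u\n", name, r, (unsigned)reply);
	return 0;
}
```
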
Bryan Drewery
2015-04-09 03:07:57 UTC
Post by Bryan Drewery
It seems that Tera Term has fixed this but not yet released a build
with it.
http://en.sourceforge.jp/ticket/browse.php?group_id=1412&tid=35010
http://en.sourceforge.jp/projects/ttssh2/scm/svn/commits/5829
Reading that change it looks like Tera Term before that change would
also crash when ClientAliveInterval is enabled on the server?
I see what you're saying but I am unable to create any error by enabling
ClientAliveInterval. I set it to 1 and get no errors on the client. sshd
debugging:

debug2: channel 0: request ***@openssh.com confirm 1
debug2: tcpwinsz: 65700 for connection: 3
debug2: tcpwinsz: 65700 for connection: 3
debug1: Got 100/16 for keepalive
debug2: tcpwinsz: 65700 for connection: 3
debug2: channel 0: request ***@openssh.com confirm 1
debug2: tcpwinsz: 65700 for connection: 3
debug2: tcpwinsz: 65700 for connection: 3
debug1: Got 100/17 for keepalive
debug2: tcpwinsz: 65700 for connection: 3
debug2: channel 0: request ***@openssh.com confirm 1
debug2: tcpwinsz: 65700 for connection: 3
debug2: tcpwinsz: 65700 for connection: 3
debug1: Got 100/18 for keepalive
debug2: tcpwinsz: 65700 for connection: 3
debug2: channel 0: request ***@openssh.com confirm 1
debug2: tcpwinsz: 65700 for connection: 3
debug2: tcpwinsz: 65700 for connection: 3
debug1: Got 100/19 for keepalive
debug2: tcpwinsz: 65700 for connection: 3

I think it just ignores the SSH2_MSG_GLOBAL_REQUEST packets once it is
fully connected. Seeing them before the full connection is unexpected to
it as the error seems to imply (Unexpected... on current stage). I don't
see anything in ssh.c handling keepalive messages.
Post by Bryan Drewery
https://people.freebsd.org/~bdrewery/patches/ttssh-host-keys.diff
Darren Tucker
2015-04-09 02:56:01 UTC
Post by Bryan Drewery
It seems that Tera Term has fixed this but not yet released a build with
it.
http://en.sourceforge.jp/ticket/browse.php?group_id=1412&tid=35010
http://en.sourceforge.jp/projects/ttssh2/scm/svn/commits/5829
Reading that change it looks like Tera Term before that change would also
crash when ClientAliveInterval is enabled on the server?
Post by Bryan Drewery
https://people.freebsd.org/~bdrewery/patches/ttssh-host-keys.diff
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Darren Tucker
2015-04-09 04:02:47 UTC
On 4/8/2015 9:56 PM, Darren Tucker wrote:
Reading that change it looks like
Tera Term before that change would
Post by Bryan Drewery
also crash when ClientAliveInterval is enabled on the server?
I see what you're saying but I am unable to create any error by enabling
ClientAliveInterval. I set it to 1 and get no errors on the client. sshd
Those are channel requests not global requests. sshd does this in
serverloop.c:

if ((channel_id = channel_find_open()) == -1) {
packet_start(SSH2_MSG_GLOBAL_REQUEST);
packet_put_cstring("***@openssh.com");
packet_put_char(1); /* boolean: want reply */
} else {
channel_request_start(channel_id, "***@openssh.com",
1);
}

and Tera Term seems to handle the channel requests just fine. Presumably
if you could get a connection with no active channels (ie the equivalent of
ssh -N) then perhaps it'd have a problem, or perhaps that's not even
possible with that client.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Damien Miller
2015-04-09 04:22:51 UTC
Post by Darren Tucker
Any idea what the message is? It'd be nice if the client showed the whole
packet, but failing that you could build a server with "./configure
--with-cflags=-DPACKET_DEBUG" then pick the packet out of the server-side
debug logs.
It's almost certainly the recently-added ***@openssh.com hostkey
rotation extension.

-d
Bob Rasmussen
2015-04-09 05:54:21 UTC
I agree it is hostkey rotation, as described in the change notes for
version 6.8 of SSH.

I ran into the same thing with Anzio, our own terminal emulator (SSH
client). We also have a fix available, but not packaged into an installer.
Post by Damien Miller
Post by Darren Tucker
Any idea what the message is? It'd be nice if the client showed the whole
packet, but failing that you could build a server with "./configure
--with-cflags=-DPACKET_DEBUG" then pick the packet out of the server-side
debug logs.
rotation extension.
-d
_______________________________________________
openssh-unix-dev mailing list
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Regards,
....Bob Rasmussen, President, Rasmussen Software, Inc.

personal e-mail: ***@anzio.com
company e-mail: ***@anzio.com
voice: (US) 503-624-0360 (9:00-6:00 Pacific Time)
fax: (US) 503-624-0760
web: http://www.anzio.com
street address: Rasmussen Software, Inc.
10240 SW Nimbus, Suite L9
Portland, OR 97223 USA
Bryan Drewery
2015-04-09 14:57:50 UTC
Post by Damien Miller
Post by Darren Tucker
Any idea what the message is? It'd be nice if the client showed the whole
packet, but failing that you could build a server with "./configure
--with-cflags=-DPACKET_DEBUG" then pick the packet out of the server-side
debug logs.
rotation extension.
Yup. My patch disables for TTSSH*. Given the client has a fix they need
to release, I don't think it is critical to add support into OpenSSH for
working around it. Unless more clients show the issue then I think it,
or changes to the hostkey support, should be considered.

Either way I provided a patch if anyone else wants to work around it for now.

Regards,
Bryan Drewery
IWAMOTO Kouichi
2015-04-09 19:45:56 UTC
On Wed, 08 Apr 2015 21:28:53 -0500
Post by Bryan Drewery
https://people.freebsd.org/~bdrewery/patches/ttssh-host-keys.diff
In this change, hostkey rotation is not used if Tera Term supports it in future.
Could you change a modification to the compat.c as follows?

--- compat.c.orig 2015-03-17 14:49:20.000000000 +0900
+++ compat.c 2015-04-09 18:35:16.000000000 +0900
@@ -167,6 +167,17 @@
SSH_BUG_SCANNER },
{ "Probe-*",
SSH_BUG_PROBE },
+ { "TTSSH/1.5.*,"
+ "TeraTerm SSH*,"
+ "TTSSH/2.1*,"
+ "TTSSH/2.2*,"
+ "TTSSH/2.3*,"
+ "TTSSH/2.4*,"
+ "TTSSH/2.5*,"
+ "TTSSH/2.6*,"
+ "TTSSH/2.70*,"
+ "TTSSH/2.71*,"
+ "TTSSH/2.72*", SSH_BUG_HOSTKEYS },
{ NULL, 0 }
};
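
Review bot: SSH_BUG_HOSTKEYS is used in the new table entry, but this patch touches only compat.c, so on its own it has nothing that defines the flag and nothing that acts on it. It needs a companion #define in compat.h and a check at the point where the server sends the hostkeys notification. A short comment above the entry saying why the list stops at "TTSSH/2.72*" would also explain why the versions are enumerated instead of using a single TTSSH* pattern.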
--
IWAMOTO Kouichi (***@iwmt.org/***@postfix.jp/***@TeraTerm.Net)
Bryan Drewery
2015-04-09 20:18:23 UTC
Post by IWAMOTO Kouichi
On Wed, 08 Apr 2015 21:28:53 -0500
Post by Bryan Drewery
https://people.freebsd.org/~bdrewery/patches/ttssh-host-keys.diff
In this change, hostkey rotation is not used if Tera Term supports it in future.
Could you change a modification to the compat.c as follows?
Very good point. A poor oversight on my part. I've updated the patch.

Thanks,
Bryan Drewery
Damien Miller
2015-04-10 00:16:55 UTC
Post by IWAMOTO Kouichi
On Wed, 08 Apr 2015 21:28:53 -0500
Post by Bryan Drewery
https://people.freebsd.org/~bdrewery/patches/ttssh-host-keys.diff
In this change, hostkey rotation is not used if Tera Term supports it in future.
Could you change a modification to the compat.c as follows?
so, something like:

Index: compat.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/compat.c,v
retrieving revision 1.88
diff -u -p -r1.88 compat.c
--- compat.c 7 Apr 2015 23:00:42 -0000 1.88
+++ compat.c 10 Apr 2015 00:15:27 -0000
@@ -165,6 +165,17 @@ compat_datafellows(const char *version)
SSH_BUG_SCANNER },
{ "Probe-*",
SSH_BUG_PROBE },
+ { "TTSSH/1.5.*,"
+ "TeraTerm SSH*,"
+ "TTSSH/2.1*,"
+ "TTSSH/2.2*,"
+ "TTSSH/2.3*,"
+ "TTSSH/2.4*,"
+ "TTSSH/2.5*,"
+ "TTSSH/2.6*,"
+ "TTSSH/2.70*,"
+ "TTSSH/2.71*,"
+ "TTSSH/2.72*", SSH_BUG_HOSTKEYS },
{ NULL, 0 }
};

Index: compat.h
===================================================================
RCS file: /cvs/src/usr.bin/ssh/compat.h,v
retrieving revision 1.46
diff -u -p -r1.46 compat.h
--- compat.h 19 Jan 2015 20:20:20 -0000 1.46
+++ compat.h 10 Apr 2015 00:15:27 -0000
@@ -60,6 +60,7 @@
#define SSH_NEW_OPENSSH 0x04000000
#define SSH_BUG_DYNAMIC_RPORT 0x08000000
#define SSH_BUG_CURVE25519PAD 0x10000000
+#define SSH_BUG_HOSTKEYS 0x20000000

void enable_compat13(void);
void enable_compat20(void);
Index: sshd.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/sshd.c,v
retrieving revision 1.445
diff -u -p -r1.445 sshd.c
--- sshd.c 31 Mar 2015 22:55:24 -0000 1.445
+++ sshd.c 10 Apr 2015 00:15:27 -0000
@@ -891,6 +891,8 @@ notify_hostkeys(struct ssh *ssh)
int i, nkeys, r;
char *fp;

+ if ((compat & SSH_BUG_HOSTKEYS) != 0)
+ return;
if ((buf = sshbuf_new()) == NULL)
fatal("%s: sshbuf_new", __func__);
for (i = nkeys = 0; i < options.num_host_key_files; i++) {
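
Review bot: the new test in notify_hostkeys() reads a bare "compat", but the visible context declares only i, nkeys, r and fp, and the function takes "struct ssh *ssh", so confirm that "compat" is really the variable holding the bug bits set from the compat.c table (whose function is named compat_datafellows). The early return also deserves a one-line comment saying which clients it exists for.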
Darren Tucker
2015-04-10 00:35:04 UTC
Post by IWAMOTO Kouichi
On Wed, 08 Apr 2015 21:28:53 -0500
Post by Bryan Drewery
https://people.freebsd.org/~bdrewery/patches/ttssh-host-keys.diff
In this change, hostkey rotation is not used if Tera Term supports it in future.
Could you change a modification to the compat.c as follows?
--- compat.c.orig 2015-03-17 14:49:20.000000000 +0900
+++ compat.c 2015-04-09 18:35:16.000000000 +0900
@@ -167,6 +167,17 @@
SSH_BUG_SCANNER },
{ "Probe-*",
SSH_BUG_PROBE },
+ { "TTSSH/1.5.*,"
+ "TeraTerm SSH*,"
Should this match all of TTSSH/1.* rather than just 1.5? Also for
tidiness I'd rather keep the TTSSH entries grouped together and have the
compat check with the rest of the hostkey notification code rather than
inline with the main code. Does this still work?

Also, we're nearly out of bug bits, we might have to order some more :-)

Index: compat.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/compat.c,v
retrieving revision 1.88
diff -u -p -r1.88 compat.c
--- compat.c 7 Apr 2015 23:00:42 -0000 1.88
+++ compat.c 10 Apr 2015 00:21:23 -0000
@@ -165,6 +165,17 @@ compat_datafellows(const char *version)
SSH_BUG_SCANNER },
{ "Probe-*",
SSH_BUG_PROBE },
+ { "TeraTerm SSH*,"
+ "TTSSH/1.5.*,"
+ "TTSSH/2.1*,"
+ "TTSSH/2.2*,"
+ "TTSSH/2.3*,"
+ "TTSSH/2.4*,"
+ "TTSSH/2.5*,"
+ "TTSSH/2.6*,"
+ "TTSSH/2.70*,"
+ "TTSSH/2.71*,"
+ "TTSSH/2.72*", SSH_BUG_HOSTKEYS },
{ NULL, 0 }
};
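
Review bot: the entry still lists only "TTSSH/1.5.*" for the 1.x series, so the question of whether all of TTSSH/1.* should match is left open in the code; either widen the pattern or add a comment saying why 1.5 is the only 1.x release that needs the flag. Note also that "TTSSH/2.1*" through "TTSSH/2.6*" are prefix globs, so each also covers two-digit minors such as 2.10 to 2.19, while the 2.7x releases are listed one at a time; a comment naming 2.72 as the cut-off would make that intent explicit.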

Index: compat.h
===================================================================
RCS file: /cvs/src/usr.bin/ssh/compat.h,v
retrieving revision 1.46
diff -u -p -r1.46 compat.h
--- compat.h 19 Jan 2015 20:20:20 -0000 1.46
+++ compat.h 10 Apr 2015 00:21:23 -0000
@@ -60,6 +60,7 @@
#define SSH_NEW_OPENSSH 0x04000000
#define SSH_BUG_DYNAMIC_RPORT 0x08000000
#define SSH_BUG_CURVE25519PAD 0x10000000
+#define SSH_BUG_HOSTKEYS 0x20000000

void enable_compat13(void);
void enable_compat20(void);
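
Review bot: 0x20000000 leaves only 0x40000000 and 0x80000000 free above it in a 32-bit flag word, and the top bit is the sign bit if the flags are kept in a signed int, so the next additions need a plan for widening or reclaiming bits. A brief comment on the new define saying which message SSH_BUG_HOSTKEYS suppresses would help the next reader.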
Index: sshd.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/sshd.c,v
retrieving revision 1.445
diff -u -p -r1.445 sshd.c
--- sshd.c 31 Mar 2015 22:55:24 -0000 1.445
+++ sshd.c 10 Apr 2015 00:21:23 -0000
@@ -891,6 +891,10 @@ notify_hostkeys(struct ssh *ssh)
int i, nkeys, r;
char *fp;

+ /* Some clients cannot cope with the hostkeys message, skip those. */
+ if (datafellows & SSH_BUG_HOSTKEYS)
+ return;
+
if ((buf = sshbuf_new()) == NULL)
fatal("%s: sshbuf_new", __func__);
for (i = nkeys = 0; i < options.num_host_key_files; i++) {
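
Review bot: the early return in notify_hostkeys() is silent, so an operator debugging an affected session has no log line showing that the hostkeys notification was suppressed for this client. Consider a debug-level message before the return, in the same "%s: ...", __func__ style as the fatal() call just below it.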
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
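
How the version-pattern entry in the patch above selects clients, as an added example and not OpenSSH's own code: the pattern list and flag value are copied from the hunks in this thread, while `glob_match` is a simplified stand-in for the server's pattern matcher and `hostkeys_compat_flags` is a hypothetical name. It shows the effect of enumerating versions: the 2.72 client from the debug log is flagged, while a later release string (constructed here) is not.

```c
#include <stdio.h>
#include <string.h>

#define SSH_BUG_HOSTKEYS 0x20000000	/* value from the compat.h hunk */

/* Pattern list copied from the compat.c hunk in this thread. */
static const char ttssh_patterns[] =
    "TeraTerm SSH*,TTSSH/1.5.*,TTSSH/2.1*,TTSSH/2.2*,TTSSH/2.3*,"
    "TTSSH/2.4*,TTSSH/2.5*,TTSSH/2.6*,TTSSH/2.70*,TTSSH/2.71*,TTSSH/2.72*";

/* Simplified glob: '*' matches any run of characters, all else is literal. */
static int
glob_match(const char *s, const char *p, size_t plen)
{
	if (plen == 0)
		return *s == '\0';
	if (*p == '*') {
		/* Try every possible length for the text swallowed by '*'. */
		for (;; s++) {
			if (glob_match(s, p + 1, plen - 1))
				return 1;
			if (*s == '\0')
				return 0;
		}
	}
	return *s == *p && glob_match(s + 1, p + 1, plen - 1);
}

/* Return SSH_BUG_HOSTKEYS if the client software version is on the list. */
int
hostkeys_compat_flags(const char *version)
{
	const char *p = ttssh_patterns, *end;

	for (;;) {
		end = p + strcspn(p, ",");
		if (glob_match(version, p, (size_t)(end - p)))
			return SSH_BUG_HOSTKEYS;
		if (*end == '\0')
			return 0;
		p = end + 1;
	}
}

int
main(void)
{
	/* First string is from the debug log above; the others are constructed. */
	const char *v[] = { "TTSSH/2.72 Win32", "TTSSH/2.73 Win32", "TTSSH/1.4" };
	size_t i;

	for (i = 0; i < sizeof(v) / sizeof(v[0]); i++)
		printf("%-18s hostkeys notification %s\n", v[i],
		    hostkeys_compat_flags(v[i]) ? "skipped" : "sent");
	return 0;
}
```
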
Darren Tucker
2015-04-10 00:57:31 UTC
On Fri, Apr 10, 2015 at 10:16:55AM +1000, Damien Miller wrote:
[...]
Heh, mails crossed in transit. Yep, pretty much like that.
+ { "TTSSH/1.5.*,"
+ "TeraTerm SSH*,"
I'd put those in the opposite order to group the "TTSSH" entries all
together, but ok dtucker either way.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Damien Miller
2015-04-10 02:06:14 UTC
ok djm
Post by Darren Tucker
Post by IWAMOTO Kouichi
On Wed, 08 Apr 2015 21:28:53 -0500
Post by Bryan Drewery
https://people.freebsd.org/~bdrewery/patches/ttssh-host-keys.diff
In this change, hostkey rotation is not used if Tera Term supports it in future.
Could you change a modification to the compat.c as follows?
--- compat.c.orig 2015-03-17 14:49:20.000000000 +0900
+++ compat.c 2015-04-09 18:35:16.000000000 +0900
@@ -167,6 +167,17 @@
SSH_BUG_SCANNER },
{ "Probe-*",
SSH_BUG_PROBE },
+ { "TTSSH/1.5.*,"
+ "TeraTerm SSH*,"
Should this match all of TTSSH/1.* rather than just 1.5? Also for
tidiness I'd rather keep the TTSSH entries grouped together and have the
compat check with the rest of the hostkey notification code rather than
inline with the main code. Does this still work?
Also, we're nearly out of bug bits, we might have to order some more :-)
Index: compat.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/compat.c,v
retrieving revision 1.88
diff -u -p -r1.88 compat.c
--- compat.c 7 Apr 2015 23:00:42 -0000 1.88
+++ compat.c 10 Apr 2015 00:21:23 -0000
@@ -165,6 +165,17 @@ compat_datafellows(const char *version)
SSH_BUG_SCANNER },
{ "Probe-*",
SSH_BUG_PROBE },
+ { "TeraTerm SSH*,"
+ "TTSSH/1.5.*,"
+ "TTSSH/2.1*,"
+ "TTSSH/2.2*,"
+ "TTSSH/2.3*,"
+ "TTSSH/2.4*,"
+ "TTSSH/2.5*,"
+ "TTSSH/2.6*,"
+ "TTSSH/2.70*,"
+ "TTSSH/2.71*,"
+ "TTSSH/2.72*", SSH_BUG_HOSTKEYS },
{ NULL, 0 }
};
Index: compat.h
===================================================================
RCS file: /cvs/src/usr.bin/ssh/compat.h,v
retrieving revision 1.46
diff -u -p -r1.46 compat.h
--- compat.h 19 Jan 2015 20:20:20 -0000 1.46
+++ compat.h 10 Apr 2015 00:21:23 -0000
@@ -60,6 +60,7 @@
#define SSH_NEW_OPENSSH 0x04000000
#define SSH_BUG_DYNAMIC_RPORT 0x08000000
#define SSH_BUG_CURVE25519PAD 0x10000000
+#define SSH_BUG_HOSTKEYS 0x20000000
void enable_compat13(void);
void enable_compat20(void);
Index: sshd.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/sshd.c,v
retrieving revision 1.445
diff -u -p -r1.445 sshd.c
--- sshd.c 31 Mar 2015 22:55:24 -0000 1.445
+++ sshd.c 10 Apr 2015 00:21:23 -0000
@@ -891,6 +891,10 @@ notify_hostkeys(struct ssh *ssh)
int i, nkeys, r;
char *fp;
+ /* Some clients cannot cope with the hostkeys message, skip those. */
+ if (datafellows & SSH_BUG_HOSTKEYS)
+ return;
+
if ((buf = sshbuf_new()) == NULL)
fatal("%s: sshbuf_new", __func__);
for (i = nkeys = 0; i < options.num_host_key_files; i++) {
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Darren Tucker
2015-04-10 05:17:25 UTC
Post by Damien Miller
ok djm
committed. thanks to all.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.