FS#65517 - [openssh] upgrade to 8.2p1-1 breaks logins
Attached to Project:
Arch Linux
Opened by Erich Eckner (deepthought) - Sunday, 16 February 2020, 08:00 GMT
Last edited by Gaetan Bisson (vesath) - Monday, 17 February 2020, 01:34 GMT
Details
Description:
I recently upgraded all packages, amongst which: upgraded openssh (8.1p1-2 -> 8.2p1-1)

This broke remote logins via ssh:

kex_exchange_identification: read: Connection reset by peer

(This happened to me with the same version on archlinux, archlinux32 and archlinuxarm)

Downgrading openssh to any earlier versions fixed it.

Additional info:
* package version(s)
openssh 8.2p1-1

Steps to reproduce:
> pacman -Syu
# from remote
> ssh the-other.host.name
(there's probably more to this, but IDK)

One thing, that all machines have in common, is that I mainly authenticate via key.
Closed by Gaetan Bisson (vesath)
Monday, 17 February 2020, 01:34 GMT
Reason for closing: Fixed
Additional comments about closing: openssh-8.2p1-3 in [core]
I have just upgraded a remote host and cannot login any longer.
kex_exchange_identification: read: Connection reset by peer
https://www.openssh.com/txt/release-8.2
I suspect a lot of people will be logged out of their remote boxes.
kex_exchange_identification: read: Connection reset by peer
I'm gonna try to have the remote Arch box rebooted once I get a chance.
The 8.2 sshd servers tell me:
Feb 16 08:44:33 server sshd[3104261]: fatal: recv_rexec_state: buffer error: incomplete message
Upgrading this package should make people aware with a message.
to old 8.1 ssh clients.
/etc/ssh/ssh_host_rsa* should maybe be deleted or people should be made aware that they have to be removed
(and eventually HostKey to be adapted in /etc/ssh/sshd_config). OTOH, there might be reasons to keep the rsa
keys for other distros with older ssh clients to still be able to log in).
I just tried this on another box in the building with physical access, same problem.
Rebooting the box manually solved the problem.
a safer one. So it's also consistent to keep the rsa server keys..
I've chosen to downgrade to the previous version (pacman -U /var/cache/pacman/pkg/openssh-8.1p1-4-x86_64.pkg.tar.zst) (which temporarily solved the issue, without an additional restart), as it is still not quite clear:
- if the problem is about RSA keys (I'm also using RSA keys)
- or if a restart of SSHD is enough
- or if a restart of the server is mandatory (which is not possible in my situation)
We need this issue to go on the frontpage of Arch ASAP, lots of people risk being logged out of remote systems.
sshd[23423]: fatal: recv_rexec_state: buffer error: incomplete message
The linked commit above is about the new "Include" feature, not related to deprecated keys, so login via a password is also broken.
I deeply regret that this issue had not been identified while openssh-8.2p1-1 was in [testing] or even earlier. I have just pushed a new openssh-8.2p1-3 package which will automatically restart existing sshd.service. I will also post a news announcement just in case.
My apologies for any inconvenience.
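
A post-upgrade check for the situation in this task, as an added example that is not part of the original thread: the sshd listener re-executes the on-disk binary for each connection and passes it state (where `recv_rexec_state` runs), so a listener started before the upgrade keeps failing until sshd.service is restarted, which is what openssh-8.2p1-3 does. The function names are hypothetical, the sample log is constructed, and the `(deleted)` test assumes Linux /proc and a package manager that replaces the binary rather than overwriting it in place.

```shell
#!/bin/sh
# Added example (not from the thread). Sample lines are constructed: host,
# PIDs, user and addresses are made up; the fatal text is the one quoted above.
sample_log() {
cat <<'EOF'
Feb 16 08:44:31 server sshd[3104250]: Accepted publickey for alice from 192.0.2.10 port 50212 ssh2
Feb 16 08:44:33 server sshd[3104261]: fatal: recv_rexec_state: buffer error: incomplete message
Feb 16 08:44:40 server sshd[3104270]: fatal: recv_rexec_state: buffer error: incomplete message
Feb 16 08:45:02 server sshd[3104301]: Connection closed by 192.0.2.11 port 40022 [preauth]
EOF
}

# Count per-connection sshd children that died while receiving re-exec state
# from the listener. Reads journal/syslog lines on stdin, prints the count.
count_rexec_failures() {
    grep -c 'sshd\[[0-9]*]: fatal: recv_rexec_state:' || true
}

# True when a /proc/<pid>/exe link target shows that the file the process was
# started from has been replaced on disk (Linux appends " (deleted)").
# Assumption: the package manager unlinks/renames the old binary on upgrade.
exe_is_stale() {
    case "$1" in
        *' (deleted)') return 0 ;;
        *) return 1 ;;
    esac
}

# Live check, run as root on the upgraded host: the oldest process named
# sshd is taken to be the listener.
check_listener() {
    pid=$(pgrep -o -x sshd) || { echo "no sshd running"; return 2; }
    target=$(readlink "/proc/$pid/exe") || return 2
    if exe_is_stale "$target"; then
        echo "sshd pid $pid runs a replaced binary: systemctl restart sshd.service"
        return 1
    fi
    echo "sshd pid $pid matches the binary on disk"
}

printf 'rexec failures in sample log: %s\n' "$(sample_log | count_rexec_failures)"
```

On a real host, feed `journalctl -u sshd.service` output to `count_rexec_failures` and call `check_listener` from an existing session or the console before closing it.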