Re: Connectivity problems affecting openssh ssh clients but not other ssh clients

Tim Richardson wrote:
I want to ssh to a RedHat server running OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003
The server hosts several websites.

I have used three machines all from behind the same NAT
1) Debian unstable 4.6p1 OpenSSL 0.9.8e
2) Ubuntu 7.04: ssh -v = OpenSSH_4.3p2 Debian-8ubuntu1, OpenSSL 0.9.8c 05 Sep 2006
3) Mac OS X

The error log is below. The session hangs. Ctrl-C does not recover, I
have to kill the terminal window.

Note that a Windows machine running Putty succeeds, and on all
machines above, a Java ssh client succeeds.

The problem exists on two accounts on the server.
I can also duplicate the problem communicating the other way. That is,
on my home network I installed sshd on the Debian machine. Then using
the java ssh client, I shell in to the Red Hat remote machine. From
the shell, I use ssh to try to connect back to the Debian server at
home. The log is the same. Password authentication succeeds, but the
session hangs with the same final output from ssh -vvv

Meanwhile, I have a friend also using Debian who can shell into the
webserver machine.

So there is something about my network at home that kills multiple
versions of openssh but which does not affect other ssh clients. I
have a d-link router which acts as a firewall and NAT.

OpenSSH sets the IP TOS (to either "lowdelay" or "throughput") and some routers have been known to choke on such packets.

debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
That is the last message. The terminal hangs. Ctrl-C cannot interrupt.

The TOS is set immediately after the TCP_NODELAY so it's a pretty good bet that's your culprit.

As a workaround, you can recompile ssh after inserting a "return;" at the start of packet_set_tos() in packet.c. Alternatively you can use ssh's ProxyCommand to use a program such as netcat as an alternative transport that doesn't set those bits, eg:

ssh -o "ProxyCommand nc %h %p" yourserver

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
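The diagnosis above rests on one claim: the connection works until OpenSSH marks the socket with IP_TOS, and then traffic through the router stops. Here is a small added diagnostic (not code from the thread, from OpenSSH, or from the router vendor) that reproduces that condition without ssh at all: it opens a plain TCP connection to a server, reads the banner, optionally marks the socket with the same TOS value OpenSSH would use, and reports whether a reply still comes back. The stand-in banner server, the probe text "SSH-2.0-probe" and the helper names `start_banner_server`, `probe` and `diagnose` are constructed for this example; the TOS values 0x10 (lowdelay) and 0x08 (throughput) are the standard IPTOS_LOWDELAY and IPTOS_THROUGHPUT constants. Against a real sshd, the reply after the client version string is the server's KEXINIT, so "reply received" still means the path is open.

```python
import socket
import sys
import threading

IPTOS_LOWDELAY = 0x10    # TOS value OpenSSH uses for interactive sessions
IPTOS_THROUGHPUT = 0x08  # TOS value OpenSSH uses for bulk transfers (scp/sftp)
PROBE_LINE = b"SSH-2.0-probe\r\n"  # constructed client version string


def start_banner_server(connections=3, banner=b"SSH-2.0-probe-banner\r\n"):
    """Constructed stand-in for sshd on loopback: send a banner, then echo
    whatever the client sends. Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(connections)
    port = srv.getsockname()[1]

    def serve():
        for _ in range(connections):
            conn, _addr = srv.accept()
            with conn:
                conn.sendall(banner)
                data = conn.recv(1024)
                if data:
                    conn.sendall(data)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def probe(host, port, tos=None, timeout=5.0):
    """Connect over plain TCP, read the server banner, mark the socket with
    the given IP_TOS value (as OpenSSH does right after TCP_NODELAY), send a
    client version string and report whether any reply arrives."""
    result = {"banner": b"", "tos_applied": 0, "reply_received": False}
    with socket.create_connection((host, port), timeout=timeout) as s:
        # Mirror the order seen in ssh -vvv: TCP_NODELAY first, TOS afterwards.
        s.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
        result["banner"] = s.recv(255)
        if tos is not None:
            s.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, tos)
        # Read back what the kernel actually applied (0 when nothing was set).
        result["tos_applied"] = s.getsockopt(socket.IPPROTO_IP, socket.IP_TOS)
        try:
            s.sendall(PROBE_LINE)
            result["reply_received"] = len(s.recv(255)) > 0
        except (socket.timeout, OSError):
            # A hang here, only when a TOS mark is set, points at the path
            # between client and server rather than at ssh or sshd.
            result["reply_received"] = False
    return result


def diagnose(host, port, timeout=5.0):
    """Run the probe unmarked, then with each TOS value OpenSSH may set.
    Returns {label: reply_received}; a False only on the marked runs
    reproduces the symptom described in the thread."""
    cases = {"default": None, "lowdelay": IPTOS_LOWDELAY,
             "throughput": IPTOS_THROUGHPUT}
    return {label: probe(host, port, tos, timeout)["reply_received"]
            for label, tos in cases.items()}


if __name__ == "__main__":
    # Usage: python probe_tos.py <host> [port]; defaults to a local stand-in.
    if len(sys.argv) >= 2:
        target_host = sys.argv[1]
        target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
    else:
        target_host, target_port = "127.0.0.1", start_banner_server()
    for label, ok in diagnose(target_host, target_port).items():
        print(f"{label:>10}: {'reply received' if ok else 'NO REPLY (hang)'}")
```

Run it from the affected network against the server's port 22: if "default" succeeds and "lowdelay" or "throughput" does not, the TOS mark is what the router objects to, and the ProxyCommand workaround above (or a router fix) is the right direction. If all three succeed, the problem is not the TOS bits and the search should move elsewhere.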
