Re: Nmap Causing SSH Session to Prematurely End

From: Richard E. Silverman (res_at_qoxp.net)
Date: 06/09/05


Date: 08 Jun 2005 23:56:38 -0400


This appears to be a bug in OpenSSH, which only shows up when a TCP
connection to a forwarded port is closed extremely quickly after being
opened. The problem is here:

[channels.c]

static void
port_open_helper(Channel *c, char *rtype)
{
        int direct;
        char buf[1024];
        char *remote_ipaddr = get_peer_ipaddr(c->sock);
>>> u_short remote_port = get_peer_port(c->sock);

This is called very shortly after processing a connection opened on a
forwarded port, channel_post_port_listener(). I couldn't replicate this
by telnetting to the port, or even with a simple Perl program to open and
immediately close a connection:

----------------------------------------------------------------------
#!/usr/bin/perl

use IO::Socket;
use Carp;

($server,$port) = @ARGV;

$socket = IO::Socket::INET->new(PeerAddr => $server,
                                PeerPort => $port)
    || croak(qq*cannot connect to "$server"*);

$socket->close();
----------------------------------------------------------------------

However, with nmap -sT, I get this:

debug1: Connection to port 2001 forwarding to localhost port 22 requested.
debug1: channel 2: new [direct-tcpip]
debug1: getpeername failed: Transport endpoint is not connected

Nmap is written in C so is faster, and also if you look at the network
traffic, it simply sends a RST after the TCP handshake, whereas these
other tests do the more graceful FIN/ACK/FIN/ACK sequence. The upshot is
that the close happens extremely quickly. Now, ssh exits at this point
because get_peer_port() does this:

[canohost.c]
                if (getpeername(sock, (struct sockaddr *)&from, &fromlen) < 0) {
                        debug("getpeername failed: %.100s", strerror(errno));
                        cleanup_exit(255);
                }

So ssh immediately exits if getpeername() fails. This is a bad choice,
since here is a non-catastrophic (if uncommon) failure mode: the
connection may already be closed by the time execution reaches this point.
The code should be changed so that OpenSSH handles this case and
continues.

-- 
  Richard Silverman
  res@qoxp.net
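
The failure mode described in the message above, as an added example that is not part of the original post and is not OpenSSH code: a hypothetical helper, peer_port_tolerant(), reports ENOTCONN from getpeername() as a per-connection condition instead of exiting the process. The helper names, the enum and the loopback fixture are assumptions; the never-connected socket in main() is a constructed stand-in for the reset-before-getpeername race, since it produces the same errno.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

enum peer_status { PEER_OK = 0, PEER_GONE = 1, PEER_ERROR = -1 };

/* Hypothetical helper (not OpenSSH code): classify the failure, never exit. */
enum peer_status peer_port_tolerant(int sock, unsigned short *port)
{
    struct sockaddr_storage from = {0};
    socklen_t fromlen = sizeof(from);
    *port = 0;
    if (getpeername(sock, (struct sockaddr *)&from, &fromlen) < 0)
        /* ENOTCONN: the peer is already gone; only this channel is affected. */
        return errno == ENOTCONN ? PEER_GONE : PEER_ERROR;
    if (from.ss_family == AF_INET)
        *port = ntohs(((struct sockaddr_in *)&from)->sin_port);
    else if (from.ss_family == AF_INET6)
        *port = ntohs(((struct sockaddr_in6 *)&from)->sin6_port);
    return PEER_OK;
}

/* Constructed fixture: one live loopback connection; returns the accepted fd. */
int loopback_pair(int *client)
{
    struct sockaddr_in a = {0};
    socklen_t len = sizeof(a);
    int as, ls = socket(AF_INET, SOCK_STREAM, 0);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* port 0: kernel picks one */
    *client = socket(AF_INET, SOCK_STREAM, 0);
    if (bind(ls, (struct sockaddr *)&a, sizeof(a)) < 0 || listen(ls, 1) < 0 ||
        getsockname(ls, (struct sockaddr *)&a, &len) < 0 ||
        connect(*client, (struct sockaddr *)&a, sizeof(a)) < 0 ||
        (as = accept(ls, NULL, NULL)) < 0)
        return -1;
    close(ls);
    return as;
}

int main(void)
{
    unsigned short p1, p2;
    int c, s = loopback_pair(&c), idle = socket(AF_INET, SOCK_STREAM, 0);
    printf("live=%d idle=%d\n", peer_port_tolerant(s, &p1), peer_port_tolerant(idle, &p2));
    return 0;
}
```

A caller that receives PEER_GONE would close that one channel and keep the session and its other forwardings running.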

