| Field | Value |
|---|---|
| Summary | ssh should treat "Received disconnect" messages as errors |
| Product | Portable OpenSSH |
| Reporter | Iain Morgan <imorgan> |
| Component | ssh |
| Assignee | Assigned to nobody <unassigned-bugs> |
| Status | CLOSED FIXED |
| Severity | minor |
| CC | djm, dtucker |
| Priority | P4 |
| Version | -current |
| Hardware | All |
| OS | All |
| Bug Depends on | |
| Bug Blocks | 2035 |
| Attachments | 2204, 2239 |
Description:

Created attachment 2204 [details]
Use error() to report "Received disconnect" messages to the user

In packet.c, logit() is used to report SSH2_MSG_DISCONNECT and SSH_MSG_DISCONNECT messages to the user. This means that if the user has LogLevel set to "error," such messages will be suppressed. Since the circumstances which trigger packet_disconnect() to be called are really error conditions, it seems more appropriate to use error(). One scenario where this occurs is when a user has LogLevel=error to suppress the login banner of the remote system, but exceeds MaxAuthTries due to a combination of failed hostbased and public-key authentication attempts. In that case, the user receives no feedback.

Comment 1:

Comment on attachment 2204 [details]
Use error() to report "Received disconnect" messages to the user

I think this is a good idea. Darren?

Comment 2:

applied - this will be in openssh-6.2, due soon. Thanks again

Comment 3:

mark bugs closed by openssh-6.2 release as CLOSED

Comment 4:

hm. one problem: the client does send this packet type at the normal end of a connection, although it doesn't use packet_disconnect() to do it:

```c
/* Client-side teardown at the normal end of a session (OpenSSH 6.2 era):
 * an SSH2_MSG_DISCONNECT is built by hand rather than via packet_disconnect(). */
if (compat20) {
	packet_start(SSH2_MSG_DISCONNECT);
	packet_put_int(SSH2_DISCONNECT_BY_APPLICATION);	/* reason code 11 */
	packet_put_cstring("disconnected by user");	/* description */
	packet_put_cstring("");				/* language tag */
	packet_send();
	packet_write_wait();				/* flush before closing */
}
```

resulting in a lot of this kind of thing in syslog:

```text
sshd[12224]: error: Received disconnect from 192.168.32.1: 11: disconnected by user
```

Comment 5:

Created attachment 2239 [details]
Hush sshd-side error for SSH2_DISCONNECT_BY_APPLICATION disconnects

Comment 6:

Comment on attachment 2239 [details]
Hush sshd-side error for SSH2_DISCONNECT_BY_APPLICATION disconnects

Only the client generates SSH2_DISCONNECT_BY_APPLICATION exit notifications and AFAIK it is the only sensible code for client-initiated disconnects in the standard. I think it is safe to drop them back to debug()

Comment 7:

Sorry for overlooking this case. However, logging client-initiated disconnects with SYSLOG_LEVEL_DEBUG might be an issue with sites that expect a message to be logged at session termination. The behaviour prior to 6.2 was to log such messages via logit() and thus SYSLOG_LEVEL_INFO. So, it might be better to do:

`reason == SSH2_DISCONNECT_BY_APPLICATION ? SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR`

Comment 8:

I agree with Iain: it was logit() which was info, so the client disconnect case should go back to what it was (INFO). Otherwise, ok.

Comment 9:

I committed with SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR a couple of weeks back and it will be in 6.2p2

Comment 10:

Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1
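The log-level decision the thread converges on, as an added C example that is not OpenSSH's own code: a small model of LogLevel filtering (the order in which log.c ranks levels), the reason-based choice from the 6.2p2 commit, and a parser for the syslog line quoted above. `disconnect_level`, `is_emitted` and `parse_disconnect_line` are names made up here, and the sample log line is constructed from the one in the bug.

```c
#include <stdio.h>
#include <string.h>

/* Log levels as OpenSSH's log.c ranks them (subset): a message is emitted
 * only if its level does not exceed the configured LogLevel. */
enum log_level { LVL_QUIET = 0, LVL_FATAL, LVL_ERROR, LVL_INFO, LVL_VERBOSE, LVL_DEBUG };

/* RFC 4253 disconnect reason codes used below. */
#define SSH2_DISCONNECT_PROTOCOL_ERROR   2
#define SSH2_DISCONNECT_BY_APPLICATION  11

/* Level for a received SSH2_MSG_DISCONNECT after the 6.2p2 follow-up: the
 * client's own "disconnected by user" keeps the old logit() level (INFO),
 * every other reason is an error. Pre-6.2 it was always INFO. */
enum log_level disconnect_level(int reason)
{
    return reason == SSH2_DISCONNECT_BY_APPLICATION ? LVL_INFO : LVL_ERROR;
}

/* Would a message logged at `msg` reach the user under `configured`? */
int is_emitted(enum log_level msg, enum log_level configured)
{
    return msg <= configured;
}

/* Extract host and reason code from a syslog line such as
 * "sshd[12224]: error: Received disconnect from 192.168.32.1: 11: ...".
 * Host must be colon-free (no IPv6 literal), `host` needs 64 bytes; returns
 * 1 on success, 0 if the line is not a disconnect record. */
int parse_disconnect_line(const char *line, char *host, int *reason)
{
    static const char marker[] = "Received disconnect from ";
    const char *p = strstr(line, marker);
    if (p == NULL)
        return 0;
    return sscanf(p + sizeof(marker) - 1, "%63[^:]: %d:", host, reason) == 2;
}

int main(void)
{
    /* Constructed sample, copied from the syslog excerpt in the bug. */
    const char *line = "sshd[12224]: error: Received disconnect from "
                       "192.168.32.1: 11: disconnected by user";
    char host[64];
    int reason = 0;
    if (parse_disconnect_line(line, host, &reason))
        printf("%s: reason %d -> log level %d\n", host, reason, disconnect_level(reason));
    return 0;
}
```

With LogLevel=error the pre-6.2 logit() message (INFO) is filtered out, which is exactly the missing MaxAuthTries feedback the bug describes, while the error() form survives.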