Bug 1067

Summary: ssh-keyscan does not work with F-Secure SSH 3.2.0 sometimes
Product: Portable OpenSSH Reporter: dave <dave>
Component: MiscellaneousAssignee: Damien Miller <djm>
Status: CLOSED FIXED    
Severity: normal    
Priority: P2    
Version: -current   
Hardware: All   
OS: Linux   
Bug Depends on:    
Bug Blocks: 1047    
Attachments:
Description Flags
Ignore leading junk from the server
none
Better patch none

Description dave 2005-08-09 21:24:49 AEST 
For some obscure reason F-Secure's SSH 3.2.0 redirects warnings down the
connection stream, so when you do a ssh connect you will have a response like:

sshd2[4036]: WARNING: Configuration option SshPAMClientPath is deprecated.
sshd2[4036]: WARNING: DNS lookup failed for "1.1.1.1".
SSH-2.0-3.2.0 F-SECURE SSH

ssh-keyscan, in the function "congreet" only examines the first line for the SSH
banner. This is different behaviour to the ssh connect command (which checks all
lines in the first 256 bytes) for the SSH banner.

Because of this you cannot use ssh-keyscan against hosts running this flavour of
SSH unless all of the warnings are cleared.

(There may also be a knock on effect to the ssh command if there are a lot of
warnings)
Comment 1 Darren Tucker 2005-08-09 21:57:04 AEST 
I'm not sure if it's intentional on the part of the server, but it seems within
the existing protocol spec:
(http://www.ietf.org/internet-drafts/draft-ietf-secsh-transport-24.txt section 4.2).

Looks like ssh and ssh-keyscan ought to read and ignore such lines.
Comment 2 Damien Miller 2005-10-10 21:41:36 AEST 
Created attachment 985 [details]
Ignore leading junk from the server

This patch ignores junk prior to the "SSH-" ident, like we do in the client.
Comment 3 Damien Miller 2005-10-11 19:55:12 AEST 
Created attachment 986 [details]
Better patch

This patch is better - it won't hang on servers that suddenly drop the connection before sending a SSH- ident.
Comment 4 Damien Miller 2005-10-30 15:00:25 AEDT 
fix applied, will be in openssh-4.3. thanks!
Comment 5 Darren Tucker 2006-10-07 11:41:29 AEST 
Change all RESOLVED bug to CLOSED with the exception of the ones fixed post-4.4.