Hi Team,

To remediate some vulnerabilities, I have upgraded ssh from 7.4 to 8.1p1 on the bastion, "CentOS Linux release 7.7.1908 (Core)". After that we can't use ProxyCommand/ProxyJump with the target server.

We tried the following actions:

1. With the default 7.4, ssh to the target instance with ProxyCommand works well.

    Host prd-bastion_host
        User centos
        IdentityFile ~/.ssh/Admins.pem
        Hostname xxx.xxx.xxx.xxx
        Port 22

    Host 10.244.152.103
        User centos
        IdentityFile ~/.ssh/Admins.pem
        ProxyJump prd-bastion_host

2. With the bastion ssh upgraded to 8.1, ssh 10.244.152.103 fails.

3. With the bastion and the target instance ssh both upgraded to 8.1, it still fails:

    debug1: Authentication succeeded (publickey).
    Authenticated to X.X.X.X ([X.X.X.X]:22).
    debug3: ssh_init_stdio_forwarding: 10.244.152.103,:22
    debug1: channel_connect_stdio_fwd 10.244.152.103,:22
    debug1: channel 0: new [stdio-forward]
    debug2: fd 4 setting O_NONBLOCK
    debug2: fd 5 setting O_NONBLOCK
    debug1: getpeername failed: Bad file descriptor
    debug3: send packet: type 90
    debug2: fd 3 setting TCP_NODELAY
    debug3: ssh_packet_set_tos: set IP_TOS 0x48
    debug1: Requesting no-more-sessions@openssh.com
    debug3: send packet: type 80
    debug1: Entering interactive session.
    debug1: pledge: network
    debug3: receive packet: type 80
    debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
    debug3: receive packet: type 4
    debug1: Remote: /home/centos/.ssh/authorized_keys:4: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
    debug3: receive packet: type 4
    debug1: Remote: /home/centos/.ssh/authorized_keys:4: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
    debug3: receive packet: type 92
    channel 0: open failed: connect failed: open failed
    debug2: channel_input_open_failure: channel 0: callback start
    stdio forwarding failed
    kex_exchange_identification: Connection closed by remote host

ssh -A bastion_ip, then ssh targetIP: this works with sshd 8.1p1.
"openssh-server-8.1p1-1.el7.x86_64" is a vendor-supplied package. Can you reproduce the problem with an openssh built from the source we ship at openssh.com? If not you need to report the problem to the vendor.
@Darren Tucker, thanks for the reminder. Actually, I built these rpms myself. Today I also tried building from source code. We still have the same issue.

    # yum install wget gcc openssl-devel pam-devel rpm-build tcp_wrappers-devel -y
    # wget -P /usr/src/ https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.1p1.tar.gz
    # cd /usr/src/
    # tar xf openssh-8.1p1.tar.gz
    # cd openssh-8.1p1
    # ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-tcp-wrappers
    # make
    # make install
    # cp contrib/redhat/sshd.init /etc/init.d/sshd
    # echo "PasswordAuthentication yes" >> /etc/ssh/sshd_config
    # chkconfig --add sshd
    # chkconfig sshd on
    # service sshd restart

    git:(master) ✗ ssh 10.244.164.208 -v
    OpenSSH_8.1p1, OpenSSL 1.1.1d 10 Sep 2019
    debug1: Reading configuration data /Users/haifeng.zhang/.ssh/config
    debug1: /Users/haifeng.zhang/.ssh/config line 120: Applying options for 10.244.16*
    debug1: Reading configuration data /usr/local/etc/ssh/ssh_config
    debug1: Executing proxy command: exec ssh -W 10.244.164.208:22 bastion_oed_qas
    debug1: identity file /Users/haifeng.zhang/.ssh/AlignAdmins.pem type -1
    debug1: identity file /Users/haifeng.zhang/.ssh/AlignAdmins.pem-cert type -1
    debug1: Local version string SSH-2.0-OpenSSH_8.1
    channel 0: open failed: connect failed: open failed
    stdio forwarding failed
    kex_exchange_identification: Connection closed by remote host

    [centos@ip-10-244-160-105 ~]$ openssl version
    OpenSSL 1.0.2k-fips 26 Jan 2017
    [centos@ip-10-244-160-105 ~]$ rpm -qa|grep zlib
    zlib-devel-1.2.7-18.el7.x86_64
    zlib-1.2.7-18.el7.i686
    zlib-1.2.7-18.el7.x86_64