Bug in OpenSSH / Config Checker

Page content

stumpled upon a bug in openssh … did a small config change in sshd_config, deployed it with ansible … and lost connectifity to all these boxes immediately … and of course, i did a config check before reloading the sshd daemon, and the config check was fine.

i can’t belife that nobody else found this before, as it’s really simple to reproduce. and it’s working with openbsd, debian, centos and mostly on all system which have opensshd implemented (and that’s a lot of …)

reproduce the bug

just add the following line to your sshd_config, do a config check and restart sshd. and you will not be able to login aging through ssh!

DON’T TEST THIS ON YOUR PRODUCTION SYSTEMS!

you need a console and root login/password (or do some recovery procedures in single user mode) to fix this !

root@debian:~# echo "Match Address 2001:db8::/16"  >> /etc/ssh/sshd_config
root@debian:~# echo "  AllowTcpForwarding yes"     >> /etc/ssh/sshd_config

check config and restart the service

root@debian:~# sshd -t
root@debian:~# systemctl restart sshd

and you will not be able to login through ssh again.

stoege@puffy200 ~$ ssh -l root debian
Connection closed by 10.1.2.3 port 22
stoege@puffy200 255 ~$

Problem

the problem is that you configured a host address instead of network address. this is not recognized by the config checker but by the sshd daemon itself.

so, a simple Typo can bring your ssh daemon down! Reboot safe :)

Examples

IPv4

  • Match Address 192.168.1.0/24 -> correct network statement

  • Match Address 192.168.1.1/32 -> correct host statement

  • Match Address 192.168.1.1/24 -> break your ssh daemon

    -> you have either a wrong network mask or a wrong subnet declaration

and the same with IPv6. and we’re all not that familiar with subnet calculation on v6, are we ?

IPv6

  • Match Address 2001:db8:1000:2000::/56 -> correct network statement

  • Match Address 2001:db8:1000:2001::/128 -> correct host statement

  • Match Address 2001:db8:1000:2001::/56 -> break you ssh

    -> you have either a wrong network mask or a wrong subnet declaration

affected Versions

hard to say. probably all OpenSSH Implemenations up to and including Version 8.3. So, all your SSH Boxes are definitly affected …

Patch from Darren

Check that the addresses supplied to Match Address and Match
LocalAddress are valid when parsing in config-test mode.  This will
catch address/mask mismatches before they cause problems at runtime.
Found by Daniel Stocker, ok djm@

https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/servconf.c.diff?r1=1.368&r2=1.369&only_with_tag=HEAD

Fixed

OpenBSD current got this patch included (29 Aug 2020) so the config checker will complain. OpenBSD 6.8, which will be released in Nov 2020 will not be affected anymore.

root@puffy201 ~# sysctl kern.version
kern.version=OpenBSD 6.7-current (GENERIC.MP) #48: Fri Aug 28 23:21:33 MDT 2020
    deraadt@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

root@puffy201 ~# echo "Match Address 2001:db8::/16"  >> /etc/ssh/sshd_config

root@puffy201 ~# sshd -t
Invalid Match address argument '2001:db8::/16' at line 161

root@puffy201 255 ~#

More Info

if you wanna know more about ssh stuff and how to protect your machines from unauthoized access, read the man Pages or i can recommend the book “SSH Mastery: OpenSSH, PuTTY, Tunnels and Keys” from Michael W. Lucas

thanks

i reported this bug to the community and they fixed it within 3 hours! big thanks to OpenBSD Community (who are responsible for the OpenSSH Daemon) and specially Darren Tucker for this quick reaction and fix.

So, i will seriously care about my “Match Statements” in the near (and longer future) and you should do this as well !

happy hacking !

sha256: 7f71439b34f18786ac375fc356ee8b624a293f7c993196767753dba22c49496b