Hi,
I'd like to report a problem I found when trying to log in using ssh on IPv6, which results in the infamous "kex_exchange_identification: read: Connection reset by peer" error. This happened on ADM 3.5.0.R5D3 on the AS6302T, but I don't think it's limited to that specific model. I also have a workaround at the end, in case someone is having a similar problem.
After enabling ssh access in Services/Terminal, I can correctly log in from a remote host using IPv4, but attempts to log in using IPv6 result in:
# ssh -p 4222 -vvv <user>@<hostname>
OpenSSH_8.2p1 Ubuntu-4, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /root/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "<hostname>" port 4222
debug2: ssh_connect_direct
debug1: Connecting to <hostname> [<ipv6 addr>] port 4222.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type 0
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4
kex_exchange_identification: read: Connection reset by peer
This was unexpected, so to understand what was going on here I ran the ssh server on the NAS in debug mode and I found the following:
admin@nas:/volume1 $ sudo /usr/sbin/sshd -Dde -p 4222
/usr/etc/ssh/sshd_config line 15: Deprecated option UsePrivilegeSeparation
debug1: sshd version OpenSSH_7.9, OpenSSL 1.0.2n 7 Dec 2017
debug1: private host key #0: ssh-rsa SHA256:<stuff>
debug1: private host key #1: ssh-dss SHA256:<stuff>
debug1: private host key #2: ecdsa-sha2-nistp256 SHA256:<stuff>
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-Dde'
debug1: rexec_argv[2]='-p'
debug1: rexec_argv[3]='4222'
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug1: Bind to port 4222 on 0.0.0.0.
Server listening on 0.0.0.0 port 4222.
debug1: Bind to port 4222 on ::.
Server listening on :: port 4222.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
rexec line 15: Deprecated option UsePrivilegeSeparation
debug1: sshd version OpenSSH_7.9, OpenSSL 1.0.2n 7 Dec 2017
debug1: private host key #0: ssh-rsa SHA256:<stuff>
debug1: private host key #1: ssh-dss SHA256:<stuff>
debug1: private host key #2: ecdsa-sha2-nistp256 SHA256:<stuff>
debug1: inetd sockets after dupping: 3, 3
*** buffer overflow detected ***: sshd: [accepted] terminated
======= Backtrace: =========
/lib64/libc.so.6(+0x7047b)[0x7efcb051e47b]
/lib64/libc.so.6(__fortify_fail+0x37)[0x7efcb05a69a7]
/lib64/libc.so.6(+0xf69d0)[0x7efcb05a49d0]
/lib64/libc.so.6(+0xf5eb9)[0x7efcb05a3eb9]
/lib64/libc.so.6(_IO_default_xsputn+0x84)[0x7efcb0521c64]
/lib64/libc.so.6(_IO_vfprintf+0x1dce)[0x7efcb04f65de]
/lib64/libc.so.6(__vsprintf_chk+0x97)[0x7efcb05a3f57]
/lib64/libc.so.6(__sprintf_chk+0x7d)[0x7efcb05a3e9d]
sshd: [accepted](main+0x229a)[0x55f183592aaa]
/lib64/libc.so.6(__libc_start_main+0xed)[0x7efcb04ce0bd]
sshd: [accepted](+0xf919)[0x55f183593919]
======= Memory map: ========
55f183584000-55f18364b000 r-xp 00000000 00:02 2259 /usr/sbin/sshd
55f18384a000-55f18384d000 r--p 000c6000 00:02 2259 /usr/sbin/sshd
(...)
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
Aborted
My workaround for this problem was to run a different openssh server installed from entware, which works well in both IPv4 and IPv6 after you create a user for privilege separation, but I think Asustor folks may want to have a look at this and fix it.
sshd crash: connection reset by peer when using IPv6
-
- Posts: 5
- Joined: Sat Jun 13, 2020 10:45 pm
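Added example, not part of the original posts and not Asustor or OpenSSH code: a small parser for the glibc abort report quoted in the first post. It names the fortified call that tripped, its caller inside sshd, and the caller's offset in the mapped binary, which is the information a vendor needs to locate the faulty call. The names `triage`, `REPORT`, `FRAME` and `MAP` are made up for this sketch; the sample lines are abridged from the post.

```python
import re

# Abridged from the sshd abort report quoted in the first post.
REPORT = """\
*** buffer overflow detected ***: sshd: [accepted] terminated
======= Backtrace: =========
/lib64/libc.so.6(+0x7047b)[0x7efcb051e47b]
/lib64/libc.so.6(__fortify_fail+0x37)[0x7efcb05a69a7]
/lib64/libc.so.6(_IO_vfprintf+0x1dce)[0x7efcb04f65de]
/lib64/libc.so.6(__vsprintf_chk+0x97)[0x7efcb05a3f57]
/lib64/libc.so.6(__sprintf_chk+0x7d)[0x7efcb05a3e9d]
sshd: [accepted](main+0x229a)[0x55f183592aaa]
/lib64/libc.so.6(__libc_start_main+0xed)[0x7efcb04ce0bd]
sshd: [accepted](+0xf919)[0x55f183593919]
======= Memory map: ========
55f183584000-55f18364b000 r-xp 00000000 00:02 2259 /usr/sbin/sshd
"""

# "module(symbol+0xoff)[0xaddr]" frames and "start-end perms offset dev inode path" rows.
FRAME = re.compile(r"^(?P<mod>.+)\((?P<sym>[^()+]*)\+?(?P<off>0x[0-9a-f]+)?\)\[0x(?P<addr>[0-9a-f]+)\]$")
MAP = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) \S+ ([0-9a-f]+) \S+ \d+\s+(\S.*)$")

def triage(report):
    """Name the fortified libc call that aborted, its caller, and the caller's file offset."""
    if "*** buffer overflow detected ***" not in report:
        return None
    lines = report.splitlines()
    frames = [m.groupdict() for m in map(FRAME.match, lines) if m]
    maps = [m.groups() for m in map(MAP.match, lines) if m]
    for chk, caller in zip(frames, frames[1:]):
        # The *_chk wrapper whose next frame is in another module is the call the program made.
        if not chk["sym"].endswith("_chk") or caller["mod"] == chk["mod"]:
            continue
        addr = int(caller["addr"], 16)
        result = {"fortified_call": chk["sym"],
                  "caller": f'{caller["sym"]}+{caller["off"]}',
                  "module": None, "file_offset": None}
        for start, end, off, path in maps:
            if int(start, 16) <= addr < int(end, 16):
                # Return address translated to an offset inside the mapped file.
                result["module"] = path
                result["file_offset"] = hex(addr - int(start, 16) + int(off, 16))
        return result
    return None

if __name__ == "__main__":
    print(triage(REPORT))
```

For the trace in the post this reports `__sprintf_chk` called from `main+0x229a` in `/usr/sbin/sshd`; the computed offset can be looked up with a disassembler in a copy of the same sshd build.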
- orion
- Posts: 3485
- Joined: Wed May 29, 2013 11:09 am
Re: sshd crash: connection reset by peer when using IPv6
Wow, I did not try it before. I think you should report it to asustor directly. https://support.asustor.com/
-
- Posts: 5
- Joined: Sat Jun 13, 2020 10:45 pm
Re: sshd crash: connection reset by peer when using IPv6
Yes, I think it's a good idea to report directly. I just sent them the traces, thanks!
-
- Posts: 1
- Joined: Fri Jan 21, 2022 11:35 am
Re: sshd crash: connection reset by peer when using IPv6
Hey, thank you for sharing. I kinda thought I had gone crazy in the meantime, because IPv6 link-local (fe08::) is working, while only the global IPv6 results in exactly this error on my AS4004T with ADM 4.0.2.RPL2.
Have you heard anything from the support when or if they will ever fix this?
EDIT:
It seems like they worked on the sshd. At least the version line changed for me:
debug1: sshd version OpenSSH_8.2, OpenSSL 1.1.1l 24 Aug 2021