Tunnel device forwarding (-w) broken in openssh 7.7p1, major issue for NixOps #48016

Closed
pvgoran opened this Issue Oct 7, 2018 · 1 comment

pvgoran commented Oct 7, 2018

Issue description

In openssh 7.7p1 (which is currently a part of 18.09), the tunnel device forwarding feature is broken:

> ssh -i /root/.ssh/id_charon_vpn -x -o StrictHostKeyChecking=no -o PermitLocalCommand=yes -o ServerAliveInterval=20 -w any:any webserver-unencrypted -p 22
Tunnel device open failed.
Could not request tunnel forwarding.

The above command is a shortened version of what NixOps does to establish encrypted connections between machines in the network. So, after I upgraded to 18.09, all encrypted connections stopped working.

There is an upstream bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2855

It's fixed by openssh/openssh-portable@b81b2d1 (which is a part of the V_7_7 branch), so probably this can be fixed in nixpkgs by switching the package source to the latest commit of the V_7_7 branch.

Alternatively, openssh can be upgraded to 8.8p1, which doesn't have this bug, or downgraded to 7.6p1.

Steps to reproduce

Create a network in NixOps, use deployment.encryptedLinksTo to connect machines, and see that it fails.

Or just ssh somewhere where tunneling is enabled with the -w option, using root on both ends:

sudo ssh -w any:any root@somehost

Technical details

Please run nix-shell -p nix-info --run "nix-info -m" and paste the results.

  • system: "x86_64-linux"
  • host os: Linux 4.14.74, NixOS, 18.09.783.299814b385d (Jellyfish)
  • multi-user?: yes
  • sandbox: yes
  • version: nix-env (Nix) 2.1.1
  • channels(paul): ""
  • channels(root): "nixos-18.09.783.299814b385d, nixos-unstable-19.03pre154487.0a7e258012b"
  • nixpkgs: /nix/var/nix/profiles/per-user/root/channels/nixos

pvgoran added a commit to pvgoran/nixpkgs that referenced this issue Oct 8, 2018

pvgoran added a commit to pvgoran/nixpkgs that referenced this issue Oct 8, 2018

@pvgoran pvgoran referenced this issue Oct 8, 2018

Closed

openssh: fix tunnel forwarding broken in 7.7p1 #48031

3 of 9 tasks complete

vcunat added a commit that referenced this issue Oct 8, 2018

openssh: fix tunnel forwarding (upstream patch)
Close #48031, fixes #48016.  I didn't use the PR commit
because I think it's better to fetch the patch.

vcunat added a commit that referenced this issue Oct 8, 2018

openssh: fix tunnel forwarding (upstream patch)
Close #48031, fixes #48016.  I didn't use the PR commit
because I think it's better to fetch the patch.

(cherry picked from commit c2e6ca5)

@vcunat vcunat self-assigned this Oct 8, 2018

pvgoran commented Oct 9, 2018

The fix hit the nixos-18.09 channel, tunnel device forwarding works again.

@pvgoran pvgoran closed this Oct 9, 2018
