x/crypto/ssh: concurrent call ssh.Dial will fail

[wangwd1991]

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

1.8.3

Does this issue reproduce with the latest release?

https://github.com/golang/crypto.git
commit : 614d502

What operating system and processor architecture are you using (go env)?

centos 7

What did you do?

auth := make([]ssh.AuthMethod, 0)
auth = append(auth, ssh.Password("123456"))
config := &ssh.ClientConfig {
	User: "root",
	Auth: auth,
	HostKeyCallback: func(hostname string, remote net.Addr, key ssh.PublicKey) error {
		return nil
	},
	Timeout: 30 * time.Second,
}
for i:=0;i<2;i++ {
	go func() {
		client, err := ssh.Dial("tcp", "ip:port", config)
		fmt.Println(err) // the 2th thread (maybe 3th or other litter value) will error
		time.Sleep(5 * time.Second)
		// error is not here, it just a test code
		client.Close()
	}()
}

What did you expect to see?

run pass

What did you see instead?

ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain

the second thread error , other machines maybe 3 or ...

[meirf]

@wangwd1991:

• does this help you?
• can you elaborate what you mean by "the second thread error , other machines maybe 3 or ..." ? please show the exact output.

[wangwd1991]

@meirf
Thanks for your fast response.

1、That doesn't help me. The single thread, it works fine.

2、Sorry to unclear description.
“the second thread error , other machines maybe 3 or ..” means the cycle of the 'for' loop.
Using different number to reproduce the problem with different addr (ssh server)

  **for i:=0;i<2;i++** { //maybe 3 for dialing other server
     go func() {

Or. Should I use a 'lock' to call ssh.Dial then create ssh session to avoid this problem?

[crvv]

I can't reproduce this. The code is

package main

import (
	"fmt"
	"net"
	"time"

	"golang.org/x/crypto/ssh"
)

func main() {
	auth := []ssh.AuthMethod{ssh.Password("my password")}
	config := &ssh.ClientConfig{
		User: "my username",
		Auth: auth,
		HostKeyCallback: func(hostname string, remote net.Addr, key ssh.PublicKey) error {
			return nil
		},
		Timeout: 30 * time.Second,
	}
	for i := 0; i < 2; i++ {
		i := i
		go func() {
			client, err := ssh.Dial("tcp", "localhost:22", config)
			if err != nil {
				fmt.Println(i, err) // the 2th thread (maybe 3th or other litter value) will error
			} else {
				fmt.Println(i, "success")
				client.Close()
			}
		}()
	}
	select {}
}

And I got

1 success
0 success

If you can reproduce your problem with my code, please paste the exact output.

[wangwd1991]

@crvv
I run with the result:
1 success
0 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain

I think you can try with for i := 0; i < 3; i ++ { // with 3 or more.

[wangwd1991]

And My server /etc/ssh/sshd_config

MaxSession 10
PasswordAuthentication yes

[agnivade]

/cc @hanwen

[hanwen]

code looks OK to me. You could try to run with the race detector, but can you confirm it fails with all types of SSH servers?

[wangwd1991]

@hamaxx
I increase the number of loop , then go run -race main.go ? :

[root@my-server ssh]# go run -race main.go
15 ssh: handshake failed: read tcp ip1:port1->ip2:port2: read: connection reset by peer
17 ssh: handshake failed: EOF
19 ssh: handshake failed: EOF
9 success
0 success
6 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
1 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
4 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
11 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
2 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
8 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
7 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
18 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
16 ssh: handshake failed: ssh: unable to authenticate, attempted methods [password none], no supported methods remain
3 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
10 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
5 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
13 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain
14 ssh: handshake failed: ssh: unable to authenticate, attempted methods [password none], no supported methods remain
12 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain

My env:
my ssh is OpenSSH_6.6.1p1
Server : a VM CentOS Linux release 7.1.1503 (Core).
a Physical Machine CentOS Linux release 7.2.1511 (Core).

What I guess is that, client send the ssh package to the server quickly, the server will refuse or discard the package?

[hanwen]

probably. Maybe there is rate limiting for password logins to avoid brute-force attacks?

[wangwd1991]

@hanwen
Thanks for your reply.

Although, I should use it with thread safe.

Closing this.

[songtianyi]

Same problem #32705 when connecting a firewall device.
When connecting the firewall device with a single thread, no matter the frequency you connect, there is only a small probability that error happens. BUT when connect concurrently, the error will happen for sure!

[katiehockman]

/cc @hanwen re-opened this since another user had an issue. Can you PTAL?

[songtianyi]

auth fail but returned nothing from server side
See client_auth.go#L350

[rustyx]

@songtianyi are you saying that client_auth.go#L350 is causing this issue, or just commenting?

[songtianyi]

@songtianyi are you saying that client_auth.go#L350 is causing this issue, or just commenting?

Nope. What i'm pointing out here is the code client_auth.go#L350 does not return any error message when return auth_failed.

[mentaLwz]

Does this problem have been solved now? Or any other methods to deal with this?