Bug 1118005 - fatal: monitor_read: unsupported request: 82 on server while attempting GSSAPI key exchange
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: openssh
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Petr Lautrbach
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1162620
Reported: 2014-07-09 20:05 UTC by Nalin Dahyabhai
Modified: 2014-11-16 14:43 UTC (History)

Fixed In Version: openssh-6.6.1p1-8.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1162620 (view as bug list)
Environment:
Last Closed: 2014-11-16 14:43:03 UTC
Type: Bug
Embargoed:



Description Nalin Dahyabhai 2014-07-09 20:05:15 UTC
Description of problem:
Since updating to openssh-6.6.1p1-1.fc21, access fails when I try to log in using GSSAPI key exchange.  The server disconnects the client and logs:

  fatal: monitor_read: unsupported request: 82

Disabling the GSSAPIKeyExchange option on the client allows the login to succeed.

Version-Release number of selected component (if applicable):
  openssh-6.6.1p1-1.fc21.x86_64.rpm

How reproducible:
Always

Steps to Reproduce:

1. Set up a server on F21 with a keytab, say as an IPA server.
2. Use kinit on the server to get a TGT.
3. Try to ssh to the server with the client's GSSAPIAuthentication, GSSAPIDelegateCredentials, and GSSAPIKeyExchange options enabled.

Actual results:
OpenSSH_6.6.1, OpenSSL 1.0.1h-fips 5 Jun 2014
debug1: Reading configuration data /home/nalin/.ssh/config
debug1: /home/nalin/.ssh/config line 75: Applying options for blade
debug1: /home/nalin/.ssh/config line 154: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 51: Applying options for *
debug1: Hostname has changed; re-reading configuration
debug1: Reading configuration data /home/nalin/.ssh/config
debug1: /home/nalin/.ssh/config line 75: Applying options for blade.bos.redhat.com
debug1: /home/nalin/.ssh/config line 125: Applying options for *.bos.redhat.com
debug1: /home/nalin/.ssh/config line 154: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 51: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to blade.bos.redhat.com [10.18.57.10] port 22.
debug1: Connection established.
debug1: identity file /home/nalin/.ssh/id_rsa type 1
debug1: identity file /home/nalin/.ssh/id_rsa-cert type -1
debug1: identity file /home/nalin/.ssh/id_dsa type 2
debug1: identity file /home/nalin/.ssh/id_dsa-cert type -1
debug1: identity file /home/nalin/.ssh/id_ecdsa type -1
debug1: identity file /home/nalin/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/nalin/.ssh/id_ed25519 type -1
debug1: identity file /home/nalin/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Offering GSSAPI proposal: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==,gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group1-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q==
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-gex-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group1-sha1-A/vxljAEU54gt9a48EiANQ==,gss-group14-sha1-A/vxljAEU54gt9a48EiANQ==,gss-gex-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group1-sha1-bontcUwnM6aGfWCP21alxQ==,gss-group14-sha1-bontcUwnM6aGfWCP21alxQ==,gss-gex-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group1-sha1-eipGX3TCiQSrx573bT1o1Q==,gss-group14-sha1-eipGX3TCiQSrx573bT1o1Q==,curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01,ssh-rsa-cert-v00,ssh-rsa,ecdsa-sha2-nistp256-cert-v01,ecdsa-sha2-nistp384-cert-v01,ecdsa-sha2-nistp521-cert-v01,ssh-ed25519-cert-v01,ssh-dss-cert-v01,ssh-dss-cert-v00,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss,null
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm,aes256-gcm,chacha20-poly1305,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm,aes256-gcm,chacha20-poly1305,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc.se
debug2: kex_parse_kexinit: hmac-md5-etm,hmac-sha1-etm,umac-64-etm,umac-128-etm,hmac-sha2-256-etm,hmac-sha2-512-etm,hmac-ripemd160-etm,hmac-sha1-96-etm,hmac-md5-96-etm,hmac-md5,hmac-sha1,umac-64,umac-128,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-etm,hmac-sha1-etm,umac-64-etm,umac-128-etm,hmac-sha2-256-etm,hmac-sha2-512-etm,hmac-ripemd160-etm,hmac-sha1-96-etm,hmac-md5-96-etm,hmac-md5,hmac-sha1,umac-64,umac-128,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib,zlib
debug2: kex_parse_kexinit: none,zlib,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm,aes256-gcm,chacha20-poly1305,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm,aes256-gcm,chacha20-poly1305,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc.se
debug2: kex_parse_kexinit: hmac-md5-etm,hmac-sha1-etm,umac-64-etm,umac-128-etm,hmac-sha2-256-etm,hmac-sha2-512-etm,hmac-ripemd160-etm,hmac-sha1-96-etm,hmac-md5-96-etm,hmac-md5,hmac-sha1,umac-64,umac-128,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-etm,hmac-sha1-etm,umac-64-etm,umac-128-etm,hmac-sha2-256-etm,hmac-sha2-512-etm,hmac-ripemd160-etm,hmac-sha1-96-etm,hmac-md5-96-etm,hmac-md5,hmac-sha1,umac-64,umac-128,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: setup hmac-md5-etm
debug1: kex: server->client aes128-ctr hmac-md5-etm none
debug2: mac_setup: setup hmac-md5-etm
debug1: kex: client->server aes128-ctr hmac-md5-etm none
debug1: Doing group exchange

debug2: bits set: 1514/3072
debug1: Calling gss_init_sec_context
debug1: Delegating credentials
Connection closed by 10.18.57.10

Expected results:
Login succeeds.

Additional info:
Downgrading the server back to 6.4p1-4.fc21 works around it.

Comment 1 Petr Lautrbach 2014-07-10 17:57:36 UTC
Thanks for the report.

I'm not sure if I'm able to reproduce the same issue, but I'm able to log in using openssh-6.6.1p1-1.1.fc20.1 [1] on f20 and I can't do the same with the same package or with openssh-6.4p1-4.fc21.x86_64 on rawhide. But my rawhide host could be misconfigured since I get a "wrong principal" error message.

The patch with gsskex support hasn't changed at all between 6.4 and 6.6, so it could be some change in the rebased package or in the libraries used.

I'll try to set up clean environments and investigate it more.

[1] http://koji.fedoraproject.org/koji/taskinfo?taskID=7125711

Comment 2 Petr Lautrbach 2014-11-12 16:51:50 UTC
MONITOR_REQ_GSSSIGN was missing from the protocol 20 monitor table. I'll push an update to Rawhide and F21 soon.
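
Added illustration, not part of the bug thread and not OpenSSH source: a simplified model of a deny-by-default monitor dispatch table, showing why a request type with no table entry ends in the "unsupported request" error from the description and is served once the entry exists. The struct, handler and function names and the request numbers 42 and 44 are assumptions; 82 is taken from the log line, and its pairing with MONITOR_REQ_GSSSIGN is inferred from comment 2.

```c
#include <stdio.h>
#include <string.h>

#define REQ_GSSSIGN 82  /* request number from the sshd log line on this page */

struct mon_entry { int type; int (*handler)(void); };

static int answer_setup(void) { return 0; }  /* hypothetical handlers */
static int answer_step(void)  { return 0; }
static int answer_sign(void)  { return 0; }

/* Constructed tables; 42 and 44 are sample request numbers. */
static const struct mon_entry table_before[] = {   /* signing entry missing */
    { 42, answer_setup }, { 44, answer_step }, { 0, NULL }
};
static const struct mon_entry table_after[] = {    /* signing entry present */
    { 42, answer_setup }, { 44, answer_step },
    { REQ_GSSSIGN, answer_sign }, { 0, NULL }
};

static char last_error[80];

/* Deny by default: only request types listed in the table reach a handler.
 * Returns the handler's result, or -1 with last_error set. The real daemon
 * treats this case as fatal and exits, which the client sees as a closed
 * connection. */
int monitor_dispatch(const struct mon_entry *tab, int type)
{
    last_error[0] = '\0';
    for (; tab->handler != NULL; tab++)
        if (tab->type == type)
            return tab->handler();
    snprintf(last_error, sizeof(last_error),
             "fatal: monitor_read: unsupported request: %d", type);
    return -1;
}

int dispatch_before(int type) { return monitor_dispatch(table_before, type); }
int dispatch_after(int type)  { return monitor_dispatch(table_after, type); }
const char *dispatch_error(void) { return last_error; }

int main(void)
{
    int rc = dispatch_before(REQ_GSSSIGN);
    printf("before: rc=%d %s\n", rc, dispatch_error());
    rc = dispatch_after(REQ_GSSSIGN);
    printf("after:  rc=%d\n", rc);
    return 0;
}
```

The failure is the table failing closed: the privileged side refuses any request it was not explicitly told to serve, so a packaging omission shows up as a hard disconnect rather than an unchecked call.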

Comment 3 Fedora Update System 2014-11-13 22:17:17 UTC
openssh-6.6.1p1-8.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/openssh-6.6.1p1-8.fc21

Comment 4 jjq 2014-11-14 00:28:41 UTC
Can confirm that openssh-6.6.1p1-8.fc21 fixes the issue with GSSAPI key exchange authentication (on Fedora 21 on x86_64 here).  Thanks.

Comment 5 Fedora Update System 2014-11-14 12:04:08 UTC
Package openssh-6.6.1p1-8.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openssh-6.6.1p1-8.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-15016/openssh-6.6.1p1-8.fc21
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2014-11-16 14:43:03 UTC
openssh-6.6.1p1-8.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

