janmojzis / tinyssh

TinySSH is a small server (less than 100000 words of code)
Creative Commons Zero v1.0 Universal

fatal: unknown message type {tinysshd.c:303} - KEEPALIVE not implemented #4

Closed itoffshore closed 9 years ago

itoffshore commented 9 years ago

SSHv2 keepalive packets cause the connection to be reset in tinysshd.c

(I was using ServerAliveInterval 60 in my ~/.ssh/config)

daemon.info: Jul 18 20:05:07 tinysshd: M2lhPXOB: info: kex: kex selected: curve25519-sha256@libssh.org {sshcrypto_kex.c:106}
daemon.info: Jul 18 20:05:07 tinysshd: M2lhPXOB: info: kex: key selected: ssh-ed25519 {sshcrypto_key.c:122}
daemon.info: Jul 18 20:05:07 tinysshd: M2lhPXOB: info: kex: cipher selected: chacha20-poly1305@openssh.com {sshcrypto_cipher.c:110}
daemon.info: Jul 18 20:05:07 tinysshd: M2lhPXOB: info: kex: mac selected: chacha20-poly1305@openssh.com {sshcrypto_cipher.c:111}
daemon.info: Jul 18 20:05:10 tinysshd: M2lhPXOB: info: auth: stuart: none rejected {packet_auth.c:144}
daemon.info: Jul 18 20:05:10 tinysshd: M2lhPXOB: info: auth: stuart: ssh-rsa rejected {packet_auth.c:144}
daemon.info: Jul 18 20:05:17 tinysshd: M2lhPXOB: info: auth: stuart: ssh-ed25519 accepted {packet_auth.c:158}
daemon.info: Jul 18 20:06:25 tinysshd: M2lhPXOB: fatal: unknown message type (temporary failure){tinysshd.c:303}
daemon.info: Jul 18 20:08:25 tinysshd: 5wbjLsha: info: kex: kex selected: curve25519-sha256@libssh.org {sshcrypto_kex.c:106}
daemon.info: Jul 18 20:08:25 tinysshd: 5wbjLsha: info: kex: key selected: ssh-ed25519 {sshcrypto_key.c:122}
daemon.info: Jul 18 20:08:25 tinysshd: 5wbjLsha: info: kex: cipher selected: chacha20-poly1305@openssh.com {sshcrypto_cipher.c:110}
daemon.info: Jul 18 20:08:25 tinysshd: 5wbjLsha: info: kex: mac selected: chacha20-poly1305@openssh.com {sshcrypto_cipher.c:111}
daemon.info: Jul 18 20:08:28 tinysshd: 5wbjLsha: info: auth: stuart: none rejected {packet_auth.c:144}
daemon.info: Jul 18 20:08:28 tinysshd: 5wbjLsha: info: auth: stuart: ssh-rsa rejected {packet_auth.c:144}
daemon.info: Jul 18 20:08:35 tinysshd: 5wbjLsha: info: auth: stuart: ssh-ed25519 accepted {packet_auth.c:158}
daemon.info: Jul 18 20:09:36 tinysshd: 5wbjLsha: fatal: unknown message type {tinysshd.c:303}

Sniffing the interface shows the SSHv2 packet that causes the reset:

No.     Time        Source                Destination           Protocol Length Info
    126 80.903015   LAN.IP            VPN.IP          TCP      54     22→61681 [FIN, ACK] Seq=1572 Ack=3961 Win=45664 Len=0

Frame 126: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
Ethernet II, Src: 76:3a:3e:a7:71:94 (76:3a:3e:a7:71:94), Dst: ReboxBV_f9:3e:39 (00:16:3c:f9:3e:39)
Internet Protocol Version 4, Src: LAN.IP(LAN.IP), Dst: VPN.IP (VPN.IP)
Transmission Control Protocol, Src Port: 22 (22), Dst Port: 61681 (61681), Seq: 1572, Ack: 3961, Len: 0

No.     Time        Source                Destination           Protocol Length Info
    127 80.928609   VPN.IP          LAN.IP            TCP      54     61681→22 [ACK] Seq=3961 Ack=1573 Win=59904 Len=0

Frame 127: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
Ethernet II, Src: ReboxBV_f9:3e:39 (00:16:3c:f9:3e:39), Dst: 76:3a:3e:a7:71:94 (76:3a:3e:a7:71:94)
Internet Protocol Version 4, Src: VPN.IP (VPN.IP), Dst: LAN.IP(LAN.IP)
Transmission Control Protocol, Src Port: 61681 (61681), Dst Port: 22 (22), Seq: 3961, Ack: 1573, Len: 0

No.     Time        Source                Destination           Protocol Length Info
    128 80.929648   VPN.IP          LAN.IP            SSHv2    114    Client: Encrypted packet (len=60)

Frame 128: 114 bytes on wire (912 bits), 114 bytes captured (912 bits)
Ethernet II, Src: ReboxBV_f9:3e:39 (00:16:3c:f9:3e:39), Dst: 76:3a:3e:a7:71:94 (76:3a:3e:a7:71:94)
Internet Protocol Version 4, Src: VPN.IP (VPN.IP), Dst: LAN.IP(LAN.IP)
Transmission Control Protocol, Src Port: 61681 (61681), Dst Port: 22 (22), Seq: 3961, Ack: 1573, Len: 60
SSH Protocol

No.     Time        Source                Destination           Protocol Length Info
    129 80.929665   LAN.IP            VPN.IP          TCP      54     22→61681 [RST] Seq=1573 Win=0 Len=0

Frame 129: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
Ethernet II, Src: 76:3a:3e:a7:71:94 (76:3a:3e:a7:71:94), Dst: ReboxBV_f9:3e:39 (00:16:3c:f9:3e:39)
Internet Protocol Version 4, Src: LAN.IP(LAN.IP), Dst: VPN.IP (VPN.IP)
Transmission Control Protocol, Src Port: 22 (22), Dst Port: 61681 (61681), Seq: 1573, Len: 0

No.     Time        Source                Destination           Protocol Length Info
    130 80.930936   VPN.IP          LAN.IP            TCP      54     61681→22 [FIN, ACK] Seq=4021 Ack=1573 Win=59904 Len=0

Frame 130: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
Ethernet II, Src: ReboxBV_f9:3e:39 (00:16:3c:f9:3e:39), Dst: 76:3a:3e:a7:71:94 (76:3a:3e:a7:71:94)
Internet Protocol Version 4, Src: VPN.IP (VPN.IP), Dst: LAN.IP(LAN.IP)
Transmission Control Protocol, Src Port: 61681 (61681), Dst Port: 22 (22), Seq: 4021, Ack: 1573, Len: 0

No.     Time        Source                Destination           Protocol Length Info
    131 80.930950   LAN.IP            VPN.IP          TCP      54     22→61681 [RST] Seq=1573 Win=0 Len=0

Frame 131: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
Ethernet II, Src: 76:3a:3e:a7:71:94 (76:3a:3e:a7:71:94), Dst: ReboxBV_f9:3e:39 (00:16:3c:f9:3e:39)
Internet Protocol Version 4, Src: LAN.IP(LAN.IP), Dst: VPN.IP (VPN.IP)
Transmission Control Protocol, Src Port: 22 (22), Dst Port: 61681 (61681), Seq: 1573, Len: 0

Will ssh_send_keepalive be part of /* XXX TODO - send SSH_MSG_UNIMPLEMENTED */ ?

The automatic log out after 1 hour is nice. I've not had any problem with my build against libsodium.

I've also been testing tinysshd with fwknop & have automatic logins through nat into LXC containers working.
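The behaviour asked about above, as an added example (not tinyssh's own code): instead of treating an unknown message type as fatal, the server answers with SSH_MSG_UNIMPLEMENTED as RFC 4253 section 11.4 requires. The sample input is a constructed copy of the global request OpenSSH sends for ServerAliveInterval; the dispatcher, its result enum and the "known type" handler are hypothetical.

```c
/* Added example, not tinyssh's code. RFC 4253 section 11.4: a server that
 * receives a message type it does not implement replies with
 * SSH_MSG_UNIMPLEMENTED (carrying the rejected packet's sequence number)
 * rather than treating the packet as fatal and dropping the connection. */
#include <stddef.h>
#include <stdint.h>
#define SSH_MSG_UNIMPLEMENTED   3   /* RFC 4253 */
#define SSH_MSG_GLOBAL_REQUEST 80   /* RFC 4254; OpenSSH keepalives use it */
#define SSH_MSG_CHANNEL_DATA   94   /* RFC 4254 */
enum dispatch_result { DISPATCH_EMPTY, DISPATCH_HANDLED, DISPATCH_UNIMPLEMENTED };

/* Constructed sample: what OpenSSH sends for ServerAliveInterval, a global
 * request "keepalive@openssh.com" (string length 21) with want_reply = 1. */
static const unsigned char keepalive_payload[] = {
    SSH_MSG_GLOBAL_REQUEST, 0, 0, 0, 21,
    'k','e','e','p','a','l','i','v','e','@','o','p','e','n','s','s','h','.','c','o','m',
    1 };

/* Reply buffer; a real server would encrypt and send this as its own packet. */
static unsigned char last_reply[5];
static size_t last_replylen;

/* Encode SSH_MSG_UNIMPLEMENTED: byte type, then uint32 seqnr big-endian. */
static size_t build_unimplemented(unsigned char out[5], uint32_t rejected_seqnr) {
    out[0] = SSH_MSG_UNIMPLEMENTED;
    out[1] = (unsigned char)(rejected_seqnr >> 24);
    out[2] = (unsigned char)(rejected_seqnr >> 16);
    out[3] = (unsigned char)(rejected_seqnr >> 8);
    out[4] = (unsigned char)rejected_seqnr;
    return 5;
}

/* Decode the rejected sequence number back out of an UNIMPLEMENTED payload. */
uint32_t unimplemented_seqnr(const unsigned char *p) {
    return ((uint32_t)p[1] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 8) | p[4];
}

/* Dispatch one decrypted payload. seqnr is the receive-side packet sequence
 * number of that packet (RFC 4253 section 6.4), which the reply must echo. */
enum dispatch_result dispatch_packet(const unsigned char *payload, size_t len, uint32_t seqnr) {
    last_replylen = 0;
    if (len == 0) return DISPATCH_EMPTY;           /* malformed: nothing to dispatch */
    switch (payload[0]) {
    case SSH_MSG_CHANNEL_DATA:                     /* hypothetical handler for a known type */
        return DISPATCH_HANDLED;
    default:                                       /* was: log fatal "unknown message type" */
        last_replylen = build_unimplemented(last_reply, seqnr);
        return DISPATCH_UNIMPLEMENTED;
    }
}
```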

janmojzis commented 9 years ago

Thanks for report, the issue is fixed now.

Please try latest release '20150719'

itoffshore commented 9 years ago

fantastic - do you have a download URL please? (trying this gives a 404)

janmojzis commented 9 years ago

Please try latest from github.

itoffshore commented 9 years ago

Yes this stops the RST - I don't see any message in the logs from:

log_d1("unknown packet - sending SSH_MSG_UNIMPLEMENTED message");

(with busybox syslog or with socklog) - but this is probably a good thing. A log message every 60 seconds would be a bit annoying.

janmojzis commented 9 years ago

> Yes this stops the RST - I don't see any message in the logs from: log_d1("unknown packet - sending SSH_MSG_UNIMPLEMENTED message");

The message is printed in debug mode (tinysshd -vvv ...)

itoffshore commented 9 years ago

I've patched tinysshd with this fix - thank you for responding so quickly.

For the next release if you could make a github release it would be helpful for package maintainers (the checksums on master.zip change over time). It will also allow developers who "star" your repo to keep updated of changes via Sibbell.

janmojzis commented 9 years ago

ok, issue solved