/cc @agl

can you send the stack trace dumps? Your description makes it hard to follow what is going on.

If you think key exchanges are to blame, you can make them happen more often by tuning down the rekeying data threshold.

Can you confirm that you are servicing all channels that the SSH library returns?

Regarding your question about servicing all channels. I think thats the case:

• chans returned by ssh.NewServerConn are handled here
• requests returned by ssh.NewServerConn are handled here
• requests returned by NewChannel.Accept() are handled here

if this is open source code, can you recreate the deadlock and SIGQUIT the process and send the resulting trace?

@hanwen Sure - I'll configure a lower threshold and see if it happens more quickly, and then grab a stack dump.

In the meantime you can find one linked to from here here: concourse/concourse#750 (comment) - they'll be the ones from "web", not "worker", though "worker" will show the client-side so that may be of interest too.

@hanwen Be sure to take one prefixed with concourse-web-issue-750- because I placed some stackdumps from other issues there as well.

studied your explanation for a bit more, and I think you are right: the deadlock is in the SSH package. To avoid deadlocks, we separate the reading and writing sides (see also https://codereview.appspot.com/62180043/).

Unfortunately, the spec requires that on reading a channelClose message, we should confirm it by sending a channelClose message back, so there is no way to make the read and write side independent.

I will have to think for a bit on how to fix this.

probably, we could have a

queuedPackets [][]byte

which can be written while a kex is in progress. We could then either let all writes succeed directly, or special case channelClose. The former will yield more testing coverage, but may not report I/O errors in the right place. The latter will be very hard to test for, since we'd have to make a test case that repros this hang.

I tried one simple minded solution, which didn't work. I need to think this through better. For now, I recommend jacking up the rekey interval to something really high.

The 1Gb default is suggested by the original RFC spec which is from 2006, and is exceedingly conservative. We're 10 years later now, so that number can probably safely be multiplied with 100 or 1000.

summary of deadlock:

1. some write to writePacket triggers a kex. All writes will now block.
2. the remote end is slow or sending lots of data. We happen to read a chanClose message before the remote end can send a kex message back.
3. the chanClose tries to echo a chanClose with writePacket, this blocks which kills the read loop.

@hanwen Thank for taking a deeper look into this. Regarding your suggested workaround of increasing the re-key interval by a factor of 100 or more: I'm not sure I understand the logic why its now safe to increase the re-key interval. Briefly looking at the spec it seems the main concern when choosing the recommended interval was the computational complexity of asymmetric encryption. Wouldn't this be an argument to decrease the re-key interval 10 years later with computers being a lot faster then when the spec was devised? In general isn't it at least a theoretical security concern to increase the interval by huge amounts as an attacker can observe way more data encrypted with the same key material?

from what I recall, there was no real justification given for the 1 Gb number (it's also just recommended). I put in because that's what the RFC said, but it seems ridiculously low, compared to throughput of the network nowadays, and the delay of doing a new handshake.

@hanwen You are right that the original rfc4253 did not provide detailed background how the recommended value was choosen. But rfc4344 Section 3 and 6.1 provides more detail on the re-keying interval and while I can't fully assess the provided math it definitely states that expanding the interval has negative implications on the security of the connection and the recommended value should be used.

thanks for that pointer. You shouldn't encrypt more than 4G packets because the counter wraps around.

L=128 for AES and block size is 16, so you should be OK for rekeying at 16 *2^32 = 64G.

Upping the interval was intended as a short-term workaround. The CL at https://go-review.googlesource.com/c/35012/ fixes this more reliably, hopefully.

@hanwen: Awesome, thanks for taking this on so quickly. Looking forward to the proper fix.

I have one more question: From your comments above it seems like the deadlock can be only caused by a channel close message while a key exchange in in-flight? Is that really the case? Because in the CI system where this is happening I wouldn't expect channel close message as each workers set up a single persistent connection that is not teared down until one of both ends shut down.

the stack traces I got for this bug were pointing to the line where closeChannel message was being sent.

But it could potentially happen in any function that responds to global/channel requests.

fixed in golang/crypto@2e74c77

@hanwen I'm now seeing handshakes fail occasionally with the following message:

input_userauth_error: bad message during authentication: type 20

Type 20 being KEXINIT. Maybe that's firing concurrently with the handshake or something? It appears to be flaky.

I can open another issue if you'd like.

@vito closed issues are not tracked. Open a new issue please.