
x/crypto/ssh: invalid packet length, packet too large #54719

Closed
marklaptenok opened this issue Aug 28, 2022 · 8 comments

Comments

@marklaptenok

What version of Go are you using (go version)?

$ go version
go version go1.18.5 freebsd/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/root/.cache/go-build"
GOENV="/root/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="freebsd"
GOINSECURE=""
GOMODCACHE="/root/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="freebsd"
GOPATH="/root/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go118"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go118/pkg/tool/freebsd_amd64"
GOVCS=""
GOVERSION="go1.18.5"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="cc"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/root/deployer/go.mod"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build2722818596=/tmp/go-build -gno-record-gcc-switches"

What did you do?

package main

import (
	"log"
	"os"

	"golang.org/x/crypto/ssh"
)

// logger was not shown in the original snippet; a standard-library logger stands in for it.
var logger = log.Default()

func send(private_key_path string, ftp_server_address_port string, ftp_user string) {
	key, err := os.ReadFile(private_key_path)
	if err != nil {
		logger.Fatalf("Can't open the private key to connect to runtime environment: %s", err.Error())
	}

	// The private key is encrypted; the user name doubles as its passphrase here.
	signer, err := ssh.ParsePrivateKeyWithPassphrase(key, []byte(ftp_user))
	if err != nil {
		logger.Fatalf("Can't parse the private key to connect to runtime environment: %s", err.Error())
	}

	ssh_configuration := &ssh.ClientConfig{
		User: ftp_user,
		Auth: []ssh.AuthMethod{
			ssh.PublicKeys(signer),
		},
		// Host key verification is disabled: any host answering on this address is accepted.
		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
		Timeout:         0,
		// Identification string sent to the server before key exchange.
		ClientVersion: "Deployer",
	}

	ssh_connection, err := ssh.Dial("tcp", ftp_server_address_port, ssh_configuration)
	if err != nil {
		logger.Fatalf("Can't connect to %s as %s: %s", ftp_server_address_port, ftp_user, err.Error())
	}
	defer ssh_connection.Close()

	logger.Printf("Connected to %s as %s", ftp_server_address_port, ftp_user)

	// ...
}

What did you expect to see?

"Connected to 10.0.3.15:22 as test_env"

What did you see instead?

"Can't connect to 10.0.3.15:22 as test_env: ssh: handshake failed: ssh: invalid packet length, packet too large"

@seankhliao
Member

golang.org/x/crypto/ssh version?
sshd version?
sshd config?

Without information on how to reproduce, this report isn't very actionable.

@seankhliao seankhliao added WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. labels Aug 28, 2022
@seankhliao seankhliao changed the title affected/package: golang.org/x/crypto/ssh x/crypto/ssh: invalid packet length, packet too large Aug 28, 2022
@gopherbot gopherbot added this to the Unreleased milestone Aug 28, 2022
@marklaptenok
Author

@seankhliao
golang.org/x/crypto/ssh version

go get: upgraded golang.org/x/crypto v0.0.0-20220817201139-bc19a97f63c8 => v0.0.0-20220826181053-bd7e27e6170d
go get: upgraded golang.org/x/sys v0.0.0-20220818161305-2296e01440c6 => v0.0.0-20220825204002-c680a09ffe64

sshd version

OpenSSH_7.9p1, OpenSSL 1.1.1l-freebsd  24 Aug 2021

sshd config

#Port 22
#AddressFamily any
ListenAddress 10.0.3.15
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	/etc/ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#UseBlacklist no
#VersionAddendum FreeBSD-20200214

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server

Without information on how to reproduce, this report isn't very actionable.

Yes, I know. I am a software engineer. I provide the information you ask for. No more, so as not to overload you with the details.

@marklaptenok
Author

Hi @seankhliao, when will the research start? When could I expect to have some results on the incident?

@5hir0kur0

Hi @marklaptenok

I had the same problem and found this issue through a Google search. In my case, I could fix it by setting the ClientVersion (in the ssh.ClientConfig struct) to a string starting with SSH-2.0-.
Maybe you could try that as well. You can also just omit the ClientVersion in which case the default value of "SSH-2.0-Go" will be used.
Hope this helps.

@marklaptenok
Author

Hi @5hir0kur0 ,

thank you for the workaround. It works for me.

@akmistry

It's not a workaround, it's a requirement of the SSH protocol. The server config has this comment:

// Note that [RFC 4253 section 4.2](https://rfc-editor.org/rfc/rfc4253.html#section-4.2) requires that this string start with
// "SSH-2.0-".

This comment should probably be added to ClientConfig.ClientVersion too.
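The two comments above give the rule (ClientVersion must start with "SSH-2.0-", per RFC 4253 section 4.2); here is an added check, not code from this thread or from x/crypto/ssh, that a client can run on its ClientVersion before building the ssh.ClientConfig, together with a decode of a constructed server reply showing why a rejected identification line surfaces as "packet too large". The "Protocol mismatch." text and the 256 KiB packet ceiling are assumptions taken from OpenSSH and x/crypto/ssh behaviour, not from this issue.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// maxPacket: the 256 KiB ceiling x/crypto/ssh applies to a binary packet length
// (assumed from the library, not stated in this issue).
const maxPacket = 256 * 1024

// ValidateClientVersion checks a candidate ssh.ClientConfig.ClientVersion against
// RFC 4253 section 4.2: prefix "SSH-2.0-", at most 255 bytes once CR LF is
// appended, and a softwareversion of printable US-ASCII with no whitespace or '-'.
// x/crypto/ssh does not enforce this itself; the check is added here.
func ValidateClientVersion(v string) error {
	const prefix = "SSH-2.0-"
	if !strings.HasPrefix(v, prefix) {
		return fmt.Errorf("client version %q must start with %q", v, prefix)
	}
	if len(v)+2 > 255 {
		return errors.New("identification line exceeds 255 bytes including CR LF")
	}
	software := strings.SplitN(v[len(prefix):], " ", 2)[0] // text before optional comments
	if software == "" {
		return errors.New("softwareversion part is empty")
	}
	for _, c := range software {
		if c < 0x21 || c > 0x7e || c == '-' {
			return fmt.Errorf("softwareversion %q: printable US-ASCII without whitespace or '-' only", software)
		}
	}
	return nil
}

// ExplainReply decodes the first four bytes the server sent after the version
// exchange the way the binary packet reader does: as a big-endian uint32 length.
// A server that rejected the client's identification line answers with text, not
// a packet, so that length lands far above maxPacket: the "packet too large" error.
func ExplainReply(reply []byte) (length uint32, acceptable bool) {
	if len(reply) < 4 {
		return 0, false
	}
	length = binary.BigEndian.Uint32(reply[:4])
	return length, length <= maxPacket
}
```

Running ExplainReply on the constructed reply "Protocol mismatch.\n" yields the bytes "Prot" read as a length of 1349676916, well above the ceiling.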

@joedian joedian removed WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. labels Nov 15, 2022
@joedian

joedian commented Nov 15, 2022

Fixed.

@marklaptenok
Author

It's not a workaround, it's a requirement of the SSH protocol. The server config has this comment:

// Note that [RFC 4253 section 4.2](https://rfc-editor.org/rfc/rfc4253.html#section-4.2) requires that this string start with
// "SSH-2.0-".

This comment should probably be added to ClientConfig.ClientVersion too.

Thank you for your remark. I did not know this.

@golang golang locked and limited conversation to collaborators Nov 20, 2023