Bad packet received by server when heartbeat is enabled #910
Comments
I definitely think you're right about the timing issue. Will have a look into it!
This was referenced Nov 10, 2023
hierynomus added a commit that referenced this issue Apr 18, 2024
…abled (#911)
* Fix for issue #910: Bad packet received by server when heartbeat is enabled
* Address re-keying case too
---------
Co-authored-by: Jeroen van Erp <[email protected]>
Occasionally, when enabling the default keep-alive (the heartbeater) and then connecting, the ssh server receives a bad packet immediately after the key exchange and closes the connection.
The sshd server logs show:
and the SSHJ logs show:
Based on the timings of these messages, I conjectured that the heartbeat (SSH_MSG_IGNORE=2) is sent by SSHJ to the server right after the server has sent and received SSH_MSG_NEWKEYS and thus switched to the new keys (according to https://www.ietf.org/rfc/rfc4253.txt) but right before SSHJ itself has updated its keys, which happens at KeyExchanger.gotNewKeys, when handling the SSH_MSG_NEWKEYS from the server. As a consequence, the heartbeat is encoded with the old keys and the server tries to decode it with the new keys, which results in garbage (e.g. Bad packet length 2412619996 in the server log).

I am able to reproduce the issue consistently by:

HeartBeater.doKeepAlive.
KeyExchanger.gotNewKeys. Once this breakpoint is hit, the server has switched to the new keys but the SSHJ client hasn't yet.
KeyExchanger.gotNewKeys.

After 4, the server logs will show Bad packet length <garbage> and after 5 the SSHJ client's reader thread or the heartbeater thread will detect a broken transport and close the connection.
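
The window described in the report, replayed deterministically as an added example (not SSHJ code and not the change made in #911). A toy SHA-256 keystream stands in for the negotiated cipher; the 256 KiB length bound and every class and function name are assumptions. `switch_on_send=True` models one ordering that RFC 4253 permits, where the outbound key changes in the same step that sends SSH_MSG_NEWKEYS.

```python
import hashlib
import struct

SSH_MSG_IGNORE, SSH_MSG_NEWKEYS = 2, 21
MAX_PACKET = 256 * 1024  # assumed bound a server enforces on packet_length

def xor_stream(key, seq, data):
    """Toy cipher standing in for the negotiated one; key=None leaves data as plaintext."""
    stream = hashlib.sha256(key + struct.pack(">I", seq)).digest() if key else bytes(32)
    return bytes(x ^ y for x, y in zip(data, stream))

def frame(msg_type):
    # RFC 4253 packet: packet_length=12, padding_length=10, 1-byte payload, 10 pad bytes
    return struct.pack(">IBB", 12, 10, msg_type) + bytes(10)

class Server:
    def __init__(self, new_key):
        self.key, self.new_key, self.seq, self.log = None, new_key, 0, []

    def receive(self, wire):
        plain = xor_stream(self.key, self.seq, wire)
        self.seq += 1
        length = struct.unpack(">I", plain[:4])[0]
        if not 5 <= length <= MAX_PACKET:
            self.log.append(f"Bad packet length {length}")
            return False
        if plain[5] == SSH_MSG_NEWKEYS:
            self.key = self.new_key  # client-to-server traffic is new-keyed from here
        self.log.append(f"msg {plain[5]}")
        return True

class Client:
    def __init__(self, server, new_key, switch_on_send):
        self.server, self.new_key, self.switch_on_send = server, new_key, switch_on_send
        self.key, self.seq = None, 0  # without switch_on_send the key would change later

    def send(self, msg_type):
        wire = xor_stream(self.key, self.seq, frame(msg_type))
        self.seq += 1
        ok = self.server.receive(wire)
        if msg_type == SSH_MSG_NEWKEYS and self.switch_on_send:
            self.key = self.new_key  # outbound key changes with the NEWKEYS send
        return ok

def run(switch_on_send):
    key = hashlib.sha256(b"constructed session key").digest()
    client = Client(Server(key), key, switch_on_send)
    client.send(SSH_MSG_NEWKEYS)
    return client.send(SSH_MSG_IGNORE), client.server.log  # heartbeat inside the window
```

`run(False)` reproduces the server-side "Bad packet length" entry for the heartbeat, while `run(True)` delivers it as message 2.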