Mail Archives: cygwin/2024/02/16/09:41:33

To: cygwin AT cygwin DOT com
Subject: Re: ssh over stunnel hangs on second connection
Date: Fri, 16 Feb 2024 09:36:58 -0500
Message-ID: <2orusip0fcft7bvfemu05eb61l43vsnmj8@4ax.com>
References: <0100018dae3b46a4-ccc76b81-1814-421b-a81c-d00436297c10-000000 AT email DOT amazonses DOT com>
From: Andrew Schulman via Cygwin <cygwin AT cygwin DOT com>
Reply-To: Andrew Schulman <andrex DOT e DOT schulman AT gmail DOT com>

> I am using Cygwin stunnel 5.71 on Windows 11 to connect to 'ssh' into my Ubuntu
> server over 'stunnel'.
> 
> - The first time I ssh via stunnel it works fine. The second time I
>   try to connect, it hangs with 'ssh -v' showing only the initial
>   local steps of connection:
> 
> 	OpenSSH_9.5p1, OpenSSL 3.0.12 24 Oct 2023
> 	debug1: Reading configuration data /home/myuser/.ssh/config
> 	debug1: Reading configuration data /etc/ssh_config
> 	debug1: Connecting to localhost [::1] port 2222.
> 	debug1: Connection established.
> 	debug1: identity file /home/myuser/.ssh/id_rsa type 0
> 	debug1: identity file /home/myuser/.ssh/id_rsa-cert type -1
> 	debug1: identity file /home/myuser/.ssh/id_ecdsa type -1
> 	debug1: identity file /home/myuser/.ssh/id_ecdsa-cert type -1
> 	debug1: identity file /home/myuser/.ssh/id_ecdsa_sk type -1
> 	debug1: identity file /home/myuser/.ssh/id_ecdsa_sk-cert type -1
> 	debug1: identity file /home/myuser/.ssh/id_ed25519 type -1
> 	debug1: identity file /home/myuser/.ssh/id_ed25519-cert type -1
> 	debug1: identity file /home/myuser/.ssh/id_ed25519_sk type -1
> 	debug1: identity file /home/myuser/.ssh/id_ed25519_sk-cert type -1
> 	debug1: identity file /home/myuser/.ssh/id_xmss type -1
> 	debug1: identity file /home/myuser/.ssh/id_xmss-cert type -1
> 	debug1: identity file /home/myuser/.ssh/id_dsa type -1
> 	debug1: identity file /home/myuser/.ssh/id_dsa-cert type -1
> 	debug1: Local version string SSH-2.0-OpenSSH_9.5
> 
>   and '/var/log/stunnel' on the Cygwin client failing early:
> 
>     LOG7[main]: Found 1 ready file descriptor(s)
> 	LOG7[main]: FD=4 events=0x1 revents=0x0
> 	LOG7[main]: FD=8 events=0x1 revents=0x1
> 	LOG7[main]: FD=10 events=0x1 revents=0x0
> 	LOG7[main]: Service [ssh] accepted (FD=3) from ::1:52718
> 
> 
> - If I connect a *third* (or more) time, 'ssh -v' hangs with the same
>   output as above, but there is *no* additional logging in
>   '/var/log/stunnel' on the client.
> 
> 
> It thus is acting as if 'stunnel' on the Cygwin client itself somehow
> hangs/becomes unresponsive early in the second 'ssh' connection
> attempt.
> 
> Note that the client '/usr/bin/stunnel' process continues to run, so it
> doesn't crash.
> 
> Killing and relaunching /usr/bin/stunnel resets the situation,
> allowing me to ssh-over-stunnel OK on the first attempt but again
> hanging on the 2nd and subsequent 'ssh' attempts.
> 
> Also, the 'stunnel' server on Ubuntu continues to run throughout since
> I can continue to ssh-over-stunnel into it from other machines.
> 
> It doesn't *seem* to be a firewall problem, since it connects fine the
> first time. Nor does it seem to be a network or 'stunnel' server
> problem.
> 
> Any ideas on why this is happening?

Hi. I'm the stunnel maintainer for Cygwin. I don't know why stunnel would hang
as you describe, but I'll try to help.

I agree that your configuration of ssh over TLS is common - I used it myself for
years. However as matthew patton suggests, there are other ways to get the same
goal, that may let you work around this problem.

One possibility that matthew didn't mention is to run your ssh server on port
443, and connect directly to it with ssh - no TLS wrapper. Yes, that's
non-standard, but if you can live with that, it might work fine for you and be
simpler. My best understanding is that ssh and TLS are indistinguishable to an
application firewall.

But supposing you keep your current configuration. Can you please clarify how
you're invoking stunnel? Do you have a ProxyCommand directive in your
.ssh/config, like:

ProxyCommand /usr/bin/stunnel stunnel.conf

or is it some other way? I ask this because with ProxyCommand as above, you
should get a separate stunnel process for each new ssh connection, and I can't
think why they would interfere with each other.

Andrew


-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
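The per-connection ProxyCommand arrangement Andrew asks about, written out as an added example (this is illustration, not code posted in the thread or shipped by the Cygwin stunnel package). The script name, the Host alias, server.example.com and the CA bundle path are assumptions. The point worth seeing is the process model: ssh runs the script with its stdin/stdout as the connection, stunnel in inetd mode wraps that stream in TLS and connects out to port 443, and the stunnel process ends with the ssh session, so no single long-lived daemon listening on localhost:2222 is shared between connections. The verification lines are included because stunnel in client mode does not check the server certificate unless told to.

```sh
#!/bin/sh
# Added example (not from the thread): stunnel as an ssh ProxyCommand in
# inetd mode, one stunnel process per ssh session. The script path, host
# name and CA bundle path below are assumptions for illustration.
#
# Assumed ~/.ssh/config entry:
#   Host tunnelhost
#       HostName server.example.com
#       ProxyCommand ~/.ssh/stunnel-proxy.sh %h 443
#
# ssh hands the script its stdin/stdout as the connection; stunnel wraps
# that plaintext ssh stream in TLS and connects to %h:443, then exits with
# the session. Contrast the daemon-mode setup ("accept = 2222" and ssh to
# localhost:2222), where one long-lived stunnel serves every connection.
set -eu

# Emit an inetd-mode client configuration for one TLS endpoint.
# Having no [service] section and no "accept" line is what selects inetd
# mode. verifyChain/CAfile/checkHost are present because stunnel in client
# mode does not verify the server certificate by default.
stunnel_inetd_conf() {
    host=$1
    port=$2
    cafile=${3:-/etc/pki/tls/certs/ca-bundle.crt}   # assumed CA bundle path
    printf '%s\n' \
        "client = yes" \
        "connect = ${host}:${port}" \
        "sni = ${host}" \
        "verifyChain = yes" \
        "CAfile = ${cafile}" \
        "checkHost = ${host}"
}

# Sanity check: reject a config that would make stunnel listen on a port
# instead of using the descriptors ssh handed it (a service section header
# or an accept line). Returns 0 for an inetd-mode config, 1 otherwise.
conf_is_inetd_mode() {
    ! printf '%s\n' "$1" | grep -Eq '^[[:space:]]*(\[|accept[[:space:]]*=)'
}

# Write a per-process config and run stunnel on it; the temp file is
# removed when stunnel exits, whatever the reason.
run_proxy() {
    conf=$(mktemp "${TMPDIR:-/tmp}/stunnel-proxy.XXXXXX")
    trap 'rm -f "$conf"' EXIT
    stunnel_inetd_conf "$1" "$2" > "$conf"
    conf_is_inetd_mode "$(cat "$conf")"
    stunnel "$conf"
}

# Invoked by ssh as: stunnel-proxy.sh <host> <port>
if [ "$#" -ge 2 ]; then
    run_proxy "$1" "$2"
fi
```

With this layout a hung stunnel can only stall the one ssh session that spawned it, which is a useful contrast when chasing a "first connection works, second hangs" symptom against a shared daemon. ssh still does its own host-key check against the HostName, independent of the TLS layer. To see stunnel's own log per session, add "debug = 7" and an "output = /some/file" line to the generated config; by default stunnel logs to syslog.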
