workaround for VMware WS NAT bug triggered by OpenSSH 7.8p1 changes

Yuri Pankov yuripv at yuripv.net
Fri Dec 21 23:55:21 UTC 2018


Hi,

There's apparently a bug in the VMware Workstation NAT implementation, made
visible by the change to default values of IPQoS in OpenSSH 7.8p1,
causing all ssh connections from the guest behind the NAT to fail with
an obscure "Fssh_packet_write_wait: Connection to 192.168.1.53 port 22:
Broken pipe".

I wonder if we could integrate the attached patch (or some smarter
version of it) for the time being as the bug affects several major WS
releases, and it's not immediately clear where the problem is.

The change itself:

https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/readconf.c#rev1.284

The bug reports (some of them):

https://bugzilla.redhat.com/show_bug.cgi?id=1624437
https://communities.vmware.com/message/2803219#2803219

The patch itself is attached.
-------------- next part --------------
diff --git a/crypto/openssh/readconf.c b/crypto/openssh/readconf.c
index f97a6ac72a95..9ed6902a0f46 100644
--- a/crypto/openssh/readconf.c
+++ b/crypto/openssh/readconf.c
@@ -16,6 +16,9 @@
 __RCSID("$FreeBSD$");
 
 #include <sys/types.h>
+#ifdef VMWARE_GUEST_WORKAROUND
+#include <sys/sysctl.h>
+#endif
 #include <sys/stat.h>
 #include <sys/socket.h>
 #include <sys/wait.h>
@@ -1954,6 +1957,15 @@ fill_default_options(Options * options)
 {
 	char *all_cipher, *all_mac, *all_kex, *all_key;
 	int r;
+#ifdef VMWARE_GUEST_WORKAROUND
+	char scval[7];	/* "vmware\0" */
+	size_t scsiz = sizeof(scval);
+	int vmwguest = 0;
+
+	if (sysctlbyname("kern.vm_guest", scval, &scsiz, NULL, 0) == 0 &&
+	    strcmp(scval, "vmware") == 0)
+		vmwguest = 1;
+#endif
 
 	if (options->forward_agent == -1)
 		options->forward_agent = 0;
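Review bot: The `kern.vm_guest` test at the top of fill_default_options() keys the workaround on the hypervisor rather than on the NAT path the report describes, so every VMware guest, bridged networking included, gets the alternate QoS defaults chosen in the later hunk. That trade-off should be stated in a comment above the sysctlbyname() call. The 7-byte `scval` also depends on sysctlbyname() failing for any longer value; the `== 0` test makes that safe, but it deserves a comment too. The lookup also runs on every call, even when the user has set both IPQoS values explicitly; consider doing it only when ip_qos_interactive or ip_qos_bulk is still -1.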
@@ -2088,8 +2100,18 @@ fill_default_options(Options * options)
 	if (options->visual_host_key == -1)
 		options->visual_host_key = 0;
 	if (options->ip_qos_interactive == -1)
+#ifdef VMWARE_GUEST_WORKAROUND
+		if (vmwguest)
+			options->ip_qos_interactive = IPTOS_LOWDELAY;
+		else
+#endif
 		options->ip_qos_interactive = IPTOS_DSCP_AF21;
 	if (options->ip_qos_bulk == -1)
+#ifdef VMWARE_GUEST_WORKAROUND
+		if (vmwguest)
+			options->ip_qos_bulk = IPTOS_THROUGHPUT;
+		else
+#endif
 		options->ip_qos_bulk = IPTOS_DSCP_CS1;
 	if (options->request_tty == -1)
 		options->request_tty = REQUEST_TTY_AUTO;
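Review bot: The `if (vmwguest) ... else` spliced in under `if (options->ip_qos_interactive == -1)` leaves an unbraced nested if/else whose final branch sits outside the #ifdef, and the same shape is repeated for ip_qos_bulk. It compiles to the right thing with and without the macro, but the indentation no longer matches the nesting and the construct is easy to break when upstream changes are merged into this function. Suggest declaring vmwguest unconditionally (0 when the macro is unset) and writing each assignment as a single statement, e.g. `options->ip_qos_interactive = vmwguest ? IPTOS_LOWDELAY : IPTOS_DSCP_AF21;`, which removes both #ifdef blocks from this hunk. The patch as posted touches only readconf.c and the Makefile, so the documented defaults would also no longer match the behaviour on a VMware guest.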
diff --git a/secure/usr.bin/ssh/Makefile b/secure/usr.bin/ssh/Makefile
index 614cc7627fc5..023fa4a55be9 100644
--- a/secure/usr.bin/ssh/Makefile
+++ b/secure/usr.bin/ssh/Makefile
@@ -37,6 +37,9 @@ LIBADD+=	crypto
 CFLAGS+= -DXAUTH_PATH=\"${LOCALBASE}/bin/xauth\"
 .endif
 
+# Workaround VMware Workstation NAT bug
+CFLAGS+=-DVMWARE_GUEST_WORKAROUND
+
 .include <bsd.prog.mk>
 
 .PATH:	${SSHDIR}
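Review bot: `CFLAGS+=-DVMWARE_GUEST_WORKAROUND` is added unconditionally, so every build of ssh carries the workaround with no way to turn it off short of editing this Makefile; consider putting it behind a build knob. The comment above it should reference the bug reports and say under what condition the workaround can be removed, since it is meant to be temporary. Style nit: the existing CFLAGS line in this file has a space after `+=`.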