View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0005095 | Kali Linux | [All Projects] General Bug | public | 2018-11-14 01:45 | 2019-01-18 15:09 |

| Priority | Severity | Reproducibility | Target Version | Fixed in Version |
|---|---|---|---|---|
| normal | minor | have not tried | | |

Summary: 0005095: SSH over NAT fails with broken pipe message

Description: For all versions after OpenSSH_7.7p1, when using a NAT connection, any attempts to connect over SSH fail with an error message 'Broken pipe'.
It's hard to tell with a description this brief, but this is almost certainly related to a known VMware bug. If the reporter could confirm that this was observed in a VMware VM with NAT, that would be very helpful. That said, I was able to successfully reproduce the issue with those assumptions.
In short, as of OpenSSH 7.8 the default IPQoS values have changed to DSCP AF21 for interactive traffic and CS1 for bulk traffic. vmnat does not support these, and breaks the connection immediately after ssh auth completes.
As far as I can tell, there are four possible solutions:
1) Wait for VMware to fix vmnat (no sign of this happening in sight, this bug has been present for months)
2) Patch OpenSSH to revert the changes in  while waiting for 1) to happen.
3) Alter /etc/ssh/ssh_config to override the default QoS settings. "IPQoS throughput" will do the trick, and the QoS implications are minor.
4) Downgrade OpenSSH (which sounds like a bad idea, but it technically resolves the issue. It's what Ubuntu are doing, so it must be good, right?)
 - https://communities.vmware.com/thread/590825
 - https://www.openssh.com/txt/release-7.8
 - https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/readconf.c.diff?r1=1.283&r2=1.284&f=h
This was using VMware Fusion 8.5.10 on a Mac with a Kali VM with a NAT connection. I can confirm that using "IPQoS=throughput" on the command line when using SSH works. Thanks.
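
The override from option 3 above, as an added example that is not part of the original report or its notes: one function classifies the `ipqos` line that `ssh -G` prints, the other adds `IPQoS throughput` to a client config file without duplicating an existing setting. The function names and the sample `ssh -G` output are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.

# Classify the "ipqos" line of `ssh -G <host>` output read on stdin:
#   dscp-default      -> OpenSSH 7.8+ defaults (af21 interactive, cs1 bulk)
#   overridden <vals> -> any other setting, e.g. "throughput throughput"
#   unknown           -> no ipqos line in the input
ipqos_status() {
    awk 'tolower($1) == "ipqos" { found = 1; v = tolower($2 " " $3) }
         END {
             sub(/ +$/, "", v)
             if (!found)               print "unknown"
             else if (v == "af21 cs1") print "dscp-default"
             else                      print "overridden " v
         }'
}

# Put "IPQoS throughput" at the top of an ssh client config file, before any
# Host/Match block, so it applies to every host. If the file already sets
# IPQoS anywhere, nothing is changed and the existing line is left for review.
apply_ipqos_override() {
    cfg=$1
    [ -f "$cfg" ] || : > "$cfg"
    if grep -Eiq '^[[:space:]]*IPQoS([[:space:]]|=)' "$cfg"; then
        return 0
    fi
    tmp=$(mktemp) || return 1
    # Write through a temp file, then copy back to keep the file's mode and owner.
    { printf 'IPQoS throughput\n\n'; cat "$cfg"; } > "$tmp" && cat "$tmp" > "$cfg"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample of `ssh -G` output from a client still on the defaults.
SAMPLE_SSH_G='user root
hostname 192.0.2.10
port 22
ipqos af21 cs1'

printf '%s\n' "$SAMPLE_SSH_G" | ipqos_status    # dscp-default
```

On a real client, pipe `ssh -G <host>` into `ipqos_status` and point `apply_ipqos_override` at `~/.ssh/config` or `/etc/ssh/ssh_config`.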