From nobody Tue Sep 5 08:33:13 2023 X-Original-To: freebsd-current@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4RfzKs1pwZz4s6b4 for ; Tue, 5 Sep 2023 08:33:21 +0000 (UTC) (envelope-from madis555@hot.ee) Received: from SMTPOUT02.DKA.mailcore.net (smtpout02.dka.mailcore.net [81.7.169.175]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtpout02.dka.mailcore.net", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4RfzKq5754z3Bn4 for ; Tue, 5 Sep 2023 08:33:19 +0000 (UTC) (envelope-from madis555@hot.ee) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=online.ee header.s=mailcore header.b=waZ8QyMj; spf=pass (mx1.freebsd.org: domain of madis555@hot.ee designates 81.7.169.175 as permitted sender) smtp.mailfrom=madis555@hot.ee; dmarc=pass (policy=reject) header.from=hot.ee Received: from SMTP.DKA.mailcore.net (DKA-SMTP01.mailcore.local [10.1.0.51]) by SMTPOUT05.DKA.mailcore.net (Postfix) with ESMTP id 46BF3E0DEF for ; Tue, 5 Sep 2023 10:33:14 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=online.ee; s=mailcore; t=1693902794; bh=JV5sFdExZT6VYtXlEuBB/PxdzWt4CorFjmU5jQlwwHI=; h=In-Reply-To:References:From:Date:Subject:To:Cc:From; b=waZ8QyMjBYzUxmFWatTNpOX0iGY6p/d6GsZz6F2LpSGT05RfaTD9i19wgF5AYPs+L ky+xNqISjRMISsEiuDpBMmGTWuKhl5fE4nflndbYe8ecuiM5cr6UMJRHFP/vgg29VJ Me6QZxCIr4w5DVSPxEg0nVKvJrJ+esC8Th271v2NxrlRq/aBhpdLmHe8ZMdkF1gUc6 q+fiB3+rqlVtBu2p6OLcq1d40wYhiR7m/H/ChCgiFpwexqFCpDbR0O5JYxSYiN/fan xpCsmDPCAE456Jz+J7d2vvzz+Ks2NDnqAv5c0U9mOYj5IsrncsFKvT2re5KnNsf7iv agxHDhvxN9kMg== Received: from mail-pl1-f182.google.com (mail-pl1-f182.google.com [209.85.214.182]) by SMTP.DKA.mailcore.net (Postfix) with ESMTPSA id 6899B4015F for ; Tue, 5 Sep 2023 10:33:16 +0200 (CEST) Received: by mail-pl1-f182.google.com with SMTP id d9443c01a7336-1bc8a2f71eeso12882835ad.0 for ; Tue, 05 Sep 2023 01:33:16 -0700 (PDT) X-Gm-Message-State: AOJu0YzT2h4QOdOVriIXJn+zH1s7HxWHCUa+WuCyvEQK3dmP2wPX8zyB Fpm0VIyqI+tfD+i2ADpaBcCu3hm0qHLLpoJmXIU= X-Google-Smtp-Source: AGHT+IFLC2vZPTECAX/Fp9Sc7zbNY7AXWZN1QJYxcrC8LmLVQiGNlHJHyf/zEtGxGIlW+qCk9OAbfLGT0aXGB3JNw5Y= X-Received: by 2002:a17:90b:d94:b0:26b:e80:11de with SMTP id bg20-20020a17090b0d9400b0026b0e8011demr9077005pjb.25.1693902793869; Tue, 05 Sep 2023 01:33:13 -0700 (PDT) List-Id: Discussions about the use of FreeBSD-current List-Archive: https://lists.freebsd.org/archives/freebsd-current List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-current@freebsd.org MIME-Version: 1.0 Received: by 2002:a05:6a06:147:b0:624:beb4:2d with HTTP; Tue, 5 Sep 2023 01:33:13 -0700 (PDT) In-Reply-To: References: From: Sulev-Madis Silber Date: Tue, 5 Sep 2023 11:33:13 +0300 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: Stray characters in command history To: bob prohaska Cc: "freebsd-current@freebsd.org" Content-Type: multipart/alternative; boundary="0000000000005010290604987af2" X-Spamd-Bar: --- X-Spamd-Result: default: False [-3.54 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_LONG(-1.00)[-0.997]; NEURAL_HAM_SHORT(-0.55)[-0.545]; DMARC_POLICY_ALLOW(-0.50)[hot.ee,reject]; R_SPF_ALLOW(-0.20)[+ip4:81.7.169.128/25]; R_DKIM_ALLOW(-0.20)[online.ee:s=mailcore]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; RCVD_IN_DNSWL_NONE(0.00)[209.85.214.182:received]; TO_DN_EQ_ADDR_SOME(0.00)[]; MLMMJ_DEST(0.00)[freebsd-current@freebsd.org]; FREEMAIL_ENVFROM(0.00)[hot.ee]; RCPT_COUNT_TWO(0.00)[2]; MIME_TRACE(0.00)[0:+,1:+,2:~]; FROM_EQ_ENVFROM(0.00)[]; DKIM_TRACE(0.00)[online.ee:+]; RCVD_COUNT_THREE(0.00)[4]; ASN(0.00)[asn:47292, ipnet:81.7.128.0/18, country:DK]; ARC_NA(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; TO_MATCH_ENVRCPT_SOME(0.00)[]; FROM_HAS_DN(0.00)[]; FREEMAIL_FROM(0.00)[hot.ee]; TO_DN_SOME(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-current@freebsd.org]; RCVD_TLS_LAST(0.00)[] X-Rspamd-Queue-Id: 4RfzKq5754z3Bn4 --0000000000005010290604987af2 Content-Type: text/plain; charset="UTF-8" i'm experiencing kind of similar issue. unsure why or how. i have 13.2. console is sc. the other side, via serial, is running current. uart is from usb serial adapter. other side has native soc uart. when i establish connection to that thing with cu, which is embedded board btw, and log in, i get weird random chars as if i've typed them in. if i do some input right after, i don't seem to get it. it gets worse, if i let cu run in other terminal and do some testing that involves lot of reboot cycles, while doing some tasks on other terminal, sometimes weird chars get injected into my input elsewhere. eg i run editor and it's annoying for something to appear as if i've typed it in. is it related? thankfully target isn't untrusted, otherwise it would be pretty bad? or where this thing even comes from? i know that you can do funny stuff with tiocsti and co but this looks pretty bad. both the fact that something makes it and the fact that they get injected elsewhere. there is also a some recent bug around this. so i'm not sure what to think of it all? On Sunday, May 21, 2023, bob prohaska wrote: > Here is another example, perhaps a bit clearer. > > The ssh connection to the first Pi3 in the chain had dropped, so it was > re-establishing via a regular user login, then su was invoked and tip run: > ..... > To change this login announcement, see motd(5). > Want to go the directory you were just in? > Type "cd -" > bob@pelorus:~ % su > Password: > # tip ucom > Stale lock on cuaU0 PID=2487... overriding. > connected > osed by r31 www s <<<< This appeared spontaneously, then I hit return. > osed: Command not found. <<<<< I didn't type anything. > bob@www:/usr/src % <<<<< The shell prompt on the 2nd Pi3's serial console. > .... > Clearly nothing to do with sshd, might it simply be a misdirected echo of console > output generated by a (dead or broken) tip connection? The first example looked > possibly malicious, this does not.... > > Thanks for reading, > > bob prohaska > > > > On Sun, May 21, 2023 at 06:49:33AM -0700, bob prohaska wrote: >> Lately I've been playing with buildworld on a Pi3 running -current. The same machine >> acts as a terminal server for a second Pi3 also running -current in my "cluster". >> I ssh into the first Pi3, su to root and run tip to pick up a serial connection to >> the second Pi's console. Both machines are within a week of up-to-date. >> >> While building world on the first Pi3 the ssh connection frequently drops and must be >> re-established. If there was a shell running on the serial console of the second >> Pi3 it typically keeps running and when the tip session is restarted disgorges a >> stream of accumulated console message. >> >> This morning the same thing happened, but I noticed something odd. The stream of >> messages (all login failure announcements from ssh) ended with >> >> .... >> May 21 06:15:00 www sshd[33562]: error: Fssh_kex_exchange_identification: banner line contains invalid characters >> *+May 21 06:15:19 www sshd[33565]: error: Fssh_kex_exchange_identification: Connection closed by remote host >> May 21 06:15:33 www sshd[33613]: error: Protocol major versions differ: 2 vs. 1 >> >> At that point I hit carriage return and got >> *+: No match. >> >> I did not type the *+ so it looks like the characters were somehow introduced elsewhere, >> possibly from the ssh failure message. How they got into the command stream is unclear. >> >> This strikes me as undesirable at best and possibly much worse. The shell reporting >> the "no match" was a regular user shell, but if I'd been su'd to root it appears that >> the unmatched characters would be seen by the root shell as input. >> >> This more-or-less fits with the pattern seen earlier with reboots observed via serial >> console halting on un-typed keystrokes. Those halts were attributed to electrical noise >> on the serial line, but this looks like something injected via part of the network >> login process. Reboot pauses have been an ongoing phenomenon for months, this is the >> first time I've noticed the "invalid characters" message from ssh on the console. >> >> Thanks for reading, apologies if I'm being a worrywart. >> >> bob prohaska >> >> >> > > --0000000000005010290604987af2 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable i'm experiencing kind of similar issue. unsure why or how. i have 13.2.= console is sc. the other side, via serial, is running current. uart is fro= m usb serial adapter. other side has native soc uart. when i establish conn= ection to that thing with cu, which is embedded board btw, and log in, i ge= t weird random chars as if i've typed them in. if i do some input right= after, i don't seem to get it. it gets worse, if i let cu run in other= terminal and do some testing that involves lot of reboot cycles, while doi= ng some tasks on other terminal, sometimes weird chars get injected into my= input elsewhere. eg i run editor and it's annoying for something to ap= pear as if i've typed it in. is it related? thankfully target isn't= untrusted, otherwise it would be pretty bad? or where this thing even come= s from? i know that you can do funny stuff with tiocsti and co but this loo= ks pretty bad. both the fact that something makes it and the fact that they= get injected elsewhere. there is also a some recent bug around this. so i&= #39;m not sure what to think of it all?


On Sunday, May 21, 2023,= bob prohaska <fbsd@www.zefox.net<= /a>> wrote:
> Here is another example, perhaps a bit clearer.
&= gt;
> The ssh connection to the first Pi3 in the chain had dropped, s= o it was
> re-establishing via a regular user login, then su was invo= ked and tip run:
> .....
> To change this login announcement, s= ee motd(5).
> Want to go the directory you were just in?
> Type= "cd -"
> bob@pelorus:~ % su
> Password:
> # ti= p ucom
> Stale lock on cuaU0 PID=3D2487... overriding.
> connec= ted
> osed by r31 www s=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<<<= <=C2=A0 This appeared spontaneously, then I hit return.
> osed: Co= mmand not found.=C2=A0 <<<<< I didn't type anything.
= > bob@www:/usr/src %=C2=A0 =C2=A0 =C2=A0 =C2=A0 <<<<< The= shell prompt on the 2nd Pi3's serial console.
> ....
> Cle= arly nothing to do with sshd, might it simply be a misdirected echo of cons= ole
> output generated by a (dead or broken) tip connection? The firs= t example looked
> possibly malicious, this does not....
>
&= gt; Thanks for reading,
>
> bob prohaska
>
>
>= ;
> On Sun, May 21, 2023 at 06:49:33AM -0700, bob prohaska wrote:
= >> Lately I've been playing with buildworld on a Pi3 running -cur= rent. The same machine
>> acts as a terminal server for a second P= i3 also running -current in my "cluster".
>> I ssh into = the first Pi3, su to root and run tip to pick up a serial connection to
= >> the second Pi's console. Both machines are within a week of up= -to-date.
>>
>> While building world on the first Pi3 the= ssh connection frequently drops and must be
>> re-established. If= there was a shell running on the serial console of the second
>> = Pi3 it typically keeps running and when the tip session is restarted disgor= ges a
>> stream of accumulated console message.
>>
>= ;> This morning the same thing happened, but I noticed something odd. Th= e stream of
>> messages (all login failure announcements from ssh)= ended with
>>
>> ....
>> May 21 06:15:00 www ss= hd[33562]: error: Fssh_kex_exchange_identification: banner line contains in= valid characters
>> *+May 21 06:15:19 www sshd[33565]: error: Fssh= _kex_exchange_identification: Connection closed by remote host
>> = May 21 06:15:33 www sshd[33613]: error: Protocol major versions differ: 2 v= s. 1
>>
>> At that point I hit carriage return and got>> *+: No match.
>>
>> I did not type the *+ so it= looks like the characters were somehow introduced elsewhere,
>> p= ossibly from the ssh failure message. How they got into the command stream = is unclear.
>>
>> This strikes me as undesirable at best = and possibly much worse. The shell reporting
>> the "no match= " was a regular user shell, but if I'd been su'd to root it ap= pears that
>> the unmatched characters would be seen by the root s= hell as input.
>>
>> This more-or-less fits with the patt= ern seen earlier with reboots observed via serial
>> console halti= ng on un-typed keystrokes. Those halts were attributed to electrical noise<= br>>> on the serial line, but this looks like something injected via = part of the network
>> login process. Reboot pauses have been an o= ngoing phenomenon for months, this is the
>> first time I've n= oticed the "invalid characters" message from ssh on the console.<= br>>>
>> Thanks for reading, apologies if I'm being a wo= rrywart.
>>
>> bob prohaska
>>
>>=C2=A0=
>>
>
> --0000000000005010290604987af2--