Hi,
There is a bug in the OCI (Oracle Cloud Infrastructure) version of the Rocky Linux 9.3 image that breaks openssh-server with a single very common command.
One of the first things I usually install on fresh Linux installations is mc (Midnight Commander), to easily manage the file system.
I wanted to try Rocky Linux for a new instance and, as usual, I installed mc the moment I logged in, but after I exited I was unable to log back in to the server using ssh anymore.
After launching a few more Rocky instances to test and investigating the issue, I found that mc installs OpenSSL as one of its dependencies, and this causes an “OpenSSL version mismatch” issue for openssh-server, which makes it impossible for users to log in using ssh the moment they install mc and end the existing session (I guess any other package with an OpenSSL dependency will do the same as well).
This issue is really easy to replicate:
- Launch an instance with the “Rocky-9-OCP-Base-9.3-20231113.5.x86_64” image
- Log in to the instance using ssh
- Run “sudo dnf install -y mc”
- Exit the session
- Try to log in again using ssh
That’s it, you will get the "kex_exchange_identification: read: Connection reset by peer
Connection reset by xxx.xxx.xx.xxx port 22" error the moment you try to log in after that.
A temporary solution is to run “sudo dnf install openssh-server --refresh” right after installing mc; this fixes the OpenSSL mismatch issue and the user is able to log in again, but it must be done before the current session is ended after installing mc.
Just to clarify, I’m not asking for support or help on this issue, since I have already identified the problem and found a temporary fix. The reason I’m posting here is that either I’m being dumb and can’t find the way to register on your bug tracker (the signup link sends me to the login page), or your project has made it impossible for new users to report bugs. OCI support sent me to your bug tracker to report this, your bug tracker won’t allow me to register, and here I am.
I was only testing a Rocky Linux instance and accidentally found this on a fresh install, but it can mess up many servers, since mc is pretty popular software and used by many Linux users. Can you imagine if someone tried to install mc on a production server? The only way to gain access to a prod server after this is the OCI maintenance console, but you need to have a password set on your users to log in, and many people don’t do that since the default method is key auth with NOPASSWORD sudo enabled.
I have tested version 9.5 in a VirtualBox VM and I can’t replicate this issue.
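
Added example (not part of the original post): a pre-logout check to run after a package transaction and before ending the only open session. It assumes that an affected sshd prints “OpenSSL version mismatch” when started in test mode (`sshd -t`); the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: an sshd hit by this bug prints "OpenSSL version mismatch"
# when started, including in configuration test mode (sshd -t).

# classify_sshd_check STATUS OUTPUT
# Prints one of: ok | openssl-mismatch | other-failure
classify_sshd_check() {
    case $2 in
        *"OpenSSL version mismatch"*) echo "openssl-mismatch"; return 0 ;;
    esac
    if [ "$1" -eq 0 ]; then echo "ok"; else echo "other-failure"; fi
}

# safe_to_logout [CMD...]
# Runs the sshd self-test (default: sudo sshd -t) and returns
# 0 if new logins should work, 1 on the OpenSSL mismatch, 2 otherwise.
safe_to_logout() {
    [ "$#" -gt 0 ] || set -- sudo sshd -t
    # Capture output and exit status without tripping "set -e" in callers.
    out=$("$@" 2>&1) && st=0 || st=$?
    case $(classify_sshd_check "$st" "$out") in
        ok)
            echo "sshd self-test passed; new logins should work"
            return 0 ;;
        openssl-mismatch)
            echo "sshd reports an OpenSSL version mismatch: keep this session open" >&2
            echo "workaround from the post: sudo dnf install openssh-server --refresh" >&2
            return 1 ;;
        *)
            echo "sshd self-test failed: $out" >&2
            return 2 ;;
    esac
}

# Usage: source this file, run "sudo dnf install -y <package>", then call
# safe_to_logout before typing "exit".
```

A non-zero result means the current session is the only guaranteed way back in, so apply the workaround and re-run the check before disconnecting.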