[grsec] grsec hanging ssh ?

jnf jnf at nosec.net
Mon Jan 31 16:21:08 EST 2005


Hi.

Okay, I've spent a little over a week troubleshooting this and finally I
have reached the conclusion that it is in fact related to grsec.

The situation is that I have a series of bastion hosts, one in the dmz one
'on the other side', dmz is implemented via a pix. When I go through the
dmz host (any host in here will do the same) through the nat translation
into the other host (grsec 2.1.1 / 2.6.10 + sec fixes ) after about five
minutes of being idle the connection locks up - it does basically a half
close although at a network level it does not do a half close. I cannot
send data, however I can receive data (i.e. I cannot type, however if
someone does a wall I can receive it). From a network perspective both
ends of the connection appear to think the connection is still open, (no
half closes or similar occur, they simply 'stop talking' to each other),
I've attached a debugger to both the client end and server end and have
not found anything I would call overly strange.

If I directly connect to either of the boxes or put one of them in the dmz
itself, it works fine - which initially led me to believe it was a nat
translation timeout or similar in the pix, however after rebooting into a
stock kernel image w/ no grsec/rbac, the connection never locks up.

In sshd keep alive is turned on, and I've run out of ideas. I run grsec on
several different servers with no problems so I wonder if it's a combo of
the pix and grsec, has anyone encountered something similar?

thanks

jnf

- --

There are only two choices in life. You either conform the truth to your desire,
or you conform your desire to the truth. Which choice are you making?
