Created attachment 3629
ssh_config fragment included from /etc/ssh/ssh_config

I am trying to get host-based authentication to work, unsuccessfully so far. As it appears to me, the host key is successfully retrieved from /etc/ssh/ssh_known_hosts and accepted, but authorization is rejected anyway for reasons I am unable to figure out. On the server side I can see that the client is unexpectedly terminating the connection, so the problem is most likely with the client. I am using a /etc/ssh/shosts.equiv file containing just one single line with only a '+' character.

Here is a transcript of the client output from a failed authentication attempt:

OpenSSH_8.8p1, OpenSSL 3.0.5 5 Jul 2022 debug1: Reading configuration data /etc/ssh/ssh_config debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/40-standard_user.conf depth 0 debug1: Reading configuration data /etc/ssh/ssh_config.d/40-standard_user.conf debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0 debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf debug2: checking match for 'final all' host sarkovy.koeller.dyndns.org originally sarkovy.koeller.dyndns.org debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: not matched 'final' debug2: match not found debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only) debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-] debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512] debug1: configuration requests final Match pass debug1: re-parsing configuration debug1: Reading
configuration data /etc/ssh/ssh_config debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/40-standard_user.conf depth 0 debug1: Reading configuration data /etc/ssh/ssh_config.d/40-standard_user.conf debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0 debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf debug2: checking match for 'final all' host sarkovy.koeller.dyndns.org originally sarkovy.koeller.dyndns.org debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: matched 'final' debug2: match found debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-] debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512] debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/thomas/.ssh/known_hosts' debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/thomas/.ssh/known_hosts2' debug2: resolving "sarkovy.koeller.dyndns.org" port 22 debug3: resolve_host: lookup sarkovy.koeller.dyndns.org:22 debug3: ssh_connect_direct: entering debug1: Connecting to sarkovy.koeller.dyndns.org [fd46:1ffa:d8e0::1] port 22. debug3: set_sock_tos: set socket 4 IPV6_TCLASS 0x48 debug1: Connection established. 
debug1: identity file /home/thomas/.ssh/id_rsa type -1 debug1: identity file /home/thomas/.ssh/id_rsa-cert type -1 debug1: identity file /home/thomas/.ssh/id_dsa type -1 debug1: identity file /home/thomas/.ssh/id_dsa-cert type -1 debug1: identity file /home/thomas/.ssh/id_ecdsa type -1 debug1: identity file /home/thomas/.ssh/id_ecdsa-cert type -1 debug1: identity file /home/thomas/.ssh/id_ecdsa_sk type -1 debug1: identity file /home/thomas/.ssh/id_ecdsa_sk-cert type -1 debug1: identity file /home/thomas/.ssh/id_ed25519 type -1 debug1: identity file /home/thomas/.ssh/id_ed25519-cert type -1 debug1: identity file /home/thomas/.ssh/id_ed25519_sk type -1 debug1: identity file /home/thomas/.ssh/id_ed25519_sk-cert type -1 debug1: identity file /home/thomas/.ssh/id_xmss type -1 debug1: identity file /home/thomas/.ssh/id_xmss-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_8.8 debug1: Remote protocol version 2.0, remote software version OpenSSH_8.8 debug1: compat_banner: match: OpenSSH_8.8 pat OpenSSH* compat 0x04000000 debug2: fd 4 setting O_NONBLOCK debug1: Authenticating to sarkovy.koeller.dyndns.org:22 as 'thomas' debug1: load_hostkeys: fopen /home/thomas/.ssh/known_hosts: No such file or directory debug1: load_hostkeys: fopen /home/thomas/.ssh/known_hosts2: No such file or directory debug3: record_hostkey: found key type ED25519 in file /etc/ssh/ssh_known_hosts:2 debug3: load_hostkeys_file: loaded 1 keys from sarkovy.koeller.dyndns.org debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory debug3: order_hostkeyalgs: have matching best-preference key type ssh-ed25519-cert-v01@openssh.com, using HostkeyAlgorithms verbatim debug3: send packet: type 20 debug1: SSH2_MSG_KEXINIT sent debug3: receive packet: type 20 debug1: SSH2_MSG_KEXINIT received debug2: local client KEXINIT proposal debug2: KEX algorithms: 
curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ext-info-c debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256 debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 debug2: compression ctos: none,zlib@openssh.com,zlib debug2: compression stoc: none,zlib@openssh.com,zlib debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug2: peer server KEXINIT proposal debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 debug2: host key algorithms: ssh-ed25519 debug2: ciphers ctos: 
aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 debug2: compression ctos: none,zlib@openssh.com debug2: compression stoc: none,zlib@openssh.com debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: algorithm: curve25519-sha256 debug1: kex: host key algorithm: ssh-ed25519 debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none debug1: kex: curve25519-sha256 need=32 dh_need=32 debug1: kex: curve25519-sha256 need=32 dh_need=32 debug3: send packet: type 30 debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug3: receive packet: type 31 debug1: SSH2_MSG_KEX_ECDH_REPLY received debug1: Server host key: ssh-ed25519 SHA256:csWU9fi5IWZ7AOmRGcYQJgHi5jk2jEG6x3Nl+EkadHk debug1: load_hostkeys: fopen /home/thomas/.ssh/known_hosts: No such file or directory debug1: load_hostkeys: fopen /home/thomas/.ssh/known_hosts2: No such file or directory debug3: record_hostkey: found key type ED25519 in file /etc/ssh/ssh_known_hosts:2 debug3: load_hostkeys_file: loaded 1 keys from sarkovy.koeller.dyndns.org debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory debug1: Host 'sarkovy.koeller.dyndns.org' is known and matches the ED25519 host key. 
debug1: Found key in /etc/ssh/ssh_known_hosts:2 debug3: check_host_key: host key found in GlobalKnownHostsFile; disabling UpdateHostkeys debug3: send packet: type 21 debug2: set_newkeys: mode 1 debug1: rekey out after 4294967296 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug3: receive packet: type 21 debug1: SSH2_MSG_NEWKEYS received debug2: set_newkeys: mode 0 debug1: rekey in after 4294967296 blocks debug1: Will attempt key: /home/thomas/.ssh/id_rsa debug1: Will attempt key: /home/thomas/.ssh/id_dsa debug1: Will attempt key: /home/thomas/.ssh/id_ecdsa debug1: Will attempt key: /home/thomas/.ssh/id_ecdsa_sk debug1: Will attempt key: /home/thomas/.ssh/id_ed25519 debug1: Will attempt key: /home/thomas/.ssh/id_ed25519_sk debug1: Will attempt key: /home/thomas/.ssh/id_xmss debug2: pubkey_prepare: done debug3: send packet: type 5 debug3: receive packet: type 7 debug1: SSH2_MSG_EXT_INFO received debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com> debug3: receive packet: type 6 debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug3: send packet: type 50 debug3: receive packet: type 51 debug1: Authentications that can continue: hostbased debug3: start over, passed a different list hostbased debug3: preferred gssapi-with-mic,hostbased,password debug3: authmethod_lookup hostbased debug3: remaining preferred: password debug3: authmethod_is_enabled hostbased debug1: Next authentication method: hostbased debug3: userauth_hostbased: trying key type ssh-ed25519 debug3: userauth_hostbased: trying key type ssh-ed25519-cert-v01@openssh.com debug1: No more client hostkeys for hostbased authentication. debug2: we did not send a packet, disable method debug1: No more authentication methods to try. 
thomas@sarkovy.koeller.dyndns.org: Permission denied (hostbased).
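The transcript above ends with the client giving up on hostbased before it ever sends a hostbased request. The following is an added example, not code from the report or from OpenSSH: it scans a client transcript of this shape for the lines that decide a hostbased login (host key verification, offered methods, key types tried, whether a request was sent) and summarises them. SAMPLE_LOG is a constructed excerpt of the transcript above, one message per line.

```python
"""Triage an OpenSSH client transcript (ssh -vvv) for a hostbased failure.

Added example, not part of the bug report.  It picks out the lines that decide
a hostbased login: was the server host key accepted and from which file, which
methods did the server offer, which key types did the client try, and did the
client ever send a hostbased request at all.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed excerpt of the client log from the report, one message per line.
SAMPLE_LOG = """\
debug1: Authenticating to sarkovy.koeller.dyndns.org:22 as 'thomas'
debug1: Host 'sarkovy.koeller.dyndns.org' is known and matches the ED25519 host key.
debug1: Found key in /etc/ssh/ssh_known_hosts:2
debug3: check_host_key: host key found in GlobalKnownHostsFile; disabling UpdateHostkeys
debug1: Authentications that can continue: hostbased
debug1: Next authentication method: hostbased
debug3: userauth_hostbased: trying key type ssh-ed25519
debug3: userauth_hostbased: trying key type ssh-ed25519-cert-v01@openssh.com
debug1: No more client hostkeys for hostbased authentication.
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
thomas@sarkovy.koeller.dyndns.org: Permission denied (hostbased).
"""

_HOST_OK = re.compile(r"Host '(?P<host>[^']+)' is known and matches the (?P<type>\S+) host key")
_FOUND_IN = re.compile(r"Found key in (?P<file>\S+)")
_OFFERED = re.compile(r"Authentications that can continue: (?P<methods>\S+)")
_NEXT = re.compile(r"Next authentication method: (?P<method>\S+)")
_TRY_HB = re.compile(r"userauth_hostbased: trying key type (?P<type>\S+)")
_NO_KEYS = re.compile(r"No more client hostkeys for hostbased authentication")
_NO_PACKET = re.compile(r"we did not send a packet, disable method")
_DENIED = re.compile(r"Permission denied \((?P<methods>[^)]+)\)")


@dataclass
class HostbasedTriage:
    server_host: str | None = None          # host whose key was verified
    host_key_type: str | None = None
    known_hosts_file: str | None = None     # file:line the key came from
    offered_methods: list[str] = field(default_factory=list)
    methods_tried: list[str] = field(default_factory=list)
    hostbased_key_types_tried: list[str] = field(default_factory=list)
    client_hostkeys_exhausted: bool = False
    packet_sent: bool = True                # False once ssh says it sent nothing
    denied_methods: list[str] = field(default_factory=list)

    def verdict(self) -> str:
        if self.server_host is None:
            return "server host key was never verified; the failure is before authentication"
        if "hostbased" not in self.offered_methods:
            return "server did not offer hostbased; check HostbasedAuthentication in sshd_config"
        if "hostbased" not in self.methods_tried:
            return "client never selected hostbased; check HostbasedAuthentication in ssh_config"
        if self.client_hostkeys_exhausted and not self.packet_sent:
            return ("client found no usable host key to sign with and never sent a hostbased "
                    "request; the server only ever sees the initial 'none' probe")
        if self.denied_methods:
            return "a hostbased request was sent and rejected; the reason is in the server log"
        return "no hostbased failure found in this transcript"


def triage(log_text: str) -> HostbasedTriage:
    """Walk the transcript line by line and record the hostbased-relevant events."""
    t = HostbasedTriage()
    for line in log_text.splitlines():
        if m := _HOST_OK.search(line):
            t.server_host, t.host_key_type = m["host"], m["type"]
        elif m := _FOUND_IN.search(line):
            t.known_hosts_file = m["file"]
        elif m := _OFFERED.search(line):
            t.offered_methods = m["methods"].split(",")
        elif m := _NEXT.search(line):
            t.methods_tried.append(m["method"])
        elif m := _TRY_HB.search(line):
            t.hostbased_key_types_tried.append(m["type"])
        elif _NO_KEYS.search(line):
            t.client_hostkeys_exhausted = True
        elif _NO_PACKET.search(line):
            t.packet_sent = False
        elif m := _DENIED.search(line):
            t.denied_methods = m["methods"].split(",")
    return t


if __name__ == "__main__":
    import sys
    # Pipe a real `ssh -vvv` transcript on stdin, or run with no input for the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    result = triage(text)
    print(f"host key: {result.host_key_type} for {result.server_host} from {result.known_hosts_file}")
    print(f"offered: {result.offered_methods}  tried: {result.methods_tried}")
    print(f"hostbased key types tried: {result.hostbased_key_types_tried}")
    print("verdict:", result.verdict())
```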
Forgot to mention that both the server and the client execute on the same host, if that's significant.
The reason is likely in the server side log. Please run the server in debug mode (eg "/path/to/sshd -ddde -p222"), connect to it on port 222 and attach the log.
Also, what's in sshd_config? Unless you have your DNS forward and reverse exactly right, you probably want "HostbasedUsesNameFromPacketOnly yes" in sshd_config.
Created attachment 3630
server configuration
(In reply to Darren Tucker from comment #3)
> Also, what's in sshd_config? Unless you have your DNS forward and
> reverse exactly right, you probably want
> "HostbasedUsesNameFromPacketOnly yes" in sshd_config.

Attaching the server configuration. Here is the result of a forward/reverse lookup of the host name in use; I think that should be o.k.?

[thomas@sarkovy ~]$ dig +noall +keepopen +authority +answer sarkovy.koeller.dyndns.org any -x 192.168.0.1 -x fd46:1ffa:d8e0::1
sarkovy.koeller.dyndns.org. 259200 IN A 192.168.0.1
sarkovy.koeller.dyndns.org. 259200 IN AAAA fd46:1ffa:d8e0::1
sarkovy.koeller.dyndns.org. 259200 IN TXT "Thomas' computer"
1.0.168.192.in-addr.arpa. 259200 IN PTR sarkovy.koeller.dyndns.org.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.e.8.d.a.f.f.1.6.4.d.f.ip6.arpa. 3600 IN PTR sarkovy.koeller.dyndns.org.
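The forward/reverse agreement Darren asks about is what sshd verifies itself when it is not told to trust the name from the packet: it reverse-resolves the client's source address, forward-resolves that PTR name again, requires the original address to be among the answers, and only then compares the name with the one the client sent. The following is an added example, not code from the thread or from OpenSSH, that runs that chain for every address of a client name; FORWARD_TABLE and REVERSE_TABLE are constructed from the dig output above (plus two deliberately broken names), and a name on the command line switches to the real resolver.

```python
"""Check the forward/reverse DNS chain sshd applies to a hostbased client.

Added example, not part of the bug report.  With UseDNS yes and without
HostbasedUsesNameFromPacketOnly, sshd reverse-resolves the client's source
address, forward-resolves the PTR name again and requires the original address
to be among the answers; only then is the PTR name compared with the host name
the client put in its request.  If any step fails, sshd uses the bare address
as the client's name, which will not match the name the client sends, and the
login fails.  The resolvers are injectable so the check runs offline against
a constructed table.
"""
from __future__ import annotations

import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable

Forward = Callable[[str], list[str]]  # name -> addresses
Reverse = Callable[[str], str]        # address -> PTR name, raises OSError if none


def _norm(addr: str) -> str:
    """Canonical text form so 'fd46:1ffa:d8e0:0::1' and 'fd46:1ffa:d8e0::1' compare equal."""
    return str(ipaddress.ip_address(addr))


def system_forward(name: str) -> list[str]:
    return sorted({_norm(ai[4][0]) for ai in socket.getaddrinfo(name, None)})


def system_reverse(addr: str) -> str:
    return socket.gethostbyaddr(addr)[0]


# Constructed lookup tables reproducing the dig output from the report, plus two
# deliberately broken names to show the failure modes.
FORWARD_TABLE = {
    "sarkovy.koeller.dyndns.org": ["192.168.0.1", "fd46:1ffa:d8e0::1"],
    "other.example": ["192.168.0.2"],   # PTR points to a name that does not map back
    "noptr.example": ["192.168.0.3"],   # no PTR record at all
}
REVERSE_TABLE = {
    "192.168.0.1": "sarkovy.koeller.dyndns.org",
    "fd46:1ffa:d8e0::1": "sarkovy.koeller.dyndns.org",
    "192.168.0.2": "wrong.example",
}


def table_forward(name: str) -> list[str]:
    return [_norm(a) for a in FORWARD_TABLE.get(name, [])]


def table_reverse(addr: str) -> str:
    try:
        return REVERSE_TABLE[_norm(addr)]
    except KeyError:
        raise socket.herror(1, "no PTR record")  # what gethostbyaddr raises


@dataclass
class AddressCheck:
    address: str
    ptr_name: str | None
    name_sshd_uses: str   # PTR name if the chain verifies, else the bare address
    ok: bool
    reason: str


def check_client_name(client_name: str, forward: Forward = system_forward,
                      reverse: Reverse = system_reverse) -> list[AddressCheck]:
    """Run sshd's reverse-then-forward check for every address of client_name."""
    results: list[AddressCheck] = []
    for addr in forward(client_name):
        try:
            ptr = reverse(addr)
        except OSError:
            results.append(AddressCheck(addr, None, addr, False,
                                        "no PTR record; sshd falls back to the address"))
            continue
        if addr not in forward(ptr):
            results.append(AddressCheck(addr, ptr, addr, False,
                                        f"PTR name {ptr} does not resolve back to {addr}"))
            continue
        if ptr.lower().rstrip(".") != client_name.lower().rstrip("."):
            results.append(AddressCheck(addr, ptr, ptr, False,
                                        f"PTR name {ptr} differs from the name the client sends"))
            continue
        results.append(AddressCheck(addr, ptr, ptr, True, "forward and reverse agree"))
    return results


if __name__ == "__main__":
    import sys
    # With a name on the command line use the real resolver, otherwise the table.
    if len(sys.argv) > 1:
        checks = check_client_name(sys.argv[1])
    else:
        checks = check_client_name("sarkovy.koeller.dyndns.org", table_forward, table_reverse)
    for c in checks:
        print(f"{c.address:<20} {'OK ' if c.ok else 'BAD'} {c.reason}")
```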
(In reply to Darren Tucker from comment #2)
> The reason is likely in the server side log. Please run the server
> in debug mode (eg "/path/to/sshd -ddde -p222", connect to it on port
> 222 and attach the log.

debug1: sshd version OpenSSH_8.8, OpenSSL 3.0.5 5 Jul 2022 debug1: private host key #0: ssh-ed25519 SHA256:csWU9fi5IWZ7AOmRGcYQJgHi5jk2jEG6x3Nl+EkadHk debug1: rexec_argv[0]='/usr/sbin/sshd' debug1: rexec_argv[1]='-d' debug1: Set /proc/self/oom_score_adj from 200 to -1000 debug1: Bind to port 22 on fd46:1ffa:d8e0::1. Server listening on fd46:1ffa:d8e0::1 port 22. debug1: Bind to port 22 on 192.168.0.1. Server listening on 192.168.0.1 port 22. debug1: Server will not fork when running in debugging mode. debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8 debug1: sshd version OpenSSH_8.8, OpenSSL 3.0.5 5 Jul 2022 debug1: private host key #0: ssh-ed25519 SHA256:csWU9fi5IWZ7AOmRGcYQJgHi5jk2jEG6x3Nl+EkadHk debug1: inetd sockets after dupping: 3, 3 Connection from fd46:1ffa:d8e0::1 port 51228 on fd46:1ffa:d8e0::1 port 22 rdomain "" debug1: Local version string SSH-2.0-OpenSSH_8.8 debug1: Remote protocol version 2.0, remote software version OpenSSH_8.8 debug1: compat_banner: match: OpenSSH_8.8 pat OpenSSH* compat 0x04000000 debug1: SELinux support enabled [preauth] debug1: ssh_selinux_change_context: setting context from 'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023' to 'unconfined_u:unconfined_r:sshd_net_t:s0-s0:c0.c1023' [preauth] debug1: permanently_set_uid: 74/74 [preauth] debug1: list_hostkey_types: ssh-ed25519 [preauth] debug1: SSH2_MSG_KEXINIT sent [preauth] debug1: SSH2_MSG_KEXINIT received [preauth] debug1: kex: algorithm: curve25519-sha256 [preauth] debug1: kex: host key algorithm: ssh-ed25519 [preauth] debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none [preauth] debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none [preauth] debug1: kex: curve25519-sha256 need=32
dh_need=32 [preauth] debug1: kex: curve25519-sha256 need=32 dh_need=32 [preauth] debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth] debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth] debug1: rekey out after 4294967296 blocks [preauth] debug1: SSH2_MSG_NEWKEYS sent [preauth] debug1: Sending SSH2_MSG_EXT_INFO [preauth] debug1: expecting SSH2_MSG_NEWKEYS [preauth] debug1: SSH2_MSG_NEWKEYS received [preauth] debug1: rekey in after 4294967296 blocks [preauth] debug1: KEX done [preauth] debug1: userauth-request for user thomas service ssh-connection method none [preauth] debug1: attempt 0 failures 0 [preauth] debug1: user thomas matched 'User thomas' at line 1 debug1: authentication methods list 0: hostbased debug1: PAM: initializing for "thomas" debug1: PAM: setting PAM_RHOST to "fd46:1ffa:d8e0::1" debug1: PAM: setting PAM_TTY to "ssh" debug1: authentication methods list 0: hostbased [preauth] Connection closed by authenticating user thomas fd46:1ffa:d8e0::1 port 51228 [preauth] debug1: do_cleanup [preauth] debug1: monitor_read_log: child log fd closed debug1: do_cleanup debug1: PAM: cleanup debug1: Killing privsep child 60899
(In reply to Darren Tucker from comment #2)
> The reason is likely in the server side log. Please run the server
> in debug mode (eg "/path/to/sshd -ddde -p222", connect to it on port
> 222 and attach the log.

Sorry, missed the '-ddd' part.

debug2: load_server_config: filename /etc/ssh/sshd_config debug2: load_server_config: done config len = 3744 debug2: parse_server_config_depth: config /etc/ssh/sshd_config len 3744 debug2: /etc/ssh/sshd_config line 15: new include /etc/ssh/sshd_config.d/*.conf debug2: /etc/ssh/sshd_config line 15: including /etc/ssh/sshd_config.d/40-sshvpn.conf debug2: load_server_config: filename /etc/ssh/sshd_config.d/40-sshvpn.conf debug2: load_server_config: done config len = 272 debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/40-sshvpn.conf len 272 debug3: checking syntax for 'Match Host=sshvpn.koeller.dyndns.org' debug2: /etc/ssh/sshd_config line 15: including /etc/ssh/sshd_config.d/40-standard-user.conf debug2: load_server_config: filename /etc/ssh/sshd_config.d/40-standard-user.conf debug2: load_server_config: done config len = 537 debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/40-standard-user.conf len 537 debug3: checking syntax for 'Match User=thomas' debug2: /etc/ssh/sshd_config line 15: including /etc/ssh/sshd_config.d/50-redhat.conf debug2: load_server_config: filename /etc/ssh/sshd_config.d/50-redhat.conf debug2: load_server_config: done config len = 720 debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/50-redhat.conf len 720 debug2: /etc/ssh/sshd_config.d/50-redhat.conf line 6: new include /etc/crypto-policies/back-ends/opensshserver.config debug2: /etc/ssh/sshd_config.d/50-redhat.conf line 6: including /etc/crypto-policies/back-ends/opensshserver.config debug2: load_server_config: filename /etc/crypto-policies/back-ends/opensshserver.config debug2: load_server_config: done config len = 1800 debug2: parse_server_config_depth: config
/etc/crypto-policies/back-ends/opensshserver.config len 1800 debug3: /etc/crypto-policies/back-ends/opensshserver.config:1 setting Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr debug3: /etc/crypto-policies/back-ends/opensshserver.config:2 setting MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 debug3: /etc/crypto-policies/back-ends/opensshserver.config:3 setting GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-] debug3: /etc/crypto-policies/back-ends/opensshserver.config:4 setting KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512] debug3: /etc/crypto-policies/back-ends/opensshserver.config:5 setting HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com debug3: /etc/crypto-policies/back-ends/opensshserver.config:6 setting PubkeyAcceptedAlgorithms 
ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com debug3: /etc/crypto-policies/back-ends/opensshserver.config:7 setting CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 debug3: /etc/crypto-policies/back-ends/opensshserver.config:8 setting RSAMinSize 2048 debug3: /etc/ssh/sshd_config.d/50-redhat.conf:8 setting SyslogFacility AUTHPRIV debug3: /etc/ssh/sshd_config.d/50-redhat.conf:10 setting ChallengeResponseAuthentication no debug3: /etc/ssh/sshd_config.d/50-redhat.conf:12 setting GSSAPIAuthentication yes debug3: /etc/ssh/sshd_config.d/50-redhat.conf:13 setting GSSAPICleanupCredentials no debug3: /etc/ssh/sshd_config.d/50-redhat.conf:15 setting UsePAM yes debug3: /etc/ssh/sshd_config.d/50-redhat.conf:17 setting X11Forwarding yes debug3: /etc/ssh/sshd_config.d/50-redhat.conf:21 setting PrintMotd no debug3: /etc/ssh/sshd_config:25 setting ListenAddress 192.168.0.1:22 debug3: /etc/ssh/sshd_config:26 setting ListenAddress [fd46:1ffa:d8e0::1]:22 debug3: /etc/ssh/sshd_config:28 setting HostKey /etc/ssh/ssh_host_ed25519_key debug3: /etc/ssh/sshd_config:30 setting HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com debug3: /etc/ssh/sshd_config:37 setting LogLevel DEBUG debug3: /etc/ssh/sshd_config:52 setting AuthorizedKeysFile .ssh/authorized_keys debug3: /etc/ssh/sshd_config:60 setting HostbasedAuthentication yes debug3: /etc/ssh/sshd_config:63 setting IgnoreUserKnownHosts yes debug3: /etc/ssh/sshd_config:65 setting 
IgnoreRhosts yes debug3: /etc/ssh/sshd_config:68 setting PasswordAuthentication no debug3: /etc/ssh/sshd_config:72 setting KbdInteractiveAuthentication no debug3: /etc/ssh/sshd_config:99 setting UsePAM yes debug3: /etc/ssh/sshd_config:108 setting PrintMotd no debug3: /etc/ssh/sshd_config:118 setting PermitTunnel yes debug3: /etc/ssh/sshd_config:126 setting Subsystem sftp /usr/libexec/openssh/sftp-server debug1: sshd version OpenSSH_8.8, OpenSSL 3.0.5 5 Jul 2022 debug1: private host key #0: ssh-ed25519 SHA256:csWU9fi5IWZ7AOmRGcYQJgHi5jk2jEG6x3Nl+EkadHk debug1: rexec_argv[0]='/usr/sbin/sshd' debug1: rexec_argv[1]='-ddd' debug3: oom_adjust_setup debug1: Set /proc/self/oom_score_adj from 200 to -1000 debug2: fd 3 setting O_NONBLOCK debug3: sock_set_v6only: set socket 3 IPV6_V6ONLY debug1: Bind to port 22 on fd46:1ffa:d8e0::1. Server listening on fd46:1ffa:d8e0::1 port 22. debug2: fd 4 setting O_NONBLOCK debug1: Bind to port 22 on 192.168.0.1. Server listening on 192.168.0.1 port 22. debug3: fd 5 is not O_NONBLOCK debug1: Server will not fork when running in debugging mode. 
debug3: send_rexec_state: entering fd = 8 config len 3744 debug3: ssh_msg_send: type 0 debug3: send_rexec_state: done debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8 debug3: recv_rexec_state: entering fd = 5 debug3: ssh_msg_recv entering debug3: recv_rexec_state: done debug2: parse_server_config_depth: config rexec len 3744 debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/40-sshvpn.conf len 272 debug3: checking syntax for 'Match Host=sshvpn.koeller.dyndns.org' debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/40-standard-user.conf len 537 debug3: checking syntax for 'Match User=thomas' debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/50-redhat.conf len 720 debug2: parse_server_config_depth: config /etc/crypto-policies/back-ends/opensshserver.config len 1800 debug3: /etc/crypto-policies/back-ends/opensshserver.config:1 setting Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr debug3: /etc/crypto-policies/back-ends/opensshserver.config:2 setting MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 debug3: /etc/crypto-policies/back-ends/opensshserver.config:3 setting GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-] debug3: /etc/crypto-policies/back-ends/opensshserver.config:4 setting KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 debug3: kex names ok: 
[curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512] debug3: /etc/crypto-policies/back-ends/opensshserver.config:5 setting HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com debug3: /etc/crypto-policies/back-ends/opensshserver.config:6 setting PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com debug3: /etc/crypto-policies/back-ends/opensshserver.config:7 setting CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512 debug3: /etc/crypto-policies/back-ends/opensshserver.config:8 setting RSAMinSize 2048 debug3: /etc/ssh/sshd_config.d/50-redhat.conf:8 setting SyslogFacility AUTHPRIV debug3: /etc/ssh/sshd_config.d/50-redhat.conf:10 setting ChallengeResponseAuthentication no debug3: /etc/ssh/sshd_config.d/50-redhat.conf:12 setting GSSAPIAuthentication yes debug3: /etc/ssh/sshd_config.d/50-redhat.conf:13 setting 
GSSAPICleanupCredentials no debug3: /etc/ssh/sshd_config.d/50-redhat.conf:15 setting UsePAM yes debug3: /etc/ssh/sshd_config.d/50-redhat.conf:17 setting X11Forwarding yes debug3: /etc/ssh/sshd_config.d/50-redhat.conf:21 setting PrintMotd no debug3: rexec:25 setting ListenAddress 192.168.0.1:22 debug3: rexec:26 setting ListenAddress [fd46:1ffa:d8e0::1]:22 debug3: rexec:28 setting HostKey /etc/ssh/ssh_host_ed25519_key debug3: rexec:30 setting HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com debug3: rexec:37 setting LogLevel DEBUG debug3: rexec:52 setting AuthorizedKeysFile .ssh/authorized_keys debug3: rexec:60 setting HostbasedAuthentication yes debug3: rexec:63 setting IgnoreUserKnownHosts yes debug3: rexec:65 setting IgnoreRhosts yes debug3: rexec:68 setting PasswordAuthentication no debug3: rexec:72 setting KbdInteractiveAuthentication no debug3: rexec:99 setting UsePAM yes debug3: rexec:108 setting PrintMotd no debug3: rexec:118 setting PermitTunnel yes debug3: rexec:126 setting Subsystem sftp /usr/libexec/openssh/sftp-server debug1: sshd version OpenSSH_8.8, OpenSSL 3.0.5 5 Jul 2022 debug1: private host key #0: ssh-ed25519 SHA256:csWU9fi5IWZ7AOmRGcYQJgHi5jk2jEG6x3Nl+EkadHk debug1: inetd sockets after dupping: 3, 3 Connection from fd46:1ffa:d8e0::1 port 37486 on fd46:1ffa:d8e0::1 port 22 rdomain "" debug1: Local version string SSH-2.0-OpenSSH_8.8 debug1: Remote protocol version 2.0, remote software version OpenSSH_8.8 debug1: compat_banner: match: OpenSSH_8.8 pat OpenSSH* compat 0x04000000 debug2: fd 3 setting O_NONBLOCK debug3: ssh_sandbox_init: preparing seccomp filter sandbox debug2: Network child is on pid 63940 debug3: preauth child monitor started debug1: SELinux support enabled [preauth] debug1: ssh_selinux_change_context: setting context from 'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023' to 'unconfined_u:unconfined_r:sshd_net_t:s0-s0:c0.c1023' [preauth] debug3: ssh_selinux_change_context: setcon 
unconfined_u:unconfined_r:sshd_net_t:s0-s0:c0.c1023 from unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 failed with Invalid argument [preauth] debug3: privsep user:group 74:74 [preauth] debug1: permanently_set_uid: 74/74 [preauth] debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth] debug3: ssh_sandbox_child: attaching seccomp filter program [preauth] debug1: list_hostkey_types: ssh-ed25519 [preauth] debug3: send packet: type 20 [preauth] debug1: SSH2_MSG_KEXINIT sent [preauth] debug3: receive packet: type 20 [preauth] debug1: SSH2_MSG_KEXINIT received [preauth] debug2: local server KEXINIT proposal [preauth] debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 [preauth] debug2: host key algorithms: ssh-ed25519 [preauth] debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr [preauth] debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr [preauth] debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 [preauth] debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 [preauth] debug2: compression ctos: none,zlib@openssh.com [preauth] debug2: compression stoc: none,zlib@openssh.com [preauth] debug2: languages ctos: [preauth] debug2: languages stoc: [preauth] debug2: first_kex_follows 0 [preauth] debug2: reserved 0 [preauth] debug2: peer client KEXINIT proposal [preauth] debug2: KEX algorithms: 
curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ext-info-c [preauth] debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256 [preauth] debug2: ciphers ctos: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr [preauth] debug2: ciphers stoc: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr [preauth] debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 [preauth] debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 [preauth] debug2: compression ctos: none,zlib@openssh.com,zlib [preauth] debug2: compression stoc: none,zlib@openssh.com,zlib [preauth] debug2: languages ctos: [preauth] debug2: languages stoc: [preauth] debug2: first_kex_follows 0 [preauth] debug2: reserved 0 [preauth] debug1: kex: algorithm: curve25519-sha256 [preauth] debug1: kex: host key algorithm: ssh-ed25519 [preauth] debug1: kex: client->server cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none [preauth] debug1: kex: server->client cipher: aes256-gcm@openssh.com MAC: <implicit> compression: none [preauth] debug1: kex: 
curve25519-sha256 need=32 dh_need=32 [preauth] debug3: mm_request_send: entering, type 120 [preauth] debug3: mm_request_receive_expect: entering, type 121 [preauth] debug3: mm_request_receive: entering [preauth] debug3: mm_request_receive: entering debug3: monitor_read: checking request 120 debug3: mm_request_send: entering, type 121 debug1: kex: curve25519-sha256 need=32 dh_need=32 [preauth] debug3: mm_request_send: entering, type 120 [preauth] debug3: mm_request_receive_expect: entering, type 121 [preauth] debug3: mm_request_receive: entering [preauth] debug3: mm_request_receive: entering debug3: monitor_read: checking request 120 debug3: mm_request_send: entering, type 121 debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth] debug3: receive packet: type 30 [preauth] debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth] debug3: mm_sshkey_sign: entering [preauth] debug3: mm_request_send: entering, type 6 [preauth] debug3: mm_sshkey_sign: waiting for MONITOR_ANS_SIGN [preauth] debug3: mm_request_receive_expect: entering, type 7 [preauth] debug3: mm_request_receive: entering [preauth] debug3: mm_request_receive: entering debug3: monitor_read: checking request 6 debug3: mm_answer_sign: entering debug3: mm_answer_sign: ssh-ed25519 KEX signature len=83 debug3: mm_request_send: entering, type 7 debug2: monitor_read: 6 used once, disabling now debug3: send packet: type 31 [preauth] debug3: send packet: type 21 [preauth] debug2: set_newkeys: mode 1 [preauth] debug1: rekey out after 4294967296 blocks [preauth] debug1: SSH2_MSG_NEWKEYS sent [preauth] debug1: Sending SSH2_MSG_EXT_INFO [preauth] debug3: send packet: type 7 [preauth] debug1: expecting SSH2_MSG_NEWKEYS [preauth] debug3: receive packet: type 21 [preauth] debug1: SSH2_MSG_NEWKEYS received [preauth] debug2: set_newkeys: mode 0 [preauth] debug1: rekey in after 4294967296 blocks [preauth] debug1: KEX done [preauth] debug3: receive packet: type 5 [preauth] debug3: send packet: type 6 [preauth] debug3: receive packet: type 
50 [preauth] debug1: userauth-request for user thomas service ssh-connection method none [preauth] debug1: attempt 0 failures 0 [preauth] debug3: mm_getpwnamallow: entering [preauth] debug3: mm_request_send: entering, type 8 [preauth] debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth] debug3: mm_request_receive_expect: entering, type 9 [preauth] debug3: mm_request_receive: entering [preauth] debug3: mm_request_receive: entering debug3: monitor_read: checking request 8 debug3: mm_answer_pwnamallow: entering debug2: parse_server_config_depth: config reprocess config len 3744 debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/40-sshvpn.conf len 272 debug3: checking match for 'Host=sshvpn.koeller.dyndns.org' user thomas host fd46:1ffa:d8e0::1 addr fd46:1ffa:d8e0::1 laddr fd46:1ffa:d8e0::1 lport 22 debug3: match not found debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/40-standard-user.conf len 537 debug3: checking match for 'User=thomas' user thomas host fd46:1ffa:d8e0::1 addr fd46:1ffa:d8e0::1 laddr fd46:1ffa:d8e0::1 lport 22 debug1: user thomas matched 'User thomas' at line 1 debug3: match found debug3: /etc/ssh/sshd_config.d/40-standard-user.conf:4 setting AuthenticationMethods hostbased debug3: /etc/ssh/sshd_config.d/40-standard-user.conf:6 setting AllowUsers thomas debug3: /etc/ssh/sshd_config.d/40-standard-user.conf:7 setting DenyUsers none debug3: /etc/ssh/sshd_config.d/40-standard-user.conf:8 setting ForceCommand none debug3: /etc/ssh/sshd_config.d/40-standard-user.conf:9 setting GSSAPIAuthentication no debug3: /etc/ssh/sshd_config.d/40-standard-user.conf:10 setting HostbasedAcceptedAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519 debug3: /etc/ssh/sshd_config.d/40-standard-user.conf:11 setting HostbasedAuthentication yes debug3: /etc/ssh/sshd_config.d/40-standard-user.conf:12 setting HostbasedUsesNameFromPacketOnly yes debug3: /etc/ssh/sshd_config.d/40-standard-user.conf:13 setting IgnoreRhosts yes debug3: 
/etc/ssh/sshd_config.d/40-standard-user.conf:14 setting KerberosAuthentication no debug3: /etc/ssh/sshd_config.d/40-standard-user.conf:15 setting PasswordAuthentication no debug3: /etc/ssh/sshd_config.d/40-standard-user.conf:16 setting PermitRootLogin no debug3: /etc/ssh/sshd_config.d/40-standard-user.conf:17 setting PermitTTY yes debug3: /etc/ssh/sshd_config.d/40-standard-user.conf:18 setting PermitTunnel no debug3: /etc/ssh/sshd_config.d/40-standard-user.conf:19 setting PermitUserRC yes debug3: /etc/ssh/sshd_config.d/40-standard-user.conf:20 setting PubkeyAuthentication no debug3: /etc/ssh/sshd_config.d/40-standard-user.conf:21 setting PubkeyAcceptedAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/50-redhat.conf len 720 debug2: parse_server_config_depth: config /etc/crypto-policies/back-ends/opensshserver.config len 1800 debug3: auth2_setup_methods_lists: checking methods debug1: authentication methods list 0: hostbased debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1 debug3: mm_request_send: entering, type 9 debug2: monitor_read: 8 used once, disabling now debug2: input_userauth_request: setting up authctxt for thomas [preauth] debug3: mm_start_pam entering [preauth] debug3: mm_request_send: entering, type 100 [preauth] debug3: mm_inform_authserv: entering [preauth] debug3: mm_request_send: entering, type 4 [preauth] debug3: mm_inform_authrole: entering [preauth] debug3: mm_request_send: entering, type 80 [preauth] debug3: auth2_setup_methods_lists: checking methods [preauth] debug1: authentication methods list 0: hostbased [preauth] debug2: Unrecognized authentication method name: none [preauth] debug3: user_specific_delay: user specific delay 0.000ms [preauth] debug3: ensure_minimum_time_since: elapsed 0.747ms, delaying 6.577ms (requested 7.323ms) [preauth] debug3: mm_request_receive: entering debug3: monitor_read: checking request 100 debug1: PAM: initializing for "thomas" 
debug1: PAM: setting PAM_RHOST to "fd46:1ffa:d8e0::1" debug1: PAM: setting PAM_TTY to "ssh" debug2: monitor_read: 100 used once, disabling now debug3: mm_request_receive: entering debug3: monitor_read: checking request 4 debug3: mm_answer_authserv: service=ssh-connection, style= debug2: monitor_read: 4 used once, disabling now debug3: mm_request_receive: entering debug3: monitor_read: checking request 80 debug3: mm_answer_authrole: role= debug2: monitor_read: 80 used once, disabling now debug3: userauth_finish: failure partial=0 next methods="hostbased" [preauth] debug3: send packet: type 51 [preauth] debug3: mm_request_send: entering, type 122 [preauth] debug3: mm_request_receive_expect: entering, type 123 [preauth] debug3: mm_request_receive: entering [preauth] debug3: mm_request_receive: entering debug3: monitor_read: checking request 122 debug3: mm_request_send: entering, type 123 Connection closed by authenticating user thomas fd46:1ffa:d8e0::1 port 37486 [preauth] debug1: do_cleanup [preauth] debug3: PAM: sshpam_thread_cleanup entering [preauth] debug3: mm_request_send: entering, type 124 [preauth] debug3: mm_request_receive: entering debug3: monitor_read: checking request 124 debug1: monitor_read_log: child log fd closed debug3: mm_request_receive: entering debug1: do_cleanup debug1: PAM: cleanup debug3: PAM: sshpam_thread_cleanup entering debug1: Killing privsep child 63940 [
(In reply to Thomas Koeller from comment #5)
> (In reply to Darren Tucker from comment #3)
> > Also, what's in sshd_config? Unless you have your DNS forward and
> > reverse exactly right, you probably want
> > "HostbasedUsesNameFromPacketOnly yes" in sshd_config.
>
> Attaching the server configuration.
>
> Here is the result of a forward/reverse lookup of the host name in
> use, I think that should be o.k.?

Hard to tell from here but I don't see anything obvious. Setting HostbasedUsesNameFromPacketOnly would remove name resolution as a variable, though.

I note from the logs that this is a vendor-modified version of OpenSSH 8.8. Can you reproduce the problem with a current version of stock openssh from openssh.com? There were a couple of fixes to hostbased in 8.9, but I think only RSA keys were affected and you're not using those:

 * ssh(1): unbreak hostbased auth using RSA keys. Allow ssh(1) to select RSA keys when only RSA/SHA2 signature algorithms are configured (this is the default case). Previously RSA keys were not being considered in the default case.
 * ssh-keysign(1): make ssh-keysign use the requested signature algorithm and not the default for the key type. Part of unbreaking hostbased auth for RSA/SHA2 keys.
(also: please use attachments for logs, pasting large logs into comments quickly makes things unreadable).
(In reply to Darren Tucker from comment #8)
> (In reply to Thomas Koeller from comment #5)
> > (In reply to Darren Tucker from comment #3)
> I note from the logs that this is a vendor-modified version of
> OpenSSH 8.8. Can you reproduce the problem with a current version
> of stock openssh from openssh.com?

I can do that, though it may take some time. What would qualify as a 'current version', HEAD of git master branch or some release?
(In reply to Thomas Koeller from comment #10)
[...]
> What would qualify as a 'current version', HEAD of git master branch
> or some release?

Either the most recent release (9.1p1) or git HEAD, whichever you prefer. The main thing is to prevent what is typically a few hundred KB of vendor changes muddying the waters. The release has configure pre-built and doesn't need any fooling with autoconf.
Oh, one other thing that might help: when I wrote the hostbased regress test I put the host setup steps in comments, and you can see the keywords I needed on both client and server sides: https://github.com/openssh/openssh-portable/blob/master/regress/hostbased.sh
Created attachment 3631 [details] OpenSSH_9.1p1 server output
Created attachment 3632 [details] OpenSSH_9.1p1 client output
Created attachment 3633 [details] server configuration
Created attachment 3634 [details] client configuration
Built OpenSSH 9.1p1 from git sources. Results are virtually identical to those produced previously.
(In reply to Darren Tucker from comment #12)
> Oh, one other thing that might help: when I wrote the hostbased
> regress test I put the host setup steps in comments, and you can see
> the keywords I needed on both client and server sides:
>
> https://github.com/openssh/openssh-portable/blob/master/regress/hostbased.sh

- 'EnableSSHKeysign yes' is set, see attached config file
- shosts.equiv originally contained just a single '+' on a line by itself. I changed that to the host's fqdn 'sarkovy.koeller.dyndns.org', which did not make any difference.
This looks like a client-side issue to me.

The client logs indicate that no host based authentication packet was sent. Since EnableSSHKeysign is set in the ssh_config, this probably means that the permissions are incorrect on either the ssh-keysign executable or the private host keys.

Note that on Red Hat, ssh-keysign is normally setgid to group ssh_keys, and the private keys are expected to be readable by that group. Whereas, stock OpenSSH expects the private keys to be readable only by root and thus ssh-keysign should be setuid root.
(In reply to Iain Morgan from comment #19)
> This looks like a client-side issue to me.
>
> The client logs indicate that no host based authentication packet
> was sent. Since EnableSSHKeysign is set in the ssh_config, this
> probably means that the permissions are incorrect on either the
> ssh-keysign executable or the private host keys.
>
> Note that on Red Hat, ssh-keysign is normally setgid to group
> ssh_keys, and the private keys are expected to be readable by that
> group. Whereas, stock OpenSSH expects the private keys to be
> readable only by root and thus ssh-keysign should be setuid root.

This is correct, I figured that out, too:

[root@sarkovy ssh]# ls -l /usr/libexec/openssh/ssh-keysign
-r-xr-sr-x. 1 root ssh_keys 326064 29. Sep 13:45 /usr/libexec/openssh/ssh-keysign

So I reset the permissions on the key accordingly:

[root@sarkovy ssh]# ls -l /etc/ssh/ssh_host_ed25519_key
-rw-r-----. 1 root ssh_keys 419 6. Dez 23:11 /etc/ssh/ssh_host_ed25519_key

This did not help, and anyway, a fresh build of OpenSSH 9.1p1 exhibits the same behavior.
Created attachment 3635 [details] Add server side debugging for hostbased auth Please rerun the test after applying this patch, which will add some debugging to the server side, and attach the server side log here. (Only the server output will change so there's no need to include the client side from this.)
Created attachment 3636 [details] Working example sshd log for comparison

I built a separate installation with this additional debugging, its own keys and set up hostbased on it. I have the following config files in ${prefix}/etc/:

sshd_config:
HostbasedAuthentication yes
HostbasedUsesNameFromPacketOnly yes
AuthorizedKeysFile /dev/null

ssh_config:
EnableSSHKeySign yes
HostbasedAuthentication yes
PreferredAuthentications hostbased

shosts.equiv:
gate.dtucker.net

ssh_known_hosts:
gate.dtucker.net ssh-ed25519 [...]

and I'm attaching the logs for comparison.
Created attachment 3637 [details] Working example ssh log.
Comparing working and non-working, the working example has the following, which is missing from the non-working one:

debug2: hostbased key 4: ecdsa-sha2-nistp256 key from "/opt/openssh-9.1p1/etc/ssh_host_ecdsa_key"
debug2: hostbased key 5: ssh-ed25519 key from "/opt/openssh-9.1p1/etc/ssh_host_ed25519_key"
debug2: hostbased key 6: ssh-rsa key from "/opt/openssh-9.1p1/etc/ssh_host_rsa_key"

Later, you have:

order_hostkeyalgs: have matching best-preference key type ssh-ed25519-cert-v01@openssh.com, using HostkeyAlgorithms verbatim

Your host key is a cert? If so, does it work if you use a plain ed25519 host key?
(In reply to Darren Tucker from comment #24)
> Comparing working and non-working, the working example has the
> following, which is missing from the non-working one:
> debug2: hostbased key 4: ecdsa-sha2-nistp256 key from
> "/opt/openssh-9.1p1/etc/ssh_host_ecdsa_key"

These loads are in ssh.c and are gated by "if (options.hostbased_authentication)" and do include certificates. I'd suggest:

- checking that HostbasedAuthentication isn't disabled someplace, eg, a user config file (check the effective setting with "ssh -G yourserver | grep hostbased").
- checking that the public portion of host keys is readable by unprivileged users (since this is done in the client).
Created attachment 3638 [details] Add more server side debugging for hostbased auth
(In reply to Darren Tucker from comment #24)
> Your host key is a cert? If so, does it work if you use a plain
> ed25519 host key?

No it's just a plain key. I included ssh-ed25519-cert-v01@openssh.com only because I plan to use a cert in the future.
Created attachment 3639 [details] sshd output w/ debug patch applied

Patch applied. AFAICT none of the debug statements produced any output. I agree with Iain Morgan that it is most likely a client-side issue.
(In reply to Darren Tucker from comment #24)
> Comparing working and non-working, the working example has the
> following, which is missing from the non-working one:
> debug2: hostbased key 4: ecdsa-sha2-nistp256 key from
> "/opt/openssh-9.1p1/etc/ssh_host_ecdsa_key"
> debug2: hostbased key 5: ssh-ed25519 key from
> "/opt/openssh-9.1p1/etc/ssh_host_ed25519_key"
> debug2: hostbased key 6: ssh-rsa key from
> "/opt/openssh-9.1p1/etc/ssh_host_rsa_key"

These keys do not exist, as I am not using them.
I finally found the reason for the problem, a rather trivial one: I failed to install the public host key. Sorry for all the fuzz.
(In reply to Thomas Koeller from comment #30)
> I finally found the reason for the problem, a rather trivial one:
> I failed to install the public host key. Sorry for all the fuzz.

The second version of that patch should have had a warning about that in the debug output:

debug1: Connection established.
debug1: HostbasedAuthentication enabled but no keys could be loaded.
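A client-side pre-flight check that covers what this thread ended up verifying by hand, as an added example that is not part of the bug report or of OpenSSH itself: the ssh-keysign setuid/setgid and private-key permission requirements from comment #19/#20, and the missing public host key that turned out to be the root cause in comment #30/#31. The ssh-keysign path and the host key directory are parameters (assumed, since they differ between stock OpenSSH and the Red Hat layout shown above), and the fixture in the test is constructed, not taken from the reporter's system.

```sh
#!/bin/sh
# Added example, not code from the bug report or from OpenSSH: a pre-flight
# check for the client side of hostbased authentication. It checks the three
# things this thread ended up verifying by hand:
#   1. ssh-keysign is setuid root (stock OpenSSH) or setgid to a group that may
#      read the private host keys (group ssh_keys on Red Hat), since it signs
#      the hostbased challenge on behalf of the unprivileged user;
#   2. no private host key is world-readable;
#   3. every private host key has a world-readable public half (<key>.pub)
#      beside it, since ssh(1) loads the public keys itself, unprivileged, and
#      offers no hostbased keys at all if none can be loaded (the root cause).
# KEYSIGN and KEYDIR are parameters (assumption: the caller knows the layout),
# e.g. ${prefix}/libexec/ssh-keysign and ${prefix}/etc for stock OpenSSH, or
# /usr/libexec/openssh/ssh-keysign and /etc/ssh on Red Hat.

# check_hostbased_client KEYSIGN KEYDIR
# Prints one "PROBLEM: ..." line per finding; exit status 0 only if none.
check_hostbased_client() {
    keysign=$1
    keydir=$2
    problems=0

    if [ ! -x "$keysign" ]; then
        echo "PROBLEM: $keysign is missing or not executable"
        problems=$((problems + 1))
    elif [ ! -u "$keysign" ] && [ ! -g "$keysign" ]; then
        # test -u / -g check the setuid / setgid mode bits (POSIX).
        echo "PROBLEM: $keysign is neither setuid nor setgid, so it cannot read the private host keys"
        problems=$((problems + 1))
    fi

    found=0
    for key in "$keydir"/ssh_host_*_key; do
        [ -e "$key" ] || continue        # an unmatched glob stays literal
        found=1
        # POSIX find: -perm -004 matches when the 'other' read bit is set.
        if [ ! -e "$key.pub" ]; then
            echo "PROBLEM: $key has no public half ($key.pub); ssh will not offer it"
            problems=$((problems + 1))
        elif [ -z "$(find "$key.pub" -prune -perm -004 -print)" ]; then
            echo "PROBLEM: $key.pub is not world-readable, so unprivileged ssh cannot load it"
            problems=$((problems + 1))
        fi
        if [ -n "$(find "$key" -prune -perm -004 -print)" ]; then
            echo "PROBLEM: $key (private) is world-readable"
            problems=$((problems + 1))
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "PROBLEM: no ssh_host_*_key files found in $keydir"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Usage on a real client, e.g. with the Red Hat layout from this thread:
#   check_hostbased_client /usr/libexec/openssh/ssh-keysign /etc/ssh
if [ $# -eq 2 ]; then
    check_hostbased_client "$1" "$2"
fi
```

Run it on the client as root so that the private-key checks see the real mode bits; it complements, rather than replaces, "ssh -G yourserver | grep hostbased" from comment #25, which confirms that HostbasedAuthentication is actually in effect for the target host.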
OpenSSH 9.3 has been released. Close resolved bugs