Date:      Mon, 25 Aug 2025 08:43:01 +0200
From:      Gordon Bergling <gbe@FreeBSD.org>
To:        Dave Cottlehuber <dch@skunkwerks.at>
Cc:        net@freebsd.org
Subject:   Re: SSH connection problem to two FreeBSD VMs externaly hosted
Message-ID:  <aKwF9YTEmycReN-A@GB-MBA.local>
In-Reply-To: <b7450f35-0b3e-44c3-8972-fccf0e7ec55a@app.fastmail.com>
References:  <aHjc1rxFp7M3zmnT@GB-MBA.local> <b7450f35-0b3e-44c3-8972-fccf0e7ec55a@app.fastmail.com>

Hi Dave,

thanks for your reply. It turns out that with the upgrade from 14.2-RELEASE
to 14.3-RELEASE something went wrong. 'file' told me that on the 14.3-RELEASE
system it was 'for FreeBSD 14.2', while my local VM is 'for FreeBSD 14.3'.

After fiddling around with the BEs I had left after the update, I was able to
get a working 14.2-RELEASE booted. Deleted the leftover BEs and did
a fresh upgrade to 14.3-RELEASE. After that the problem disappeared.

--Gordon

On Thu, Jul 17, 2025 at 02:17:26PM +0000, Dave Cottlehuber wrote:
> On Thu, 17 Jul 2025, at 11:21, Gordon Bergling wrote:
> > Hi,
> >
> > I have two FreeBSD systems externally hosted, one at Hetzner and one on Azure.
> >
> > Both systems are running the latest 14.3-RELEASE, but I can no longer connect to them,
> > whether from a local 14.2-RELEASE, or the latest macOS. Nothing has changed in
> > terms of configuration. All systems use public-key authentication. The error
> > I am getting is the following:
> >
> > sshd[10965]: error: Fssh_kex_input_kexinit: unknown kex type 10 [preauth]
> >
> > Has anyone an idea what could cause this?
> >
> > Seeking out in forums about trying different KexAlgorithms options didn't
> > solve the problem.
> >
> > Any help is much appreciated!
> >
> > --Gordon
> >
> > Attachments:
> > * signature.asc
> 
> Odd. I have no issue from a 14.2 client -> 14.3 server connecting,
> with defaults, and ed25519 private key.
> 
> My best guess is that your sshd binary (or config) isn't correctly
> upgraded for some reason. What does file(1) report on server & client?
> 
> On 14.2-RELEASE:
> 
> root@picard:/ # file /usr/sbin/sshd
> /usr/sbin/sshd: ELF 64-bit LSB pie executable, x86-64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 14.2, FreeBSD-style, stripped
> 
> root@picard:/ # file /usr/bin/ssh
> /usr/bin/ssh: ELF 64-bit LSB pie executable, x86-64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 14.2, FreeBSD-style, stripped
> root@picard:/ #
> 
> If this is not correct, it's worth checking with `freebsd-update IDS` on server & client, for what else is incorrect.
> 
> Are there any non-default settings in /etc/ssh/ssh_config for client,
> and /etc/ssh/sshd_config for server?
> 
> Assuming that's sorted, please post output of `ssh -vv ...`, so we can see the negotiation, forcing key exchange algorithm on the client:
> 
> ssh -vv -o KexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 you@there
> 
> BTW I assume the kex list comes from crypto/openssh/kex.h, so #10 would be 
> KEX_KEM_SNTRUP761X25519_SHA512
> 
> enum kex_exchange {
> 	KEX_DH_GRP1_SHA1 = 1,
> 	KEX_DH_GRP14_SHA1,
> 	KEX_DH_GRP14_SHA256,
> 	KEX_DH_GRP16_SHA512,
> 	KEX_DH_GRP18_SHA512,
> 	KEX_DH_GEX_SHA1,
> 	KEX_DH_GEX_SHA256,
> 	KEX_ECDH_SHA2,
> 	KEX_C25519_SHA256,
> 	KEX_KEM_SNTRUP761X25519_SHA512,   <----
> 	KEX_KEM_MLKEM768X25519_SHA256,
> 	KEX_MAX
> };
> 
> A+
> Dave
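
The file(1) comparison discussed in this thread, as an added example that is not part of either e-mail or of FreeBSD itself: it extracts the "for FreeBSD X.Y" note from file(1) output and compares it with the userland release reported by `freebsd-version -u`. The function names are hypothetical, and comparing only major.minor is an assumption of this sketch.

```shell
#!/bin/sh
# Added example: flag base-system binaries whose ELF note does not match
# the userland release, as in the file(1) check from the thread.

# Extract "14.2" from a file(1) description containing "for FreeBSD 14.2".
elf_release() {
    printf '%s\n' "$1" |
        sed -n 's/.*for FreeBSD \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Reduce a freebsd-version string such as "14.3-RELEASE-p2" to "14.3".
userland_release() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# compare_release <file(1) output line> <freebsd-version output>
# Prints a verdict; returns 0 on match, 1 on mismatch, 2 if unparsable.
compare_release() {
    bin_rel=$(elf_release "$1")
    want=$(userland_release "$2")
    path=${1%%:*}                 # file(1) prints "path: description"
    if [ -z "$bin_rel" ] || [ -z "$want" ]; then
        echo "UNKNOWN: $path"
        return 2
    fi
    if [ "$bin_rel" = "$want" ]; then
        echo "OK: $path built for $bin_rel"
        return 0
    fi
    echo "MISMATCH: $path built for $bin_rel, userland is $want"
    return 1
}

# On a FreeBSD host, check the two SSH binaries named in the thread.
if command -v freebsd-version >/dev/null 2>&1; then
    ver=$(freebsd-version -u)
    for f in /usr/sbin/sshd /usr/bin/ssh; do
        compare_release "$(file "$f")" "$ver" || true
    done
fi
```

A MISMATCH line for sshd on a host that reports 14.3 corresponds to the state described in the reply at the top of this message.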

