Date: Mon, 25 Aug 2025 08:43:01 +0200
From: Gordon Bergling
To: Dave Cottlehuber
Cc: net@freebsd.org
Subject: Re: SSH connection problem to two FreeBSD VMs externaly hosted
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

Hi Dave,

thanks for your reply.
It turns out that with the upgrade from 14.2-RELEASE to 14.3-RELEASE
something went wrong. 'file' told me that on the 14.3-RELEASE system it was
'for FreeBSD 14.2', while my local VM is 'for FreeBSD 14.3'.

After fiddling around with the BEs I had left after the update, I was able to
get a working 14.2-RELEASE booted. Deleted the leftover BEs and did
a fresh upgrade to 14.3-RELEASE. After that the problem disappeared.

--Gordon

On Thu, Jul 17, 2025 at 02:17:26PM +0000, Dave Cottlehuber wrote:
> On Thu, 17 Jul 2025, at 11:21, Gordon Bergling wrote:
> > Hi,
> >
> > I have two FreeBSD externally hosted, one at Hetzner and one on Azure.
> >
> > Both systems are running the latest 14.3-RELEASE, but I can no longer connect to them,
> > whether from a local 14.2-RELEASE, or the latest macOS. Nothing has changed in
> > terms of configuration. All systems use public-key authentication. The error
> > I am getting is the following:
> >
> > sshd[10965]: error: Fssh_kex_input_kexinit: unknown kex type 10 [preauth]
> >
> > Has anyone an idea what could cause this?
> >
> > Seeking out in forums about trying different KexAlgorithms options didn't
> > solve the problem.
> >
> > Any help is much appreciated!
> >
> > --Gordon
> >
> > Attachments:
> > * signature.asc
>
> Odd. I have no issue from a 14.2 client -> 14.3 server connecting,
> with defaults, and ed25519 private key.
>
> My best guess is that your sshd binary (or config) isn't correctly
> upgraded for some reason. What does file(1) report on server & client?
>
> On 14.2-RELEASE:
>
> root@picard:/ # file /usr/sbin/sshd
> /usr/sbin/sshd: ELF 64-bit LSB pie executable, x86-64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 14.2, FreeBSD-style, stripped
>
> root@picard:/ # file /usr/bin/ssh
> /usr/bin/ssh: ELF 64-bit LSB pie executable, x86-64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 14.2, FreeBSD-style, stripped
> root@picard:/ #
>
> If this is not correct, it's worth checking with `freebsd-update IDS` on server & client, for what else is incorrect.
>
> Are there any non-default settings in /etc/ssh/ssh_config for client,
> and /etc/ssh/sshd_config for server?
>
> Assuming that's sorted, please post output of `ssh -vv ...`, so we can see the negotiation, forcing key exchange algorithm on the client:
>
> ssh -vv -o KexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 you@there
>
> BTW I assume the kex list comes from crypto/openssh/kex.h, so #10 would be
> KEX_KEM_SNTRUP761X25519_SHA512
>
> enum kex_exchange {
>     KEX_DH_GRP1_SHA1 = 1,
>     KEX_DH_GRP14_SHA1,
>     KEX_DH_GRP14_SHA256,
>     KEX_DH_GRP16_SHA512,
>     KEX_DH_GRP18_SHA512,
>     KEX_DH_GEX_SHA1,
>     KEX_DH_GEX_SHA256,
>     KEX_ECDH_SHA2,
>     KEX_C25519_SHA256,
>     KEX_KEM_SNTRUP761X25519_SHA512, <----
>     KEX_KEM_MLKEM768X25519_SHA256,
>     KEX_MAX
> };
>
> A+
> Dave
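
Added example (not part of the original thread): the file(1) comparison suggested above, scripted so that binaries whose ELF note names a release other than the expected one are listed. The function names and the sample file(1) lines are constructed for illustration, and it assumes the note's major.minor should match the installed release.

```sh
#!/bin/sh
# Added example: list binaries whose file(1) ELF note ("for FreeBSD X.Y")
# names a different release than the one expected after an upgrade.
# Function names and the sample lines below are constructed for illustration.

# elf_release: read file(1) output on stdin and print "path release" for
# every line that carries a "for FreeBSD X.Y" note; other lines are skipped.
elf_release() {
    sed -n 's/^\([^:]*\):.*for FreeBSD \([0-9][0-9]*\.[0-9][0-9]*\).*/\1 \2/p'
}

# stale_binaries EXPECTED: read file(1) output on stdin and print
# "path release" for each binary whose note differs from EXPECTED.
stale_binaries() {
    expected=$1
    elf_release | while read -r path rel; do
        if [ "$rel" != "$expected" ]; then
            printf '%s %s\n' "$path" "$rel"
        fi
    done
}

# Constructed file(1) output: a half-upgraded host where sshd is still the
# 14.2 build, ssh is the 14.3 build, and one entry is not an ELF binary.
sample_file_output() {
    cat <<'EOF'
/usr/sbin/sshd: ELF 64-bit LSB pie executable, x86-64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 14.2, FreeBSD-style, stripped
/usr/bin/ssh: ELF 64-bit LSB pie executable, x86-64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 14.3, FreeBSD-style, stripped
/usr/sbin/freebsd-update: POSIX shell script, ASCII text executable
EOF
}

# Demo on the constructed sample; prints "/usr/sbin/sshd 14.2".
sample_file_output | stale_binaries 14.3

# On a real host (assumption: freebsd-version -u prints e.g. 14.3-RELEASE):
#   file /usr/sbin/sshd /usr/bin/ssh | stale_binaries "$(freebsd-version -u | cut -d- -f1)"
```

Any path it prints is a candidate for the `freebsd-update IDS` check mentioned in the thread.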