From: "Dave Cottlehuber"
To: "Gordon Bergling", net@freebsd.org
Date: Thu, 17 Jul 2025 14:17:26 +0000
Subject: Re: SSH connection problem to two FreeBSD VMs externaly hosted
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

On Thu, 17 Jul 2025, at 11:21, Gordon Bergling wrote:
> Hi,
>
> I have two FreeBSD systems externally hosted, one at Hetzner and one on Azure.
>
> Both systems are running the latest 14.3-RELEASE, but I can no longer connect to them,
> whether from a local 14.2-RELEASE or the latest macOS. Nothing has changed in
> terms of configuration. All systems use public-key authentication. The error
> I am getting is the following:
>
> sshd[10965]: error: Fssh_kex_input_kexinit: unknown kex type 10 [preauth]
>
> Has anyone an idea what could cause this?
>
> Seeking out forums and trying different KexAlgorithms options didn't
> solve the problem.
>
> Any help is much appreciated!
>
> --Gordon
>
> Attachments:
> * signature.asc

Odd. I have no issue from a 14.2 client -> 14.3 server connecting,
with defaults, and ed25519 private key.

My best guess is that your sshd binary (or config) isn't correctly
upgraded for some reason.

What does file(1) report on server & client? On 14.2-RELEASE:

root@picard:/ # file /usr/sbin/sshd
/usr/sbin/sshd: ELF 64-bit LSB pie executable, x86-64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 14.2, FreeBSD-style, stripped
root@picard:/ # file /usr/bin/ssh
/usr/bin/ssh: ELF 64-bit LSB pie executable, x86-64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 14.2, FreeBSD-style, stripped
root@picard:/ #

If this is not correct, it's worth checking with `freebsd-update IDS` on
server & client, for what else is incorrect.

Are there any non-default settings in /etc/ssh/ssh_config for client,
and /etc/ssh/sshd_config for server?

Assuming that's sorted, please post output of `ssh -vv ...`, so we can
see the negotiation, forcing key exchange algorithm on the client:

ssh -vv -o KexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 you@there

BTW I assume the kex list comes from crypto/openssh/kex.h, so #10 would be
KEX_KEM_SNTRUP761X25519_SHA512

enum kex_exchange {
	KEX_DH_GRP1_SHA1 = 1,
	KEX_DH_GRP14_SHA1,
	KEX_DH_GRP14_SHA256,
	KEX_DH_GRP16_SHA512,
	KEX_DH_GRP18_SHA512,
	KEX_DH_GEX_SHA1,
	KEX_DH_GEX_SHA256,
	KEX_ECDH_SHA2,
	KEX_C25519_SHA256,
	KEX_KEM_SNTRUP761X25519_SHA512, <----
	KEX_KEM_MLKEM768X25519_SHA256,
	KEX_MAX
};

A+
Dave
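
Added example (not part of the original message and not OpenSSH code): a simplified C sketch of how the order of the client's KexAlgorithms list decides which value of the quoted enum is negotiated, showing why the forced list in the ssh -vv command above lands on type 9 instead of type 10. The name table, the function names and the sample lists are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

enum kex_exchange { /* values as quoted in the message above (crypto/openssh/kex.h) */
	KEX_DH_GRP1_SHA1 = 1, KEX_DH_GRP14_SHA1, KEX_DH_GRP14_SHA256, KEX_DH_GRP16_SHA512,
	KEX_DH_GRP18_SHA512, KEX_DH_GEX_SHA1, KEX_DH_GEX_SHA256, KEX_ECDH_SHA2,
	KEX_C25519_SHA256, KEX_KEM_SNTRUP761X25519_SHA512, KEX_KEM_MLKEM768X25519_SHA256, KEX_MAX
};
/* Illustrative name table (an assumption), limited to the names used here. */
static const struct { const char *name; int type; } kex_names[] = {
	{ "sntrup761x25519-sha512", KEX_KEM_SNTRUP761X25519_SHA512 },
	{ "curve25519-sha256", KEX_C25519_SHA256 },
	{ "curve25519-sha256@libssh.org", KEX_C25519_SHA256 },
	{ "diffie-hellman-group-exchange-sha256", KEX_DH_GEX_SHA256 },
};
/* Constructed sample lists; CLIENT_FORCED is the list from the ssh -vv command above. */
const char *SERVER_LIST = "sntrup761x25519-sha512,curve25519-sha256,diffie-hellman-group-exchange-sha256";
const char *CLIENT_DEFAULT = "sntrup761x25519-sha512,curve25519-sha256";
const char *CLIENT_FORCED = "curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256";

/* Return 1 if name[0..len) is an exact element of the comma-separated list. */
static int in_list(const char *list, const char *name, size_t len)
{
	for (const char *p = list; *p != '\0'; p += strcspn(p, ","), p += (*p == ','))
		if (strcspn(p, ",") == len && memcmp(p, name, len) == 0)
			return 1;
	return 0;
}

/* Simplified RFC 4253 section 7.1 choice: first name on the client's list that the
 * server also lists. Returns its kex type, 0 if not in kex_names, -1 if no overlap. */
int negotiate_kex(const char *client, const char *server)
{
	for (const char *p = client; *p != '\0'; p += strcspn(p, ","), p += (*p == ',')) {
		size_t n = strcspn(p, ",");
		if (n > 0 && in_list(server, p, n)) {
			for (size_t i = 0; i < sizeof(kex_names) / sizeof(kex_names[0]); i++)
				if (in_list(kex_names[i].name, p, n))
					return kex_names[i].type;
			return 0;
		}
	}
	return -1;
}

int main(void)
{
	printf("default: kex type %d, forced: kex type %d\n", negotiate_kex(CLIENT_DEFAULT, SERVER_LIST), negotiate_kex(CLIENT_FORCED, SERVER_LIST));
	return 0;
}
```

To apply the same comparison to real hosts, feed it the output of `ssh -Q kex` on the client and the `kexalgorithms` line of `sshd -T` on the server.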