From: Bruce Ferrell
To: freebsd-questions@freebsd.org
Subject: Re: Permission denied via ssh over ipv6
Date: Tue, 9 Feb 2021 22:41:41 -0800
Message-ID: <06077d2d-2eda-e27a-6b8c-1a4c5ef361aa@baywinds.org>

Check the /etc/ssh/sshd_config file for this parameter:

AddressFamily

if it is set to inet, only ipv4 will work
if it is set to any, both ipv4 and ipv6 will work
It can be set to inet6 to make only ipv6 work

On 2/9/21 10:30 PM, PstreeM China wrote:
> hi:
>
> thanks for your quick reply.
> ssh -vvv log as below, we can see the connection has already established,
> but after input the password, it's not work..
> I am sure the password is right, try modify the passwd has the same issue.
>
> about the DNS PTRs, how should i do ? the source is my home pc, not have
> DNS domain.
>
> --------------------------------
> rpi% ssh myuser@2607:f130::6287 -vvv
> OpenSSH_7.9p1, OpenSSL 1.1.1h-freebsd 22 Sep 2020
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug2: resolve_canonicalize: hostname 2607:f130::6287 is address
> debug2: ssh_connect_direct
> debug1: Connecting to 2607:f130::6287 [2607:f130::6287] port 22.
> debug1: Connection established.
> debug1: identity file /home/myuser/.ssh/id_rsa type 0
> debug1: identity file /home/myuser/.ssh/id_rsa-cert type -1
> debug1: identity file /home/myuser/.ssh/id_dsa type -1
> debug1: identity file /home/myuser/.ssh/id_dsa-cert type -1
> debug1: identity file /home/myuser/.ssh/id_ecdsa type -1
> debug1: identity file /home/myuser/.ssh/id_ecdsa-cert type -1
> debug1: identity file /home/myuser/.ssh/id_ed25519 type -1
> debug1: identity file /home/myuser/.ssh/id_ed25519-cert type -1
> debug1: identity file /home/myuser/.ssh/id_xmss type -1
> debug1: identity file /home/myuser/.ssh/id_xmss-cert type -1
> debug1: Local version string SSH-2.0-OpenSSH_7.9 FreeBSD-20200214
> debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
> debug1: match: OpenSSH_7.4 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
> debug2: fd 3 setting O_NONBLOCK
> debug1: Authenticating to 2607:f130::6287:22 as 'myuser'
> debug3: Fssh_hostkeys_foreach: reading file "/home/myuser/.ssh/known_hosts"
> debug3: Fssh_record_hostkey: found key type ECDSA in file /home/myuser/.ssh/known_hosts:21
> debug3: Fssh_load_hostkeys: loaded 1 keys from 2607:f130::6287
> debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
> debug3: send packet: type 20
> debug1: SSH2_MSG_KEXINIT sent
> debug3: receive packet: type 20
> debug1: SSH2_MSG_KEXINIT received
> debug2: local client KEXINIT proposal
> debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
> debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
> debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
> debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
> debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
> debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
> debug2: compression ctos: none,zlib@openssh.com,zlib
> debug2: compression stoc: none,zlib@openssh.com,zlib
> debug2: languages ctos:
> debug2: languages stoc:
> debug2: first_kex_follows 0
> debug2: reserved 0
> debug2: peer server KEXINIT proposal
> debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
> debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
> debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
> debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
> debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
> debug2: compression ctos: none,zlib@openssh.com
> debug2: compression stoc: none,zlib@openssh.com
> debug2: languages ctos:
> debug2: languages stoc:
> debug2: first_kex_follows 0
> debug2: reserved 0
> debug1: kex: algorithm: curve25519-sha256
> debug1: kex: host key algorithm: ecdsa-sha2-nistp256
> debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none
> debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none
> debug3: send packet: type 30
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> debug3: receive packet: type 31
> debug1: Server host key: ecdsa-sha2-nistp256 SHA256:9b7zNAYeCT72LITVCmeGsXsT5IEsPWXh0FGtzIaR7rw
> debug3: verify_host_key_dns
> debug1: skipped DNS lookup for numerical hostname
> debug3: Fssh_hostkeys_foreach: reading file "/home/myuser/.ssh/known_hosts"
> debug3: Fssh_record_hostkey: found key type ECDSA in file /home/myuser/.ssh/known_hosts:21
> debug3: Fssh_load_hostkeys: loaded 1 keys from 2607:f130::6287
> debug1: Host '2607:f130::6287' is known and matches the ECDSA host key.
> debug1: Found key in /home/myuser/.ssh/known_hosts:21
> debug3: send packet: type 21
> debug2: set_newkeys: mode 1
> debug1: rekey after 134217728 blocks
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug3: receive packet: type 21
> debug1: SSH2_MSG_NEWKEYS received
> debug2: set_newkeys: mode 0
> debug1: rekey after 134217728 blocks
> debug1: Will attempt key: /home/myuser/.ssh/id_rsa RSA SHA256:uJkEs7DCUCz5Rsn8sSrWFEeJo8VSHZRRkDKrER8Obic
> debug1: Will attempt key: /home/myuser/.ssh/id_dsa
> debug1: Will attempt key: /home/myuser/.ssh/id_ecdsa
> debug1: Will attempt key: /home/myuser/.ssh/id_ed25519
> debug1: Will attempt key: /home/myuser/.ssh/id_xmss
> debug2: pubkey_prepare: done
> debug3: send packet: type 5
> debug3: receive packet: type 7
> debug1: SSH2_MSG_EXT_INFO received
> debug1: Fssh_kex_input_ext_info: server-sig-algs=
> debug3: receive packet: type 6
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug3: send packet: type 50
> debug3: receive packet: type 51
> debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
> debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
> debug3: preferred publickey,keyboard-interactive,password
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Offering public key: /home/myuser/.ssh/id_rsa RSA SHA256:uJkEs7DCUCz5Rsn8sSrWFEeJo8VSHZRRkDKrER8Obic
> debug3: send packet: type 50
> debug2: we sent a publickey packet, wait for reply
> debug3: receive packet: type 51
> debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
> debug1: Trying private key: /home/myuser/.ssh/id_dsa
> debug3: no such identity: /home/myuser/.ssh/id_dsa: No such file or directory
> debug1: Trying private key: /home/myuser/.ssh/id_ecdsa
> debug3: no such identity: /home/myuser/.ssh/id_ecdsa: No such file or directory
> debug1: Trying private key: /home/myuser/.ssh/id_ed25519
> debug3: no such identity: /home/myuser/.ssh/id_ed25519: No such file or directory
> debug1: Trying private key: /home/myuser/.ssh/id_xmss
> debug3: no such identity: /home/myuser/.ssh/id_xmss: No such file or directory
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup password
> debug3: remaining preferred: ,password
> debug3: authmethod_is_enabled password
> debug1: Next authentication method: password
> myuser@2607:f130::6287's password:
> debug3: send packet: type 50
> debug2: we sent a password packet, wait for reply
> debug3: receive packet: type 51
> debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
> Permission denied, please try again.
> myuser@2607:f130::6287's password:
> debug3: send packet: type 50
> debug2: we sent a password packet, wait for reply
> debug3: receive packet: type 51
> debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
> Permission denied, please try again.
> myuser@2607:f130::6287's password:
>
> On Wed, Feb 10, 2021 at 1:18 PM Doug McIntyre wrote:
>
>> On Wed, Feb 10, 2021 at 11:47:08AM +0800, PstreeM China wrote:
>>> Very thanks, this problem has searched from google, but not find the
>>> solution to fix this issue.
>>>
>>> new install FreeBSD in virtual machine.
>>> Freebsd version is 12.2
>>> Dual stack support ipv4 and ipv6; enable sshd as default.
>>> I can ping the ipv4 and ipv6 address.
>>>
>>> The problem is:
>>> SSH over ipv4 is work well.
>>> But ssh over ipv6, Can be connected, but after input the password, it is
>>> failed , give the notify : permission denied.
>>> can not log into the server.
>>> I am sure the password is right.
>>
>> Have you run 'ssh -vvv' to see all the very verbose debug information?
>>
>> Do you have proper DNS PTRs setup for your IPv6 block? It could be
>> blocked by mismatch reverse DNS.
>>
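
The AddressFamily check suggested in the reply at the top of this message, as an added example that is not part of the original thread: it reads the setting out of an sshd_config file and tests a client address against it. The helper names `sshd_address_family` and `sshd_serves_address` and the sample config are constructed for illustration; `Keyword=value` lines and `Include` files are not handled.

```shell
#!/bin/sh
# Added example (not from the thread): read the AddressFamily setting
# out of an sshd_config file and check a client address against it.

# Print the effective AddressFamily for config file $1.
# sshd uses the first value it obtains for a keyword, keywords are
# case-insensitive, and the documented default is "any".
sshd_address_family() {
    awk '
        /^[ \t]*#/ { next }                      # comment line
        NF == 0    { next }                      # blank line
        tolower($1) == "match" { exit }          # end of the global section
        tolower($1) == "addressfamily" && fam == "" { fam = $2 }
        END { print (fam == "" ? "any" : fam) }
    ' "$1"
}

# Return 0 if an sshd using address family $1 accepts connections to the
# address literal $2. Assumption: a literal containing ":" is IPv6.
sshd_serves_address() {
    case "$2" in
        *:*) want=inet6 ;;
        *)   want=inet ;;
    esac
    case "$1" in
        any|"$want") return 0 ;;
        *)           return 1 ;;
    esac
}

# Constructed sample config: the second AddressFamily line is ignored
# because the first value wins.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
#AddressFamily any
addressfamily inet
AddressFamily inet6
EOF
fam=$(sshd_address_family "$sample")
for addr in 192.0.2.10 2607:f130::6287; do
    if sshd_serves_address "$fam" "$addr"; then
        echo "AddressFamily $fam: $addr is served"
    else
        echo "AddressFamily $fam: $addr is not served"
    fi
done
rm -f "$sample"
```

On the server itself, `sshd -T` prints the effective configuration, including `addressfamily`, with defaults applied. A family sshd is not bound to fails at the TCP connect step, before any password prompt is shown.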