NetBSD Problem Report #58420
From www@netbsd.org Thu Jul 11 19:15:08 2024
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
client-signature RSA-PSS (2048 bits) client-digest SHA256)
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 0659D1A923A
for <gnats-bugs@gnats.NetBSD.org>; Thu, 11 Jul 2024 19:15:08 +0000 (UTC)
Message-Id: <20240711191505.E18B41A923B@mollari.NetBSD.org>
Date: Thu, 11 Jul 2024 19:15:05 +0000 (UTC)
From: dgbulk@gmail.com
Reply-To: dgbulk@gmail.com
To: gnats-bugs@NetBSD.org
Subject: ssh silently fails attempting to authenticate from NetBSD to another host
X-Send-Pr-Version: www-1.0
>Number: 58420
>Category: misc
>Synopsis: ssh silently fails attempting to authenticate from NetBSD to another host
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: misc-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Jul 11 19:20:00 +0000 2024
>Last-Modified: Sun Jul 14 22:55:01 +0000 2024
>Originator: DG
>Release: NetBSD 9.0
>Organization:
>Environment:
NetBSD localhost 9.0 NetBSD 9.0 (GENERIC) #0: Fri Feb 14 00:06:28 UTC 2020 mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/amd64/compile/GENERIC amd64
-bash-5.2$ ssh -V
OpenSSH_8.0 NetBSD_Secure_Shell-20190418-hpn13v14-lpk, OpenSSL 1.1.1d 10 Sep 2019
-bash-5.2$ openssl version
OpenSSL 1.1.1d 10 Sep 2019
Also note - fresh NetBSD 9.0 install in QEMU/KVM VM; KVM itself is running in Ubuntu 22.04 LTS. Other VMs in this KVM (not running NetBSD) don't have the issue.
>Description:
When attempting to ssh to another host, ssh exits on login attempt without giving a reason, thus:
-bash-5.2$ ssh <username>@openbsd
The authenticity of host '<ip addr> (<ip addr>)' can't be established.
ECDSA key fingerprint is SHA256:<xxx>.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
-bash-5.2$
I have tried ssh-ing from NetBSD to Linux, OpenBSD and FreeBSD target hosts, same result.
I can ping the target hosts from the NetBSD VM, no problem. I can ssh to the target hosts from other VMs that are _not_ running NetBSD, no problem. I can even ssh _to_ the NetBSD machine, no problem (of course, sshd is running on NetBSD in that case).
The problem occurs whether NetBSD is authenticating with the target host using password or public key.
The problem occurs whether ssh is being executed as a root or as a regular user.
Before it exits, as expected ssh prompts the user:
The authenticity of host '... (...)' can't be established.
ECDSA key fingerprint is SHA256:....
Are you sure you want to continue connecting (yes/no/[fingerprint])?
Although answering yes to the above question, nothing is written to ~/.ssh/known_hosts. Note: I tried with no known_hosts, and empty known_hosts, makes no difference.
When using public key auth, on the target host, nothing is written to the /var/log/authlog file as a result of the attempt to ssh from NetBSD.
When using password auth, on the target host, the following is written to the /var/log/authlog file as a result of the attempt to ssh from NetBSD:
Jul 10 19:07:20 <target host name> sshd[<process>]: Connection closed by <NetBSD IP> port <number> [preauth]
Using ktrace, the tail of the ktrace dump for the ssh run is as follows.
I hope this is not just some misconfiguration on my part, but in any case would appreciate any thoughts.
Thanks!
DG
ktrace dump tail:
...
1014 1 ssh CALL open(0x7e48d5b20880,0,0x1b6)
1014 1 ssh NAMI "/etc/ssh/ssh_known_hosts2"
1014 1 ssh RET open -1 errno 2 No such file or directory
1014 1 ssh CALL open(0x7e48d4c5940f,2,0xb)
1014 1 ssh NAMI "/dev/tty"
1014 1 ssh RET open 4
1014 1 ssh CALL write(4,0x7f7fffb53a53,1)
1014 1 ssh GIO fd 4 wrote 1 bytes
"\r"
1014 1 ssh RET write 1
1014 1 ssh CALL close(4)
1014 1 ssh RET close 0
1014 1 ssh CALL open(0x7e48d396ef93,0x400002,0x400)
1014 1 ssh NAMI "/dev/tty"
1014 1 ssh RET open 4
1014 1 ssh CALL ioctl(4,TIOCGETA,0x7f7fffb539a0)
1014 1 ssh GIO fd 4 read 44 bytes
"\^B+\0\0\a\0\0\0\0K\0\0\M-O\^E\0 \^D\M^?\M^?\^?\^W\^U\^R\M^?\n\^\\^Z\
\^Y\^Q\^S\^V\^O\^A\0\^T\M^?\0\M^V\0\0\0\M^V\0\0"
1014 1 ssh RET ioctl 0
1014 1 ssh CALL ioctl(4,TIOCSETAF,0x7f7fffb538f0)
1014 1 ssh GIO fd 4 wrote 44 bytes
"\^B+\0\0\a\0\0\0\^AK\0\0\0\^D\0 \^D\M^?\M^?\^?\^W\^U\^R\M^?\n\^\\^Z\^Y\
\^Q\^S\^V\^O\^A\0\^T\M^?\0\M^V\0\0\0\M^V\0\0"
1014 1 ssh RET ioctl 0
1014 1 ssh CALL write(4,0x7f7fffb543a0,0xe3)
1014 1 ssh GIO fd 4 wrote 227 bytes
"The authenticity of host '192.168.122.13 (192.168.122.13)' can't be es\
tablished.\nECDSA key fingerprint is SHA256:sUa+qOoJZXvrYf2bAFbreVtJJ7\
n2zD4ql2sMappghvg.\nAre you sure you want to continue connecting (yes/\
no/[fingerprint])? "
1014 1 ssh RET write 227/0xe3
1014 1 ssh CALL read(4,0x7f7fffb5398b,1)
1014 1 ssh GIO fd 4 read 1 bytes
"y"
1014 1 ssh RET read 1
1014 1 ssh CALL write(4,0x7f7fffb5398b,1)
1014 1 ssh GIO fd 4 wrote 1 bytes
"y"
1014 1 ssh RET write 1
1014 1 ssh CALL read(4,0x7f7fffb5398b,1)
1014 1 ssh GIO fd 4 read 1 bytes
"e"
1014 1 ssh RET read 1
1014 1 ssh CALL write(4,0x7f7fffb5398b,1)
1014 1 ssh GIO fd 4 wrote 1 bytes
"e"
1014 1 ssh RET write 1
1014 1 ssh CALL read(4,0x7f7fffb5398b,1)
1014 1 ssh GIO fd 4 read 1 bytes
"s"
1014 1 ssh RET read 1
1014 1 ssh CALL write(4,0x7f7fffb5398b,1)
1014 1 ssh GIO fd 4 wrote 1 bytes
"s"
1014 1 ssh RET write 1
1014 1 ssh CALL read(4,0x7f7fffb5398b,1)
1014 1 ssh GIO fd 4 read 1 bytes
"\n"
1014 1 ssh RET read 1
1014 1 ssh CALL ioctl(4,TIOCSETAF,0x7f7fffb538f0)
1014 1 ssh GIO fd 4 wrote 44 bytes
"\^B+\0\0\a\0\0\0\^AK\0\0\M-O\^E\0 \^D\M^?\M^?\^?\^W\^U\^R\M^?\n\^\\^Z\
\^Y\^Q\^S\^V\^O\^A\0\^T\M^?\0\M^V\0\0\0\M^V\0\0"
1014 1 ssh RET ioctl 0
1014 1 ssh CALL close(4)
1014 1 ssh RET close 0
1014 1 ssh CALL _lwp_self
1014 1 ssh RET _lwp_self 1
1014 1 ssh CALL _lwp_kill(1,2)
1014 1 ssh RET _lwp_kill 0
1014 1 ssh PSIG SIGINT SIG_DFL: code=SI_LWP sent by pid=1014, uid=1000)
>How-To-Repeat:
Attempt to ssh to a BSD or Linux host on the local subnet
>Fix:
>Audit-Trail:
From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: misc/58420: ssh silently fails attempting to authenticate from
NetBSD to another host
Date: Fri, 12 Jul 2024 08:16:18 +0200
Why NetBSD 9.0?
That is ancient and outdated. Please at least use 9.4 (or the latest
9.4_STABLE from the daily builds). Even better would be 10.0 or 10.0_STABLE.
Martin
From: Duncan Greatwood <dgbulk@gmail.com>
To: gnats-bugs@netbsd.org
Cc: misc-bug-people@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: Re: misc/58420: ssh silently fails attempting to authenticate from
NetBSD to another host
Date: Sat, 13 Jul 2024 17:26:26 -0700
Hi Martin -
Thanks for the response.
The specific answer to your question is that NetBSD 9.0 is the most recent
version of NetBSD explicitly supported by the default version of QEMU/KVM
on Ubuntu 22.04 LTS which is (for the next few weeks anyway) the current
Ubuntu LTS release (Standard support until 2027, Pro Support until 2032,
Legacy support until 2034).
Nonetheless, I cloned the VM and upgraded it to NetBSD 9.4 using:
sudo sysupgrade auto https://cdn.NetBSD.org/pub/NetBSD/NetBSD-9.4/amd64
Upgrade was just fine.
Unfortunately, it is still exhibiting the same behaviour (fails silently)
when using ssh to a nearby host.
Your further thoughts appreciated.
Updated environment info:
-bash-5.2$ uname -a
NetBSD localhost 9.4 NetBSD 9.4 (GENERIC) #0: Sat Apr 20 13:32:22 UTC 2024
mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/amd64/compile/GENERIC amd64
-bash-5.2$ ssh -V
OpenSSH_9.6 NetBSD_Secure_Shell-20231220-hpn13v14-lpk, OpenSSL 1.1.1t 7 Feb 2023
-bash-5.2$ openssl version
OpenSSL 1.1.1t 7 Feb 2023
And on the Ubuntu machine:
$: virt-manager --version
4.0.0
$: virsh --version
8.0.0
$: apt show qemu-system-x86
Package: qemu-system-x86
Version: 1:6.2+dfsg-2ubuntu6.21
From: Martin Husemann <martin@duskware.de>
To: Duncan Greatwood <dgbulk@gmail.com>
Cc: gnats-bugs@netbsd.org
Subject: Re: misc/58420: ssh silently fails attempting to authenticate from
NetBSD to another host
Date: Sun, 14 Jul 2024 09:18:33 +0200
On Sat, Jul 13, 2024 at 05:26:26PM -0700, Duncan Greatwood wrote:
> The specific answer to your question is that NetBSD 9.0 is the most recent
> version of NetBSD explicitly supported by the default version of QEMU/KVM
I am not sure what "explicitly supported" here means, but that is not
very important for this PR.
> Nonetheless. I cloned the VM and upgraded it to NetBSD 9.4 using:
Thanks. Can you show the output of
ssh -vvvv user@somehost
for the non-working case?
Since your ssh shows the host key fingerprint it obviously is already talking
to the peer (so anything on the network layer works), and the problem must
be something local (like wrong permissions on your ~/.ssh directory).
The more verbose output should point at that.
Martin
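Martin's hint (wrong permissions under ~/.ssh) is the first thing to rule out in a failure like this, and the OpenSSH client is specific about what it tolerates: ~/.ssh/config must be owned by the user (or root) and not be group- or world-writable, or ssh aborts with "Bad owner or permissions"; a private key owned by the user with any group/other bits set is reported as "too open" and ignored. The script below is an added example, not NetBSD or OpenSSH code; the two rules above mirror ssh(1)'s own checks (readconf.c and authfile.c), while the 0700 directory mode and the owner-writable known_hosts are hygiene checks that the client does not enforce but that matter here, since a known_hosts that cannot be written means no host key ever gets pinned. The fixture built by `demo_misconfigured_dir()` is constructed for the example.

```python
"""
Audit a ~/.ssh directory the way the OpenSSH client judges it.

Added example for the permissions question raised in this PR; not NetBSD or
OpenSSH code. The config and private-key rules mirror ssh(1)'s own checks;
the directory mode and writable known_hosts are hygiene checks.
"""
import os
import stat
import tempfile
from pathlib import Path
from typing import List, Optional


def is_private_key(path: Path) -> bool:
    """PEM and OpenSSH private keys start with a BEGIN banner; pubkeys and configs do not."""
    try:
        with path.open("rb") as fh:
            return fh.read(32).startswith(b"-----BEGIN")
    except OSError:
        return False


def audit_ssh_dir(ssh_dir: Path, uid: Optional[int] = None) -> List[str]:
    """Return one finding per problem ssh(1) would refuse, ignore, or silently work around."""
    uid = os.getuid() if uid is None else uid
    findings: List[str] = []
    dmode = stat.S_IMODE(ssh_dir.stat().st_mode)
    if dmode & 0o077:
        # Not enforced by the client, but the conventional mode for the directory.
        findings.append(f"{ssh_dir}: mode {dmode:04o}, expected 0700")
    for p in sorted(ssh_dir.iterdir()):
        if not p.is_file():
            continue
        st = p.stat()
        mode = stat.S_IMODE(st.st_mode)
        if p.name == "config" and (st.st_uid not in (uid, 0) or mode & 0o022):
            # readconf.c: "Bad owner or permissions on ~/.ssh/config" is fatal.
            findings.append(f"{p.name}: owner {st.st_uid}, mode {mode:04o}; ssh refuses to start")
        elif is_private_key(p) and st.st_uid == uid and mode & 0o077:
            # authfile.c: "Permissions 0644 for 'key' are too open"; the key is skipped.
            findings.append(f"{p.name}: private key mode {mode:04o}, expected 0600; key is ignored")
        elif p.name.startswith("known_hosts") and not mode & 0o200:
            # The client cannot append a newly accepted host key to a read-only file.
            findings.append(f"{p.name}: not owner-writable; new host keys cannot be recorded")
    return findings


def demo_misconfigured_dir() -> List[str]:
    """Build a throwaway .ssh with the classic mistakes (constructed fixture) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp) / ".ssh"
        d.mkdir()
        d.chmod(0o755)                       # too permissive directory
        (d / "config").write_text("Host example\n    User alice\n")
        (d / "config").chmod(0o664)          # group-writable config: fatal for ssh
        (d / "id_ed25519").write_text(
            "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed)\n"
            "-----END OPENSSH PRIVATE KEY-----\n")
        (d / "id_ed25519").chmod(0o644)      # private key readable by others: ignored
        (d / "id_ed25519.pub").write_text("ssh-ed25519 AAAA... alice\n")
        (d / "id_ed25519.pub").chmod(0o644)  # fine for a public key
        (d / "known_hosts").write_text("")
        (d / "known_hosts").chmod(0o444)     # read-only: host keys can never be pinned
        return audit_ssh_dir(d)


if __name__ == "__main__":
    target = Path.home() / ".ssh"
    if target.is_dir():
        for finding in audit_ssh_dir(target):
            print(finding)
    else:
        for finding in demo_misconfigured_dir():
            print(finding)
```

Run it on the client machine as the same user who runs ssh; an empty result means the client will at least read its config and keys, and any remaining silent exit has to be explained by something else, which is where the ktrace in the report becomes the primary evidence.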
From: Duncan Greatwood <dgbulk@gmail.com>
To: Martin Husemann <martin@duskware.de>
Cc: gnats-bugs@netbsd.org
Subject: Re: misc/58420: ssh silently fails attempting to authenticate from
NetBSD to another host
Date: Sun, 14 Jul 2024 10:17:42 -0700
>
> I am not sure what "explicitly supported" here means
[DG] When a new VM is created in Ubuntu Virtual Manager, before accessing
the to-be-installed OS's iso, Virtual Manager offers a drop down to allow
the user to specify exactly which OS is being installed, and so to have the
install go ahead with the best virtualization configuration for that OS.
The newest NetBSD on that dropdown list is NetBSD 9.0.
Can you show the output of ssh -vvvv user@somehost
[DG] Sure - please see below. Do you see anything there?
BTW, looking at permissions in .ssh, pub keys are:
-rw-r--r--
while private keys are:
-rw-------
which is what I would expect.
Also, noting again that the same failing behaviour shows up when trying to
ssh as root.
-bash-5.2$ ssh -vvvv <username>@<host>
OpenSSH_9.6 NetBSD_Secure_Shell-20231220-hpn13v14-lpk, OpenSSL 1.1.1t 7 Feb 2023
debug1: Reading configuration data /home/<username>/.ssh/config
debug1: /home/<username>/.ssh/config line 41: Applying options for <host>
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolve_canonicalize: hostname <host IP> is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' ->
'/home/<username>/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' ->
'/home/<username>/.ssh/known_hosts2'
debug3: channel_clear_timeouts: clearing
debug3: ssh_connect_direct: entering
debug1: Connecting to <host IP> [<host IP>] port 22.
debug3: ssh_set_sock_tos: set socket 3 IP_TOS 0x48
debug1: Connection established.
debug1: identity file /home/<username>/.ssh/xps131-pair.pem type -1
debug1: identity file /home/<username>/.ssh/xps131-pair.pem-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.6
NetBSD_Secure_Shell-20231220-hpn13v14-lpk
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.3
debug1: compat_banner: match: OpenSSH_9.3 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to <host IP>:22 as '<username>'
debug1: load_hostkeys: fopen /home/<username>/.ssh/known_hosts2: No such
file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or
directory
debug3: order_hostkeyalgs: no algorithms matched; accept original
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c,kex-strict-c-v00@openssh.com
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: chacha20-poly1305@openssh.com
,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,
aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com
,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,
aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,
hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com
,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,
hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com
,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,kex-strict-s-v00@openssh.com
debug2: host key algorithms:
rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com
,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,
aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com
,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,
aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,
hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com
,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,
hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com
,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug3: kex_choose_conf: will use strict KEX ordering
debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com
debug1: kex: host key algorithm: ssh-ed25519
debug1: REQUESTED ENC.NAME is 'chacha20-poly1305@openssh.com'
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC:
<implicit> compression: none
debug1: REQUESTED ENC.NAME is 'chacha20-poly1305@openssh.com'
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC:
<implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:<sha256>
debug1: load_hostkeys: fopen /home/<username>/.ssh/known_hosts2: No such
file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or
directory
debug3: hostkeys_find_by_key_hostfile: trying user hostfile
"/home/<username>/.ssh/known_hosts"
debug3: ssh_hostkeys_foreach: reading file
"/home/<username>/.ssh/known_hosts"
debug3: hostkeys_find_by_key_hostfile: trying user hostfile
"/home/<username>/.ssh/known_hosts2"
debug1: hostkeys_find_by_key_hostfile: hostkeys file
/home/<username>/.ssh/known_hosts2 does not exist
debug3: hostkeys_find_by_key_hostfile: trying system hostfile
"/etc/ssh/ssh_known_hosts"
debug3: ssh_hostkeys_foreach: reading file "/etc/ssh/ssh_known_hosts"
debug3: hostkeys_find_by_key_hostfile: trying system hostfile
"/etc/ssh/ssh_known_hosts2"
debug1: hostkeys_find_by_key_hostfile: hostkeys file
/etc/ssh/ssh_known_hosts2 does not exist
The authenticity of host '<host IP> (<host IP>)' can't be established.
ED25519 key fingerprint is SHA256:<sha256>.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
-bash-5.2$
Also note zero size known_hosts after the above:
-bash-5.2$ ls -l .ssh/known_hosts
-rw-r--r-- 1 <username> users 0 Jul 11 11:55 .ssh/known_hosts
If I now remove .ssh/known_hosts and run ssh again, it once again
prompts for "continue connecting" and then exits silently, but no
known_hosts is created.
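The ktrace tail in the original report already says more than the `-vvvv` output does. After the "yes\n" is read, ssh restores the terminal attributes (TIOCSETAF), closes /dev/tty, calls `_lwp_self` and then `_lwp_kill(1,2)`; that pair is how raise(3) is implemented in NetBSD's libc, and the PSIG record confirms it: SIGINT with the default disposition, code SI_LWP, "sent by pid=1014", the traced process itself. In other words the client interrupts itself right after the host-key prompt rather than being killed from outside or dropped by the network, and the server's "Connection closed by ... [preauth]" is the consequence, not the cause. One practical caveat follows from the empty known_hosts: since ssh dies before the key is recorded, nothing is pinned and every retry prompts again, so the fingerprint should be compared against the target's own host key (ssh-keygen -l -f on its public host key file) rather than accepted by habit.

The parser below is an added example, not part of the PR or of NetBSD's tools. It reads kdump(1) output in the whitespace-collapsed form shown in the report, pairs each CALL with its RET, skips GIO payload lines, and reports for the first PSIG record who sent the signal, whether the raise(3) idiom preceded it, and the last few syscalls. `SAMPLE_KDUMP` is constructed from the report's own trace, shortened.

```python
"""
Find the fatal signal in a kdump(1) trace and say where it came from.

Added example for reading the ktrace tail in this PR; not part of the report
or of NetBSD. Input is assumed to be kdump output in the whitespace-collapsed
form "<pid> <lwp> <comm> <TYPE> <text>"; GIO payload lines are skipped.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Signal numbers NetBSD uses for the common cases (sys/signal.h).
SIGNAMES = {1: "SIGHUP", 2: "SIGINT", 3: "SIGQUIT", 6: "SIGABRT", 9: "SIGKILL",
            11: "SIGSEGV", 13: "SIGPIPE", 14: "SIGALRM", 15: "SIGTERM"}

LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(CALL|NAMI|RET|GIO|PSIG)\s+(.*)$")
CALL_RE = re.compile(r"^(\w+)(?:\((.*)\))?$")
RET_RE = re.compile(r"^(\w+)\s+(.*)$")

# Constructed from the PR's kdump tail, shortened; payload lines are kept on purpose.
SAMPLE_KDUMP = r"""
1014 1 ssh CALL open(0x7e48d396ef93,0x400002,0x400)
1014 1 ssh NAMI "/dev/tty"
1014 1 ssh RET open 4
1014 1 ssh CALL ioctl(4,TIOCSETAF,0x7f7fffb538f0)
1014 1 ssh RET ioctl 0
1014 1 ssh CALL write(4,0x7f7fffb543a0,0xe3)
1014 1 ssh GIO fd 4 wrote 227 bytes
"The authenticity of host '192.168.122.13 (192.168.122.13)' can't be es\
tablished.\nAre you sure you want to continue connecting (yes/no/[fingerprint])? "
1014 1 ssh RET write 227/0xe3
1014 1 ssh CALL read(4,0x7f7fffb5398b,1)
1014 1 ssh GIO fd 4 read 1 bytes
"\n"
1014 1 ssh RET read 1
1014 1 ssh CALL ioctl(4,TIOCSETAF,0x7f7fffb538f0)
1014 1 ssh RET ioctl 0
1014 1 ssh CALL close(4)
1014 1 ssh RET close 0
1014 1 ssh CALL _lwp_self
1014 1 ssh RET _lwp_self 1
1014 1 ssh CALL _lwp_kill(1,2)
1014 1 ssh RET _lwp_kill 0
1014 1 ssh PSIG SIGINT SIG_DFL: code=SI_LWP sent by pid=1014, uid=1000)
"""


@dataclass
class Event:
    pid: int
    lwp: int
    comm: str
    kind: str
    text: str


def parse_kdump(text: str) -> List[Event]:
    """Keep the structured records; GIO payload continuation lines never match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(int(m[1]), int(m[2]), m[3], m[4], m[5].strip()))
    return events


def analyse_fatal_signal(events: List[Event], window: int = 6) -> Optional[dict]:
    """Describe the first PSIG: sender, raise(3) idiom if any, and the syscalls before it."""
    syscalls: List[str] = []   # completed "name(args) -> ret", in order
    pending = None             # (name, args) of the CALL awaiting its RET
    last_path = None           # most recent NAMI translation
    lwp_self = None            # value last returned by _lwp_self
    raised_via = None          # set when _lwp_kill targets the calling LWP
    for ev in events:
        if ev.kind == "CALL":
            m = CALL_RE.match(ev.text)
            pending = (m[1], m[2] or "") if m else None
            if pending and pending[0] == "_lwp_kill":
                try:
                    target, signo = (int(x, 0) for x in pending[1].split(","))
                except ValueError:
                    continue
                if target == lwp_self:   # raise(3) on NetBSD: _lwp_kill(_lwp_self(), sig)
                    raised_via = f"raise(3): _lwp_kill({target}, {signo}) = {SIGNAMES.get(signo, signo)}"
        elif ev.kind == "NAMI":
            last_path = ev.text.strip('"')
        elif ev.kind == "RET":
            m = RET_RE.match(ev.text)
            if m and pending and m[1] == pending[0]:
                syscalls.append(f"{pending[0]}({pending[1]}) -> {m[2]}")
                if pending[0] == "_lwp_self":
                    lwp_self = int(m[2])
            pending = None
        elif ev.kind == "PSIG":
            parts = ev.text.split()
            sender = re.search(r"sent by pid=(\d+), uid=(\d+)", ev.text)
            code = re.search(r"code=(\w+)", ev.text)
            sent_by = int(sender[1]) if sender else None
            return {"signal": parts[0], "handler": parts[1].rstrip(":"),
                    "code": code[1] if code else None, "sent_by_pid": sent_by,
                    "sent_by_uid": int(sender[2]) if sender else None,
                    "self_inflicted": sent_by == ev.pid, "raised_via": raised_via,
                    "last_path": last_path, "last_syscalls": syscalls[-window:]}
    return None


def summarise(result: Optional[dict]) -> str:
    """One paragraph a human can act on."""
    if result is None:
        return "no PSIG record in trace"
    origin = "self-inflicted" if result["self_inflicted"] else f"from pid {result['sent_by_pid']}"
    lines = [f"{result['signal']} ({result['handler']}, code={result['code']}) {origin}"]
    if result["raised_via"]:
        lines.append("  delivered via " + result["raised_via"])
    lines.append(f"  last path touched: {result['last_path']}")
    lines.extend("  " + s for s in result["last_syscalls"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarise(analyse_fatal_signal(parse_kdump(SAMPLE_KDUMP))))
```

Feed it `kdump -f ssh.ktrace | python3 kdump_psig.py` style input on a real trace (the path and script name are placeholders) and the same three facts fall out: which signal ended the process, whether the process sent it to itself, and what it was doing on the tty just before. Those are the facts worth attaching to a report like this one, because they separate a local client-side abort from network or server-side causes without needing access to the target host.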
semann <<a href=3D"mailto:martin@duskware.de">martin@duskware.de</a>>=
wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px =
0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Sat, =
Jul 13, 2024 at 05:26:26PM -0700, Duncan Greatwood wrote:<br>
> The specific answer to your question is that NetBSD 9.0 is the most re=
cent<br>
> version of NetBSD explicitly supported by the default version of QEMU/=
KVM<br>
<br>
I am not sure what "explicitly supported" here means, but that is=
not<br>
very important for this PR.<br>
<br>
> Nonetheless. I cloned the VM and upgraded it to NetBSD 9.4 using:<br>
<br>
Thanks. Can you show the output of<br>
<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 ssh -vvvv user@somehost<br>
<br>
for the non-working case?<br>
<br>
Since your ssh shows the host key fingerprint it obviously is already talki=
ng<br>
to the peer (so anything on the network layer works), and the problem must<=
br>
be something local (like wrong permissions on your ~/.ssh directory).<br>
<br>
The more verbose output should point at that.<br>
<br>
Martin<br>
</blockquote></div>
From: RVP <rvp@SDF.ORG>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: misc/58420: ssh silently fails attempting to authenticate from
NetBSD to another host
Date: Sun, 14 Jul 2024 22:52:35 +0000 (UTC)
On Sun, 14 Jul 2024, Duncan Greatwood wrote:
> Also note zero size known_hosts after the above:
> -bash-5.2$ ls -l .ssh/known_hosts
> -rw-r--r-- 1 <username> users 0 Jul 11 11:55 .ssh/known_hosts
> If I now remove .ssh/known_hosts and run ssh again, it once again
> prompts for "continue connecting" and then exits silently, but no
> known_hosts is created.
>
Can we see the permissions for the directory _itself_?
ls -ld ~/.ssh
and show whatever custom ssh_config you're using (after redacting sensitive
info).
-RVP
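Martin and RVP both point at local ~/.ssh state (directory ownership and permissions, and whether ssh can create or append to known_hosts). The following is an added diagnostic, not part of the PR thread, that checks exactly those conditions; the function name check_ssh_dir and the FAIL/NOTE wording are this example's own.

```shell
#!/bin/sh
# Added example, not part of the PR thread: checks the local conditions that
# Martin and RVP ask about. A sane ~/.ssh is a directory owned by the caller,
# not group- or world-writable, and ssh must be able to create or append to
# known_hosts inside it. Only ls/cut/test are used so it runs on NetBSD and
# Linux alike. Pass a directory (default ~/.ssh); returns 0 if all checks pass.

check_ssh_dir() {
    dir=${1:-"$HOME/.ssh"}
    kh="$dir/known_hosts"
    status=0

    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 1
    fi
    if [ ! -O "$dir" ]; then
        echo "FAIL: $dir is not owned by the current user"
        status=1
    fi

    # First ten characters of "ls -ld", e.g. "drwx------" for a healthy ~/.ssh;
    # position 6 is the group write bit, position 9 the world write bit.
    mode=$(ls -ld "$dir" | cut -c1-10)
    case $mode in
        ?????w????) echo "FAIL: $dir is group-writable ($mode)"; status=1 ;;
    esac
    case $mode in
        ????????w?) echo "FAIL: $dir is world-writable ($mode)"; status=1 ;;
    esac

    # Can ssh actually record the host key after the "continue connecting" prompt?
    if [ -e "$kh" ]; then
        [ -w "$kh" ] || { echo "FAIL: $kh is not writable"; status=1; }
        [ -s "$kh" ] || echo "NOTE: $kh exists but is empty (as in this PR)"
    elif [ ! -w "$dir" ]; then
        echo "FAIL: $kh is missing and $dir is not writable, so it cannot be created"
        status=1
    fi

    [ "$status" -eq 0 ] && echo "OK: $dir looks sane"
    return "$status"
}
```

Run it as the affected user (`sh check.sh` or `. ./check.sh; check_ssh_dir`) before re-running `ssh -vvvv`; a FAIL line is the kind of local cause Martin suggests looking for.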
Copyright © 1994-2024
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.