bugzilla-daemon at mindrot.org
2022-Dec-07 09:48 UTC
[Bug 3507] New: Cannot get host-based authentication to work
https://bugzilla.mindrot.org/show_bug.cgi?id=3507 Bug ID: 3507 Summary: Cannot get host-based authentication to work Product: Portable OpenSSH Version: 8.8p1 Hardware: amd64 OS: Linux Status: NEW Severity: normal Priority: P5 Component: ssh Assignee: unassigned-bugs at mindrot.org Reporter: thomas at koeller.dyndns.org Created attachment 3629 --> https://bugzilla.mindrot.org/attachment.cgi?id=3629&action=edit ssh_config fragment included from /etc/ssh/ssh_config I am trying get host-base authentication to work, unsuccessfully so far. As it appears to me, the host key is successfully retrieved from /etc/ssh/ssh_known_hosts and accepted, but authorization is rejected anyway for reasons I am unable to figure out. On the server side I can see that the client is unexpectedly termination the connection, so the problem is most likely with the client. I am using a /etc/ssh/shosts.equiv file containing just one single line with only a '+' character. Here is a transcript of the client output from a failed authentication attempt: OpenSSH_8.8p1, OpenSSL 3.0.5 5 Jul 2022 debug1: Reading configuration data /etc/ssh/ssh_config debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/40-standard_user.conf depth 0 debug1: Reading configuration data /etc/ssh/ssh_config.d/40-standard_user.conf debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0 debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf debug2: checking match for 'final all' host sarkovy.koeller.dyndns.org originally sarkovy.koeller.dyndns.org debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: not matched 'final' debug2: match not found debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only) debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-] debug3: kex names ok: [curve25519-sha256,curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512] debug1: configuration requests final Match pass debug1: re-parsing configuration debug1: Reading configuration data /etc/ssh/ssh_config debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/40-standard_user.conf depth 0 debug1: Reading configuration data /etc/ssh/ssh_config.d/40-standard_user.conf debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0 debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf debug2: checking match for 'final all' host sarkovy.koeller.dyndns.org originally sarkovy.koeller.dyndns.org debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: matched 'final' debug2: match found debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-] debug3: kex names ok: [curve25519-sha256,curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512] debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/thomas/.ssh/known_hosts' debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/thomas/.ssh/known_hosts2' debug2: resolving "sarkovy.koeller.dyndns.org" port 22 debug3: resolve_host: lookup sarkovy.koeller.dyndns.org:22 debug3: ssh_connect_direct: entering debug1: Connecting to sarkovy.koeller.dyndns.org [fd46:1ffa:d8e0::1] port 22. debug3: set_sock_tos: set socket 4 IPV6_TCLASS 0x48 debug1: Connection established. debug1: identity file /home/thomas/.ssh/id_rsa type -1 debug1: identity file /home/thomas/.ssh/id_rsa-cert type -1 debug1: identity file /home/thomas/.ssh/id_dsa type -1 debug1: identity file /home/thomas/.ssh/id_dsa-cert type -1 debug1: identity file /home/thomas/.ssh/id_ecdsa type -1 debug1: identity file /home/thomas/.ssh/id_ecdsa-cert type -1 debug1: identity file /home/thomas/.ssh/id_ecdsa_sk type -1 debug1: identity file /home/thomas/.ssh/id_ecdsa_sk-cert type -1 debug1: identity file /home/thomas/.ssh/id_ed25519 type -1 debug1: identity file /home/thomas/.ssh/id_ed25519-cert type -1 debug1: identity file /home/thomas/.ssh/id_ed25519_sk type -1 debug1: identity file /home/thomas/.ssh/id_ed25519_sk-cert type -1 debug1: identity file /home/thomas/.ssh/id_xmss type -1 debug1: identity file /home/thomas/.ssh/id_xmss-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_8.8 debug1: Remote protocol version 2.0, remote software version OpenSSH_8.8 debug1: compat_banner: match: OpenSSH_8.8 pat OpenSSH* compat 0x04000000 debug2: fd 4 setting O_NONBLOCK debug1: Authenticating to sarkovy.koeller.dyndns.org:22 as 'thomas' debug1: load_hostkeys: fopen /home/thomas/.ssh/known_hosts: No such file or directory debug1: load_hostkeys: fopen /home/thomas/.ssh/known_hosts2: No such file or directory debug3: record_hostkey: found key type ED25519 in file /etc/ssh/ssh_known_hosts:2 debug3: load_hostkeys_file: loaded 1 keys from sarkovy.koeller.dyndns.org debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory debug3: order_hostkeyalgs: have matching best-preference key type ssh-ed25519-cert-v01 at openssh.com, using HostkeyAlgorithms verbatim debug3: send packet: type 20 debug1: SSH2_MSG_KEXINIT sent debug3: receive packet: type 20 debug1: SSH2_MSG_KEXINIT received debug2: local client KEXINIT proposal debug2: KEX algorithms: curve25519-sha256,curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ext-info-c debug2: host key algorithms: ssh-ed25519-cert-v01 at openssh.com,ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,sk-ssh-ed25519-cert-v01 at openssh.com,sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,rsa-sha2-512-cert-v01 at openssh.com,rsa-sha2-256-cert-v01 at openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519 at openssh.com,sk-ecdsa-sha2-nistp256 at openssh.com,rsa-sha2-512,rsa-sha2-256 debug2: ciphers ctos: aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com,aes256-ctr,aes128-gcm at openssh.com,aes128-ctr debug2: ciphers stoc: aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com,aes256-ctr,aes128-gcm at openssh.com,aes128-ctr debug2: MACs ctos: hmac-sha2-256-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha2-256,hmac-sha1,umac-128 at openssh.com,hmac-sha2-512 debug2: MACs stoc: hmac-sha2-256-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha2-256,hmac-sha1,umac-128 at openssh.com,hmac-sha2-512 debug2: compression ctos: none,zlib at openssh.com,zlib debug2: compression stoc: none,zlib at openssh.com,zlib debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug2: peer server KEXINIT proposal debug2: KEX algorithms: curve25519-sha256,curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 debug2: host key algorithms: ssh-ed25519 debug2: ciphers ctos: aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com,aes256-ctr,aes128-gcm at openssh.com,aes128-ctr debug2: ciphers stoc: aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com,aes256-ctr,aes128-gcm at openssh.com,aes128-ctr debug2: MACs ctos: hmac-sha2-256-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha2-256,hmac-sha1,umac-128 at openssh.com,hmac-sha2-512 debug2: MACs stoc: hmac-sha2-256-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha2-256,hmac-sha1,umac-128 at openssh.com,hmac-sha2-512 debug2: compression ctos: none,zlib at openssh.com debug2: compression stoc: none,zlib at openssh.com debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: algorithm: curve25519-sha256 debug1: kex: host key algorithm: ssh-ed25519 debug1: kex: server->client cipher: aes256-gcm at openssh.com MAC: <implicit> compression: none debug1: kex: client->server cipher: aes256-gcm at openssh.com MAC: <implicit> compression: none debug1: kex: curve25519-sha256 need=32 dh_need=32 debug1: kex: curve25519-sha256 need=32 dh_need=32 debug3: send packet: type 30 debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug3: receive packet: type 31 debug1: SSH2_MSG_KEX_ECDH_REPLY received debug1: Server host key: ssh-ed25519 SHA256:csWU9fi5IWZ7AOmRGcYQJgHi5jk2jEG6x3Nl+EkadHk debug1: load_hostkeys: fopen /home/thomas/.ssh/known_hosts: No such file or directory debug1: load_hostkeys: fopen /home/thomas/.ssh/known_hosts2: No such file or directory debug3: record_hostkey: found key type ED25519 in file /etc/ssh/ssh_known_hosts:2 debug3: load_hostkeys_file: loaded 1 keys from sarkovy.koeller.dyndns.org debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory debug1: Host 'sarkovy.koeller.dyndns.org' is known and matches the ED25519 host key. debug1: Found key in /etc/ssh/ssh_known_hosts:2 debug3: check_host_key: host key found in GlobalKnownHostsFile; disabling UpdateHostkeys debug3: send packet: type 21 debug2: set_newkeys: mode 1 debug1: rekey out after 4294967296 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug3: receive packet: type 21 debug1: SSH2_MSG_NEWKEYS received debug2: set_newkeys: mode 0 debug1: rekey in after 4294967296 blocks debug1: Will attempt key: /home/thomas/.ssh/id_rsa debug1: Will attempt key: /home/thomas/.ssh/id_dsa debug1: Will attempt key: /home/thomas/.ssh/id_ecdsa debug1: Will attempt key: /home/thomas/.ssh/id_ecdsa_sk debug1: Will attempt key: /home/thomas/.ssh/id_ed25519 debug1: Will attempt key: /home/thomas/.ssh/id_ed25519_sk debug1: Will attempt key: /home/thomas/.ssh/id_xmss debug2: pubkey_prepare: done debug3: send packet: type 5 debug3: receive packet: type 7 debug1: SSH2_MSG_EXT_INFO received debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519 at openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256 at openssh.com,webauthn-sk-ecdsa-sha2-nistp256 at openssh.com> debug3: receive packet: type 6 debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug3: send packet: type 50 debug3: receive packet: type 51 debug1: Authentications that can continue: hostbased debug3: start over, passed a different list hostbased debug3: preferred gssapi-with-mic,hostbased,password debug3: authmethod_lookup hostbased debug3: remaining preferred: password debug3: authmethod_is_enabled hostbased debug1: Next authentication method: hostbased debug3: userauth_hostbased: trying key type ssh-ed25519 debug3: userauth_hostbased: trying key type ssh-ed25519-cert-v01 at openssh.com debug1: No more client hostkeys for hostbased authentication. debug2: we did not send a packet, disable method debug1: No more authentication methods to try. thomas at sarkovy.koeller.dyndns.org: Permission denied (hostbased). -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Dec-07 09:58 UTC
[Bug 3507] Cannot get host-based authentication to work
https://bugzilla.mindrot.org/show_bug.cgi?id=3507 --- Comment #1 from Thomas Koeller <thomas at koeller.dyndns.org> --- Forgot to mention that both the server and the client execute on the same host, if that's significant. -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Dec-07 10:34 UTC
[Bug 3507] Cannot get host-based authentication to work
https://bugzilla.mindrot.org/show_bug.cgi?id=3507 Darren Tucker <dtucker at dtucker.net> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dtucker at dtucker.net --- Comment #2 from Darren Tucker <dtucker at dtucker.net> --- The reason is likely in the server side log. Please run the server in debug mode (eg "/path/to/sshd -ddde -p222", connect to it on port 222 and attach the log. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2022-Dec-07 10:39 UTC
[Bug 3507] Cannot get host-based authentication to work
https://bugzilla.mindrot.org/show_bug.cgi?id=3507 --- Comment #3 from Darren Tucker <dtucker at dtucker.net> --- Also, what's in sshd_config? Unless you have your DNS forward and reverse exactly right, you probably want "HostbasedUsesNameFromPacketOnly yes" in sshd_config. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Dec-07 11:04 UTC
[Bug 3507] Cannot get host-based authentication to work
https://bugzilla.mindrot.org/show_bug.cgi?id=3507 --- Comment #4 from Thomas Koeller <thomas at koeller.dyndns.org> --- Created attachment 3630 --> https://bugzilla.mindrot.org/attachment.cgi?id=3630&action=edit server configuration -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Dec-07 11:04 UTC
[Bug 3507] Cannot get host-based authentication to work
https://bugzilla.mindrot.org/show_bug.cgi?id=3507 --- Comment #5 from Thomas Koeller <thomas at koeller.dyndns.org> --- (In reply to Darren Tucker from comment #3)> Also, what's in sshd_config? Unless you have your DNS forward and > reverse exactly right, you probably want > "HostbasedUsesNameFromPacketOnly yes" in sshd_config.Attaching the sever configuration. Here is the result of a forward/reverse lookup of the host name in used, I think that should be o.k.? [thomas at sarkovy ~]$ dig +noall +keepopen +authority +answer sarkovy.koeller.dyndns.org any -x 192.168.0.1 -x fd46:1ffa:d8e0::1 sarkovy.koeller.dyndns.org. 259200 IN A 192.168.0.1 sarkovy.koeller.dyndns.org. 259200 IN AAAA fd46:1ffa:d8e0::1 sarkovy.koeller.dyndns.org. 259200 IN TXT "Thomas' computer" 1.0.168.192.in-addr.arpa. 259200 IN PTR sarkovy.koeller.dyndns.org. 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.e.8.d.a.f.f.1.6.4.d.f.ip6.arpa. 3600 IN PTR sarkovy.koeller.dyndns.org. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2022-Dec-07 11:04 UTC
[Bug 3507] Cannot get host-based authentication to work
https://bugzilla.mindrot.org/show_bug.cgi?id=3507 Darren Tucker <dtucker at dtucker.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #3630|application/octet-stream |text/plain mime type| | -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Dec-07 11:10 UTC
[Bug 3507] Cannot get host-based authentication to work
https://bugzilla.mindrot.org/show_bug.cgi?id=3507 --- Comment #6 from Thomas Koeller <thomas at koeller.dyndns.org> --- (In reply to Darren Tucker from comment #2)> The reason is likely in the server side log. Please run the server > in debug mode (eg "/path/to/sshd -ddde -p222", connect to it on port > 222 and attach the log.debug1: sshd version OpenSSH_8.8, OpenSSL 3.0.5 5 Jul 2022 debug1: private host key #0: ssh-ed25519 SHA256:csWU9fi5IWZ7AOmRGcYQJgHi5jk2jEG6x3Nl+EkadHk debug1: rexec_argv[0]='/usr/sbin/sshd' debug1: rexec_argv[1]='-d' debug1: Set /proc/self/oom_score_adj from 200 to -1000 debug1: Bind to port 22 on fd46:1ffa:d8e0::1. Server listening on fd46:1ffa:d8e0::1 port 22. debug1: Bind to port 22 on 192.168.0.1. Server listening on 192.168.0.1 port 22. debug1: Server will not fork when running in debugging mode. debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8 debug1: sshd version OpenSSH_8.8, OpenSSL 3.0.5 5 Jul 2022 debug1: private host key #0: ssh-ed25519 SHA256:csWU9fi5IWZ7AOmRGcYQJgHi5jk2jEG6x3Nl+EkadHk debug1: inetd sockets after dupping: 3, 3 Connection from fd46:1ffa:d8e0::1 port 51228 on fd46:1ffa:d8e0::1 port 22 rdomain "" debug1: Local version string SSH-2.0-OpenSSH_8.8 debug1: Remote protocol version 2.0, remote software version OpenSSH_8.8 debug1: compat_banner: match: OpenSSH_8.8 pat OpenSSH* compat 0x04000000 debug1: SELinux support enabled [preauth] debug1: ssh_selinux_change_context: setting context from 'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023' to 'unconfined_u:unconfined_r:sshd_net_t:s0-s0:c0.c1023' [preauth] debug1: permanently_set_uid: 74/74 [preauth] debug1: list_hostkey_types: ssh-ed25519 [preauth] debug1: SSH2_MSG_KEXINIT sent [preauth] debug1: SSH2_MSG_KEXINIT received [preauth] debug1: kex: algorithm: curve25519-sha256 [preauth] debug1: kex: host key algorithm: ssh-ed25519 [preauth] debug1: kex: client->server cipher: aes256-gcm at openssh.com MAC: <implicit> compression: none [preauth] debug1: kex: server->client cipher: aes256-gcm at openssh.com MAC: <implicit> compression: none [preauth] debug1: kex: curve25519-sha256 need=32 dh_need=32 [preauth] debug1: kex: curve25519-sha256 need=32 dh_need=32 [preauth] debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth] debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth] debug1: rekey out after 4294967296 blocks [preauth] debug1: SSH2_MSG_NEWKEYS sent [preauth] debug1: Sending SSH2_MSG_EXT_INFO [preauth] debug1: expecting SSH2_MSG_NEWKEYS [preauth] debug1: SSH2_MSG_NEWKEYS received [preauth] debug1: rekey in after 4294967296 blocks [preauth] debug1: KEX done [preauth] debug1: userauth-request for user thomas service ssh-connection method none [preauth] debug1: attempt 0 failures 0 [preauth] debug1: user thomas matched 'User thomas' at line 1 debug1: authentication methods list 0: hostbased debug1: PAM: initializing for "thomas" debug1: PAM: setting PAM_RHOST to "fd46:1ffa:d8e0::1" debug1: PAM: setting PAM_TTY to "ssh" debug1: authentication methods list 0: hostbased [preauth] Connection closed by authenticating user thomas fd46:1ffa:d8e0::1 port 51228 [preauth] debug1: do_cleanup [preauth] debug1: monitor_read_log: child log fd closed debug1: do_cleanup debug1: PAM: cleanup debug1: Killing privsep child 60899 -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Dec-07 11:18 UTC
[Bug 3507] Cannot get host-based authentication to work
https://bugzilla.mindrot.org/show_bug.cgi?id=3507 --- Comment #7 from Thomas Koeller <thomas at koeller.dyndns.org> --- (In reply to Darren Tucker from comment #2)> The reason is likely in the server side log. Please run the server > in debug mode (eg "/path/to/sshd -ddde -p222", connect to it on port > 222 and attach the log.Sory, missed the '-ddd' part. debug2: load_server_config: filename /etc/ssh/sshd_config debug2: load_server_config: done config len = 3744 debug2: parse_server_config_depth: config /etc/ssh/sshd_config len 3744 debug2: /etc/ssh/sshd_config line 15: new include /etc/ssh/sshd_config.d/*.conf debug2: /etc/ssh/sshd_config line 15: including /etc/ssh/sshd_config.d/40-sshvpn.conf debug2: load_server_config: filename /etc/ssh/sshd_config.d/40-sshvpn.conf debug2: load_server_config: done config len = 272 debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/40-sshvpn.conf len 272 debug3: checking syntax for 'Match Host=sshvpn.koeller.dyndns.org' debug2: /etc/ssh/sshd_config line 15: including /etc/ssh/sshd_config.d/40-standard-user.conf debug2: load_server_config: filename /etc/ssh/sshd_config.d/40-standard-user.conf debug2: load_server_config: done config len = 537 debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/40-standard-user.conf len 537 debug3: checking syntax for 'Match User=thomas' debug2: /etc/ssh/sshd_config line 15: including /etc/ssh/sshd_config.d/50-redhat.conf debug2: load_server_config: filename /etc/ssh/sshd_config.d/50-redhat.conf debug2: load_server_config: done config len = 720 debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/50-redhat.conf len 720 debug2: /etc/ssh/sshd_config.d/50-redhat.conf line 6: new include /etc/crypto-policies/back-ends/opensshserver.config debug2: /etc/ssh/sshd_config.d/50-redhat.conf line 6: including /etc/crypto-policies/back-ends/opensshserver.config debug2: load_server_config: filename /etc/crypto-policies/back-ends/opensshserver.config debug2: load_server_config: done config len = 1800 debug2: parse_server_config_depth: config /etc/crypto-policies/back-ends/opensshserver.config len 1800 debug3: /etc/crypto-policies/back-ends/opensshserver.config:1 setting Ciphers aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com,aes256-ctr,aes128-gcm at openssh.com,aes128-ctr debug3: /etc/crypto-policies/back-ends/opensshserver.config:2 setting MACs hmac-sha2-256-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha2-256,hmac-sha1,umac-128 at openssh.com,hmac-sha2-512 debug3: /etc/crypto-policies/back-ends/opensshserver.config:3 setting GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-] debug3: /etc/crypto-policies/back-ends/opensshserver.config:4 setting KexAlgorithms curve25519-sha256,curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 debug3: kex names ok: [curve25519-sha256,curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512] debug3: /etc/crypto-policies/back-ends/opensshserver.config:5 setting HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01 at openssh.com,sk-ecdsa-sha2-nistp256 at openssh.com,sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ssh-ed25519,ssh-ed25519-cert-v01 at openssh.com,sk-ssh-ed25519 at openssh.com,sk-ssh-ed25519-cert-v01 at openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01 at openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01 at openssh.com debug3: /etc/crypto-policies/back-ends/opensshserver.config:6 setting PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01 at openssh.com,sk-ecdsa-sha2-nistp256 at openssh.com,sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ssh-ed25519,ssh-ed25519-cert-v01 at openssh.com,sk-ssh-ed25519 at openssh.com,sk-ssh-ed25519-cert-v01 at openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01 at openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01 at openssh.com debug3: /etc/crypto-policies/back-ends/opensshserver.config:7 setting CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256 at openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519 at openssh.com,rsa-sha2-256,rsa-sha2-512 debug3: /etc/crypto-policies/back-ends/opensshserver.config:8 setting RSAMinSize 2048 debug3: /etc/ssh/sshd_config.d/50-redhat.conf:8 setting SyslogFacility AUTHPRIV debug3: /etc/ssh/sshd_config.d/50-redhat.conf:10 setting ChallengeResponseAuthentication no debug3: /etc/ssh/sshd_config.d/50-redhat.conf:12 setting GSSAPIAuthentication yes debug3: /etc/ssh/sshd_config.d/50-redhat.conf:13 setting GSSAPICleanupCredentials no debug3: /etc/ssh/sshd_config.d/50-redhat.conf:15 setting UsePAM yes debug3: /etc/ssh/sshd_config.d/50-redhat.conf:17 setting X11Forwarding yes debug3: /etc/ssh/sshd_config.d/50-redhat.conf:21 setting PrintMotd no debug3: /etc/ssh/sshd_config:25 setting ListenAddress 192.168.0.1:22 debug3: /etc/ssh/sshd_config:26 setting ListenAddress [fd46:1ffa:d8e0::1]:22 debug3: /etc/ssh/sshd_config:28 setting HostKey /etc/ssh/ssh_host_ed25519_key debug3: /etc/ssh/sshd_config:30 setting HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01 at openssh.com debug3: /etc/ssh/sshd_config:37 setting LogLevel DEBUG debug3: /etc/ssh/sshd_config:52 setting AuthorizedKeysFile .ssh/authorized_keys debug3: /etc/ssh/sshd_config:60 setting HostbasedAuthentication yes debug3: /etc/ssh/sshd_config:63 setting IgnoreUserKnownHosts yes debug3: /etc/ssh/sshd_config:65 setting IgnoreRhosts yes debug3: /etc/ssh/sshd_config:68 setting PasswordAuthentication no debug3: /etc/ssh/sshd_config:72 setting KbdInteractiveAuthentication no debug3: /etc/ssh/sshd_config:99 setting UsePAM yes debug3: /etc/ssh/sshd_config:108 setting PrintMotd no debug3: /etc/ssh/sshd_config:118 setting PermitTunnel yes debug3: /etc/ssh/sshd_config:126 setting Subsystem sftp /usr/libexec/openssh/sftp-server debug1: sshd version OpenSSH_8.8, OpenSSL 3.0.5 5 Jul 2022 debug1: private host key #0: ssh-ed25519 SHA256:csWU9fi5IWZ7AOmRGcYQJgHi5jk2jEG6x3Nl+EkadHk debug1: rexec_argv[0]='/usr/sbin/sshd' debug1: rexec_argv[1]='-ddd' debug3: oom_adjust_setup debug1: Set /proc/self/oom_score_adj from 200 to -1000 debug2: fd 3 setting O_NONBLOCK debug3: sock_set_v6only: set socket 3 IPV6_V6ONLY debug1: Bind to port 22 on fd46:1ffa:d8e0::1. Server listening on fd46:1ffa:d8e0::1 port 22. debug2: fd 4 setting O_NONBLOCK debug1: Bind to port 22 on 192.168.0.1. Server listening on 192.168.0.1 port 22. debug3: fd 5 is not O_NONBLOCK debug1: Server will not fork when running in debugging mode. debug3: send_rexec_state: entering fd = 8 config len 3744 debug3: ssh_msg_send: type 0 debug3: send_rexec_state: done debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8 debug3: recv_rexec_state: entering fd = 5 debug3: ssh_msg_recv entering debug3: recv_rexec_state: done debug2: parse_server_config_depth: config rexec len 3744 debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/40-sshvpn.conf len 272 debug3: checking syntax for 'Match Host=sshvpn.koeller.dyndns.org' debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/40-standard-user.conf len 537 debug3: checking syntax for 'Match User=thomas' debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/50-redhat.conf len 720 debug2: parse_server_config_depth: config /etc/crypto-policies/back-ends/opensshserver.config len 1800 debug3: /etc/crypto-policies/back-ends/opensshserver.config:1 setting Ciphers aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com,aes256-ctr,aes128-gcm at openssh.com,aes128-ctr debug3: /etc/crypto-policies/back-ends/opensshserver.config:2 setting MACs hmac-sha2-256-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha2-256,hmac-sha1,umac-128 at openssh.com,hmac-sha2-512 debug3: /etc/crypto-policies/back-ends/opensshserver.config:3 setting GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512- debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-] debug3: /etc/crypto-policies/back-ends/opensshserver.config:4 setting KexAlgorithms curve25519-sha256,curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 debug3: kex names ok: [curve25519-sha256,curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512] debug3: /etc/crypto-policies/back-ends/opensshserver.config:5 setting HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01 at openssh.com,sk-ecdsa-sha2-nistp256 at openssh.com,sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ssh-ed25519,ssh-ed25519-cert-v01 at openssh.com,sk-ssh-ed25519 at openssh.com,sk-ssh-ed25519-cert-v01 at openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01 at openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01 at openssh.com debug3: /etc/crypto-policies/back-ends/opensshserver.config:6 setting PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01 at openssh.com,sk-ecdsa-sha2-nistp256 at openssh.com,sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ssh-ed25519,ssh-ed25519-cert-v01 at openssh.com,sk-ssh-ed25519 at openssh.com,sk-ssh-ed25519-cert-v01 at openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01 at openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01 at openssh.com debug3: /etc/crypto-policies/back-ends/opensshserver.config:7 setting CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256 at openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519 at openssh.com,rsa-sha2-256,rsa-sha2-512 debug3: /etc/crypto-policies/back-ends/opensshserver.config:8 setting RSAMinSize 2048 debug3: /etc/ssh/sshd_config.d/50-redhat.conf:8 setting SyslogFacility AUTHPRIV debug3: /etc/ssh/sshd_config.d/50-redhat.conf:10 setting ChallengeResponseAuthentication no debug3: /etc/ssh/sshd_config.d/50-redhat.conf:12 setting GSSAPIAuthentication yes debug3: /etc/ssh/sshd_config.d/50-redhat.conf:13 setting GSSAPICleanupCredentials no debug3: /etc/ssh/sshd_config.d/50-redhat.conf:15 setting UsePAM yes debug3: /etc/ssh/sshd_config.d/50-redhat.conf:17 setting X11Forwarding yes debug3: /etc/ssh/sshd_config.d/50-redhat.conf:21 setting PrintMotd no debug3: rexec:25 setting ListenAddress 192.168.0.1:22 debug3: rexec:26 setting ListenAddress [fd46:1ffa:d8e0::1]:22 debug3: rexec:28 setting HostKey /etc/ssh/ssh_host_ed25519_key debug3: rexec:30 setting HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01 at openssh.com debug3: rexec:37 setting LogLevel DEBUG debug3: rexec:52 setting AuthorizedKeysFile .ssh/authorized_keys debug3: rexec:60 setting HostbasedAuthentication yes debug3: rexec:63 setting IgnoreUserKnownHosts yes debug3: rexec:65 setting IgnoreRhosts yes debug3: rexec:68 setting PasswordAuthentication no debug3: rexec:72 setting KbdInteractiveAuthentication no debug3: rexec:99 setting UsePAM yes debug3: rexec:108 setting PrintMotd no debug3: rexec:118 setting PermitTunnel yes debug3: rexec:126 setting Subsystem sftp /usr/libexec/openssh/sftp-server debug1: sshd version OpenSSH_8.8, OpenSSL 3.0.5 5 Jul 2022 debug1: private host key #0: ssh-ed25519 SHA256:csWU9fi5IWZ7AOmRGcYQJgHi5jk2jEG6x3Nl+EkadHk debug1: inetd sockets after dupping: 3, 3 Connection from fd46:1ffa:d8e0::1 port 37486 on fd46:1ffa:d8e0::1 port 22 rdomain "" debug1: Local version string SSH-2.0-OpenSSH_8.8 debug1: Remote protocol version 2.0, remote software version OpenSSH_8.8 debug1: compat_banner: match: OpenSSH_8.8 pat OpenSSH* compat 0x04000000 debug2: fd 3 setting O_NONBLOCK debug3: ssh_sandbox_init: preparing seccomp filter sandbox debug2: Network child is on pid 63940 debug3: preauth child monitor started debug1: SELinux support enabled [preauth] debug1: ssh_selinux_change_context: setting context from 'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023' to 'unconfined_u:unconfined_r:sshd_net_t:s0-s0:c0.c1023' [preauth] debug3: ssh_selinux_change_context: setcon unconfined_u:unconfined_r:sshd_net_t:s0-s0:c0.c1023 from unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 failed with Invalid argument [preauth] debug3: privsep user:group 74:74 [preauth] debug1: permanently_set_uid: 74/74 [preauth] debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth] debug3: ssh_sandbox_child: attaching seccomp filter program [preauth] debug1: list_hostkey_types: ssh-ed25519 [preauth] debug3: send packet: type 20 [preauth] debug1: SSH2_MSG_KEXINIT sent [preauth] debug3: receive packet: type 20 [preauth] debug1: SSH2_MSG_KEXINIT received [preauth] debug2: local server KEXINIT proposal [preauth] debug2: KEX algorithms: curve25519-sha256,curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 [preauth] debug2: host key algorithms: ssh-ed25519 [preauth] debug2: ciphers ctos: aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com,aes256-ctr,aes128-gcm at openssh.com,aes128-ctr [preauth] debug2: ciphers stoc: aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com,aes256-ctr,aes128-gcm at openssh.com,aes128-ctr [preauth] debug2: MACs ctos: hmac-sha2-256-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha2-256,hmac-sha1,umac-128 at openssh.com,hmac-sha2-512 [preauth] debug2: MACs stoc: hmac-sha2-256-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha2-256,hmac-sha1,umac-128 at openssh.com,hmac-sha2-512 [preauth] debug2: compression ctos: none,zlib at openssh.com [preauth] debug2: compression stoc: none,zlib at openssh.com [preauth] debug2: languages ctos: [preauth] debug2: languages stoc: [preauth] debug2: first_kex_follows 0 [preauth] debug2: reserved 0 [preauth] debug2: peer client KEXINIT proposal [preauth] debug2: KEX algorithms: curve25519-sha256,curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ext-info-c [preauth] debug2: host key algorithms: ssh-ed25519-cert-v01 at openssh.com,ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,sk-ssh-ed25519-cert-v01 at openssh.com,sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,rsa-sha2-512-cert-v01 at openssh.com,rsa-sha2-256-cert-v01 at openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519 at openssh.com,sk-ecdsa-sha2-nistp256 at openssh.com,rsa-sha2-512,rsa-sha2-256 [preauth] debug2: ciphers ctos: aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com,aes256-ctr,aes128-gcm at openssh.com,aes128-ctr [preauth] debug2: ciphers stoc: aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com,aes256-ctr,aes128-gcm at openssh.com,aes128-ctr [preauth] debug2: MACs ctos: hmac-sha2-256-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha2-256,hmac-sha1,umac-128 at openssh.com,hmac-sha2-512 [preauth] debug2: MACs stoc: hmac-sha2-256-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha2-256,hmac-sha1,umac-128 at openssh.com,hmac-sha2-512 [preauth] debug2: compression ctos: none,zlib at openssh.com,zlib [preauth] debug2: compression stoc: none,zlib at openssh.com,zlib [preauth] debug2: languages ctos: [preauth] debug2: languages stoc: [preauth] debug2: first_kex_follows 0 [preauth] debug2: reserved 0 [preauth] debug1: kex: algorithm: curve25519-sha256 [preauth] debug1: kex: host key algorithm: ssh-ed25519 [preauth] debug1: kex: client->server cipher: aes256-gcm at openssh.com MAC: <implicit> compression: none [preauth] debug1: kex: server->client cipher: aes256-gcm at openssh.com MAC: <implicit> compression: none [preauth] debug1: kex: curve25519-sha256 need=32 dh_need=32 [preauth] debug3: mm_request_send: entering, type 120 [preauth] debug3: mm_request_receive_expect: entering, type 121 [preauth] debug3: mm_request_receive: entering [preauth] debug3: mm_request_receive: entering debug3: monitor_read: checking request 120 debug3: mm_request_send: entering, type 121 debug1: kex: curve25519-sha256 need=32 dh_need=32 [preauth] debug3: mm_request_send: entering, type 120 [preauth] debug3: mm_request_receive_expect: entering, type 121 [preauth] debug3: mm_request_receive: entering [preauth] debug3: mm_request_receive: entering debug3: monitor_read: checking request 120 debug3: mm_request_send: entering, type 121 debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth] debug3: receive packet: type 30 [preauth] debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth] debug3: mm_sshkey_sign: entering [preauth] debug3: mm_request_send: entering, type 6 [preauth] debug3: mm_sshkey_sign: waiting for MONITOR_ANS_SIGN [preauth] debug3: mm_request_receive_expect: entering, type 7 [preauth] debug3: mm_request_receive: entering [preauth] debug3: mm_request_receive: entering debug3: monitor_read: checking request 6 debug3: mm_answer_sign: entering debug3: mm_answer_sign: ssh-ed25519 KEX signature len=83 debug3: mm_request_send: entering, type 7 debug2: monitor_read: 6 used once, disabling now debug3: send packet: type 31 [preauth] debug3: send packet: type 21 [preauth] debug2: set_newkeys: mode 1 [preauth] debug1: rekey out after 4294967296 blocks [preauth] debug1: SSH2_MSG_NEWKEYS sent [preauth] debug1: Sending SSH2_MSG_EXT_INFO [preauth] debug3: send packet: type 7 [preauth] debug1: expecting SSH2_MSG_NEWKEYS [preauth] debug3: receive packet: type 21 [preauth] debug1: SSH2_MSG_NEWKEYS received [preauth] debug2: set_newkeys: mode 0 [preauth] debug1: rekey in after 4294967296 blocks [preauth] debug1: KEX done [preauth] debug3: receive packet: type 5 [preauth] debug3: send packet: type 6 [preauth] debug3: receive packet: type 50 [preauth] debug1: userauth-request for user thomas service ssh-connection method none [preauth] debug1: attempt 0 failures 0 [preauth] debug3: mm_getpwnamallow: entering [preauth] debug3: mm_request_send: entering, type 8 [preauth] debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth] debug3: mm_request_receive_expect: entering, type 9 [preauth] debug3: mm_request_receive: entering [preauth] debug3: mm_request_receive: entering debug3: monitor_read: checking request 8 debug3: mm_answer_pwnamallow: entering debug2: parse_server_config_depth: config reprocess config len 3744 debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/40-sshvpn.conf len 272 debug3: checking match for 'Host=sshvpn.koeller.dyndns.org' user thomas host fd46:1ffa:d8e0::1 addr fd46:1ffa:d8e0::1 laddr fd46:1ffa:d8e0::1 lport 22 debug3: match not found debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/40-standard-user.conf len 537 debug3: checking match for 'User=thomas' user thomas host fd46:1ffa:d8e0::1 addr fd46:1ffa:d8e0::1 laddr fd46:1ffa:d8e0::1 lport 22 debug1: user thomas matched 'User thomas' at line 1 debug3: match found debug3: /etc/ssh/sshd_config.d/40-standard-user.conf:4 setting AuthenticationMethods hostbased debug3: /etc/ssh/sshd_config.d/40-standard-user.conf:6 setting AllowUsers thomas debug3: /etc/ssh/sshd_config.d/40-standard-user.conf:7 setting DenyUsers none debug3: /etc/ssh/sshd_config.d/40-standard-user.conf:8 setting ForceCommand none debug3: /etc/ssh/sshd_config.d/40-standard-user.conf:9 setting GSSAPIAuthentication no debug3: /etc/ssh/sshd_config.d/40-standard-user.conf:10 setting HostbasedAcceptedAlgorithms ssh-ed25519-cert-v01 at openssh.com,ssh-ed25519 debug3: /etc/ssh/sshd_config.d/40-standard-user.conf:11 setting HostbasedAuthentication yes debug3: /etc/ssh/sshd_config.d/40-standard-user.conf:12 setting HostbasedUsesNameFromPacketOnly yes debug3: /etc/ssh/sshd_config.d/40-standard-user.conf:13 setting IgnoreRhosts yes debug3: /etc/ssh/sshd_config.d/40-standard-user.conf:14 setting KerberosAuthentication no debug3: /etc/ssh/sshd_config.d/40-standard-user.conf:15 setting PasswordAuthentication no debug3: /etc/ssh/sshd_config.d/40-standard-user.conf:16 setting PermitRootLogin no debug3: /etc/ssh/sshd_config.d/40-standard-user.conf:17 setting PermitTTY yes debug3: /etc/ssh/sshd_config.d/40-standard-user.conf:18 setting PermitTunnel no debug3: /etc/ssh/sshd_config.d/40-standard-user.conf:19 setting PermitUserRC yes debug3: /etc/ssh/sshd_config.d/40-standard-user.conf:20 setting PubkeyAuthentication no debug3: /etc/ssh/sshd_config.d/40-standard-user.conf:21 setting PubkeyAcceptedAlgorithms ssh-ed25519,ssh-ed25519-cert-v01 at openssh.com debug2: parse_server_config_depth: config /etc/ssh/sshd_config.d/50-redhat.conf len 720 debug2: parse_server_config_depth: config /etc/crypto-policies/back-ends/opensshserver.config len 1800 debug3: auth2_setup_methods_lists: checking methods debug1: authentication methods list 0: hostbased debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1 debug3: mm_request_send: entering, type 9 debug2: monitor_read: 8 used once, disabling now debug2: input_userauth_request: setting up authctxt for thomas [preauth] debug3: mm_start_pam entering [preauth] debug3: mm_request_send: entering, type 100 [preauth] debug3: mm_inform_authserv: entering [preauth] debug3: mm_request_send: entering, type 4 [preauth] debug3: mm_inform_authrole: entering [preauth] debug3: mm_request_send: entering, type 80 [preauth] debug3: auth2_setup_methods_lists: checking methods [preauth] debug1: authentication methods list 0: hostbased [preauth] debug2: Unrecognized authentication method name: none [preauth] debug3: user_specific_delay: user specific delay 0.000ms [preauth] debug3: ensure_minimum_time_since: elapsed 0.747ms, delaying 6.577ms (requested 7.323ms) [preauth] debug3: mm_request_receive: entering debug3: monitor_read: checking request 100 debug1: PAM: initializing for "thomas" debug1: PAM: setting PAM_RHOST to "fd46:1ffa:d8e0::1" debug1: PAM: setting PAM_TTY to "ssh" debug2: monitor_read: 100 used once, disabling now debug3: mm_request_receive: entering debug3: monitor_read: checking request 4 debug3: mm_answer_authserv: service=ssh-connection, styledebug2: monitor_read: 4 used once, disabling now debug3: mm_request_receive: entering debug3: monitor_read: checking request 80 debug3: mm_answer_authrole: roledebug2: monitor_read: 80 used once, disabling now debug3: userauth_finish: failure partial=0 next methods="hostbased" [preauth] debug3: send packet: type 51 [preauth] debug3: mm_request_send: entering, type 122 [preauth] debug3: mm_request_receive_expect: entering, type 123 [preauth] debug3: mm_request_receive: entering [preauth] debug3: mm_request_receive: entering debug3: monitor_read: checking request 122 debug3: mm_request_send: entering, type 123 Connection closed by authenticating user thomas fd46:1ffa:d8e0::1 port 37486 [preauth] debug1: do_cleanup [preauth] debug3: PAM: sshpam_thread_cleanup entering [preauth] debug3: mm_request_send: entering, type 124 [preauth] debug3: mm_request_receive: entering debug3: monitor_read: checking request 124 debug1: monitor_read_log: child log fd closed debug3: mm_request_receive: entering debug1: do_cleanup debug1: PAM: cleanup debug3: PAM: sshpam_thread_cleanup entering debug1: Killing privsep child 63940 [ -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2022-Dec-07 11:18 UTC
[Bug 3507] Cannot get host-based authentication to work
https://bugzilla.mindrot.org/show_bug.cgi?id=3507 --- Comment #8 from Darren Tucker <dtucker at dtucker.net> --- (In reply to Thomas Koeller from comment #5)> (In reply to Darren Tucker from comment #3) > > Also, what's in sshd_config? Unless you have your DNS forward and > > reverse exactly right, you probably want > > "HostbasedUsesNameFromPacketOnly yes" in sshd_config. > > Attaching the sever configuration. > > Here is the result of a forward/reverse lookup of the host name in > used, I think that should be o.k.?Hard to tell from here but I don't see anything obvious. Setting HostbasedUsesNameFromPacketOnly would remove name resolution as a variable, though. I note from the logs that this is a vendor-modified version of OpenSSH 8.8. Can you reproduce the problem with a current version of stock openssh from openssh.com? There were a couple of fixes to hostbased in 8.9, but I think only RSA keys were affected and you're not using those: * ssh(1): unbreak hostbased auth using RSA keys. Allow ssh(1) to select RSA keys when only RSA/SHA2 signature algorithms are configured (this is the default case). Previously RSA keys were not being considered in the default case. * ssh-keysign(1): make ssh-keysign use the requested signature algorithm and not the default for the key type. Part of unbreaking hostbased auth for RSA/SHA2 keys. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Dec-07 11:22 UTC
[Bug 3507] Cannot get host-based authentication to work
https://bugzilla.mindrot.org/show_bug.cgi?id=3507 --- Comment #9 from Darren Tucker <dtucker at dtucker.net> --- (also: please use attachments for logs, pasting large logs into comments quickly makes things unreadable). -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Dec-07 11:25 UTC
[Bug 3507] Cannot get host-based authentication to work
https://bugzilla.mindrot.org/show_bug.cgi?id=3507 --- Comment #10 from Thomas Koeller <thomas at koeller.dyndns.org> --- (In reply to Darren Tucker from comment #8)> (In reply to Thomas Koeller from comment #5) > > (In reply to Darren Tucker from comment #3) > I note from the logs that this is a vendor-modified version of > OpenSSH 8.8. Can you reproduce the problem with a current version > of stock openssh from openssh.com? >I can do that, though it may take some time. What would qualify as a 'current version', HEAD of git master branch or some release? -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Dec-07 11:35 UTC
[Bug 3507] Cannot get host-based authentication to work
https://bugzilla.mindrot.org/show_bug.cgi?id=3507 --- Comment #11 from Darren Tucker <dtucker at dtucker.net> --- (In reply to Thomas Koeller from comment #10) [...]> What would qualify as a 'current version', HEAD of git master branch > or some release?Either the most recent release (9.1p1) or git HEAD, whichever you prefer. The main thing is to prevent what is typically a few hundred KB of vendor changes muddying the waters. The release has configure pre-built and doesn't need any fooling with autoconf. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2022-Dec-07 11:44 UTC
[Bug 3507] Cannot get host-based authentication to work
https://bugzilla.mindrot.org/show_bug.cgi?id=3507 --- Comment #12 from Darren Tucker <dtucker at dtucker.net> --- Oh, one other thing that might help: when I wrote the hostbased regress test I put the host setup steps in comments, and you can see the keywords I needed on both client and server sides: https://github.com/openssh/openssh-portable/blob/master/regress/hostbased.sh -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2022-Dec-07 18:30 UTC
[Bug 3507] Cannot get host-based authentication to work
https://bugzilla.mindrot.org/show_bug.cgi?id=3507 --- Comment #13 from Thomas Koeller <thomas at koeller.dyndns.org> --- Created attachment 3631 --> https://bugzilla.mindrot.org/attachment.cgi?id=3631&action=edit OpenSSH_9.1p1 server output -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Dec-07 18:31 UTC
[Bug 3507] Cannot get host-based authentication to work
https://bugzilla.mindrot.org/show_bug.cgi?id=3507 --- Comment #14 from Thomas Koeller <thomas at koeller.dyndns.org> --- Created attachment 3632 --> https://bugzilla.mindrot.org/attachment.cgi?id=3632&action=edit OpenSSH_9.1p1client output -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Dec-07 18:36 UTC
[Bug 3507] Cannot get host-based authentication to work
https://bugzilla.mindrot.org/show_bug.cgi?id=3507 Thomas Koeller <thomas at koeller.dyndns.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #3630|0 |1 is obsolete| | --- Comment #15 from Thomas Koeller <thomas at koeller.dyndns.org> --- Created attachment 3633 --> https://bugzilla.mindrot.org/attachment.cgi?id=3633&action=edit server configuration -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Dec-07 18:37 UTC
[Bug 3507] Cannot get host-based authentication to work
https://bugzilla.mindrot.org/show_bug.cgi?id=3507 Thomas Koeller <thomas at koeller.dyndns.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #3629|0 |1 is obsolete| | --- Comment #16 from Thomas Koeller <thomas at koeller.dyndns.org> --- Created attachment 3634 --> https://bugzilla.mindrot.org/attachment.cgi?id=3634&action=edit client configuration -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Dec-07 18:39 UTC
[Bug 3507] Cannot get host-based authentication to work
https://bugzilla.mindrot.org/show_bug.cgi?id=3507 --- Comment #17 from Thomas Koeller <thomas at koeller.dyndns.org> --- Built OpenSSH 9.1p1 from git sources. Results are virtually identical to those produced previously. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2022-Dec-07 18:51 UTC
[Bug 3507] Cannot get host-based authentication to work
https://bugzilla.mindrot.org/show_bug.cgi?id=3507 --- Comment #18 from Thomas Koeller <thomas at koeller.dyndns.org> --- (In reply to Darren Tucker from comment #12)> Oh, one other thing that might help: when I wrote the hostbased > regress test I put the host setup steps in comments, and you can see > the keywords I needed on both client and server sides: > > https://github.com/openssh/openssh-portable/blob/master/regress/ > hostbased.sh- 'EnableSSHKeysign yes' is set, see attached config file - shosts.equiv originally contained just a single '+' on a line by itself. I changed that to the host's fqdn 'sarkovy.koeller.dyndns.org', which did not make any difference. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Dec-07 22:11 UTC
[Bug 3507] Cannot get host-based authentication to work
https://bugzilla.mindrot.org/show_bug.cgi?id=3507 Iain Morgan <imorgan at nas.nasa.gov> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |imorgan at nas.nasa.gov --- Comment #19 from Iain Morgan <imorgan at nas.nasa.gov> --- This looks like a client-side issue to me. The client logs indicate that no host based authentication packet was sent. Since EnableSSHKeysign is set in the ssh_config, this probably means that the permissions are incorrect on either the ssh-keyskgn executable or the private host keys. Note that on Red Hat, ssh-keyskgn is normally setgid to group ssh_keys, and the private keys are expected to be readable by that group. Whereas, stock OpenSSH expects the private keys to be readable only by root and thus ssh-keyskgn should be setuid root. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2022-Dec-08 00:32 UTC
[Bug 3507] Cannot get host-based authentication to work
https://bugzilla.mindrot.org/show_bug.cgi?id=3507 --- Comment #20 from Thomas Koeller <thomas at koeller.dyndns.org> --- (In reply to Iain Morgan from comment #19)> This looks like a client-side issue to me. > > The client logs indicate that no host based authentication packet > was sent. Since EnableSSHKeysign is set in the ssh_config, this > probably means that the permissions are incorrect on either the > ssh-keyskgn executable or the private host keys. > > Note that on Red Hat, ssh-keyskgn is normally setgid to group > ssh_keys, and the private keys are expected to be readable by that > group. Whereas, stock OpenSSH expects the private keys to be > readable only by root and thus ssh-keyskgn should be setuid root.This is correct, I figured that out, too: [root at sarkovy ssh]# ls -l /usr/libexec/openssh/ssh-keysign -r-xr-sr-x. 1 root ssh_keys 326064 29. Sep 13:45 /usr/libexec/openssh/ssh-keysign So I reset the permissions on the key accordingly: [root at sarkovy ssh]# ls -l /etc/ssh/ssh_host_ed25519_key -rw-r-----. 1 root ssh_keys 419 6. Dez 23:11 /etc/ssh/ssh_host_ed25519_key This did not help, and anyway, a fresh build of OpenSSH 9.1p1 exhibits the same behavior. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Dec-08 01:16 UTC
[Bug 3507] Cannot get host-based authentication to work
https://bugzilla.mindrot.org/show_bug.cgi?id=3507 --- Comment #21 from Darren Tucker <dtucker at dtucker.net> --- Created attachment 3635 --> https://bugzilla.mindrot.org/attachment.cgi?id=3635&action=edit Add server side debugging for hostbased auth Please rerun the test after applying this patch, which will add some debugging to the server side, and attach the server side log here. (Only the server output will change so there's no need to include the client side from this.) -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2022-Dec-08 01:39 UTC
[Bug 3507] Cannot get host-based authentication to work
https://bugzilla.mindrot.org/show_bug.cgi?id=3507 --- Comment #22 from Darren Tucker <dtucker at dtucker.net> --- Created attachment 3636 --> https://bugzilla.mindrot.org/attachment.cgi?id=3636&action=edit Working example sshd log for comparison I built a separate installation with this additional debugging, its own keys and set up hostbased on it. I have the following config files in ${prefix}/etc/: sshd_config: HostbasedAuthentication yes HostbasedUsesNameFromPacketOnly yes AuthorizedKeysFile /dev/null ssh_config: EnableSSHKeySign yes HostbasedAuthentication yes PreferredAuthentications hostbased shosts.equiv: gate.dtucker.net ssh_known_hosts: gate.dtucker.net ssh-ed25519 [...] and I'm attaching the logs for comparison. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Dec-08 01:39 UTC
[Bug 3507] Cannot get host-based authentication to work
https://bugzilla.mindrot.org/show_bug.cgi?id=3507 --- Comment #23 from Darren Tucker <dtucker at dtucker.net> --- Created attachment 3637 --> https://bugzilla.mindrot.org/attachment.cgi?id=3637&action=edit Working example ssh log. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Dec-08 07:46 UTC
[Bug 3507] Cannot get host-based authentication to work
https://bugzilla.mindrot.org/show_bug.cgi?id=3507 --- Comment #24 from Darren Tucker <dtucker at dtucker.net> --- Comparing working and non-working, the working example has the following, which is missing from the non-working one: debug2: hostbased key 4: ecdsa-sha2-nistp256 key from "/opt/openssh-9.1p1/etc/ssh_host_ecdsa_key" debug2: hostbased key 5: ssh-ed25519 key from "/opt/openssh-9.1p1/etc/ssh_host_ed25519_key" debug2: hostbased key 6: ssh-rsa key from "/opt/openssh-9.1p1/etc/ssh_host_rsa_key" Later, you have: order_hostkeyalgs: have matching best-preference key type ssh-ed25519-cert-v01 at openssh.com, using HostkeyAlgorithms verbatim Your host key is a cert? If so, does it work if you use a plain ed25519 host key? -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Dec-08 08:21 UTC
[Bug 3507] Cannot get host-based authentication to work
https://bugzilla.mindrot.org/show_bug.cgi?id=3507 --- Comment #25 from Darren Tucker <dtucker at dtucker.net> --- (In reply to Darren Tucker from comment #24)> Comparing working and non-working, the working example has the > following, which is missing from the non-working one: > debug2: hostbased key 4: ecdsa-sha2-nistp256 key from > "/opt/openssh-9.1p1/etc/ssh_host_ecdsa_key"These loads are in ssh.c and are gated by "if (options.hostbased_authentication)" and do include certificates. I'd suggest: - checking that HostbasedAuthentication isn't disabled someplace, eg, a user config file ( check the effective setting with "ssh -G yourserver | grep hostbased"). - checking that the public portion of host keys are readable by unprivileged users (since this is done in the client). -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2022-Dec-08 09:18 UTC
[Bug 3507] Cannot get host-based authentication to work
https://bugzilla.mindrot.org/show_bug.cgi?id=3507 Darren Tucker <dtucker at dtucker.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #3635|0 |1 is obsolete| | --- Comment #26 from Darren Tucker <dtucker at dtucker.net> --- Created attachment 3638 --> https://bugzilla.mindrot.org/attachment.cgi?id=3638&action=edit Add more server side debugging for hostbased auth -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Dec-08 14:03 UTC
[Bug 3507] Cannot get host-based authentication to work
https://bugzilla.mindrot.org/show_bug.cgi?id=3507 --- Comment #27 from Thomas Koeller <thomas at koeller.dyndns.org> --- (In reply to Darren Tucker from comment #24)> Your host key is a cert? If so, does it work if you use a plain > ed25519 host key?No it's just a plain key. I included ssh-ed25519-cert-v01 at openssh.com only because I plan to use a cert in the future. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Dec-08 14:09 UTC
[Bug 3507] Cannot get host-based authentication to work
https://bugzilla.mindrot.org/show_bug.cgi?id=3507 Thomas Koeller <thomas at koeller.dyndns.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #3631|0 |1 is obsolete| | --- Comment #28 from Thomas Koeller <thomas at koeller.dyndns.org> --- Created attachment 3639 --> https://bugzilla.mindrot.org/attachment.cgi?id=3639&action=edit sshd output /w debug patch applied Patch applied. AFAICT none of the debug statements produced any output. I agree with Ian Morgan that it is most likely a client-side issue. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Dec-08 14:20 UTC
[Bug 3507] Cannot get host-based authentication to work
https://bugzilla.mindrot.org/show_bug.cgi?id=3507 --- Comment #29 from Thomas Koeller <thomas at koeller.dyndns.org> --- (In reply to Darren Tucker from comment #24)> Comparing working and non-working, the working example has the > following, which is missing from the non-working one: > debug2: hostbased key 4: ecdsa-sha2-nistp256 key from > "/opt/openssh-9.1p1/etc/ssh_host_ecdsa_key" > debug2: hostbased key 5: ssh-ed25519 key from > "/opt/openssh-9.1p1/etc/ssh_host_ed25519_key" > debug2: hostbased key 6: ssh-rsa key from > "/opt/openssh-9.1p1/etc/ssh_host_rsa_key"These keys do not exist, as I am not using them. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Dec-08 14:38 UTC
[Bug 3507] Cannot get host-based authentication to work
https://bugzilla.mindrot.org/show_bug.cgi?id=3507 Thomas Koeller <thomas at koeller.dyndns.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |INVALID --- Comment #30 from Thomas Koeller <thomas at koeller.dyndns.org> --- I finally found the reason for the problem, a rather trivial one: I failed to install the public host key. Sorry for all the fuzz. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2022-Dec-08 23:07 UTC
[Bug 3507] Cannot get host-based authentication to work
https://bugzilla.mindrot.org/show_bug.cgi?id=3507 --- Comment #31 from Darren Tucker <dtucker at dtucker.net> --- (In reply to Thomas Koeller from comment #30)> I finally found the reason for the problem, a rather trivial one: > I failed to install the public host key. Sorry for all the fuzz.The second version of that patch should have had a warning about that in the debug output: debug1: Connection established. debug1: HostbasedAuthentication enabled but no keys could be loaded. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2022-Dec-09 00:31 UTC
[Bug 3507] Cannot get host-based authentication to work
https://bugzilla.mindrot.org/show_bug.cgi?id=3507 Darren Tucker <dtucker at dtucker.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #3633|application/octet-stream |text/plain mime type| | -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2023-Mar-17 02:39 UTC
[Bug 3507] Cannot get host-based authentication to work
https://bugzilla.mindrot.org/show_bug.cgi?id=3507 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED --- Comment #32 from Damien Miller <djm at mindrot.org> --- OpenSSH 9.3 has been released. Close resolved bugs -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.