bugzilla-daemon at mindrot.org
2023-Sep-20 12:30 UTC
[Bug 3615] New: Host Based Authentication is failing
https://bugzilla.mindrot.org/show_bug.cgi?id=3615

Bug ID: 3615
Summary: Host Based Authentication is failing
Product: Portable OpenSSH
Version: 9.4p1
Hardware: Other
OS: Linux
Status: NEW
Severity: critical
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: tunerooster at gmail.com

I don't suppose that I have really encountered a bug, but I have meticulously set up everything that the documentation describes to use host based authentication, but I cannot get it to work. I don't know if this is the right place to get help, given that it is likely something wrong with my configuration. If not, I am hopeful that you can at least point me to the appropriate place.

I am running OpenSSH_9.4p1, OpenSSL 3.1.2 1 Aug 2023 on Gentoo Linux.

If you are willing to help me, I will send all the config file information and debug output (showing failures I cannot resolve) from ssh and sshd.

Thank you kindly!

--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2023-Sep-20 12:45 UTC
[Bug 3615] Host Based Authentication is failing
https://bugzilla.mindrot.org/show_bug.cgi?id=3615

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net

--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
Please attach a client side debug trace (ssh -vvv -p 1023 yourserver) and server side (/path/to/sshd -ddde -p 1023) traces.

Hostbased is particularly picky about name resolution, you may need to add HostbasedAuthentication=yes (client side) and HostbasedUsesNameFromPacketOnly=yes (server side).
bugzilla-daemon at mindrot.org
2023-Sep-21 03:22 UTC
[Bug 3615] Host Based Authentication is failing
https://bugzilla.mindrot.org/show_bug.cgi?id=3615

--- Comment #2 from Richard Kreutzer <tunerooster at gmail.com> ---
Created attachment 3731
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3731&action=edit
Requested debug/config information
bugzilla-daemon at mindrot.org
2023-Sep-21 03:23 UTC
[Bug 3615] Host Based Authentication is failing
https://bugzilla.mindrot.org/show_bug.cgi?id=3615

--- Comment #3 from Richard Kreutzer <tunerooster at gmail.com> ---
Thank you so much for your help. Let me know if there is anything else you need.
bugzilla-daemon at mindrot.org
2023-Sep-21 03:27 UTC
[Bug 3615] Host Based Authentication is failing
https://bugzilla.mindrot.org/show_bug.cgi?id=3615

--- Comment #4 from Richard Kreutzer <tunerooster at gmail.com> ---
Created attachment 3732
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3732&action=edit
Resend... Use this one...
bugzilla-daemon at mindrot.org
2023-Sep-21 03:32 UTC
[Bug 3615] Host Based Authentication is failing
https://bugzilla.mindrot.org/show_bug.cgi?id=3615

--- Comment #5 from Darren Tucker <dtucker at dtucker.net> ---
Comment on attachment 3731
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3731
Requested debug/config information

[...]
> debug1: check_key_in_hostfiles: key for host basement-gentoo.krautclan.com not found
> debug1: temporarily_use_uid: 1000/1000 (e=0/0)
> debug1: load_hostkeys: fopen /home/rwk/.ssh/known_hosts2: No such file or directory
> debug1: restore_uid: 0/0
> debug1: check_key_in_hostfiles: key for host basement-gentoo.krautclan.com not found
> debug3: mm_answer_keyallowed: hostbased authentication test: RSA key is not allowed
> Failed hostbased for rwk from 192.168.1.17 port 47186 ssh2: RSA SHA256:SaZOSakVXi3jdv18gjAEF67qvHHkNmroGZQHpYanN/o, client user "rwk", client host "basement-gentoo.krautclan.com"

This looks like your problem: the server does not have the host key for the client in any of its known_hosts files under the name "basement-gentoo.krautclan.com". If you want to use this for more than one user you probably want to put it in the system-wide ssh_known_hosts file.

[...]
> debug1: Authentications that can continue: publickey,password,hostbased
> debug3: start over, passed a different list publickey,password,hostbased
> debug3: preferred hostbased,publickey,keyboard-interactive,password

While you're testing you might want to add -o PreferredAuthentications=hostbased to your ssh command line. That will stop it trying to use the other auth methods and make it easier to read the debug output.
bugzilla-daemon at mindrot.org
2023-Sep-21 07:56 UTC
[Bug 3615] Host Based Authentication is failing
https://bugzilla.mindrot.org/show_bug.cgi?id=3615

--- Comment #6 from Richard Kreutzer <tunerooster at gmail.com> ---
As you can see from the attachment, the system wide server "ssh_known_hosts" file "/etc/ssh/ssh_known_hosts" contains:

ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAy......XS3md3R0NHMLQWw31fNw4w+yrp9QnZ9Q root@basement-gentoo
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKFcXDLipuVO......aWlJ6xQJhC root@basement-gentoo
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCfedQjNbC4......yxew4wj8afDkuQHS8AtZ8 root@basement-gentoo

Are you saying it should be:

ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAy......XS3md3R0NHMLQWw31fNw4w+yrp9QnZ9Q root@basement-gentoo.krautclan.com
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKFcXDLipuVO......aWlJ6xQJhC root@basement-gentoo.krautclan.com
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCfedQjNbC4......yxew4wj8afDkuQHS8AtZ8 root@basement-gentoo.krautclan.com

I.e., with "root@basement-gentoo.krautclan.com" instead of just "root@basement-gentoo"? I always thought that these were just comments so one would know where they came from.

In any case I changed ssh_known_hosts on the server with the added domain name. Now when I run:

"ssh -vvv -o PreferredAuthentications=hostbased gemini pwd"

I just get:

"rwk@gemini: Permission denied (publickey,password,hostbased)."

Attached is the new server side debug output, and it contains the same "Failed" message. I must be misunderstanding something about what you are saying.

Would it be safe to post here my public keys from the client (e.g., /etc/ssh/ssh_host_ed25519_key.pub) and my /etc/ssh/ssh_known_hosts file from the server? Those are the files involved, right?
bugzilla-daemon at mindrot.org
2023-Sep-21 08:00 UTC
[Bug 3615] Host Based Authentication is failing
https://bugzilla.mindrot.org/show_bug.cgi?id=3615

--- Comment #7 from Richard Kreutzer <tunerooster at gmail.com> ---
Created attachment 3733
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3733&action=edit
Second sshd debug output

Second server side debug output from: /usr/sbin/sshd -dddep 1023
bugzilla-daemon at mindrot.org
2023-Sep-21 08:03 UTC
[Bug 3615] Host Based Authentication is failing
https://bugzilla.mindrot.org/show_bug.cgi?id=3615

--- Comment #8 from Richard Kreutzer <tunerooster at gmail.com> ---
What do these debug lines mean:

debug3: mm_answer_keyallowed: hostbased authentication test: ED25519 key is not allowed
debug3: mm_answer_keyallowed: hostbased authentication test: ECDSA key is not allowed
debug3: mm_answer_keyallowed: hostbased authentication test: RSA key is not allowed
bugzilla-daemon at mindrot.org
2023-Sep-21 09:20 UTC
[Bug 3615] Host Based Authentication is failing
https://bugzilla.mindrot.org/show_bug.cgi?id=3615

--- Comment #9 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to Richard Kreutzer from comment #6)
> As you can see from the attachment, the system wide server
> "ssh_known_hosts" file "/etc/ssh/ssh_known_hosts" contains:
[...]
> I.e., with "root@basement-gentoo.krautclan.com" instead of just
> "root@basement-gentoo"?

No, the hostname is at the start of the line and yours are missing, so:

basement-gentoo.krautclan.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCfedQjNbC4......yxew4wj8afDkuQHS8AtZ8 root@basement-gentoo.krautclan.com

from sshd(8): SSH_KNOWN_HOSTS FILE FORMAT section:

Each line in these files contains the following fields: marker (optional), hostnames, key type, base64-encoded key, comment. The fields are separated by spaces.

> I always thought that these were just comments

The parts at the end are comments.

> Attached is the new server side debug output, and it contains the
> same "Failed" message. I must be misunderstanding something about
> what you are saying. Would it be safe to post here my public keys
> from the client (e.g., /etc/ssh/ssh_host_ed25519_key.pub) and my
> /etc/ssh/ssh_known_hosts file from the server?

It should be safe since they're public keys, I wouldn't unless you need to and you don't need to.

> Those are the files involved, right?

Yes. You would need to add the hostname before the contents of the .pub file then put it in known_hosts.
bugzilla-daemon at mindrot.org
2023-Sep-21 09:24 UTC
[Bug 3615] Host Based Authentication is failing
https://bugzilla.mindrot.org/show_bug.cgi?id=3615

--- Comment #10 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to Richard Kreutzer from comment #8)
> What do these debug lines mean:
> debug3: mm_answer_keyallowed: hostbased authentication test: ED25519
> key is not allowed

It means the key offered by the client was not accepted by the server, probably because of the ssh_known_hosts format problem I mentioned above.
bugzilla-daemon at mindrot.org
2023-Sep-22 00:41 UTC
[Bug 3615] Host Based Authentication is failing
https://bugzilla.mindrot.org/show_bug.cgi?id=3615

--- Comment #11 from Richard Kreutzer <tunerooster at gmail.com> ---
Well, the keys were all generated by: "ssh-keygen -A". I just re-ran it and it did not put host names at the start of the keys. I will add fully qualified domain names to the .pub files manually and retry. Is this an issue? Why isn't ssh-keygen creating public keys in the required format?

Also, the public keys *do* work for the user based keys in ~rwk/.ssh/. User based passwordless authentication has always worked fine. I am trying to switch to host based because the maintenance of many machines with many users all needing to have script access to each other is just too cumbersome.

I will update you after testing with FQDN at the head of each public key.

Thank you for your continued and prompt replies!
bugzilla-daemon at mindrot.org
2023-Sep-22 01:12 UTC
[Bug 3615] Host Based Authentication is failing
https://bugzilla.mindrot.org/show_bug.cgi?id=3615

--- Comment #12 from Richard Kreutzer <tunerooster at gmail.com> ---
OK, for the sake of simplicity, I have tested with rsa only...

Here is basement-gentoo:/etc/ssh/ssh_host_rsa_key.pub

basement-gentoo.krautclan.com ssh-rsa [...] root@basement-gentoo

Here is gemini:/etc/ssh/ssh_known_hosts

basement-gentoo.krautclan.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDOCSF+Ne8C8xgar9DTNn8iTJETkv4SLHooY6qvQ5p7AeHiKSYhh1H4D65jtHUEb1jfuQltqWdHNu4z+GtMY6tJYwtbWwJcLs1mK7kHaFa3/84HsbnCfWUywHmK3kjRNmCwzYVZ2bhe2tJ+LvbgaC6FbXEZXkx924hzIcrXc3V53zWl8jgApS7bZV8fJ+P6sQk3fqybECU/xBTeFhL3c8tO0r8z212OQbqYWL+fRQVXszJz4OpTIP9E0mmgi7/jryLiwNTY+uBbWBA/69QGQPbEEhmbUf2wYh0nT7v+ZdTHJuP4XhIvzgVf6zRgFJ6L8ReJZWzRxj+QRFYgHOgSPZ9ARV51qLvmByVrLiVxeTxKNvsQ/OF9CPF5rjhmR8JNUDRK4ww4wHM2ALOrfTC3Ow2sBfl6Clh5H+2jr1YYUR1I8mv0TwMrwno5WcJrdNmBZ+A4mVqfj0FRsLUywu4ykfpfsmxN/Dt5M8y49I4Du33FpzsAOGubd3PEZdcyZiYsRQ8 root@basement-gentoo

Running this on basement-gentoo:

ssh -p 1023 -o PreferredAuthentications=hostbased gemini pwd

And this on gemini:

/usr/sbin/sshd -dddep 1023

I get this from the server debug output:

debug3: fd 4 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 7 config len 3337
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug3: recv_rexec_state: entering fd = 5
debug3: ssh_msg_recv entering
debug3: recv_rexec_state: done
debug2: parse_server_config_depth: config rexec len 3337
debug3: rexec:15 setting AddressFamily inet
debug3: rexec:19 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: rexec:20 setting HostKey /etc/ssh/ssh_host_dsa_key
debug3: rexec:21 setting HostKey /etc/ssh/ssh_host_ecdsa_key
debug3: rexec:22 setting HostKey /etc/ssh/ssh_host_ed25519_key
debug3: rexec:34 setting PermitRootLogin yes
debug3: rexec:53 setting HostbasedAuthentication yes
debug3: rexec:54 setting HostbasedUsesNameFromPacketOnly yes
debug3: rexec:58 setting IgnoreRhosts no
debug3: rexec:66 setting ChallengeResponseAuthentication no
debug3: rexec:87 setting UsePAM yes
debug3: rexec:92 setting X11Forwarding yes
debug3: rexec:93 setting X11DisplayOffset 10
debug3: rexec:94 setting X11UseLocalhost yes
debug3: rexec:96 setting PrintMotd no
debug3: rexec:97 setting PrintLastLog no
debug3: rexec:114 setting Subsystem sftp /usr/lib64/misc/sftp-server
debug3: rexec:124 setting AcceptEnv LANG LC_*
debug3: rexec:126 setting UseDNS yes
debug1: sshd version OpenSSH_9.4, OpenSSL 3.1.2 1 Aug 2023
debug1: private host key #0: ssh-rsa SHA256:RBjUkH7i6jeYKf3M6UdiArktuWuxFQxkbbd3RNkYmTc
debug1: private host key #1: ssh-dss SHA256:QCavFBV4tIu+5+hai4IGqFZIF1hxkCTsagLiE05LlkQ
debug1: private host key #2: ecdsa-sha2-nistp256 SHA256:kJT1D+9lFXkt7xG/8Ix1eHQx0SYVqyU5K+euSHHX+vE
debug1: private host key #3: ssh-ed25519 SHA256:sHM5dcf+1bWQpNjiA5x+kkhWpMO5EdMIfh7TqeTHcY8
debug1: inetd sockets after dupping: 3, 3
debug3: process_channel_timeouts: setting 0 timeouts
debug3: channel_clear_timeouts: clearing
Connection from 192.168.1.17 port 46500 on 192.168.1.101 port 1023 rdomain ""
debug1: Local version string SSH-2.0-OpenSSH_9.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.4
debug1: compat_banner: match: OpenSSH_9.4 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug3: ssh_sandbox_init: preparing seccomp filter sandbox
debug2: Network child is on pid 18370
debug3: preauth child monitor started
debug3: privsep user:group 22:22 [preauth]
debug1: permanently_set_uid: 22/22 [preauth]
debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth]
debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
debug3: append_hostkey_type: ssh-rsa key not permitted by HostkeyAlgorithms [preauth]
debug3: append_hostkey_type: ssh-dss key not permitted by HostkeyAlgorithms [preauth]
debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug3: send packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug3: receive packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug2: local server KEXINIT proposal [preauth]
debug2: KEX algorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 [preauth]
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: compression ctos: none,zlib@openssh.com [preauth]
debug2: compression stoc: none,zlib@openssh.com [preauth]
debug2: languages ctos:  [preauth]
debug2: languages stoc:  [preauth]
debug2: first_kex_follows 0  [preauth]
debug2: reserved 0  [preauth]
debug2: peer client KEXINIT proposal [preauth]
debug2: KEX algorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c [preauth]
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256 [preauth]
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: compression ctos: none,zlib@openssh.com,zlib [preauth]
debug2: compression stoc: none,zlib@openssh.com,zlib [preauth]
debug2: languages ctos:  [preauth]
debug2: languages stoc:  [preauth]
debug2: first_kex_follows 0  [preauth]
debug2: reserved 0  [preauth]
debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com [preauth]
debug1: kex: host key algorithm: ssh-ed25519 [preauth]
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug3: receive packet: type 30 [preauth]
debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth]
debug3: mm_sshkey_sign: entering [preauth]
debug3: mm_request_send: entering, type 6 [preauth]
debug3: mm_sshkey_sign: waiting for MONITOR_ANS_SIGN [preauth]
debug3: mm_request_receive_expect: entering, type 7 [preauth]
debug3: mm_request_receive: entering [preauth]
debug3: mm_request_receive: entering
debug3: monitor_read: checking request 6
debug3: mm_answer_sign: entering
debug3: mm_answer_sign: ssh-ed25519 KEX signature len=83
debug3: mm_request_send: entering, type 7
debug2: monitor_read: 6 used once, disabling now
debug3: send packet: type 31 [preauth]
debug3: send packet: type 21 [preauth]
debug2: ssh_set_newkeys: mode 1 [preauth]
debug1: rekey out after 134217728 blocks [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: Sending SSH2_MSG_EXT_INFO [preauth]
debug3: send packet: type 7 [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug3: receive packet: type 21 [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug2: ssh_set_newkeys: mode 0 [preauth]
debug1: rekey in after 134217728 blocks [preauth]
debug1: KEX done [preauth]
debug3: receive packet: type 5 [preauth]
debug3: send packet: type 6 [preauth]
debug3: receive packet: type 50 [preauth]
debug1: userauth-request for user rwk service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug3: mm_getpwnamallow: entering [preauth]
debug3: mm_request_send: entering, type 8 [preauth]
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
debug3: mm_request_receive_expect: entering, type 9 [preauth]
debug3: mm_request_receive: entering [preauth]
debug3: mm_request_receive: entering
debug3: monitor_read: checking request 8
debug3: mm_answer_pwnamallow: entering
debug3: Trying to reverse map address 192.168.1.17.
debug2: parse_server_config_depth: config reprocess config len 3337
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send: entering, type 9
debug2: monitor_read: 8 used once, disabling now
debug3: process_channel_timeouts: setting 0 timeouts [preauth]
debug3: channel_clear_timeouts: clearing [preauth]
debug2: input_userauth_request: setting up authctxt for rwk [preauth]
debug3: mm_start_pam entering [preauth]
debug3: mm_request_send: entering, type 100 [preauth]
debug3: mm_inform_authserv: entering [preauth]
debug3: mm_request_send: entering, type 4 [preauth]
debug2: input_userauth_request: try method none [preauth]
debug3: user_specific_delay: user specific delay 0.000ms [preauth]
debug3: ensure_minimum_time_since: elapsed 6.643ms, delaying 0.551ms (requested 7.194ms) [preauth]
debug3: mm_request_receive: entering
debug3: monitor_read: checking request 100
debug1: PAM: initializing for "rwk"
debug1: PAM: setting PAM_RHOST to "basement-gentoo.krautclan.com"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 100 used once, disabling now
debug3: userauth_finish: failure partial=0 next methods="publickey,password,hostbased" [preauth]
debug3: send packet: type 51 [preauth]
Connection closed by authenticating user rwk 192.168.1.17 port 46500 [preauth]
debug1: do_cleanup [preauth]
debug3: PAM: sshpam_thread_cleanup entering [preauth]
debug1: monitor_read_log: child log fd closed
debug3: mm_request_receive: entering
debug3: monitor_read: checking request 4
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive: entering
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: Killing privsep child 18370

And basement-gentoo just says:

rwk@basement-gentoo /etc/ssh $ ssh -p 1023 -o PreferredAuthentications=hostbased gemini pwd
rwk@gemini: Permission denied (publickey,password,hostbased).

NOTE this line in the server debug output above:

debug3: append_hostkey_type: ssh-rsa key not permitted by HostkeyAlgorithms [preauth]
bugzilla-daemon at mindrot.org
2023-Sep-22 01:19 UTC
[Bug 3615] Host Based Authentication is failing
https://bugzilla.mindrot.org/show_bug.cgi?id=3615

--- Comment #13 from Richard Kreutzer <tunerooster at gmail.com> ---
P.S. I am still using:

HostbasedUsesNameFromPacketOnly yes

I thought I read somewhere that this can cause a problem if DNS and rDNS are working properly and UseDNS is yes. Should I remove it?
bugzilla-daemon at mindrot.org
2023-Sep-22 02:34 UTC
[Bug 3615] Host Based Authentication is failing
https://bugzilla.mindrot.org/show_bug.cgi?id=3615

--- Comment #14 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to Richard Kreutzer from comment #12)
> OK, for the sake of simplicity, I have tested with rsa only...
>
> Here is basement-gentoo:/etc/ssh/ssh_host_rsa_key.pub
> basement-gentoo.krautclan.com ssh-rsa [...]

That's wrong, the host public keys don't have the name in them, only when you add them to known_hosts. I'm not sure if that'll actually cause a problem since the public key can be derived from the private key, but still I'd change it back...

> Here is gemini:/etc/ssh/ssh_known_hosts
>
> basement-gentoo.krautclan.com ssh-rsa [...]

This format is right.

It's hard to tell what happened without the client side debugging, but it looks like the client did not try hostbased for some reason.

> debug3: append_hostkey_type: ssh-rsa key not permitted by
> HostkeyAlgorithms [preauth]

That's a wrinkle: ssh-rsa *keys* are also usable by the SHA2-based RSA *algorithms* such as rsa-sha2-512 which are enabled by default. It is one more variable though.

Here's what I suggest to reduce the number of variables:
- test only with ssh-ed25519 keys since those have only one algorithm
- keep HostbasedUsesNameFromPacketOnly yes and PreferredAuthentications=hostbased
- put two entries in ssh_known_hosts for your FQDN both with and without a trailing dot
- always use the FQDN on the SSH command line, since "ssh ... gemini" would likely mean you're sending it without the domain name, and since you have HostBasedUsesNameFromPacket that won't match the ssh_known_hosts entry (again, without the client side debugging it's hard to tell).

then once you get it working, start changing one thing at a time until you get it to the config you want (eg by adding "Hostname $your_fqdn" to your ~/.ssh/config).
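An added check for the ssh_known_hosts format explained in comments #9 and #14 (example code written for this page, not OpenSSH's own): it parses lines the way sshd(8) describes them, reports whether a client hostname would be found (the check_key_in_hostfiles lookup that failed above), flags the reporter's mistake of a line that starts with the key type, and builds entries from a host's .pub files with and without the trailing dot. Hostnames and the key blob are constructed, and it also handles the comma-separated, wildcard, negated and hashed hostname forms the format allows, which the thread does not go into.

```python
"""Check an ssh_known_hosts file the way sshd does for hostbased auth.
Example code for this thread, not OpenSSH's own. Parses the line format
sshd(8) documents (optional marker, hostnames, key type, base64 key,
comment). Hostnames and the key blob used below are constructed."""
import base64
import fnmatch
import hashlib
import hmac

# Constructed: a syntactically valid ssh-ed25519 blob holding an all-zero key.
FAKE_KEY = base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(32)).decode()
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")


def parse_line(line):
    """Return (marker, hostnames, keytype, key, comment); None for blank/# lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    marker = None
    fields = line.split(None, 3)
    if fields[0].startswith("@"):  # @cert-authority or @revoked marker
        marker = fields[0]
        fields = line.split(None, 4)[1:]
    if len(fields) < 3:
        raise ValueError("malformed known_hosts line: %r" % line)
    comment = fields[3] if len(fields) > 3 else ""
    return marker, fields[0], fields[1], fields[2], comment


def hash_hostname(hostname, salt):
    """The |1|salt|hash form ssh-keygen -H writes: HMAC-SHA1 keyed with salt."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


def hostname_matches(patterns, hostname):
    """Match against the comma-separated hostnames field: plain names, * and ?
    wildcards, !negation and hashed entries. Case-insensitive; a trailing dot
    is significant, hence the with/without-dot entries in the thread."""
    matched = False
    for pat in patterns.split(","):
        if pat.startswith("|1|"):
            salt = base64.b64decode(pat.split("|")[2])
            if hmac.compare_digest(hash_hostname(hostname, salt), pat):
                matched = True
            continue
        negate = pat.startswith("!")
        if negate:
            pat = pat[1:]
        if fnmatch.fnmatchcase(hostname.lower(), pat.lower()):
            if negate:
                return False  # a negated match vetoes the whole line
            matched = True
    return matched


def find_host_keys(known_hosts_text, hostname):
    """Keys the server would accept for `hostname`, as check_key_in_hostfiles
    looks them up. Marker lines are skipped: hostbased uses plain host keys."""
    keys = []
    for line in known_hosts_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[0] is not None:
            continue
        _, hostnames, keytype, key, _ = parsed
        if hostname_matches(hostnames, hostname):
            keys.append((keytype, key))
    return keys


def lint_line(line):
    """Problems with one line; the first check catches a .pub line pasted as-is."""
    parsed = parse_line(line)
    if parsed is None:
        return []
    _, hostnames, keytype, key, _ = parsed
    if hostnames.startswith(KEY_TYPE_PREFIXES):
        return ["hostnames field missing: line starts with key type %r" % hostnames]
    if not keytype.startswith(KEY_TYPE_PREFIXES):
        return ["unknown key type %r" % keytype]
    try:
        base64.b64decode(key, validate=True)
    except ValueError:
        return ["key is not valid base64"]
    return []


def known_hosts_lines(hostname, pub_file_text, with_trailing_dot=True):
    """Prefix each .pub line with the client's name (comment #9); with
    with_trailing_dot also emit the FQDN-with-trailing-dot entry (comment #14)."""
    names = [hostname]
    if with_trailing_dot and not hostname.endswith("."):
        names.append(hostname + ".")
    out = []
    for line in pub_file_text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            out.extend("%s %s" % (n, " ".join(fields)) for n in names)
    return out
```

Running lint_line over each line of /etc/ssh/ssh_known_hosts and find_host_keys with the name sshd reports in "key for host ... not found" reproduces the failing lookup offline, without a second sshd -ddd run.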
bugzilla-daemon at mindrot.org
2023-Sep-22 02:47 UTC
[Bug 3615] Host Based Authentication is failing
https://bugzilla.mindrot.org/show_bug.cgi?id=3615

--- Comment #15 from Richard Kreutzer <tunerooster at gmail.com> ---
Ok, here are the logs for both sides. And here is the suggested ssh_known_hosts:

basement-gentoo.krautclan.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL7ScLQVn+2HvNUpLTdmfpKiduxvZS8s1HoHQV8OeOAH root@basement-gentoo
basement-gentoo.krautclan.com. ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL7ScLQVn+2HvNUpLTdmfpKiduxvZS8s1HoHQV8OeOAH root@basement-gentoo

gemini /etc/ssh # /usr/sbin/sshd -dddep 1023
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 3337
debug2: parse_server_config_depth: config /etc/ssh/sshd_config len 3337
debug3: /etc/ssh/sshd_config:15 setting AddressFamily inet
debug3: /etc/ssh/sshd_config:19 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: /etc/ssh/sshd_config:20 setting HostKey /etc/ssh/ssh_host_dsa_key
debug3: /etc/ssh/sshd_config:21 setting HostKey /etc/ssh/ssh_host_ecdsa_key
debug3: /etc/ssh/sshd_config:22 setting HostKey /etc/ssh/ssh_host_ed25519_key
debug3: /etc/ssh/sshd_config:34 setting PermitRootLogin yes
debug3: /etc/ssh/sshd_config:53 setting HostbasedAuthentication yes
debug3: /etc/ssh/sshd_config:54 setting HostbasedUsesNameFromPacketOnly yes
debug3: /etc/ssh/sshd_config:58 setting IgnoreRhosts no
debug3: /etc/ssh/sshd_config:66 setting ChallengeResponseAuthentication no
debug3: /etc/ssh/sshd_config:87 setting UsePAM yes
debug3: /etc/ssh/sshd_config:92 setting X11Forwarding yes
debug3: /etc/ssh/sshd_config:93 setting X11DisplayOffset 10
debug3: /etc/ssh/sshd_config:94 setting X11UseLocalhost yes
debug3: /etc/ssh/sshd_config:96 setting PrintMotd no
debug3: /etc/ssh/sshd_config:97 setting PrintLastLog no
debug3: /etc/ssh/sshd_config:114 setting Subsystem sftp /usr/lib64/misc/sftp-server
debug3: /etc/ssh/sshd_config:124 setting AcceptEnv LANG LC_*
debug3: /etc/ssh/sshd_config:126 setting UseDNS yes
debug1: sshd version OpenSSH_9.4, OpenSSL 3.1.2 1 Aug 2023
debug1: private host key #0: ssh-rsa SHA256:RBjUkH7i6jeYKf3M6UdiArktuWuxFQxkbbd3RNkYmTc
debug1: private host key #1: ssh-dss SHA256:QCavFBV4tIu+5+hai4IGqFZIF1hxkCTsagLiE05LlkQ
debug1: private host key #2: ecdsa-sha2-nistp256 SHA256:kJT1D+9lFXkt7xG/8Ix1eHQx0SYVqyU5K+euSHHX+vE
debug1: private host key #3: ssh-ed25519 SHA256:sHM5dcf+1bWQpNjiA5x+kkhWpMO5EdMIfh7TqeTHcY8
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-dddep'
debug1: rexec_argv[2]='1023'
debug3: oom_adjust_setup
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 1023 on 0.0.0.0.
Server listening on 0.0.0.0 port 1023.
debug3: fd 4 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 7 config len 3337
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug3: recv_rexec_state: entering fd = 5
debug3: ssh_msg_recv entering
debug3: recv_rexec_state: done
debug2: parse_server_config_depth: config rexec len 3337
debug3: rexec:15 setting AddressFamily inet
debug3: rexec:19 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: rexec:20 setting HostKey /etc/ssh/ssh_host_dsa_key
debug3: rexec:21 setting HostKey /etc/ssh/ssh_host_ecdsa_key
debug3: rexec:22 setting HostKey /etc/ssh/ssh_host_ed25519_key
debug3: rexec:34 setting PermitRootLogin yes
debug3: rexec:53 setting HostbasedAuthentication yes
debug3: rexec:54 setting HostbasedUsesNameFromPacketOnly yes
debug3: rexec:58 setting IgnoreRhosts no
debug3: rexec:66 setting ChallengeResponseAuthentication no
debug3: rexec:87 setting UsePAM yes
debug3: rexec:92 setting X11Forwarding yes
debug3: rexec:93 setting X11DisplayOffset 10
debug3: rexec:94 setting X11UseLocalhost yes
debug3: rexec:96 setting PrintMotd no
debug3: rexec:97 setting PrintLastLog no
debug3: rexec:114 setting Subsystem sftp /usr/lib64/misc/sftp-server
debug3: rexec:124 setting AcceptEnv LANG LC_*
debug3: rexec:126 setting UseDNS yes
debug1: sshd version OpenSSH_9.4, OpenSSL 3.1.2 1 Aug 2023
debug1: private host key #0: ssh-rsa SHA256:RBjUkH7i6jeYKf3M6UdiArktuWuxFQxkbbd3RNkYmTc
debug1: private host key #1: ssh-dss SHA256:QCavFBV4tIu+5+hai4IGqFZIF1hxkCTsagLiE05LlkQ
debug1: private host key #2: ecdsa-sha2-nistp256 SHA256:kJT1D+9lFXkt7xG/8Ix1eHQx0SYVqyU5K+euSHHX+vE
debug1: private host key #3: ssh-ed25519 SHA256:sHM5dcf+1bWQpNjiA5x+kkhWpMO5EdMIfh7TqeTHcY8
debug1: inetd sockets after dupping: 3, 3
debug3: process_channel_timeouts: setting 0 timeouts
debug3: channel_clear_timeouts: clearing
Connection from 192.168.1.17 port 36650 on 192.168.1.101 port 1023 rdomain ""
debug1: Local version string SSH-2.0-OpenSSH_9.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.4
debug1: compat_banner: match: OpenSSH_9.4 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug3: ssh_sandbox_init: preparing seccomp filter sandbox
debug2: Network child is on pid 8428
debug3: preauth child monitor started
debug3: privsep user:group 22:22 [preauth]
debug1: permanently_set_uid: 22/22 [preauth]
debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth]
debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
debug3: append_hostkey_type: ssh-rsa key not permitted by HostkeyAlgorithms [preauth]
debug3: append_hostkey_type: ssh-dss key not permitted by HostkeyAlgorithms [preauth]
debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug3: send packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug3: receive packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug2: local server KEXINIT proposal [preauth]
debug2: KEX algorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 [preauth]
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: compression ctos: none,zlib@openssh.com [preauth]
debug2: compression stoc: none,zlib@openssh.com [preauth]
debug2: languages ctos:  [preauth]
debug2: languages stoc:  [preauth]
debug2: first_kex_follows 0  [preauth]
debug2: reserved 0  [preauth]
debug2: peer client KEXINIT proposal [preauth]
debug2: KEX algorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c [preauth]
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256 [preauth]
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: compression ctos: none,zlib@openssh.com,zlib [preauth]
debug2: compression stoc: none,zlib@openssh.com,zlib [preauth]
debug2: languages ctos:  [preauth]
debug2: languages stoc:  [preauth]
debug2: first_kex_follows 0  [preauth]
debug2: reserved 0  [preauth]
debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com [preauth]
debug1: kex: host key algorithm: ssh-ed25519 [preauth]
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug3: receive packet: type 30 [preauth]
debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth]
debug3: mm_sshkey_sign: entering [preauth]
debug3: mm_request_send: entering, type 6 [preauth]
debug3: mm_sshkey_sign: waiting for MONITOR_ANS_SIGN [preauth] debug3: mm_request_receive_expect: entering, type 7 [preauth] debug3: mm_request_receive: entering [preauth] debug3: mm_request_receive: entering debug3: monitor_read: checking request 6 debug3: mm_answer_sign: entering debug3: mm_answer_sign: ssh-ed25519 KEX signature len=83 debug3: mm_request_send: entering, type 7 debug2: monitor_read: 6 used once, disabling now debug3: send packet: type 31 [preauth] debug3: send packet: type 21 [preauth] debug2: ssh_set_newkeys: mode 1 [preauth] debug1: rekey out after 134217728 blocks [preauth] debug1: SSH2_MSG_NEWKEYS sent [preauth] debug1: Sending SSH2_MSG_EXT_INFO [preauth] debug3: send packet: type 7 [preauth] debug1: expecting SSH2_MSG_NEWKEYS [preauth] debug3: receive packet: type 21 [preauth] debug1: SSH2_MSG_NEWKEYS received [preauth] debug2: ssh_set_newkeys: mode 0 [preauth] debug1: rekey in after 134217728 blocks [preauth] debug1: KEX done [preauth] debug3: receive packet: type 5 [preauth] debug3: send packet: type 6 [preauth] debug3: receive packet: type 50 [preauth] debug1: userauth-request for user rwk service ssh-connection method none [preauth] debug1: attempt 0 failures 0 [preauth] debug3: mm_getpwnamallow: entering [preauth] debug3: mm_request_send: entering, type 8 [preauth] debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth] debug3: mm_request_receive_expect: entering, type 9 [preauth] debug3: mm_request_receive: entering [preauth] debug3: mm_request_receive: entering debug3: monitor_read: checking request 8 debug3: mm_answer_pwnamallow: entering debug3: Trying to reverse map address 192.168.1.17. 
debug2: parse_server_config_depth: config reprocess config len 3337 debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1 debug3: mm_request_send: entering, type 9 debug2: monitor_read: 8 used once, disabling now debug3: process_channel_timeouts: setting 0 timeouts [preauth] debug3: channel_clear_timeouts: clearing [preauth] debug2: input_userauth_request: setting up authctxt for rwk [preauth] debug3: mm_start_pam entering [preauth] debug3: mm_request_send: entering, type 100 [preauth] debug3: mm_inform_authserv: entering [preauth] debug3: mm_request_send: entering, type 4 [preauth] debug2: input_userauth_request: try method none [preauth] debug3: user_specific_delay: user specific delay 0.000ms [preauth] debug3: ensure_minimum_time_since: elapsed 6.612ms, delaying 0.582ms (requested 7.194ms) [preauth] debug3: mm_request_receive: entering debug3: monitor_read: checking request 100 debug1: PAM: initializing for "rwk" debug1: PAM: setting PAM_RHOST to "basement-gentoo.krautclan.com" debug1: PAM: setting PAM_TTY to "ssh" debug2: monitor_read: 100 used once, disabling now debug3: userauth_finish: failure partial=0 next methods="publickey,password,hostbased" [preauth] debug3: send packet: type 51 [preauth] Connection closed by authenticating user rwk 192.168.1.17 port 36650 [preauth] debug1: do_cleanup [preauth] debug3: PAM: sshpam_thread_cleanup entering [preauth] debug1: monitor_read_log: child log fd closed debug3: mm_request_receive: entering debug3: monitor_read: checking request 4 debug3: mm_answer_authserv: service=ssh-connection, styledebug2: monitor_read: 4 used once, disabling now debug3: mm_request_receive: entering debug1: do_cleanup debug1: PAM: cleanup debug3: PAM: sshpam_thread_cleanup entering debug1: Killing privsep child 8428 rwk at basement-gentoo /etc/ssh $ ssh -vvv -p 1023 -o PreferredAuthentications=hostbased gemini.krautclan.com pwd OpenSSH_9.4p1, OpenSSL 3.1.2 1 Aug 2023 debug1: Reading configuration data /etc/ssh/ssh_config debug3: 
/etc/ssh/ssh_config line 51: Including file /etc/ssh/ssh_config.d/9999999gentoo-security.conf depth 0 debug1: Reading configuration data /etc/ssh/ssh_config.d/9999999gentoo-security.conf debug3: /etc/ssh/ssh_config line 51: Including file /etc/ssh/ssh_config.d/9999999gentoo.conf depth 0 debug1: Reading configuration data /etc/ssh/ssh_config.d/9999999gentoo.conf debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/rwk/.ssh/known_hosts' debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/rwk/.ssh/known_hosts2' debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling debug2: resolving "gemini.krautclan.com" port 1023 debug3: resolve_host: lookup gemini.krautclan.com:1023 debug3: ssh_connect_direct: entering debug1: Connecting to gemini.krautclan.com [192.168.1.101] port 1023. debug3: set_sock_tos: set socket 3 IP_TOS 0x48 debug1: Connection established. debug1: HostbasedAuthentication enabled but no local public host keys could be loaded. debug1: identity file /home/rwk/.ssh/id_rsa type 0 debug1: identity file /home/rwk/.ssh/id_rsa-cert type -1 debug1: identity file /home/rwk/.ssh/id_ecdsa type -1 debug1: identity file /home/rwk/.ssh/id_ecdsa-cert type -1 debug1: identity file /home/rwk/.ssh/id_ecdsa_sk type -1 debug1: identity file /home/rwk/.ssh/id_ecdsa_sk-cert type -1 debug1: identity file /home/rwk/.ssh/id_ed25519 type 3 debug1: identity file /home/rwk/.ssh/id_ed25519-cert type -1 debug1: identity file /home/rwk/.ssh/id_ed25519_sk type -1 debug1: identity file /home/rwk/.ssh/id_ed25519_sk-cert type -1 debug1: identity file /home/rwk/.ssh/id_xmss type -1 debug1: identity file /home/rwk/.ssh/id_xmss-cert type -1 debug1: identity file /home/rwk/.ssh/id_dsa type -1 debug1: identity file /home/rwk/.ssh/id_dsa-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_9.4 debug1: Remote protocol version 2.0, remote software version OpenSSH_9.4 debug1: compat_banner: match: OpenSSH_9.4 pat OpenSSH* compat 0x04000000 debug2: 
fd 3 setting O_NONBLOCK debug1: Authenticating to gemini.krautclan.com:1023 as 'rwk' debug3: put_host_port: [gemini.krautclan.com]:1023 debug1: load_hostkeys: fopen /home/rwk/.ssh/known_hosts2: No such file or directory debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory debug3: order_hostkeyalgs: no algorithms matched; accept original debug3: send packet: type 20 debug1: SSH2_MSG_KEXINIT sent debug3: receive packet: type 20 debug1: SSH2_MSG_KEXINIT received debug2: local client KEXINIT proposal debug2: KEX algorithms: sntrup761x25519-sha512 at openssh.com,curve25519-sha256,curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c debug2: host key algorithms: ssh-ed25519-cert-v01 at openssh.com,ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,sk-ssh-ed25519-cert-v01 at openssh.com,sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,rsa-sha2-512-cert-v01 at openssh.com,rsa-sha2-256-cert-v01 at openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519 at openssh.com,sk-ecdsa-sha2-nistp256 at openssh.com,rsa-sha2-512,rsa-sha2-256 debug2: ciphers ctos: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com debug2: ciphers stoc: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com debug2: MACs ctos: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: MACs stoc: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at 
openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: compression ctos: none,zlib at openssh.com,zlib debug2: compression stoc: none,zlib at openssh.com,zlib debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug2: peer server KEXINIT proposal debug2: KEX algorithms: sntrup761x25519-sha512 at openssh.com,curve25519-sha256,curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 debug2: ciphers ctos: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com debug2: ciphers stoc: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com debug2: MACs ctos: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: MACs stoc: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: compression ctos: none,zlib at openssh.com debug2: compression stoc: none,zlib at openssh.com debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: algorithm: sntrup761x25519-sha512 at openssh.com debug1: kex: host key algorithm: ssh-ed25519 debug1: kex: server->client cipher: chacha20-poly1305 at openssh.com MAC: <implicit> compression: none debug1: kex: 
client->server cipher: chacha20-poly1305 at openssh.com MAC: <implicit> compression: none debug3: send packet: type 30 debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug3: receive packet: type 31 debug1: SSH2_MSG_KEX_ECDH_REPLY received debug1: Server host key: ssh-ed25519 SHA256:sHM5dcf+1bWQpNjiA5x+kkhWpMO5EdMIfh7TqeTHcY8 debug2: ssh_krl_from_blob: bad KRL magic header debug3: put_host_port: [192.168.1.101]:1023 debug3: put_host_port: [gemini.krautclan.com]:1023 debug1: load_hostkeys: fopen /home/rwk/.ssh/known_hosts2: No such file or directory debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory debug1: checking without port identifier debug3: record_hostkey: found key type ED25519 in file /home/rwk/.ssh/known_hosts:63 debug3: load_hostkeys_file: loaded 1 keys from gemini.krautclan.com debug1: load_hostkeys: fopen /home/rwk/.ssh/known_hosts2: No such file or directory debug3: record_hostkey: found key type RSA in file /etc/ssh/ssh_known_hosts:1 debug3: record_hostkey: found key type ECDSA in file /etc/ssh/ssh_known_hosts:2 debug3: record_hostkey: found key type ED25519 in file /etc/ssh/ssh_known_hosts:3 debug3: load_hostkeys_file: loaded 3 keys from gemini.krautclan.com debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory debug1: Host 'gemini.krautclan.com' is known and matches the ED25519 host key. 
debug1: Found key in /home/rwk/.ssh/known_hosts:63 debug1: found matching key w/out port debug1: check_host_key: hostkey not known or explicitly trusted: disabling UpdateHostkeys debug3: send packet: type 21 debug2: ssh_set_newkeys: mode 1 debug1: rekey out after 134217728 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug3: receive packet: type 21 debug1: SSH2_MSG_NEWKEYS received debug2: ssh_set_newkeys: mode 0 debug1: rekey in after 134217728 blocks debug3: ssh_get_authentication_socket_path: path '/run/user/1000/keyring/ssh' debug1: get_agent_identities: bound agent to hostkey debug1: get_agent_identities: agent returned 2 keys debug1: Will attempt key: /home/rwk/.ssh/id_rsa RSA SHA256:qqqwwZXoFvDpyWoQcSpcIx3PkvPhR8cFrvNg9enmavo agent debug1: Will attempt key: /home/rwk/.ssh/id_ed25519 ED25519 SHA256:VXeDL5JL/A8x7sJSD0PGVy05eCthkOkwrj3T4ppPYUc agent debug1: Will attempt key: /home/rwk/.ssh/id_ecdsa debug1: Will attempt key: /home/rwk/.ssh/id_ecdsa_sk debug1: Will attempt key: /home/rwk/.ssh/id_ed25519_sk debug1: Will attempt key: /home/rwk/.ssh/id_xmss debug1: Will attempt key: /home/rwk/.ssh/id_dsa debug2: pubkey_prepare: done debug3: send packet: type 5 debug3: receive packet: type 7 debug1: SSH2_MSG_EXT_INFO received debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519 at openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256 at openssh.com,webauthn-sk-ecdsa-sha2-nistp256 at openssh.com,ssh-dss,ssh-rsa,rsa-sha2-256,rsa-sha2-512> debug1: kex_input_ext_info: publickey-hostbound at openssh.com=<0> debug3: receive packet: type 6 debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug3: send packet: type 50 debug3: receive packet: type 51 debug1: Authentications that can continue: publickey,password,hostbased debug3: start over, passed a different list publickey,password,hostbased debug3: preferred hostbased debug3: authmethod_lookup hostbased debug3: 
remaining preferred: debug3: authmethod_is_enabled hostbased debug1: Next authentication method: hostbased debug3: userauth_hostbased: trying key type ssh-ed25519-cert-v01 at openssh.com debug3: userauth_hostbased: trying key type ecdsa-sha2-nistp256-cert-v01 at openssh.com debug3: userauth_hostbased: trying key type ecdsa-sha2-nistp384-cert-v01 at openssh.com debug3: userauth_hostbased: trying key type ecdsa-sha2-nistp521-cert-v01 at openssh.com debug3: userauth_hostbased: trying key type sk-ssh-ed25519-cert-v01 at openssh.com debug3: userauth_hostbased: trying key type sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com debug3: userauth_hostbased: trying key type rsa-sha2-512-cert-v01 at openssh.com debug3: userauth_hostbased: trying key type rsa-sha2-256-cert-v01 at openssh.com debug3: userauth_hostbased: trying key type ssh-ed25519 debug3: userauth_hostbased: trying key type ecdsa-sha2-nistp256 debug3: userauth_hostbased: trying key type ecdsa-sha2-nistp384 debug3: userauth_hostbased: trying key type ecdsa-sha2-nistp521 debug3: userauth_hostbased: trying key type sk-ssh-ed25519 at openssh.com debug3: userauth_hostbased: trying key type sk-ecdsa-sha2-nistp256 at openssh.com debug3: userauth_hostbased: trying key type rsa-sha2-512 debug3: userauth_hostbased: trying key type rsa-sha2-256 debug1: No more client hostkeys for hostbased authentication. debug2: we did not send a packet, disable method debug1: No more authentication methods to try. rwk at gemini.krautclan.com: Permission denied (publickey,password,hostbased). P.S. Do you prefer the logs in an attachment? -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2023-Sep-22 02:50 UTC
[Bug 3615] Host Based Authentication is failing
https://bugzilla.mindrot.org/show_bug.cgi?id=3615
--- Comment #16 from Richard Kreutzer <tunerooster at gmail.com> ---
rwk at basement-gentoo /etc/ssh $ ssh -vvv -p 1023 -o PreferredAuthentications=hostbased gemini.krautclan.com pwd
OpenSSH_9.4p1, OpenSSL 3.1.2 1 Aug 2023
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 51: Including file /etc/ssh/ssh_config.d/9999999gentoo-security.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/9999999gentoo-security.conf
debug3: /etc/ssh/ssh_config line 51: Including file /etc/ssh/ssh_config.d/9999999gentoo.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/9999999gentoo.conf
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/rwk/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/rwk/.ssh/known_hosts2'
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug2: resolving "gemini.krautclan.com" port 1023
debug3: resolve_host: lookup gemini.krautclan.com:1023
debug3: ssh_connect_direct: entering
debug1: Connecting to gemini.krautclan.com [192.168.1.101] port 1023.
debug3: set_sock_tos: set socket 3 IP_TOS 0x48
debug1: Connection established.
debug1: HostbasedAuthentication enabled but no local public host keys could be loaded.
debug1: identity file /home/rwk/.ssh/id_rsa type 0
debug1: identity file /home/rwk/.ssh/id_rsa-cert type -1
debug1: identity file /home/rwk/.ssh/id_ecdsa type -1
debug1: identity file /home/rwk/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/rwk/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/rwk/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/rwk/.ssh/id_ed25519 type 3
debug1: identity file /home/rwk/.ssh/id_ed25519-cert type -1
debug1: identity file /home/rwk/.ssh/id_ed25519_sk type -1
debug1: identity file /home/rwk/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/rwk/.ssh/id_xmss type -1
debug1: identity file /home/rwk/.ssh/id_xmss-cert type -1
debug1: identity file /home/rwk/.ssh/id_dsa type -1
debug1: identity file /home/rwk/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.4
debug1: compat_banner: match: OpenSSH_9.4 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to gemini.krautclan.com:1023 as 'rwk'
debug3: put_host_port: [gemini.krautclan.com]:1023
debug1: load_hostkeys: fopen /home/rwk/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: no algorithms matched; accept original
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: sntrup761x25519-sha512 at openssh.com,curve25519-sha256,curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ssh-ed25519-cert-v01 at openssh.com,ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,sk-ssh-ed25519-cert-v01 at openssh.com,sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com,rsa-sha2-512-cert-v01 at openssh.com,rsa-sha2-256-cert-v01 at openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519 at openssh.com,sk-ecdsa-sha2-nistp256 at openssh.com,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com
debug2: ciphers stoc: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com
debug2: MACs ctos: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib at openssh.com,zlib
debug2: compression stoc: none,zlib at openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: sntrup761x25519-sha512 at openssh.com,curve25519-sha256,curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com
debug2: ciphers stoc: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com
debug2: MACs ctos: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib at openssh.com
debug2: compression stoc: none,zlib at openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: sntrup761x25519-sha512 at openssh.com
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305 at openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305 at openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:sHM5dcf+1bWQpNjiA5x+kkhWpMO5EdMIfh7TqeTHcY8
debug2: ssh_krl_from_blob: bad KRL magic header
debug3: put_host_port: [192.168.1.101]:1023
debug3: put_host_port: [gemini.krautclan.com]:1023
debug1: load_hostkeys: fopen /home/rwk/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: checking without port identifier
debug3: record_hostkey: found key type ED25519 in file /home/rwk/.ssh/known_hosts:63
debug3: load_hostkeys_file: loaded 1 keys from gemini.krautclan.com
debug1: load_hostkeys: fopen /home/rwk/.ssh/known_hosts2: No such file or directory
debug3: record_hostkey: found key type RSA in file /etc/ssh/ssh_known_hosts:1
debug3: record_hostkey: found key type ECDSA in file /etc/ssh/ssh_known_hosts:2
debug3: record_hostkey: found key type ED25519 in file /etc/ssh/ssh_known_hosts:3
debug3: load_hostkeys_file: loaded 3 keys from gemini.krautclan.com
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'gemini.krautclan.com' is known and matches the ED25519 host key.
debug1: Found key in /home/rwk/.ssh/known_hosts:63
debug1: found matching key w/out port
debug1: check_host_key: hostkey not known or explicitly trusted: disabling UpdateHostkeys
debug3: send packet: type 21
debug2: ssh_set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: ssh_set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug3: ssh_get_authentication_socket_path: path '/run/user/1000/keyring/ssh'
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 2 keys
debug1: Will attempt key: /home/rwk/.ssh/id_rsa RSA SHA256:qqqwwZXoFvDpyWoQcSpcIx3PkvPhR8cFrvNg9enmavo agent
debug1: Will attempt key: /home/rwk/.ssh/id_ed25519 ED25519 SHA256:VXeDL5JL/A8x7sJSD0PGVy05eCthkOkwrj3T4ppPYUc agent
debug1: Will attempt key: /home/rwk/.ssh/id_ecdsa
debug1: Will attempt key: /home/rwk/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/rwk/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/rwk/.ssh/id_xmss
debug1: Will attempt key: /home/rwk/.ssh/id_dsa
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519 at openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256 at openssh.com,webauthn-sk-ecdsa-sha2-nistp256 at openssh.com,ssh-dss,ssh-rsa,rsa-sha2-256,rsa-sha2-512>
debug1: kex_input_ext_info: publickey-hostbound at openssh.com=<0>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password,hostbased
debug3: start over, passed a different list publickey,password,hostbased
debug3: preferred hostbased
debug3: authmethod_lookup hostbased
debug3: remaining preferred:
debug3: authmethod_is_enabled hostbased
debug1: Next authentication method: hostbased
debug3: userauth_hostbased: trying key type ssh-ed25519-cert-v01 at openssh.com
debug3: userauth_hostbased: trying key type ecdsa-sha2-nistp256-cert-v01 at openssh.com
debug3: userauth_hostbased: trying key type ecdsa-sha2-nistp384-cert-v01 at openssh.com
debug3: userauth_hostbased: trying key type ecdsa-sha2-nistp521-cert-v01 at openssh.com
debug3: userauth_hostbased: trying key type sk-ssh-ed25519-cert-v01 at openssh.com
debug3: userauth_hostbased: trying key type sk-ecdsa-sha2-nistp256-cert-v01 at openssh.com
debug3: userauth_hostbased: trying key type rsa-sha2-512-cert-v01 at openssh.com
debug3: userauth_hostbased: trying key type rsa-sha2-256-cert-v01 at openssh.com
debug3: userauth_hostbased: trying key type ssh-ed25519
debug3: userauth_hostbased: trying key type ecdsa-sha2-nistp256
debug3: userauth_hostbased: trying key type ecdsa-sha2-nistp384
debug3: userauth_hostbased: trying key type ecdsa-sha2-nistp521
debug3: userauth_hostbased: trying key type sk-ssh-ed25519 at openssh.com
debug3: userauth_hostbased: trying key type sk-ecdsa-sha2-nistp256 at openssh.com
debug3: userauth_hostbased: trying key type rsa-sha2-512
debug3: userauth_hostbased: trying key type rsa-sha2-256
debug1: No more client hostkeys for hostbased authentication.
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
rwk at gemini.krautclan.com: Permission denied (publickey,password,hostbased).
bugzilla-daemon at mindrot.org
2023-Sep-22 02:52 UTC
[Bug 3615] Host Based Authentication is failing
https://bugzilla.mindrot.org/show_bug.cgi?id=3615
--- Comment #17 from Richard Kreutzer <tunerooster at gmail.com> ---
Not sure why, but my cut/paste logs are not getting to you correctly. I am reposting as an attachment. Please wait for the attachment.
bugzilla-daemon at mindrot.org
2023-Sep-22 02:54 UTC
[Bug 3615] Host Based Authentication is failing
https://bugzilla.mindrot.org/show_bug.cgi?id=3615
--- Comment #18 from Richard Kreutzer <tunerooster at gmail.com> ---
Created attachment 3735
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3735&action=edit
ssh debug logs

Use this.
bugzilla-daemon at mindrot.org
2023-Sep-22 04:44 UTC
[Bug 3615] Host Based Authentication is failing
https://bugzilla.mindrot.org/show_bug.cgi?id=3615
--- Comment #19 from Darren Tucker <dtucker at dtucker.net> ---
I'll take a look at the logs, but one question: do you have "EnableSSHKeysign yes" in /etc/ssh/ssh_config? It needs to be in the global section:

```
EnableSSHKeysign
    Setting this option to yes in the global client configuration file
    /etc/ssh/ssh_config enables the use of the helper program ssh-keysign(8)
    during HostbasedAuthentication. The argument must be yes or no (the
    default). This option should be placed in the non-hostspecific section.
    See ssh-keysign(8) for more information.
```
bugzilla-daemon at mindrot.org
2023-Sep-22 04:45 UTC
[Bug 3615] Host Based Authentication is failing
https://bugzilla.mindrot.org/show_bug.cgi?id=3615

--- Comment #20 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to Darren Tucker from comment #19)
> I'll take a look at the logs, but one question: do you have
> "EnableSSHKeysign yes" in /etc/ssh/ssh_config? It needs to be in
> the global section...

... on the client side.
bugzilla-daemon at mindrot.org
2023-Sep-22 05:11 UTC
[Bug 3615] Host Based Authentication is failing
https://bugzilla.mindrot.org/show_bug.cgi?id=3615

--- Comment #21 from Richard Kreutzer <tunerooster at gmail.com> ---
rwk at basement-gentoo /etc/ssh $ grep EnableSSHKeysign ssh_config
EnableSSHKeysign yes
bugzilla-daemon at mindrot.org
2023-Sep-22 05:31 UTC
[Bug 3615] Host Based Authentication is failing
https://bugzilla.mindrot.org/show_bug.cgi?id=3615

--- Comment #22 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to Richard Kreutzer from comment #16)
[...]
> debug1: HostbasedAuthentication enabled but no local public host
> keys could be loaded.

This means the client could not load any of the public key files in its default paths. 1) did you undo your changes to the .pub files and 2) are the .pub files world readable? Your earlier debug traces did not have this warning so it's new.

(The subsequent debugging indicated that the client had only RSA host keys, but your server only has known_hosts for ed25519 keys. Did you put the client's host public keys in the server's ssh_known_hosts?)

(In reply to Richard Kreutzer from comment #15)
[...]
> P.S. Do you prefer the logs in an attachment?

Attachments are preferable. You can easily quote the relevant parts if necessary, but as you can see in this bug having logs in comments quickly becomes unwieldy.
bugzilla-daemon at mindrot.org
2023-Sep-22 06:46 UTC
[Bug 3615] Host Based Authentication is failing
https://bugzilla.mindrot.org/show_bug.cgi?id=3615

--- Comment #23 from Richard Kreutzer <tunerooster at gmail.com> ---
1. No, the fqdn is still in the .pub files
2. Yes, the .pub files are world readable

On the client (basement-gentoo):

rwk at basement-gentoo /etc/ssh $ ls -l *.pub
-rw-r--r-- 1 root root 212 Sep 21 18:42 ssh_host_ecdsa_key.pub
-rw-r--r-- 1 root root 132 Sep 21 18:42 ssh_host_ed25519_key.pub
-rw-r--r-- 1 root root 604 Sep 21 18:42 ssh_host_rsa_key.pub
rwk at basement-gentoo /etc/ssh $ cat ssh_host_ed25519_key.pub
basement-gentoo.krautclan.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL7ScLQVn+2HvNUpLTdmfpKiduxvZS8s1HoHQV8OeOAH root at basement-gentoo

On the server (gemini):

gemini /etc/ssh # cat ssh_known_hosts
basement-gentoo.krautclan.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL7ScLQVn+2HvNUpLTdmfpKiduxvZS8s1HoHQV8OeOAH root at basement-gentoo
basement-gentoo.krautclan.com. ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL7ScLQVn+2HvNUpLTdmfpKiduxvZS8s1HoHQV8OeOAH root at basement-gentoo

OK, I will use attachments for the logs. Again, thank you for your continued support!
bugzilla-daemon at mindrot.org
2023-Sep-22 08:04 UTC
[Bug 3615] Host Based Authentication is failing
https://bugzilla.mindrot.org/show_bug.cgi?id=3615

--- Comment #24 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to Richard Kreutzer from comment #23)
> 1. No, the fqdn are still in the .pub files

The fqdn should not be in the .pub files. The line should start with ssh-rsa, ssh-ed25519 or similar. That would explain the "no local public host keys" warning.
bugzilla-daemon at mindrot.org
2023-Sep-22 09:05 UTC
[Bug 3615] Host Based Authentication is failing
https://bugzilla.mindrot.org/show_bug.cgi?id=3615

--- Comment #25 from Richard Kreutzer <tunerooster at gmail.com> ---
So you are saying the fqdn should be in the ssh_known_hosts file on the server, but *not* in the /etc/ssh/ssh_host_ed25519_key.pub file on the client.

OMG, it worked! It also works with just "ssh gemini", i.e., "ssh gemini.krautclan.com" is not required.

I always just copied the contents of the .pub file on each machine to each server unchanged. And this works, of course, for the authorized_keys file for each user.

I will now have to add the fqdn to the beginning of each key in the .pub files after pasting them into the ssh_known_hosts file for each server. And since all the machines are both clients and servers, that means every machine, which I certainly can do. But it surprises me that there is not a built-in way to do this, or is there? Something like "ssh-copy-id".

Thank you so much! I would never have found this requirement, as it does not seem to be mentioned in any of the HBA guides I found.

Please confirm that my above strategy is correct, and that there is no better way to do this, before I start writing a script to automate it.

Best regards!!!
bugzilla-daemon at mindrot.org
2023-Sep-22 09:25 UTC
[Bug 3615] Host Based Authentication is failing
https://bugzilla.mindrot.org/show_bug.cgi?id=3615

--- Comment #26 from Richard Kreutzer <tunerooster at gmail.com> ---
P.S. What about ssh-keyscan? Is that what it is for?
bugzilla-daemon at mindrot.org
2023-Sep-22 09:39 UTC
[Bug 3615] Host Based Authentication is failing
https://bugzilla.mindrot.org/show_bug.cgi?id=3615

--- Comment #27 from Richard Kreutzer <tunerooster at gmail.com> ---
Yes, it looks like it is, and it works. That will make it much easier!
bugzilla-daemon at mindrot.org
2023-Sep-24 23:28 UTC
[Bug 3615] Host Based Authentication is failing
https://bugzilla.mindrot.org/show_bug.cgi?id=3615

--- Comment #28 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to Richard Kreutzer from comment #25)
[...]
> I will now have to add the fqdn to the beginning of each key in the
> .pub files after pasting then in them in the ssh_known_hosts file
> for each server. And since all the machines are both clients and
> servers, that means every machine, which I certainly can do.

Is there a reason you couldn't just list every machine in one file then distribute that file to all machines?

> But it surprises me that there is not a built-in way to do this, or
> is there? Something like "ssh-copy-id".

Not that I know of. ssh-copy-id is a user-specific setup tool that users can self-provision with, whereas hostbased authentication is a system-wide configuration that affects all users and thus is part of system administration. You can use whatever you use for other system administration tasks, be that vi or something like puppet or chef.

Anyway I suspect hostbased doesn't get used much any more. It was a drop-in replacement for rlogin hosts.equiv and that implies a bit more trust than exists in most environments these days.

> Thank you so much! I would never have found this requirement, as it
> does not seem to be mentioned in any of the HBA guides I found.
>
> Please confirm that my above strategy is correct, and that there is
> no better way to do this, before I start writing a script to
> automate it.

What you describe looks correct to me.

(In reply to Richard Kreutzer from comment #26)
> P.S. What about ssh-keyscan? Is that what it is for?

ssh-keyscan is for populating known_hosts files over the network, e.g. for bootstrapping one that you'll then change control.
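The three configuration points settled in comments #19, #24 and #28 (EnableSSHKeysign must sit in the global section of the client's ssh_config, a host key .pub file must start with the key type and not a hostname, and the server's ssh_known_hosts line must start with the hostname) are easy to check mechanically. The following POSIX shell script is an added example, not code from this bug thread or from the OpenSSH project: it implements those checks and builds one known_hosts line per host from its .pub file, so an administrator can collect the lines for every machine into a single ssh_known_hosts and distribute it everywhere, as comment #28 suggests. All hostnames, paths and key material in it are constructed placeholders.

```shell
#!/bin/sh
# Added example for OpenSSH hostbased authentication setup (not part of the
# bug thread or of OpenSSH). Hostnames, paths and key strings are constructed.

# Recognised first fields of a well-formed host key .pub file.
is_key_type() {
    case "$1" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) return 0 ;;
        sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com|*-cert-v01@openssh.com) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 if the .pub file starts with a key type (what ssh and ssh-keysign
# load), 1 if a hostname was prepended, which makes the key unloadable and
# produces the "no local public host keys could be loaded" warning.
check_host_pubkey() {
    first=$(awk 'NR==1 { print $1 }' "$1")
    is_key_type "$first"
}

# Returns 0 if every non-comment line of a known_hosts file begins with a
# hostname list, a hashed host or an @marker rather than a bare key type.
check_known_hosts() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        $1 ~ /^(ssh-|ecdsa-sha2-|sk-)/ { bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Builds a known_hosts line "<fqdn>,<short> <type> <key>" from a .pub file,
# listing the short name too so that "ssh gemini" matches as well as the FQDN.
pubkey_to_known_hosts() {
    fqdn=$1; pubfile=$2
    short=${fqdn%%.*}
    if [ "$short" = "$fqdn" ]; then names=$fqdn; else names="$fqdn,$short"; fi
    awk -v names="$names" 'NR==1 { print names, $1, $2 }' "$pubfile"
}

# Returns 0 if "EnableSSHKeysign yes" appears before the first Host or Match
# block of the given ssh_config, i.e. in the global (non-host-specific) section.
keysign_is_global() {
    awk '
        tolower($1) == "host" || tolower($1) == "match" { in_block = 1 }
        tolower($1) == "enablesshkeysign" && tolower($2) == "yes" && !in_block { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Stand-alone demonstration on constructed files in a temporary directory.
main() {
    dir=$(mktemp -d)
    # Constructed key string, not a real key.
    key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXA root@client'
    printf '%s\n' "$key" > "$dir/ssh_host_ed25519_key.pub"
    printf 'client.example.com %s\n' "$key" > "$dir/wrong.pub"
    check_host_pubkey "$dir/ssh_host_ed25519_key.pub" && echo "ssh_host_ed25519_key.pub: OK"
    check_host_pubkey "$dir/wrong.pub" || echo "wrong.pub: a hostname prefix does not belong in a .pub file"
    pubkey_to_known_hosts client.example.com "$dir/ssh_host_ed25519_key.pub" > "$dir/ssh_known_hosts"
    cat "$dir/ssh_known_hosts"
    check_known_hosts "$dir/ssh_known_hosts" && echo "ssh_known_hosts: OK"
    printf 'EnableSSHKeysign yes\nHost gemini\n    HostbasedAuthentication yes\n' > "$dir/ssh_config"
    keysign_is_global "$dir/ssh_config" && echo "ssh_config: EnableSSHKeysign is global"
    rm -rf "$dir"
}
main
```

To use the helpers on real hosts, run `pubkey_to_known_hosts "$(hostname -f)" /etc/ssh/ssh_host_ed25519_key.pub` on each machine (one call per host key type), concatenate the output into a single ssh_known_hosts, and push that file to every server under the same change control as the rest of the system configuration; `check_known_hosts` and `check_host_pubkey` then catch the swapped-format mistake from comment #23 before the next login fails.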
bugzilla-daemon at mindrot.org
2023-Sep-25 06:20 UTC
[Bug 3615] Host Based Authentication is failing
https://bugzilla.mindrot.org/show_bug.cgi?id=3615

--- Comment #29 from Richard Kreutzer <tunerooster at gmail.com> ---
I much appreciate your help. I was so used to transferring keys verbatim from the .pub files to authorized_keys that I just missed the requirement to have the host names at the front in the ssh_known_hosts file. ssh-keyscan does that for you. If I had used it from the beginning, it would have worked. I learned the hard way.

I would close this if I could see a way. Of course close it on your end if that is appropriate.

Best regards and thanks again!