[Bug 270668] ssh logons via public key fail after target upgraded to FreeBSD-12.4-p2

Reply: bugzilla-noreply_a_freebsd.org: "[Bug 270668] ssh logons via public key fail after target upgraded to FreeBSD-12.4-p2"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 270668] ssh logons via public key fail after target upgraded to FreeBSD-12.4-p2"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 270668] ssh logons via public key fail after target upgraded to FreeBSD-12.4-p2"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 270668] ssh logons via public key fail after target upgraded to FreeBSD-12.4-p2"
Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 06 Apr 2023 13:42:55 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270668

            Bug ID: 270668
           Summary: ssh logons via public key fail after target upgraded
                    to FreeBSD-12.4-p2
           Product: Base System
           Version: 12.4-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: misc
          Assignee: bugs@FreeBSD.org
          Reporter: byrnejb@harte-lyne.ca

Service host:
FreeBSD 12.4-RELEASE-p1 FreeBSD 12.4-RELEASE-p1 GENERIC  amd64
  OpenSSH_9.1p1, OpenSSL 1.1.1q-freebsd  5 Jul 2022

Client host:
FreeBSD 13.1-RELEASE-p2 FreeBSD 13.1-RELEASE-p2 GENERIC amd64
  OpenSSL 1.1.1o-freebsd  3 May 2022

Following the update to the server host remote logins using RSA certificates
fail.  The host and client keys and certificates have not changed.  The
configuration files on both server and client have not been altered.

Connection details:

# ssh -vv vhost01
OpenSSH_8.8p1, OpenSSL 1.1.1o-freebsd  3 May 2022
debug1: Reading configuration data /root/.ssh/config
debug1: /root/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "vhost01.hamilton.harte-lyne.ca" port 22
debug1: Connecting to vhost01.hamilton.harte-lyne.ca [216.185.71.41] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type 0
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type 2
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type 3
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.8 FreeBSD-20211221
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.1
FreeBSD-20221019
debug1: Fssh_compat_banner: match: OpenSSH_9.1 FreeBSD-20221019 pat OpenSSH*
compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to vhost01.hamilton.harte-lyne.ca:22 as 'root'
debug1: Fssh_load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or
directory
debug1: Fssh_load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or
directory
debug1: Fssh_load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or
directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms:
curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms:
ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos:
chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc:
chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos:
umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc:
umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms:
sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms:
rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos:
chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc:
chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos:
umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc:
umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC:
<implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC:
<implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519
SHA256:q2N77sbjHlZ35RzCZCCP1+V/yqiVzS56oFhH4UzX0zk
debug2: ldns: got 8 answers from DNS
debug2: ldns: trying to validate RRset
debug2: ldns: got 1 signature(s) (RRTYPE 46) from DNS
debug2: ldns: RRset validation failed: General LDNS error
debug1: found 8 insecure fingerprints in DNS
debug1: Fssh_verify_host_key_dns: matched SSHFP type 4 fptype 2
debug1: Fssh_verify_host_key_dns: matched SSHFP type 4 fptype 1
debug1: matching host key fingerprint found in DNS
debug1: Fssh_load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or
directory
debug1: Fssh_load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or
directory
debug1: Fssh_load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or
directory
debug1: Host 'vhost01.hamilton.harte-lyne.ca' is known and matches the ED25519
host key.
debug1: Found key in /root/.ssh/known_hosts:74
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /root/.ssh/id_rsa RSA
SHA256:14qSPzqINY1ejGYgNGlkSMtVVBtek36Q/CrsM07+pgE
debug1: Will attempt key: /root/.ssh/id_dsa 
debug1: Will attempt key: /root/.ssh/id_ecdsa ECDSA
SHA256:9+DpY9vFXemvVeyR5JYVR+HKc2u9t+5I7J0YM0Jw5W8
debug1: Will attempt key: /root/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /root/.ssh/id_ed25519 ED25519
SHA256:rg5CuR8qHh6U/SR1cUh/qWqof5TVXM4Ew1f1Fi/R20I
debug1: Will attempt key: /root/.ssh/id_ed25519_sk 
debug1: Will attempt key: /root/.ssh/id_xmss 
debug2: pubkey_prepare: done
debug1: SSH2_MSG_EXT_INFO received
debug1: Fssh_kex_input_ext_info:
server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: Fssh_kex_input_ext_info: publickey-hostbound@openssh.com (unrecognised)
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa RSA
SHA256:14qSPzqINY1ejGYgNGlkSMtVVBtek36Q/CrsM07+pgE
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: /root/.ssh/id_rsa RSA
SHA256:14qSPzqINY1ejGYgNGlkSMtVVBtek36Q/CrsM07+pgE
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Offering public key: /root/.ssh/id_ecdsa ECDSA
SHA256:9+DpY9vFXemvVeyR5JYVR+HKc2u9t+5I7J0YM0Jw5W8
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: /root/.ssh/id_ecdsa ECDSA
SHA256:9+DpY9vFXemvVeyR5JYVR+HKc2u9t+5I7J0YM0Jw5W8
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /root/.ssh/id_ecdsa_sk
debug1: Offering public key: /root/.ssh/id_ed25519 ED25519
SHA256:rg5CuR8qHh6U/SR1cUh/qWqof5TVXM4Ew1f1Fi/R20I
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: /root/.ssh/id_ed25519 ED25519
SHA256:rg5CuR8qHh6U/SR1cUh/qWqof5TVXM4Ew1f1Fi/R20I
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /root/.ssh/id_ed25519_sk
debug1: Trying private key: /root/.ssh/id_xmss
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req: entering
debug2: input_userauth_info_req: num_prompts 1
(root@vhost01.hamilton.harte-lyne.ca) Password for
root@vhost01.hamilton.harte-lyne.ca:

-- 
You are receiving this mail because:
You are the assignee for the bug.