From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 270668] ssh logons via public key fail after target upgraded to FreeBSD-12.4-p2
Date: Thu, 06 Apr 2023 13:42:55 +0000
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270668

Bug ID: 270668
Summary: ssh logons via public key fail after target upgraded to FreeBSD-12.4-p2
Product: Base System
Version: 12.4-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: misc
Assignee: bugs@FreeBSD.org
Reporter: byrnejb@harte-lyne.ca

Service host:
FreeBSD 12.4-RELEASE-p1 FreeBSD 12.4-RELEASE-p1 GENERIC amd64
OpenSSH_9.1p1, OpenSSL 1.1.1q-freebsd 5 Jul 2022

Client host:
FreeBSD 13.1-RELEASE-p2 FreeBSD 13.1-RELEASE-p2 GENERIC amd64
OpenSSL 1.1.1o-freebsd 3 May 2022

Following the update to the server host, remote logins using RSA certificates fail. The host and client keys and certificates have not changed. The configuration files on both server and client have not been altered.

Connection details:

# ssh -vv vhost01
OpenSSH_8.8p1, OpenSSL 1.1.1o-freebsd 3 May 2022
debug1: Reading configuration data /root/.ssh/config
debug1: /root/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "vhost01.hamilton.harte-lyne.ca" port 22
debug1: Connecting to vhost01.hamilton.harte-lyne.ca [216.185.71.41] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type 0
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type 2
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type 3
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.8 FreeBSD-20211221
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.1 FreeBSD-20221019
debug1: Fssh_compat_banner: match: OpenSSH_9.1 FreeBSD-20221019 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to vhost01.hamilton.harte-lyne.ca:22 as 'root'
debug1: Fssh_load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
debug1: Fssh_load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: Fssh_load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:q2N77sbjHlZ35RzCZCCP1+V/yqiVzS56oFhH4UzX0zk
debug2: ldns: got 8 answers from DNS
debug2: ldns: trying to validate RRset
debug2: ldns: got 1 signature(s) (RRTYPE 46) from DNS
debug2: ldns: RRset validation failed: General LDNS error
debug1: found 8 insecure fingerprints in DNS
debug1: Fssh_verify_host_key_dns: matched SSHFP type 4 fptype 2
debug1: Fssh_verify_host_key_dns: matched SSHFP type 4 fptype 1
debug1: matching host key fingerprint found in DNS
debug1: Fssh_load_hostkeys: fopen /root/.ssh/known_hosts2: No such file or directory
debug1: Fssh_load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: Fssh_load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host 'vhost01.hamilton.harte-lyne.ca' is known and matches the ED25519 host key.
debug1: Found key in /root/.ssh/known_hosts:74
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /root/.ssh/id_rsa RSA SHA256:14qSPzqINY1ejGYgNGlkSMtVVBtek36Q/CrsM07+pgE
debug1: Will attempt key: /root/.ssh/id_dsa
debug1: Will attempt key: /root/.ssh/id_ecdsa ECDSA SHA256:9+DpY9vFXemvVeyR5JYVR+HKc2u9t+5I7J0YM0Jw5W8
debug1: Will attempt key: /root/.ssh/id_ecdsa_sk
debug1: Will attempt key: /root/.ssh/id_ed25519 ED25519 SHA256:rg5CuR8qHh6U/SR1cUh/qWqof5TVXM4Ew1f1Fi/R20I
debug1: Will attempt key: /root/.ssh/id_ed25519_sk
debug1: Will attempt key: /root/.ssh/id_xmss
debug2: pubkey_prepare: done
debug1: SSH2_MSG_EXT_INFO received
debug1: Fssh_kex_input_ext_info: server-sig-algs=
debug1: Fssh_kex_input_ext_info: publickey-hostbound@openssh.com (unrecognised)
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa RSA SHA256:14qSPzqINY1ejGYgNGlkSMtVVBtek36Q/CrsM07+pgE
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: /root/.ssh/id_rsa RSA SHA256:14qSPzqINY1ejGYgNGlkSMtVVBtek36Q/CrsM07+pgE
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Offering public key: /root/.ssh/id_ecdsa ECDSA SHA256:9+DpY9vFXemvVeyR5JYVR+HKc2u9t+5I7J0YM0Jw5W8
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: /root/.ssh/id_ecdsa ECDSA SHA256:9+DpY9vFXemvVeyR5JYVR+HKc2u9t+5I7J0YM0Jw5W8
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /root/.ssh/id_ecdsa_sk
debug1: Offering public key: /root/.ssh/id_ed25519 ED25519 SHA256:rg5CuR8qHh6U/SR1cUh/qWqof5TVXM4Ew1f1Fi/R20I
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: /root/.ssh/id_ed25519 ED25519 SHA256:rg5CuR8qHh6U/SR1cUh/qWqof5TVXM4Ew1f1Fi/R20I
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /root/.ssh/id_ed25519_sk
debug1: Trying private key: /root/.ssh/id_xmss
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req: entering
debug2: input_userauth_info_req: num_prompts 1
(root@vhost01.hamilton.harte-lyne.ca) Password for root@vhost01.hamilton.harte-lyne.ca:
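
Added example, not part of the original report: a small Python triage script that reads `ssh -v`/`-vv` client output like the log above and reports, per offered key, whether the server refused the key outright or accepted it ("Server accepts key") and then failed the authentication request that followed. The sample log, its placeholder fingerprints and the outcome labels are constructed for illustration.

```python
import re

OFFER = re.compile(r"Offering public key: (\S+) (\S+)")
ACCEPT = re.compile(r"Server accepts key: (\S+)")

# Constructed sample in the shape of the log above (fingerprints are placeholders).
SAMPLE_LOG = """\
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa RSA SHA256:AAAA
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: /root/.ssh/id_rsa RSA SHA256:AAAA
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Offering public key: /root/.ssh/id_ed25519 ED25519 SHA256:BBBB
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
"""

def classify_pubkey_attempts(log_text):
    """Return [(key_path, key_type, outcome)] in the order keys were offered."""
    results, current = [], None   # current = [path, type, got "Server accepts key"]
    for line in log_text.splitlines():
        m = OFFER.search(line)
        if m:
            current = [m.group(1), m.group(2), False]
            continue
        if current is None:
            continue              # e.g. the method list sent before any key is offered
        m = ACCEPT.search(line)
        if m and m.group(1) == current[0]:
            current[2] = True     # key is acceptable; the signed request goes out next
        elif "Authentication succeeded (publickey)" in line:
            results.append((current[0], current[1], "authenticated"))
            current = None
        elif "Authentications that can continue:" in line:
            outcome = "rejected-after-accept" if current[2] else "not-accepted"
            results.append((current[0], current[1], outcome))
            current = None
    if current is not None:       # log ended while a key was still in flight
        results.append((current[0], current[1], "no-reply"))
    return results

def all_accepted_keys_rejected(results):
    """True when every offered key was accepted and then failed anyway."""
    return bool(results) and all(o == "rejected-after-accept" for _, _, o in results)

if __name__ == "__main__":
    for path, ktype, outcome in classify_pubkey_attempts(SAMPLE_LOG):
        print(f"{ktype:8} {path:28} {outcome}")
```

When every offered key comes back as rejected-after-accept, as the RSA, ECDSA and ED25519 keys do in the log above, the failure lies in how the server handles the signed request rather than in one key's authorization, and the server-side sshd log is where the reason is recorded.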