Re: SSH connection problem to two FreeBSD VMs externally hosted

From: Dave Cottlehuber <dch_at_skunkwerks.at>
Date: Thu, 17 Jul 2025 14:17:26 UTC
On Thu, 17 Jul 2025, at 11:21, Gordon Bergling wrote:
> Hi,
>
> I have two FreeBSD VMs externally hosted, one at Hetzner and one on Azure.
>
> Both systems are running the latest 14.3-RELEASE, but I can no longer connect to them,
> whether from a local 14.2-RELEASE or the latest macOS. Nothing has changed in
> terms of configuration. All systems use public-key authentication. The error
> I am getting is the following:
>
> sshd[10965]: error: Fssh_kex_input_kexinit: unknown kex type 10 [preauth]
>
> Has anyone an idea what could cause this?
>
> Searching the forums and trying different KexAlgorithms options didn't
> solve the problem.
>
> Any help is much appreciated!
>
> --Gordon

Odd. I have no issue from a 14.2 client -> 14.3 server connecting,
with defaults, and ed25519 private key.

My best guess is that your sshd binary (or config) isn't correctly
upgraded for some reason. What does file(1) report on server & client?

On 14.2-RELEASE:

root@picard:/ # file /usr/sbin/sshd
/usr/sbin/sshd: ELF 64-bit LSB pie executable, x86-64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 14.2, FreeBSD-style, stripped

root@picard:/ # file /usr/bin/ssh
/usr/bin/ssh: ELF 64-bit LSB pie executable, x86-64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 14.2, FreeBSD-style, stripped
root@picard:/ #

If this is not correct, it's worth checking with `freebsd-update IDS` on server & client, for what else is incorrect.

Are there any non-default settings in /etc/ssh/ssh_config for client,
and /etc/ssh/sshd_config for server?

Assuming that's sorted, please post output of `ssh -vv ...`, so we can see the negotiation, forcing key exchange algorithm on the client:

ssh -vv -o KexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 you@there

BTW I assume the kex list comes from crypto/openssh/kex.h, so #10 would be
KEX_KEM_SNTRUP761X25519_SHA512:

enum kex_exchange {
	KEX_DH_GRP1_SHA1 = 1,
	KEX_DH_GRP14_SHA1,
	KEX_DH_GRP14_SHA256,
	KEX_DH_GRP16_SHA512,
	KEX_DH_GRP18_SHA512,
	KEX_DH_GEX_SHA1,
	KEX_DH_GEX_SHA256,
	KEX_ECDH_SHA2,
	KEX_C25519_SHA256,
	KEX_KEM_SNTRUP761X25519_SHA512,   <----
	KEX_KEM_MLKEM768X25519_SHA256,
	KEX_MAX
};

A+
Dave
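To make the negotiation Dave asks for visible, here is an added example (not from the thread or from OpenSSH) that pulls the client and server KEX proposals out of `ssh -vv` output and replays the RFC 4253 selection rule (first client-preferred method the server also offers). The `debug2: ... KEXINIT proposal` / `debug2: KEX algorithms:` / `debug1: kex: algorithm:` line formats are assumed from OpenSSH's debug output, and the sample transcript is constructed.

```python
import re

# Constructed sample of the key-exchange part of `ssh -vv` output. The line
# formats are assumed from OpenSSH's kex.c debug messages, not copied from the post.
SAMPLE_SSH_VV = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,ext-info-c,kex-strict-c-v00@openssh.com
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,kex-strict-s-v00@openssh.com
debug2: host key algorithms: ssh-ed25519
debug1: kex: algorithm: curve25519-sha256
"""

# Pseudo-methods that only signal protocol extensions; they are never chosen as the kex.
_EXTENSION_MARKERS = ("ext-info-", "kex-strict-")


def parse_kex_proposals(debug_output):
    """Return (client_kex, server_kex, chosen) parsed from `ssh -vv` text.

    The KEX list that follows a 'local client' header belongs to the client,
    the one after a 'peer server' header to the server; `chosen` is what ssh
    reports it actually agreed on (None if the handshake never got that far).
    """
    side, chosen = None, None
    proposals = {"client": [], "server": []}
    for line in debug_output.splitlines():
        if "local client KEXINIT proposal" in line:
            side = "client"
        elif "peer server KEXINIT proposal" in line:
            side = "server"
        elif side and line.startswith("debug2: KEX algorithms: "):
            proposals[side] = line.split(": ", 2)[2].split(",")
        m = re.match(r"debug1: kex: algorithm: (\S+)", line)
        if m:
            chosen = m.group(1)
    return proposals["client"], proposals["server"], chosen


def negotiate_kex(client_kex, server_kex):
    """RFC 4253 rule: first algorithm in the client's order that the server also lists."""
    usable = {a for a in server_kex if not a.startswith(_EXTENSION_MARKERS)}
    for algo in client_kex:
        if algo in usable:
            return algo
    return None  # empty intersection -> "no matching key exchange method found"
```

Running the forced client list from Dave's `-o KexAlgorithms=...` command through `negotiate_kex` against the server's proposal shows which method a working 14.3 sshd should settle on, and an empty result points at a server proposal that is missing the expected methods.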