
[Bug 3615] Host Based Authentication is failing
https://bugzilla.mindrot.org/show_bug.cgi?id=3615

Darren Tucker <dtucker@dtucker.net> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker@dtucker.net

--- Comment #1 from Darren Tucker <dtucker@dtucker.net> ---
Please attach a client side debug trace (ssh -vvv -p 1023 yourserver)
and server side (/path/to/sshd -ddde p 1023) traces.

Hostbased is particularly picky about name resolution; you may need to
add HostbasedAuthentication=yes (client side) and
HostbasedUsesNameFromPacketOnly=yes (server side).

--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 3615] Host Based Authentication is failing

--- Comment #2 from Richard Kreutzer <tunerooster@gmail.com> ---
Created attachment 3731
--> https://bugzilla.mindrot.org/attachment.cgi?id=3731&action=edit
Requested debug/config information

[Bug 3615] Host Based Authentication is failing

--- Comment #3 from Richard Kreutzer <tunerooster@gmail.com> ---
Thank you so much for your help. Let me know if there is anything else
you need.

[Bug 3615] Host Based Authentication is failing

--- Comment #4 from Richard Kreutzer <tunerooster@gmail.com> ---
Created attachment 3732
--> https://bugzilla.mindrot.org/attachment.cgi?id=3732&action=edit
Resend...

Use this one...

[Bug 3615] Host Based Authentication is failing

--- Comment #5 from Darren Tucker <dtucker@dtucker.net> ---
Comment on attachment 3731
--> https://bugzilla.mindrot.org/attachment.cgi?id=3731
Requested debug/config information

[...]
>debug1: check_key_in_hostfiles: key for host basement-gentoo.krautclan.com not found
>debug1: temporarily_use_uid: 1000/1000 (e=0/0)
>debug1: load_hostkeys: fopen /home/rwk/.ssh/known_hosts2: No such file or directory
>debug1: restore_uid: 0/0
>debug1: check_key_in_hostfiles: key for host basement-gentoo.krautclan.com not found
>debug3: mm_answer_keyallowed: hostbased authentication test: RSA key is not allowed
>Failed hostbased for rwk from 192.168.1.17 port 47186 ssh2: RSA SHA256:SaZOSakVXi3jdv18gjAEF67qvHHkNmroGZQHpYanN/o, client user "rwk", client host "basement-gentoo.krautclan.com"

This looks like your problem: the server does not have the host key for
the client in any of its known_hosts files under the name
"basement-gentoo.krautclan.com". If you want to use this for more than
one user you probably want to put it in the system-wide ssh_known_hosts
file.

[...]
>debug1: Authentications that can continue: publickey,password,hostbased
>debug3: start over, passed a different list publickey,password,hostbased
>debug3: preferred hostbased,publickey,keyboard-interactive,password

While you're testing you might want to add -o
PreferredAuthentications=hostbased to your ssh command line. That will
stop it trying to use the other auth methods and make it easier to read
the debug output.

[Bug 3615] Host Based Authentication is failing

--- Comment #6 from Richard Kreutzer <tunerooster@gmail.com> ---
As you can see from the attachment, the system wide server
"ssh_known_hosts" file "/etc/ssh/ssh_known_hosts" contains:

ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAy......XS3md3R0NHMLQWw31fNw4w+yrp9QnZ9Q= root@basement-gentoo
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKFcXDLipuVO......aWlJ6xQJhC root@basement-gentoo
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCfedQjNbC4......yxew4wj8afDkuQHS8AtZ8= root@basement-gentoo

Are you saying it should be:

ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAy......XS3md3R0NHMLQWw31fNw4w+yrp9QnZ9Q= root@basement-gentoo.krautclan.com
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKFcXDLipuVO......aWlJ6xQJhC root@basement-gentoo.krautclan.com
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCfedQjNbC4......yxew4wj8afDkuQHS8AtZ8= root@basement-gentoo.krautclan.com

I.e., with "root@basement-gentoo.krautclan.com" instead of just
"root@basement-gentoo"?

I always thought that these were just comments so one would know where
they came from. In any case I changed ssh_known_hosts on the server
with the added domain name. Now when I run:
"ssh -vvv -o PreferredAuthentications=hostbased gemini pwd"
I just get: "rwk@gemini: Permission denied (publickey,password,hostbased)."

Attached is the new server side debug output, and it contains the same
"Failed" message. I must be misunderstanding something about what you
are saying. Would it be safe to post here my public keys from the
client (e.g., /etc/ssh/ssh_host_ed25519_key.pub) and my
/etc/ssh/ssh_known_hosts file from the server? Those are the files
involved, right?

[Bug 3615] Host Based Authentication is failing

--- Comment #7 from Richard Kreutzer <tunerooster@gmail.com> ---
Created attachment 3733
--> https://bugzilla.mindrot.org/attachment.cgi?id=3733&action=edit
Second sshd debug output

Second server side debug output from: /usr/sbin/sshd -dddep 1023

[Bug 3615] Host Based Authentication is failing

--- Comment #8 from Richard Kreutzer <tunerooster@gmail.com> ---
What do these debug lines mean?
debug3: mm_answer_keyallowed: hostbased authentication test: ED25519 key is not allowed
debug3: mm_answer_keyallowed: hostbased authentication test: ECDSA key is not allowed
debug3: mm_answer_keyallowed: hostbased authentication test: RSA key is not allowed

[Bug 3615] Host Based Authentication is failing

--- Comment #9 from Darren Tucker <dtucker@dtucker.net> ---
(In reply to Richard Kreutzer from comment #6)
> As you can see from the attachment, the system wide server
> "ssh_known_hosts" file "/etc/ssh/ssh_known_hosts" contains:
[...]
> I.e., with "root@basement-gentoo.krautclan.com" instead of just
> "root@basement-gentoo"?

No, the hostname is at the start of the line and yours are missing, so:

basement-gentoo.krautclan.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCfedQjNbC4......yxew4wj8afDkuQHS8AtZ8= root@basement-gentoo.krautclan.com

from sshd(8): SSH_KNOWN_HOSTS FILE FORMAT section:

Each line in these files contains the following fields: marker
(optional), hostnames, key type, base64-encoded key, comment. The
fields are separated by spaces.

> I always thought that these were just comments

The parts at the end are comments.

> Attached is the new server side debug output, and it contains the
> same "Failed" message. I must be misunderstanding something about
> what you are saying. Would it be safe to post here my public keys
> from the client (e.g., /etc/ssh/ssh_host_ed25519_key.pub) and my
> /etc/ssh/ssh_known_hosts file from the server?

It should be safe since they're public keys, but I wouldn't unless you
need to, and you don't need to.

> Those are the files involved, right?

Yes. You would need to add the hostname before the contents of the
.pub file then put it in known_hosts.

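As an added example (not from this thread and not OpenSSH code), the following Python checker applies the known_hosts format Darren describes above: it flags lines that begin with a key type (a .pub file pasted in unchanged, as in comment #6, has no hostnames field, so sshd can never match it) and shows which entries a given client host name would match, including the FQDN with and without a trailing dot that comment #14 recommends listing. The host names and key blob in the samples are constructed placeholders; wildcard, `!` negation, `@marker` and hashed (`|1|salt|hmac`, HMAC-SHA1 as written by HashKnownHosts) entries are handled so the checker is usable on real files.

```python
"""Check an ssh_known_hosts file the way a hostbased lookup needs it.

Added example for this thread, not OpenSSH code.  It parses the
SSH_KNOWN_HOSTS FILE FORMAT from sshd(8) (marker (optional), hostnames,
key type, base64 key, comment) and answers two questions: which lines
are malformed (a .pub file pasted in unchanged has no hostnames field),
and which entries a given client host name would match.
"""
import base64
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


@dataclass
class Entry:
    lineno: int
    marker: Optional[str]   # "@cert-authority" / "@revoked" or None
    hostnames: List[str]    # comma-separated patterns, possibly hashed
    keytype: str
    key: str                # base64 blob, left unparsed here
    comment: str


def parse_known_hosts(text: str) -> Tuple[List[Entry], List[str]]:
    """Return (entries, problems); malformed lines are reported, not kept."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = fields.pop(0) if fields[0].startswith("@") else None
        # The mistake in the thread: a line that begins with the key type is a
        # .pub file, not a known_hosts entry. It has no hostnames field, so no
        # client name can ever match it and sshd reports "key ... not found".
        if fields and fields[0] in KEY_TYPES:
            problems.append(f"line {lineno}: begins with key type "
                            f"{fields[0]!r}; hostnames field is missing")
            continue
        if len(fields) < 3 or fields[1] not in KEY_TYPES:
            problems.append(f"line {lineno}: expected 'hostnames key-type key'")
            continue
        entries.append(Entry(lineno, marker, fields[0].split(","),
                             fields[1], fields[2], " ".join(fields[3:])))
    return entries, problems


def hash_hostname(host: str, salt: bytes) -> str:
    """The '|1|salt|mac' form written by HashKnownHosts (HMAC-SHA1 over the name)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def _pattern_matches(pattern: str, host: str) -> bool:
    if pattern.startswith("|1|"):
        salt = base64.b64decode(pattern.split("|")[2])
        return hmac.compare_digest(hash_hostname(host, salt), pattern)
    # Plain patterns: '*' and '?' wildcards, case-insensitive, otherwise exact,
    # so "host.example.com" and "host.example.com." are two different names.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, host, re.IGNORECASE) is not None


def host_matches(entry: Entry, host: str) -> bool:
    """Matches if some pattern matches and no '!' pattern excludes the name."""
    matched = False
    for pat in entry.hostnames:
        if pat.startswith("!"):
            if _pattern_matches(pat[1:], host):
                return False
        elif _pattern_matches(pat, host):
            matched = True
    return matched


def lookup(text: str, host: str, keytype: Optional[str] = None) -> List[Entry]:
    """Plain (unmarked) entries the client name `host` would hit."""
    entries, _ = parse_known_hosts(text)
    return [e for e in entries if e.marker is None and host_matches(e, host)
            and (keytype is None or e.keytype == keytype)]


# Constructed samples modelled on the thread; the key blob is a placeholder.
PUB_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLD"
PASTED_PUB_FILE = f"ssh-ed25519 {PUB_KEY} root@basement-gentoo\n"
FIXED_FILE = (
    f"basement-gentoo.krautclan.com ssh-ed25519 {PUB_KEY} root@basement-gentoo\n"
    f"basement-gentoo.krautclan.com. ssh-ed25519 {PUB_KEY} root@basement-gentoo\n"
)

if __name__ == "__main__":
    print("pasted .pub file:", parse_known_hosts(PASTED_PUB_FILE)[1])
    for name in ("basement-gentoo.krautclan.com",
                 "basement-gentoo.krautclan.com.", "basement-gentoo"):
        print(f"{name!r} -> {len(lookup(FIXED_FILE, name, 'ssh-ed25519'))} entry(ies)")
```

Run it against a copy of the server's /etc/ssh/ssh_known_hosts with the client name exactly as it appears in the sshd debug line ("key for host ... not found"); a result of zero entries for that name is the condition the thread's "RSA key is not allowed" message corresponds to.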
[Bug 3615] Host Based Authentication is failing

--- Comment #10 from Darren Tucker <dtucker@dtucker.net> ---
(In reply to Richard Kreutzer from comment #8)
> What do these debug lines mean:
> debug3: mm_answer_keyallowed: hostbased authentication test: ED25519
> key is not allowed

It means the key offered by the client was not accepted by the server,
probably because of the ssh_known_hosts format problem I mentioned
above.

[Bug 3615] Host Based Authentication is failing

--- Comment #11 from Richard Kreutzer <tunerooster@gmail.com> ---
Well, the keys were all generated by: "ssh-keygen -A". I just re-ran
it and it did not put host names at the start of the keys. I will add
fully qualified domain names to the .pub files manually and retry.

Is this an issue? Why isn't ssh-keygen creating public keys in the
required format?

Also, the public keys *do* work for the user based keys in ~rwk/.ssh/

User based passwordless authentication has always worked fine. I am
trying to switch to host based because the maintenance of many machines
with many users all needing to have script access to each other is just
too cumbersome.

I will update you after testing with FQDN at the head of each public
key. Thank you for your continued and prompt replies!

[Bug 3615] Host Based Authentication is failing

--- Comment #12 from Richard Kreutzer <tunerooster@gmail.com> ---
OK, for the sake of simplicity, I have tested with rsa only...

Here is basement-gentoo:/etc/ssh/ssh_host_rsa_key.pub

basement-gentoo.krautclan.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDOCSF+Ne8C8xgar9DTNn8iTJETkv4SLHooY6qvQ5p7AeHiKSYhh1H4D65jtHUEb1jfuQltqWdHNu4z+GtMY6tJYwtbWwJcLs1mK7kHaFa3/84HsbnCfWUywHmK3kjRNmCwzYVZ2bhe2tJ+LvbgaC6FbXEZXkx924hzIcrXc3V53zWl8jgApS7bZV8fJ+P6sQk3fqybECU/xBTeFhL3c8tO0r8z212OQbqYWL+fRQVXszJz4OpTIP9E0mmgi7/jryLiwNTY+uBbWBA/69QGQPbEEhmbUf2wYh0nT7v+ZdTHJuP4XhIvzgVf6zRgFJ6L8ReJZWzRxj+QRFYgHOgSPZ9ARV51qLvmByVrLiVxeTxKNvsQ/OF9CPF5rjhmR8JNUDRK4ww4wHM2ALOrfTC3Ow2sBfl6Clh5H+2jr1YYUR1I8mv0TwMrwno5WcJrdNmBZ+A4mVqfj0FRsLUywu4ykfpfsmxN/Dt5M8y49I4Du33FpzsAOGubd3PEZdcyZiYsRQ8= root@basement-gentoo


Here is gemini:/etc/ssh/ssh_known_hosts

basement-gentoo.krautclan.com ssh-rsa [...] root@basement-gentoo

Running this on basement-gentoo:

ssh -p 1023 -o PreferredAuthentications=hostbased gemini pwd

And this on gemini:

/usr/sbin/sshd -dddep 1023

I get this from the server debug output:


debug3: fd 4 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 7 config len 3337
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug3: recv_rexec_state: entering fd = 5
debug3: ssh_msg_recv entering
debug3: recv_rexec_state: done
debug2: parse_server_config_depth: config rexec len 3337
debug3: rexec:15 setting AddressFamily inet
debug3: rexec:19 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: rexec:20 setting HostKey /etc/ssh/ssh_host_dsa_key
debug3: rexec:21 setting HostKey /etc/ssh/ssh_host_ecdsa_key
debug3: rexec:22 setting HostKey /etc/ssh/ssh_host_ed25519_key
debug3: rexec:34 setting PermitRootLogin yes
debug3: rexec:53 setting HostbasedAuthentication yes
debug3: rexec:54 setting HostbasedUsesNameFromPacketOnly yes
debug3: rexec:58 setting IgnoreRhosts no
debug3: rexec:66 setting ChallengeResponseAuthentication no
debug3: rexec:87 setting UsePAM yes
debug3: rexec:92 setting X11Forwarding yes
debug3: rexec:93 setting X11DisplayOffset 10
debug3: rexec:94 setting X11UseLocalhost yes
debug3: rexec:96 setting PrintMotd no
debug3: rexec:97 setting PrintLastLog no
debug3: rexec:114 setting Subsystem sftp
/usr/lib64/misc/sftp-server
debug3: rexec:124 setting AcceptEnv LANG LC_*
debug3: rexec:126 setting UseDNS yes
debug1: sshd version OpenSSH_9.4, OpenSSL 3.1.2 1 Aug 2023
debug1: private host key #0: ssh-rsa
SHA256:RBjUkH7i6jeYKf3M6UdiArktuWuxFQxkbbd3RNkYmTc
debug1: private host key #1: ssh-dss
SHA256:QCavFBV4tIu+5+hai4IGqFZIF1hxkCTsagLiE05LlkQ
debug1: private host key #2: ecdsa-sha2-nistp256
SHA256:kJT1D+9lFXkt7xG/8Ix1eHQx0SYVqyU5K+euSHHX+vE
debug1: private host key #3: ssh-ed25519
SHA256:sHM5dcf+1bWQpNjiA5x+kkhWpMO5EdMIfh7TqeTHcY8
debug1: inetd sockets after dupping: 3, 3
debug3: process_channel_timeouts: setting 0 timeouts
debug3: channel_clear_timeouts: clearing
Connection from 192.168.1.17 port 46500 on 192.168.1.101 port 1023
rdomain ""
debug1: Local version string SSH-2.0-OpenSSH_9.4
debug1: Remote protocol version 2.0, remote software version
OpenSSH_9.4
debug1: compat_banner: match: OpenSSH_9.4 pat OpenSSH* compat
0x04000000
debug2: fd 3 setting O_NONBLOCK
debug3: ssh_sandbox_init: preparing seccomp filter sandbox
debug2: Network child is on pid 18370
debug3: preauth child monitor started
debug3: privsep user:group 22:22 [preauth]
debug1: permanently_set_uid: 22/22 [preauth]
debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth]
debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
debug3: append_hostkey_type: ssh-rsa key not permitted by
HostkeyAlgorithms [preauth]
debug3: append_hostkey_type: ssh-dss key not permitted by
HostkeyAlgorithms [preauth]
debug1: list_hostkey_types:
rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug3: send packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug3: receive packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug2: local server KEXINIT proposal [preauth]
debug2: KEX algorithms:
sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
[preauth]
debug2: host key algorithms:
rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug2: ciphers ctos:
chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
[preauth]
debug2: ciphers stoc:
chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
[preauth]
debug2: MACs ctos:
umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
[preauth]
debug2: MACs stoc:
umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
[preauth]
debug2: compression ctos: none,zlib@openssh.com [preauth]
debug2: compression stoc: none,zlib@openssh.com [preauth]
debug2: languages ctos: [preauth]
debug2: languages stoc: [preauth]
debug2: first_kex_follows 0 [preauth]
debug2: reserved 0 [preauth]
debug2: peer client KEXINIT proposal [preauth]
debug2: KEX algorithms:
sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
[preauth]
debug2: host key algorithms:
ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
[preauth]
debug2: ciphers ctos:
chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
[preauth]
debug2: ciphers stoc:
chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
[preauth]
debug2: MACs ctos:
umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
[preauth]
debug2: MACs stoc:
umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
[preauth]
debug2: compression ctos: none,zlib@openssh.com,zlib [preauth]
debug2: compression stoc: none,zlib@openssh.com,zlib [preauth]
debug2: languages ctos: [preauth]
debug2: languages stoc: [preauth]
debug2: first_kex_follows 0 [preauth]
debug2: reserved 0 [preauth]
debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com [preauth]
debug1: kex: host key algorithm: ssh-ed25519 [preauth]
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC:
<implicit> compression: none [preauth]
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC:
<implicit> compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug3: receive packet: type 30 [preauth]
debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth]
debug3: mm_sshkey_sign: entering [preauth]
debug3: mm_request_send: entering, type 6 [preauth]
debug3: mm_sshkey_sign: waiting for MONITOR_ANS_SIGN [preauth]
debug3: mm_request_receive_expect: entering, type 7 [preauth]
debug3: mm_request_receive: entering [preauth]
debug3: mm_request_receive: entering
debug3: monitor_read: checking request 6
debug3: mm_answer_sign: entering
debug3: mm_answer_sign: ssh-ed25519 KEX signature len=83
debug3: mm_request_send: entering, type 7
debug2: monitor_read: 6 used once, disabling now
debug3: send packet: type 31 [preauth]
debug3: send packet: type 21 [preauth]
debug2: ssh_set_newkeys: mode 1 [preauth]
debug1: rekey out after 134217728 blocks [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: Sending SSH2_MSG_EXT_INFO [preauth]
debug3: send packet: type 7 [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug3: receive packet: type 21 [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug2: ssh_set_newkeys: mode 0 [preauth]
debug1: rekey in after 134217728 blocks [preauth]
debug1: KEX done [preauth]
debug3: receive packet: type 5 [preauth]
debug3: send packet: type 6 [preauth]
debug3: receive packet: type 50 [preauth]
debug1: userauth-request for user rwk service ssh-connection method
none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug3: mm_getpwnamallow: entering [preauth]
debug3: mm_request_send: entering, type 8 [preauth]
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
debug3: mm_request_receive_expect: entering, type 9 [preauth]
debug3: mm_request_receive: entering [preauth]
debug3: mm_request_receive: entering
debug3: monitor_read: checking request 8
debug3: mm_answer_pwnamallow: entering
debug3: Trying to reverse map address 192.168.1.17.
debug2: parse_server_config_depth: config reprocess config len 3337
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send: entering, type 9
debug2: monitor_read: 8 used once, disabling now
debug3: process_channel_timeouts: setting 0 timeouts [preauth]
debug3: channel_clear_timeouts: clearing [preauth]
debug2: input_userauth_request: setting up authctxt for rwk [preauth]
debug3: mm_start_pam entering [preauth]
debug3: mm_request_send: entering, type 100 [preauth]
debug3: mm_inform_authserv: entering [preauth]
debug3: mm_request_send: entering, type 4 [preauth]
debug2: input_userauth_request: try method none [preauth]
debug3: user_specific_delay: user specific delay 0.000ms [preauth]
debug3: ensure_minimum_time_since: elapsed 6.643ms, delaying 0.551ms
(requested 7.194ms) [preauth]
debug3: mm_request_receive: entering
debug3: monitor_read: checking request 100
debug1: PAM: initializing for "rwk"
debug1: PAM: setting PAM_RHOST to "basement-gentoo.krautclan.com"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 100 used once, disabling now
debug3: userauth_finish: failure partial=0 next
methods="publickey,password,hostbased" [preauth]
debug3: send packet: type 51 [preauth]
Connection closed by authenticating user rwk 192.168.1.17 port 46500
[preauth]
debug1: do_cleanup [preauth]
debug3: PAM: sshpam_thread_cleanup entering [preauth]
debug1: monitor_read_log: child log fd closed
debug3: mm_request_receive: entering
debug3: monitor_read: checking request 4
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive: entering
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: Killing privsep child 18370

And basement-gentoo just says:

rwk@basement-gentoo /etc/ssh $ ssh -p 1023 -o PreferredAuthentications=hostbased gemini pwd
rwk@gemini: Permission denied (publickey,password,hostbased).

NOTE this line in the server debug output above:

debug3: append_hostkey_type: ssh-rsa key not permitted by
HostkeyAlgorithms [preauth]

[Bug 3615] Host Based Authentication is failing

--- Comment #13 from Richard Kreutzer <tunerooster@gmail.com> ---
P.S. I am still using:

HostbasedUsesNameFromPacketOnly yes

I thought I read somewhere that this can cause a problem if DNS and
rDNS are working properly and UseDNS is yes. Should I remove it?

[Bug 3615] Host Based Authentication is failing

--- Comment #14 from Darren Tucker <dtucker@dtucker.net> ---
(In reply to Richard Kreutzer from comment #12)
> OK, for the sake of simplicity, I have tested with rsa only...
>
> Here is basement-gentoo:/etc/ssh/ssh_host_rsa_key.pub
> basement-gentoo.krautclan.com ssh-rsa [...]

That's wrong, the host public keys don't have the name in them, only
when you add them to known_hosts. I'm not sure if that'll actually
cause a problem since the public key can be derived from the private
key, but still I'd change it back...

> Here is gemini:/etc/ssh/ssh_known_hosts
>
> basement-gentoo.krautclan.com ssh-rsa [...]

This format is right.

It's hard to tell what happened without the client side debugging, but
it looks like the client did not try hostbased for some reason.

> debug3: append_hostkey_type: ssh-rsa key not permitted by
> HostkeyAlgorithms [preauth]

That's a wrinkle: ssh-rsa *keys* are also usable by the SHA2-based RSA
*algorithms* such as rsa-sha2-512 which are enabled by default. It is
one more variable though.

Here's what I suggest to reduce the number of variables:
- test only with ssh-ed25519 keys since those have only one algorithm
- keep HostbasedUsesNameFromPacketOnly yes and
PreferredAuthentications=hostbased
- put two entries in ssh_known_hosts for your FQDN both with and
without a trailing dot
- always use the FQDN on the SSH command line, since "ssh ... gemini"
would likely mean you're sending it without the domain name, and since
you have HostBasedUsesNameFromPacket that won't match the
ssh_known_hosts entry (again, without the client side debugging it's
hard to tell).

Then once you get it working, start changing one thing at a time until
you get it to the config you want (e.g. by adding "Hostname $your_fqdn"
to your ~/.ssh/config).

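Added example, not from this thread and not OpenSSH code: a Python triage of an `sshd -ddd` trace that applies the checks made in the replies above in order (did the client send a hostbased userauth request at all, which name did sshd look up in its known_hosts files, which offered key types were rejected). The regular expressions target the OpenSSH 9.4 wording quoted in this bug; other releases may phrase these lines differently. The two sample traces are constructed from lines quoted in comments #5 and #12, with a placeholder fingerprint, and are not real captures.

```python
"""Triage hostbased authentication from an `sshd -ddd` trace.

Added example for this thread, not OpenSSH code.  The patterns are written
against the OpenSSH 9.4 debug lines quoted in the thread; other releases may
word them differently.  The sample traces below are constructed from those
quoted lines and are not a real capture.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

METHOD = re.compile(r"userauth-request for user \S+ service \S+ method (\S+)")
LOOKUP = re.compile(r"check_key_in_hostfiles: key for host (\S+) not found")
REJECTED = re.compile(r"hostbased authentication test: (\S+) key is not allowed")
FAILED = re.compile(r'Failed hostbased for \S+ from \S+ .*client host "([^"]+)"')
ACCEPTED = re.compile(r"Accepted hostbased for \S+ from \S+")


@dataclass
class HostbasedReport:
    methods_tried: List[str] = field(default_factory=list)
    lookup_names: List[str] = field(default_factory=list)  # names sshd searched
    rejected_keytypes: List[str] = field(default_factory=list)
    failed_for_host: Optional[str] = None  # client host name from the Failed line
    accepted: bool = False


def analyse(lines: Iterable[str]) -> HostbasedReport:
    """Walk the trace once and collect the hostbased-relevant facts."""
    report = HostbasedReport()
    for raw in lines:
        line = raw.strip().lstrip(">").strip()   # tolerate '>'-quoted pastes
        if m := METHOD.search(line):
            report.methods_tried.append(m.group(1))
        elif (m := LOOKUP.search(line)) and m.group(1) not in report.lookup_names:
            report.lookup_names.append(m.group(1))
        elif m := REJECTED.search(line):
            report.rejected_keytypes.append(m.group(1))
        elif m := FAILED.search(line):
            report.failed_for_host = m.group(1)
        elif ACCEPTED.search(line):
            report.accepted = True
    return report


def verdict(report: HostbasedReport) -> str:
    """One-line diagnosis, in the order the thread's replies checked things."""
    if report.accepted:
        return "hostbased accepted"
    if "hostbased" not in report.methods_tried:
        return ("client never sent a hostbased userauth request; check the "
                "client-side config and the client debug trace")
    if report.lookup_names:
        return ("server found no key for client host %s in its known_hosts "
                "files; add the host key under exactly that name"
                % ", ".join(report.lookup_names))
    if report.rejected_keytypes:
        return "server rejected offered key types: " + ", ".join(report.rejected_keytypes)
    return "hostbased was attempted but no decisive line was found"


# Constructed from the lines quoted in comments #5 and #12 (not a real capture).
TRACE_KEY_NOT_FOUND = """\
debug1: userauth-request for user rwk service ssh-connection method none [preauth]
debug1: userauth-request for user rwk service ssh-connection method hostbased [preauth]
debug1: check_key_in_hostfiles: key for host basement-gentoo.krautclan.com not found
debug1: load_hostkeys: fopen /home/rwk/.ssh/known_hosts2: No such file or directory
debug1: check_key_in_hostfiles: key for host basement-gentoo.krautclan.com not found
debug3: mm_answer_keyallowed: hostbased authentication test: RSA key is not allowed
Failed hostbased for rwk from 192.168.1.17 port 47186 ssh2: RSA SHA256:PLACEHOLDER, client user "rwk", client host "basement-gentoo.krautclan.com"
""".splitlines()

TRACE_NO_ATTEMPT = """\
debug1: userauth-request for user rwk service ssh-connection method none [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,password,hostbased" [preauth]
Connection closed by authenticating user rwk 192.168.1.17 port 46500 [preauth]
""".splitlines()

if __name__ == "__main__":
    for name, trace in (("first trace", TRACE_KEY_NOT_FOUND),
                        ("second trace", TRACE_NO_ATTEMPT)):
        print(f"{name}: {verdict(analyse(trace))}")
```

On the two constructed traces the verdicts reproduce the diagnoses in comments #5 and #14: the first trace shows sshd searching for "basement-gentoo.krautclan.com" and finding nothing, the second shows only a "method none" request, i.e. the client never offered hostbased at all.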
[Bug 3615] Host Based Authentication is failing

--- Comment #15 from Richard Kreutzer <tunerooster@gmail.com> ---
Ok, here are the logs for both sides. And here is the suggested
ssh_known_hosts:

basement-gentoo.krautclan.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL7ScLQVn+2HvNUpLTdmfpKiduxvZS8s1HoHQV8OeOAH root@basement-gentoo
basement-gentoo.krautclan.com. ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL7ScLQVn+2HvNUpLTdmfpKiduxvZS8s1HoHQV8OeOAH root@basement-gentoo


gemini /etc/ssh # /usr/sbin/sshd -dddep 1023
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 3337
debug2: parse_server_config_depth: config /etc/ssh/sshd_config len 3337
debug3: /etc/ssh/sshd_config:15 setting AddressFamily inet
debug3: /etc/ssh/sshd_config:19 setting HostKey
/etc/ssh/ssh_host_rsa_key
debug3: /etc/ssh/sshd_config:20 setting HostKey
/etc/ssh/ssh_host_dsa_key
debug3: /etc/ssh/sshd_config:21 setting HostKey
/etc/ssh/ssh_host_ecdsa_key
debug3: /etc/ssh/sshd_config:22 setting HostKey
/etc/ssh/ssh_host_ed25519_key
debug3: /etc/ssh/sshd_config:34 setting PermitRootLogin yes
debug3: /etc/ssh/sshd_config:53 setting HostbasedAuthentication yes
debug3: /etc/ssh/sshd_config:54 setting HostbasedUsesNameFromPacketOnly
yes
debug3: /etc/ssh/sshd_config:58 setting IgnoreRhosts no
debug3: /etc/ssh/sshd_config:66 setting ChallengeResponseAuthentication
no
debug3: /etc/ssh/sshd_config:87 setting UsePAM yes
debug3: /etc/ssh/sshd_config:92 setting X11Forwarding yes
debug3: /etc/ssh/sshd_config:93 setting X11DisplayOffset 10
debug3: /etc/ssh/sshd_config:94 setting X11UseLocalhost yes
debug3: /etc/ssh/sshd_config:96 setting PrintMotd no
debug3: /etc/ssh/sshd_config:97 setting PrintLastLog no
debug3: /etc/ssh/sshd_config:114 setting Subsystem sftp
/usr/lib64/misc/sftp-server
debug3: /etc/ssh/sshd_config:124 setting AcceptEnv LANG LC_*
debug3: /etc/ssh/sshd_config:126 setting UseDNS yes
debug1: sshd version OpenSSH_9.4, OpenSSL 3.1.2 1 Aug 2023
debug1: private host key #0: ssh-rsa
SHA256:RBjUkH7i6jeYKf3M6UdiArktuWuxFQxkbbd3RNkYmTc
debug1: private host key #1: ssh-dss
SHA256:QCavFBV4tIu+5+hai4IGqFZIF1hxkCTsagLiE05LlkQ
debug1: private host key #2: ecdsa-sha2-nistp256
SHA256:kJT1D+9lFXkt7xG/8Ix1eHQx0SYVqyU5K+euSHHX+vE
debug1: private host key #3: ssh-ed25519
SHA256:sHM5dcf+1bWQpNjiA5x+kkhWpMO5EdMIfh7TqeTHcY8
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-dddep'
debug1: rexec_argv[2]='1023'
debug3: oom_adjust_setup
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 1023 on 0.0.0.0.
Server listening on 0.0.0.0 port 1023.
debug3: fd 4 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 7 config len 3337
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug3: recv_rexec_state: entering fd = 5
debug3: ssh_msg_recv entering
debug3: recv_rexec_state: done
debug2: parse_server_config_depth: config rexec len 3337
debug3: rexec:15 setting AddressFamily inet
debug3: rexec:19 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: rexec:20 setting HostKey /etc/ssh/ssh_host_dsa_key
debug3: rexec:21 setting HostKey /etc/ssh/ssh_host_ecdsa_key
debug3: rexec:22 setting HostKey /etc/ssh/ssh_host_ed25519_key
debug3: rexec:34 setting PermitRootLogin yes
debug3: rexec:53 setting HostbasedAuthentication yes
debug3: rexec:54 setting HostbasedUsesNameFromPacketOnly yes
debug3: rexec:58 setting IgnoreRhosts no
debug3: rexec:66 setting ChallengeResponseAuthentication no
debug3: rexec:87 setting UsePAM yes
debug3: rexec:92 setting X11Forwarding yes
debug3: rexec:93 setting X11DisplayOffset 10
debug3: rexec:94 setting X11UseLocalhost yes
debug3: rexec:96 setting PrintMotd no
debug3: rexec:97 setting PrintLastLog no
debug3: rexec:114 setting Subsystem sftp
/usr/lib64/misc/sftp-server
debug3: rexec:124 setting AcceptEnv LANG LC_*
debug3: rexec:126 setting UseDNS yes
debug1: sshd version OpenSSH_9.4, OpenSSL 3.1.2 1 Aug 2023
debug1: private host key #0: ssh-rsa
SHA256:RBjUkH7i6jeYKf3M6UdiArktuWuxFQxkbbd3RNkYmTc
debug1: private host key #1: ssh-dss
SHA256:QCavFBV4tIu+5+hai4IGqFZIF1hxkCTsagLiE05LlkQ
debug1: private host key #2: ecdsa-sha2-nistp256
SHA256:kJT1D+9lFXkt7xG/8Ix1eHQx0SYVqyU5K+euSHHX+vE
debug1: private host key #3: ssh-ed25519
SHA256:sHM5dcf+1bWQpNjiA5x+kkhWpMO5EdMIfh7TqeTHcY8
debug1: inetd sockets after dupping: 3, 3
debug3: process_channel_timeouts: setting 0 timeouts
debug3: channel_clear_timeouts: clearing
Connection from 192.168.1.17 port 36650 on 192.168.1.101 port 1023
rdomain ""
debug1: Local version string SSH-2.0-OpenSSH_9.4
debug1: Remote protocol version 2.0, remote software version
OpenSSH_9.4
debug1: compat_banner: match: OpenSSH_9.4 pat OpenSSH* compat
0x04000000
debug2: fd 3 setting O_NONBLOCK
debug3: ssh_sandbox_init: preparing seccomp filter sandbox
debug2: Network child is on pid 8428
debug3: preauth child monitor started
debug3: privsep user:group 22:22 [preauth]
debug1: permanently_set_uid: 22/22 [preauth]
debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth]
debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
debug3: append_hostkey_type: ssh-rsa key not permitted by
HostkeyAlgorithms [preauth]
debug3: append_hostkey_type: ssh-dss key not permitted by
HostkeyAlgorithms [preauth]
debug1: list_hostkey_types:
rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug3: send packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug3: receive packet: type 20 [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug2: local server KEXINIT proposal [preauth]
debug2: KEX algorithms:
sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
[preauth]
debug2: host key algorithms:
rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug2: ciphers ctos:
chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
[preauth]
debug2: ciphers stoc:
chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
[preauth]
debug2: MACs ctos:
umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
[preauth]
debug2: MACs stoc:
umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
[preauth]
debug2: compression ctos: none,zlib@openssh.com [preauth]
debug2: compression stoc: none,zlib@openssh.com [preauth]
debug2: languages ctos: [preauth]
debug2: languages stoc: [preauth]
debug2: first_kex_follows 0 [preauth]
debug2: reserved 0 [preauth]
debug2: peer client KEXINIT proposal [preauth]
debug2: KEX algorithms:
sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
[preauth]
debug2: host key algorithms:
ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
[preauth]
debug2: ciphers ctos:
chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
[preauth]
debug2: ciphers stoc:
chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
[preauth]
debug2: MACs ctos:
umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
[preauth]
debug2: MACs stoc:
umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
[preauth]
debug2: compression ctos: none,zlib@openssh.com,zlib [preauth]
debug2: compression stoc: none,zlib@openssh.com,zlib [preauth]
debug2: languages ctos: [preauth]
debug2: languages stoc: [preauth]
debug2: first_kex_follows 0 [preauth]
debug2: reserved 0 [preauth]
debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com [preauth]
debug1: kex: host key algorithm: ssh-ed25519 [preauth]
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC:
<implicit> compression: none [preauth]
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC:
<implicit> compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug3: receive packet: type 30 [preauth]
debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth]
debug3: mm_sshkey_sign: entering [preauth]
debug3: mm_request_send: entering, type 6 [preauth]
debug3: mm_sshkey_sign: waiting for MONITOR_ANS_SIGN [preauth]
debug3: mm_request_receive_expect: entering, type 7 [preauth]
debug3: mm_request_receive: entering [preauth]
debug3: mm_request_receive: entering
debug3: monitor_read: checking request 6
debug3: mm_answer_sign: entering
debug3: mm_answer_sign: ssh-ed25519 KEX signature len=83
debug3: mm_request_send: entering, type 7
debug2: monitor_read: 6 used once, disabling now
debug3: send packet: type 31 [preauth]
debug3: send packet: type 21 [preauth]
debug2: ssh_set_newkeys: mode 1 [preauth]
debug1: rekey out after 134217728 blocks [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: Sending SSH2_MSG_EXT_INFO [preauth]
debug3: send packet: type 7 [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug3: receive packet: type 21 [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug2: ssh_set_newkeys: mode 0 [preauth]
debug1: rekey in after 134217728 blocks [preauth]
debug1: KEX done [preauth]
debug3: receive packet: type 5 [preauth]
debug3: send packet: type 6 [preauth]
debug3: receive packet: type 50 [preauth]
debug1: userauth-request for user rwk service ssh-connection method
none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug3: mm_getpwnamallow: entering [preauth]
debug3: mm_request_send: entering, type 8 [preauth]
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
debug3: mm_request_receive_expect: entering, type 9 [preauth]
debug3: mm_request_receive: entering [preauth]
debug3: mm_request_receive: entering
debug3: monitor_read: checking request 8
debug3: mm_answer_pwnamallow: entering
debug3: Trying to reverse map address 192.168.1.17.
debug2: parse_server_config_depth: config reprocess config len 3337
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send: entering, type 9
debug2: monitor_read: 8 used once, disabling now
debug3: process_channel_timeouts: setting 0 timeouts [preauth]
debug3: channel_clear_timeouts: clearing [preauth]
debug2: input_userauth_request: setting up authctxt for rwk [preauth]
debug3: mm_start_pam entering [preauth]
debug3: mm_request_send: entering, type 100 [preauth]
debug3: mm_inform_authserv: entering [preauth]
debug3: mm_request_send: entering, type 4 [preauth]
debug2: input_userauth_request: try method none [preauth]
debug3: user_specific_delay: user specific delay 0.000ms [preauth]
debug3: ensure_minimum_time_since: elapsed 6.612ms, delaying 0.582ms
(requested 7.194ms) [preauth]
debug3: mm_request_receive: entering
debug3: monitor_read: checking request 100
debug1: PAM: initializing for "rwk"
debug1: PAM: setting PAM_RHOST to "basement-gentoo.krautclan.com"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 100 used once, disabling now
debug3: userauth_finish: failure partial=0 next
methods="publickey,password,hostbased" [preauth]
debug3: send packet: type 51 [preauth]
Connection closed by authenticating user rwk 192.168.1.17 port 36650
[preauth]
debug1: do_cleanup [preauth]
debug3: PAM: sshpam_thread_cleanup entering [preauth]
debug1: monitor_read_log: child log fd closed
debug3: mm_request_receive: entering
debug3: monitor_read: checking request 4
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive: entering
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: Killing privsep child 8428

rwk@basement-gentoo /etc/ssh $ ssh -vvv -p 1023 -o
PreferredAuthentications=hostbased gemini.krautclan.com pwd
OpenSSH_9.4p1, OpenSSL 3.1.2 1 Aug 2023
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 51: Including file
/etc/ssh/ssh_config.d/9999999gentoo-security.conf depth 0
debug1: Reading configuration data
/etc/ssh/ssh_config.d/9999999gentoo-security.conf
debug3: /etc/ssh/ssh_config line 51: Including file
/etc/ssh/ssh_config.d/9999999gentoo.conf depth 0
debug1: Reading configuration data
/etc/ssh/ssh_config.d/9999999gentoo.conf
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' ->
'/home/rwk/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' ->
'/home/rwk/.ssh/known_hosts2'
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve;
disabling
debug2: resolving "gemini.krautclan.com" port 1023
debug3: resolve_host: lookup gemini.krautclan.com:1023
debug3: ssh_connect_direct: entering
debug1: Connecting to gemini.krautclan.com [192.168.1.101] port 1023.
debug3: set_sock_tos: set socket 3 IP_TOS 0x48
debug1: Connection established.
debug1: HostbasedAuthentication enabled but no local public host keys
could be loaded.
debug1: identity file /home/rwk/.ssh/id_rsa type 0
debug1: identity file /home/rwk/.ssh/id_rsa-cert type -1
debug1: identity file /home/rwk/.ssh/id_ecdsa type -1
debug1: identity file /home/rwk/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/rwk/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/rwk/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/rwk/.ssh/id_ed25519 type 3
debug1: identity file /home/rwk/.ssh/id_ed25519-cert type -1
debug1: identity file /home/rwk/.ssh/id_ed25519_sk type -1
debug1: identity file /home/rwk/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/rwk/.ssh/id_xmss type -1
debug1: identity file /home/rwk/.ssh/id_xmss-cert type -1
debug1: identity file /home/rwk/.ssh/id_dsa type -1
debug1: identity file /home/rwk/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.4
debug1: Remote protocol version 2.0, remote software version
OpenSSH_9.4
debug1: compat_banner: match: OpenSSH_9.4 pat OpenSSH* compat
0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to gemini.krautclan.com:1023 as 'rwk'
debug3: put_host_port: [gemini.krautclan.com]:1023
debug1: load_hostkeys: fopen /home/rwk/.ssh/known_hosts2: No such file
or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or
directory
debug3: order_hostkeyalgs: no algorithms matched; accept original
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms:
sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms:
ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos:
chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc:
chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos:
umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc:
umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms:
sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms:
rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos:
chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc:
chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos:
umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc:
umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC:
<implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC:
<implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519
SHA256:sHM5dcf+1bWQpNjiA5x+kkhWpMO5EdMIfh7TqeTHcY8
debug2: ssh_krl_from_blob: bad KRL magic header
debug3: put_host_port: [192.168.1.101]:1023
debug3: put_host_port: [gemini.krautclan.com]:1023
debug1: load_hostkeys: fopen /home/rwk/.ssh/known_hosts2: No such file
or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or
directory
debug1: checking without port identifier
debug3: record_hostkey: found key type ED25519 in file
/home/rwk/.ssh/known_hosts:63
debug3: load_hostkeys_file: loaded 1 keys from gemini.krautclan.com
debug1: load_hostkeys: fopen /home/rwk/.ssh/known_hosts2: No such file
or directory
debug3: record_hostkey: found key type RSA in file
/etc/ssh/ssh_known_hosts:1
debug3: record_hostkey: found key type ECDSA in file
/etc/ssh/ssh_known_hosts:2
debug3: record_hostkey: found key type ED25519 in file
/etc/ssh/ssh_known_hosts:3
debug3: load_hostkeys_file: loaded 3 keys from gemini.krautclan.com
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or
directory
debug1: Host 'gemini.krautclan.com' is known and matches the ED25519
host key.
debug1: Found key in /home/rwk/.ssh/known_hosts:63
debug1: found matching key w/out port
debug1: check_host_key: hostkey not known or explicitly trusted:
disabling UpdateHostkeys
debug3: send packet: type 21
debug2: ssh_set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: ssh_set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug3: ssh_get_authentication_socket_path: path
'/run/user/1000/keyring/ssh'
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: agent returned 2 keys
debug1: Will attempt key: /home/rwk/.ssh/id_rsa RSA
SHA256:qqqwwZXoFvDpyWoQcSpcIx3PkvPhR8cFrvNg9enmavo agent
debug1: Will attempt key: /home/rwk/.ssh/id_ed25519 ED25519
SHA256:VXeDL5JL/A8x7sJSD0PGVy05eCthkOkwrj3T4ppPYUc agent
debug1: Will attempt key: /home/rwk/.ssh/id_ecdsa
debug1: Will attempt key: /home/rwk/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/rwk/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/rwk/.ssh/id_xmss
debug1: Will attempt key: /home/rwk/.ssh/id_dsa
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info:
server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com,ssh-dss,ssh-rsa,rsa-sha2-256,rsa-sha2-512>
debug1: kex_input_ext_info: publickey-hostbound@openssh.com=<0>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password,hostbased
debug3: start over, passed a different list
publickey,password,hostbased
debug3: preferred hostbased
debug3: authmethod_lookup hostbased
debug3: remaining preferred:
debug3: authmethod_is_enabled hostbased
debug1: Next authentication method: hostbased
debug3: userauth_hostbased: trying key type
ssh-ed25519-cert-v01@openssh.com
debug3: userauth_hostbased: trying key type
ecdsa-sha2-nistp256-cert-v01@openssh.com
debug3: userauth_hostbased: trying key type
ecdsa-sha2-nistp384-cert-v01@openssh.com
debug3: userauth_hostbased: trying key type
ecdsa-sha2-nistp521-cert-v01@openssh.com
debug3: userauth_hostbased: trying key type
sk-ssh-ed25519-cert-v01@openssh.com
debug3: userauth_hostbased: trying key type
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
debug3: userauth_hostbased: trying key type
rsa-sha2-512-cert-v01@openssh.com
debug3: userauth_hostbased: trying key type
rsa-sha2-256-cert-v01@openssh.com
debug3: userauth_hostbased: trying key type ssh-ed25519
debug3: userauth_hostbased: trying key type ecdsa-sha2-nistp256
debug3: userauth_hostbased: trying key type ecdsa-sha2-nistp384
debug3: userauth_hostbased: trying key type ecdsa-sha2-nistp521
debug3: userauth_hostbased: trying key type sk-ssh-ed25519@openssh.com
debug3: userauth_hostbased: trying key type
sk-ecdsa-sha2-nistp256@openssh.com
debug3: userauth_hostbased: trying key type rsa-sha2-512
debug3: userauth_hostbased: trying key type rsa-sha2-256
debug1: No more client hostkeys for hostbased authentication.
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
rwk@gemini.krautclan.com: Permission denied
(publickey,password,hostbased).

P.S. Do you prefer the logs in an attachment?

[Bug 3615] Host Based Authentication is failing [ In reply to ]
https://bugzilla.mindrot.org/show_bug.cgi?id=3615

--- Comment #16 from Richard Kreutzer <tunerooster@gmail.com> ---

[Bug 3615] Host Based Authentication is failing [ In reply to ]
https://bugzilla.mindrot.org/show_bug.cgi?id=3615

--- Comment #17 from Richard Kreutzer <tunerooster@gmail.com> ---
Not sure why but my cut/paste logs are not getting to you correctly. I
am reposting as an attachment. Please wait for the attachment.

[Bug 3615] Host Based Authentication is failing [ In reply to ]
https://bugzilla.mindrot.org/show_bug.cgi?id=3615

--- Comment #18 from Richard Kreutzer <tunerooster@gmail.com> ---
Created attachment 3735
--> https://bugzilla.mindrot.org/attachment.cgi?id=3735&action=edit
ssh debug logs

Use this.

[Bug 3615] Host Based Authentication is failing [ In reply to ]
https://bugzilla.mindrot.org/show_bug.cgi?id=3615

--- Comment #19 from Darren Tucker <dtucker@dtucker.net> ---
I'll take a look at the logs, but one question: do you have
"EnableSSHKeysign yes" in /etc/ssh/ssh_config? It needs to be in the
global section:

```
EnableSSHKeysign
        Setting this option to yes in the global client configuration
        file /etc/ssh/ssh_config enables the use of the helper program
        ssh-keysign(8) during HostbasedAuthentication.  The argument must
        be yes or no (the default).  This option should be placed in the
        non-hostspecific section.  See ssh-keysign(8) for more
        information.
```

[Bug 3615] Host Based Authentication is failing
https://bugzilla.mindrot.org/show_bug.cgi?id=3615

--- Comment #20 from Darren Tucker <dtucker@dtucker.net> ---
(In reply to Darren Tucker from comment #19)
> I'll take a look at the logs, but one question: do you have
> "EnableSSHKeysign yes" in /etc/ssh/ssh_config? It needs to be in
> the global section

... on the client side.

[Bug 3615] Host Based Authentication is failing
https://bugzilla.mindrot.org/show_bug.cgi?id=3615

--- Comment #21 from Richard Kreutzer <tunerooster@gmail.com> ---
rwk@basement-gentoo /etc/ssh $ grep EnableSSHKeysign ssh_config
EnableSSHKeysign yes

[Bug 3615] Host Based Authentication is failing
https://bugzilla.mindrot.org/show_bug.cgi?id=3615

--- Comment #22 from Darren Tucker <dtucker@dtucker.net> ---
(In reply to Richard Kreutzer from comment #16)
[...]
> debug1: HostbasedAuthentication enabled but no local public host
> keys could be loaded.

This means the client could not load any of the public key files in its
default paths. 1) did you undo your changes to the .pub files and 2)
are the .pub files world readable? Your earlier debug traces did not
have this warning so it's new.

(The subsequent debugging indicated that the client had only RSA host
keys, but your server only has known_hosts for ed25519 keys. Did you
put the client's host public keys in the server's ssh_known_hosts?)

(In reply to Richard Kreutzer from comment #15)
[...]
> P.S. Do you prefer the logs in an attachment?

Attachments are preferable. You can easily quote the relevant parts if
necessary, but as you can see in this bug having logs in comments
quickly becomes unwieldy.

[Bug 3615] Host Based Authentication is failing
https://bugzilla.mindrot.org/show_bug.cgi?id=3615

--- Comment #23 from Richard Kreutzer <tunerooster@gmail.com> ---
1. No, the fqdn are still in the .pub files
2. Yes the .pub files are world readable

On the client (basement-gentoo):

rwk@basement-gentoo /etc/ssh $ ls -l *.pub
-rw-r--r-- 1 root root 212 Sep 21 18:42 ssh_host_ecdsa_key.pub
-rw-r--r-- 1 root root 132 Sep 21 18:42 ssh_host_ed25519_key.pub
-rw-r--r-- 1 root root 604 Sep 21 18:42 ssh_host_rsa_key.pub

rwk@basement-gentoo /etc/ssh $ cat ssh_host_ed25519_key.pub
basement-gentoo.krautclan.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL7ScLQVn+2HvNUpLTdmfpKiduxvZS8s1HoHQV8OeOAH root@basement-gentoo

On the server (gemini):

gemini /etc/ssh # cat ssh_known_hosts
basement-gentoo.krautclan.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL7ScLQVn+2HvNUpLTdmfpKiduxvZS8s1HoHQV8OeOAH root@basement-gentoo
basement-gentoo.krautclan.com. ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL7ScLQVn+2HvNUpLTdmfpKiduxvZS8s1HoHQV8OeOAH root@basement-gentoo

OK, I will use an attachment for the logs.

Again, thank you for your continued support!

[Bug 3615] Host Based Authentication is failing
https://bugzilla.mindrot.org/show_bug.cgi?id=3615

--- Comment #24 from Darren Tucker <dtucker@dtucker.net> ---
(In reply to Richard Kreutzer from comment #23)
> 1. No, the fqdn are still in the .pub files

The fqdn should not be in the .pub files. The line should start with
ssh-rsa, ssh-ed25519 or similar. That would explain the "no local
public host keys" warning.

[Bug 3615] Host Based Authentication is failing
https://bugzilla.mindrot.org/show_bug.cgi?id=3615

--- Comment #25 from Richard Kreutzer <tunerooster@gmail.com> ---
So you are saying the fqdn should be in the ssh_known_host file on the
server, but *not* in the /etc/ssh/ssh_host_ed25519_key.pub file on the
client.

OMG, it worked! It also works with just "ssh gemini", i.e., "ssh
gemini.krautclan.com" is not required.

I always just copied the contents of the .pub file on each machine to
each server unchanged. And this works of course, for the
authorized_keys file for each used.

I will now have to add the fqdn to the beginning of each key from the
.pub files after pasting them into the ssh_known_hosts file for
each server. And since all the machines are both clients and servers,
that means every machine, which I certainly can do.

But it surprises me that there is not a built-in way to do this, or is
there? Something like "ssh-copy-id".

Thank you so much! I would never have found this requirement, as it
does not seem to be mentioned in any of the HBA guides I found.

Please confirm that my above strategy is correct, and that there is no
better way to do this, before I start writing a script to automate it.

Best regards!!!

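As an added example, not from the bug thread or the OpenSSH project, for the two-file layout Darren describes (plain `keytype base64 comment` in the client's .pub files, hostname-prefixed lines in the server's ssh_known_hosts) and the automation asked about in comment #25: a POSIX sh script that checks a client's ssh_host_*.pub files are in plain form, repairs a line that had a hostname prepended, and prints the ssh_known_hosts lines for a given FQDN. Hostnames and key material in the comments and tests are constructed; ssh-keyscan, which ships with OpenSSH, produces the same known_hosts-format lines over the network.

```shell
#!/bin/sh
# Added example (not part of the bug thread or OpenSSH). Checks that a host's
# /etc/ssh/ssh_host_*.pub files are in the plain "keytype base64 comment" form
# the hostbased client needs, and prints the "FQDN keytype base64" lines that
# belong in the server's /etc/ssh/ssh_known_hosts. All names/keys in the
# tests are constructed.

# Succeeds when the line starts with an OpenSSH key type followed by base64
# data. A line that starts with a hostname (as in the thread) fails here.
is_plain_pubkey() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)[[:space:]]+[A-Za-z0-9+/]+=*([[:space:]]|$)'
}

# known_hosts_line FQDN PUBKEY_LINE: print "FQDN keytype base64" (comment
# dropped); fail if the input is not a plain public key line.
known_hosts_line() {
    fqdn=$1
    is_plain_pubkey "$2" || return 1
    set -f; set -- $2; set +f      # split on whitespace, no glob expansion
    printf '%s %s %s\n' "$fqdn" "$1" "$2"
}

# strip_host_prefix LINE: undo a hostname prepended to a .pub line (the
# mistake in this bug); a line that is already plain is printed unchanged.
strip_host_prefix() {
    if is_plain_pubkey "$1"; then
        printf '%s\n' "$1"
    else
        set -f; set -- $1; set +f
        shift
        printf '%s\n' "$*"
    fi
}

# emit_known_hosts FQDN DIR: one ssh_known_hosts line per ssh_host_*.pub in
# DIR. Returns 1 (after printing the good lines) if any .pub file is not plain,
# which is exactly the state that produces the "no local public host keys"
# warning on the client.
emit_known_hosts() {
    rc=0
    for f in "$2"/ssh_host_*.pub; do
        [ -r "$f" ] || continue
        IFS= read -r line < "$f"
        known_hosts_line "$1" "$line" ||
            { echo "warning: $f is not a plain public key line" >&2; rc=1; }
    done
    return $rc
}

# Usage (on the client): sh hostbased-keys.sh client.example.com /etc/ssh
# Paste the output into /etc/ssh/ssh_known_hosts on the server.
if [ $# -eq 2 ]; then emit_known_hosts "$1" "$2"; fi
```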
