Date: Wed, 10 Feb 2021 14:04:30 -0600
From: Doug McIntyre
To: "freebsd-questions@freebsd.org"
Subject: Re: Permission denied via ssh over ipv6

And nothing interesting is logged into `/var/log/auth.log`? Interesting.

I can tell you that ssh works from 12.2 systems to other 12.2 systems
over IPv6 for me. All my systems do have proper reverse-forward-reverse
IPv6 DNS setup though. I don't know what the behavior is if it lacks
reverse DNS in IPv6, but if there is a reverse that doesn't match a
forward, then SSH will kick you out.

You could always run a local nameserver that is authoritative for your
IPv6 reverses as a test, but that's a large uptaking.

On Wed, Feb 10, 2021 at 05:13:16PM +0800, PstreeM China wrote:
> my fault.
> the system I mentioned in the original question "FreeBSD 12.2" is the ssh
> server.
> for this case, the system which I used as the client is also FreeBSD 12.2.
>
> test from other host (from different network) as the client to ssh to the
> "2607:f130::6287", it's the same issue.
> test from the localhost (the host config the ipv6 address as
> 2607:f130::628), use the command: %ssh myuser@2607:f130::628, it's work well.
>
> I don't know what is the problem, how to fix.
>
> BR//Ming
>
> On Wed, Feb 10, 2021 at 4:47 PM Yuri Pankov wrote:
>
> > PstreeM China wrote:
> > > hi:
> > >
> > > thanks for your quickly reply.
> > > ssh -vvv log as below, we can see the connection has already established,
> > > but after input the password, it's not work..
> > > I'm sure the password is right, try modify the passwd has the same
> > > issue.
> > >
> > > about the DNS PTRs, how should I do? the source is my home pc, not have
> > > DNS domain.
> > >
> > > --------------------------------
> > > rpi% ssh myuser@2607:f130::6287 -vvv
> > > OpenSSH_7.9p1, OpenSSL 1.1.1h-freebsd 22 Sep 2020
> > [...]
> > > debug1: Local version string SSH-2.0-OpenSSH_7.9 FreeBSD-20200214
> > > debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
> > [...]
> > > Permission denied, please try again.
> > > myuser@2607:f130::6287's password:
> >
> > From your original question it's not clear whether FreeBSD 12.2 system
> > is the client or server, and given the above I'm guessing it's the
> > former as remote version doesn't say "FreeBSD" and is otherwise
> > outdated; correct?
> >
> > Also, are you able to connect to 2607:f130::6287 from any other host to
> > make sure it's correct address to use and is accepting v6 connections?
> >
> > > On Wed, Feb 10, 2021 at 1:18 PM Doug McIntyre wrote:
> > >
> > >> On Wed, Feb 10, 2021 at 11:47:08AM +0800, PstreeM China wrote:
> > >>> Very thanks, this problem has searched from google, but not find the
> > >>> solution to fix this issue.
> > >>>
> > >>> new install FreeBSD in virtual machine.
> > >>> FreeBSD version is 12.2
> > >>> Dual stack support ipv4 and ipv6; enable sshd as default.
> > >>> I can ping the ipv4 and ipv6 address.
> > >>>
> > >>> The problem is:
> > >>> SSH over ipv4 is work well.
> > >>> But ssh over ipv6, Can be connected, but after input the password, it is
> > >>> failed, give the notify: permission denied.
> > >>> can not log into the server.
> > >>> I am sure the password is right.
> > >>
> > >>
> > >> Have you run 'ssh -vvv' to see all the very verbose debug information?
> > >>
> > >> Do you have proper DNS PTRs setup for your IPv6 block? It could be
> > >> blocked by mismatch reverse DNS.
> >
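
A forward-confirmed reverse DNS check of the kind discussed in this message, as an added example that is not part of the original e-mail. `check_fcrdns`, the injectable resolver functions and the `vm.example.net` records are hypothetical; the sample records are constructed so the check runs offline.

```python
import ipaddress
import socket

def ptr_name(addr):
    """Name whose PTR record a resolver queries for this address."""
    return ipaddress.ip_address(addr).reverse_pointer

def system_reverse(addr):
    """PTR lookup through the system resolver; empty list if none."""
    try:
        return [socket.gethostbyaddr(addr)[0]]
    except (socket.herror, socket.gaierror):
        return []

def system_forward(name):
    """A/AAAA lookup through the system resolver; empty list on failure."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except socket.gaierror:
        return []

def check_fcrdns(addr, reverse=system_reverse, forward=system_forward):
    """Return (status, names): 'no-ptr', 'mismatch' or 'match'."""
    ip = ipaddress.ip_address(addr)
    names = reverse(str(ip))
    if not names:
        return "no-ptr", []
    for name in names:
        for candidate in forward(name):
            try:
                # Compare parsed addresses, not strings: IPv6 has many
                # textual forms, and link-local results carry a %scope.
                if ipaddress.ip_address(candidate.split("%")[0]) == ip:
                    return "match", [name]
            except ValueError:
                continue
    return "mismatch", names

# Constructed sample records (hypothetical names), so the demo runs offline.
SAMPLE_PTR = {"2607:f130::6287": ["vm.example.net"]}
SAMPLE_AAAA = {"vm.example.net": ["2607:f130:0:0:0:0:0:6287"]}

if __name__ == "__main__":
    client = "2607:f130::6287"
    print(ptr_name(client))
    print(check_fcrdns(client, lambda a: SAMPLE_PTR.get(a, []),
                       lambda n: SAMPLE_AAAA.get(n, [])))
```

Called with only an address, `check_fcrdns` uses the system resolver, so running it on the sshd host against the connecting client's source address shows which of the three cases that host sees.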