Date:      Tue, 9 Feb 2021 22:41:41 -0800
From:      Bruce Ferrell <bferrell@baywinds.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: Permission denied via ssh over ipv6
Message-ID:  <06077d2d-2eda-e27a-6b8c-1a4c5ef361aa@baywinds.org>
In-Reply-To: <CAPDFJPjL8EdVfeH43=35cLxRGyE388JYY9qD5JB=gsdwhTh6ag@mail.gmail.com>
References:  <CAPDFJPjF19_9kRG0ff5r0cmD=-GpnYjdZNaCTyJEj-Bogw0qEw@mail.gmail.com> <YCNsdWk019SBpLdg@geeks.org> <CAPDFJPjL8EdVfeH43=35cLxRGyE388JYY9qD5JB=gsdwhTh6ag@mail.gmail.com>


Check the /etc/ssh/sshd_config file for this parameter:

AddressFamily

If it is set to inet, only IPv4 will work.

If it is set to any, both IPv4 and IPv6 will work.

It can be set to inet6 to make only IPv6 work.



On 2/9/21 10:30 PM, PstreeM China wrote:
> Hi,
>
> Thanks for your quick reply.
> The ssh -vvv log is below; we can see the connection has already been established,
> but after entering the password, it does not work.
> I am sure the password is right; I tried modifying the passwd and it has the same issue.
>
> About the DNS PTRs, what should I do? The source is my home PC, which does not have
> a DNS domain.
>
> --------------------------------
> rpi% ssh myuser@2607:f130::6287 -vvv
> OpenSSH_7.9p1, OpenSSL 1.1.1h-freebsd  22 Sep 2020
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug2: resolve_canonicalize: hostname 2607:f130::6287 is address
> debug2: ssh_connect_direct
> debug1: Connecting to 2607:f130::6287 [2607:f130::6287] port 22.
> debug1: Connection established.
> debug1: identity file /home/myuser/.ssh/id_rsa type 0
> debug1: identity file /home/myuser/.ssh/id_rsa-cert type -1
> debug1: identity file /home/myuser/.ssh/id_dsa type -1
> debug1: identity file /home/myuser/.ssh/id_dsa-cert type -1
> debug1: identity file /home/myuser/.ssh/id_ecdsa type -1
> debug1: identity file /home/myuser/.ssh/id_ecdsa-cert type -1
> debug1: identity file /home/myuser/.ssh/id_ed25519 type -1
> debug1: identity file /home/myuser/.ssh/id_ed25519-cert type -1
> debug1: identity file /home/myuser/.ssh/id_xmss type -1
> debug1: identity file /home/myuser/.ssh/id_xmss-cert type -1
> debug1: Local version string SSH-2.0-OpenSSH_7.9 FreeBSD-20200214
> debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
> debug1: match: OpenSSH_7.4 pat
> OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7*
> compat 0x04000002
> debug2: fd 3 setting O_NONBLOCK
> debug1: Authenticating to 2607:f130::6287:22 as 'myuser'
> debug3: Fssh_hostkeys_foreach: reading file "/home/myuser/.ssh/known_hosts"
> debug3: Fssh_record_hostkey: found key type ECDSA in file
> /home/myuser/.ssh/known_hosts:21
> debug3: Fssh_load_hostkeys: loaded 1 keys from 2607:f130::6287
> debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
> debug3: send packet: type 20
> debug1: SSH2_MSG_KEXINIT sent
> debug3: receive packet: type 20
> debug1: SSH2_MSG_KEXINIT received
> debug2: local client KEXINIT proposal
> debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
> debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
> debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
> debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
> debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
> debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
> debug2: compression ctos: none,zlib@openssh.com,zlib
> debug2: compression stoc: none,zlib@openssh.com,zlib
> debug2: languages ctos:
> debug2: languages stoc:
> debug2: first_kex_follows 0
> debug2: reserved 0
> debug2: peer server KEXINIT proposal
> debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
> debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
> debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
> debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
> debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
> debug2: compression ctos: none,zlib@openssh.com
> debug2: compression stoc: none,zlib@openssh.com
> debug2: languages ctos:
> debug2: languages stoc:
> debug2: first_kex_follows 0
> debug2: reserved 0
> debug1: kex: algorithm: curve25519-sha256
> debug1: kex: host key algorithm: ecdsa-sha2-nistp256
> debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC:
> <implicit> compression: none
> debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC:
> <implicit> compression: none
> debug3: send packet: type 30
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> debug3: receive packet: type 31
> debug1: Server host key: ecdsa-sha2-nistp256
> SHA256:9b7zNAYeCT72LITVCmeGsXsT5IEsPWXh0FGtzIaR7rw
> debug3: verify_host_key_dns
> debug1: skipped DNS lookup for numerical hostname
> debug3: Fssh_hostkeys_foreach: reading file "/home/myuser/.ssh/known_hosts"
> debug3: Fssh_record_hostkey: found key type ECDSA in file
> /home/myuser/.ssh/known_hosts:21
> debug3: Fssh_load_hostkeys: loaded 1 keys from 2607:f130::6287
> debug1: Host '2607:f130::6287' is known and matches the ECDSA host key.
> debug1: Found key in /home/myuser/.ssh/known_hosts:21
> debug3: send packet: type 21
> debug2: set_newkeys: mode 1
> debug1: rekey after 134217728 blocks
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug3: receive packet: type 21
> debug1: SSH2_MSG_NEWKEYS received
> debug2: set_newkeys: mode 0
> debug1: rekey after 134217728 blocks
> debug1: Will attempt key: /home/myuser/.ssh/id_rsa RSA
> SHA256:uJkEs7DCUCz5Rsn8sSrWFEeJo8VSHZRRkDKrER8Obic
> debug1: Will attempt key: /home/myuser/.ssh/id_dsa
> debug1: Will attempt key: /home/myuser/.ssh/id_ecdsa
> debug1: Will attempt key: /home/myuser/.ssh/id_ed25519
> debug1: Will attempt key: /home/myuser/.ssh/id_xmss
> debug2: pubkey_prepare: done
> debug3: send packet: type 5
> debug3: receive packet: type 7
> debug1: SSH2_MSG_EXT_INFO received
> debug1: Fssh_kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
> debug3: receive packet: type 6
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug3: send packet: type 50
> debug3: receive packet: type 51
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password
> debug3: start over, passed a different list
> publickey,gssapi-keyex,gssapi-with-mic,password
> debug3: preferred publickey,keyboard-interactive,password
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Offering public key: /home/myuser/.ssh/id_rsa RSA
> SHA256:uJkEs7DCUCz5Rsn8sSrWFEeJo8VSHZRRkDKrER8Obic
> debug3: send packet: type 50
> debug2: we sent a publickey packet, wait for reply
> debug3: receive packet: type 51
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password
> debug1: Trying private key: /home/myuser/.ssh/id_dsa
> debug3: no such identity: /home/myuser/.ssh/id_dsa: No such file or
> directory
> debug1: Trying private key: /home/myuser/.ssh/id_ecdsa
> debug3: no such identity: /home/myuser/.ssh/id_ecdsa: No such file or
> directory
> debug1: Trying private key: /home/myuser/.ssh/id_ed25519
> debug3: no such identity: /home/myuser/.ssh/id_ed25519: No such file or
> directory
> debug1: Trying private key: /home/myuser/.ssh/id_xmss
> debug3: no such identity: /home/myuser/.ssh/id_xmss: No such file or
> directory
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup password
> debug3: remaining preferred: ,password
> debug3: authmethod_is_enabled password
> debug1: Next authentication method: password
> myuser@2607:f130::6287's password:
> debug3: send packet: type 50
> debug2: we sent a password packet, wait for reply
> debug3: receive packet: type 51
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password
> Permission denied, please try again.
> myuser@2607:f130::6287's password:
> debug3: send packet: type 50
> debug2: we sent a password packet, wait for reply
> debug3: receive packet: type 51
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password
> Permission denied, please try again.
> myuser@2607:f130::6287's password:
>
> On Wed, Feb 10, 2021 at 1:18 PM Doug McIntyre <merlyn@geeks.org> wrote:
>
>> On Wed, Feb 10, 2021 at 11:47:08AM +0800, PstreeM China wrote:
>>> Many thanks. I have searched for this problem on Google, but have not found the
>>> solution to fix this issue.
>>>
>>> New install of FreeBSD in a virtual machine.
>>> FreeBSD version is 12.2.
>>> Dual stack, supporting IPv4 and IPv6; sshd enabled as default.
>>> I can ping the IPv4 and IPv6 addresses.
>>>
>>> The problem is:
>>> SSH over IPv4 works well.
>>> But with ssh over IPv6, I can connect, but after entering the password it
>>> fails with the notice: permission denied.
>>> I cannot log into the server.
>>> I am sure the password is right.
>>
>> Have you run 'ssh -vvv' to see all the very verbose debug information?
>>
>> Do you have proper DNS PTRs setup for your IPv6 block? It could be
>> blocked by mismatch reverse DNS.
>>
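
Added example, not part of the original message or of OpenSSH: a shell check that reads which AddressFamily an sshd_config text sets, applying the rules that the first value obtained wins, keywords are case-insensitive, and the default is any. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report the AddressFamily an
# sshd_config text sets and whether sshd would listen on an IP version.

# Print the effective AddressFamily for config file $1: inet, inet6 or any.
effective_address_family() {
    awk -F'[ \t=]+' '
        { sub(/^[ \t]+/, "") }              # drop indentation; fields re-split
        /^#/ || NF == 0 { next }            # skip comments and blank lines
        tolower($1) == "match" { exit }     # global section ends at first Match
        tolower($1) == "addressfamily" {    # keyword is case-insensitive
            print $2; found = 1; exit       # first value obtained wins
        }
        END { if (!found) print "any" }     # OpenSSH default
    ' "$1"
}

# Return 0 if config $1 lets sshd listen for IP version $2 (4 or 6).
sshd_serves_ip_version() {
    case "$(effective_address_family "$1"):$2" in
        any:4|any:6|inet:4|inet6:6) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: the early "inet" line hides the later "any" line.
demo_constructed_config() {
    cfg=$(mktemp)
    printf '%s\n' 'Port 22' 'addressfamily inet' 'AddressFamily any' > "$cfg"
    for v in 4 6; do
        if sshd_serves_ip_version "$cfg" "$v"; then
            echo "IPv$v: sshd listens"
        else
            echo "IPv$v: sshd does not listen"
        fi
    done
    rm -f "$cfg"
}
demo_constructed_config
```

This reads a single file and does not follow Include directives; on a live host, `sshd -T` prints the effective configuration the daemon would actually use.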



