# Can't ssh from a new upgraded FreeBSD 12.4 machine



## Sam9978 (Dec 23, 2022)

I have 7 servers all running FreeBSD 12.3 and just the other day upgraded one machine to FreeBSD 12.4 however I now can't SSH into any of the FreeBSD 12.3 machines from the 12.4 machine however, I can SSH from all the 12.3 machines to the 12.4 machine just fine. All the machines are setup and configured exactly the same with the only exception being the FreeBSD version.

I've been using the same setup on these machines for years and through several FreeBSD versions and I've never run into this issue. I know there is quite a big difference in SSH versions between these two versions of FreeBSD so I thought maybe that had something to do with it but I installed the latest version of OpenSSH on one of the FreeBSD 12.3 servers and generated new keys on both servers but it still doesn't work.

The error I'm getting is:


> user@machine: Permission denied (publickey).


There's nothing useful in the receiving server's auth log:


> sshd[56894]: Connection closed by authenticating user user 111.111.111.111 port 49203 [preauth]


Permissions are correct and exactly the same on all machines.

I'm going crazy trying to figure this out I've never had any issues with this before. Does anyone have any advice? The debug output of the ssh command is below.

Thank you for your help!

PS: after posting the debug output below I noticed these lines and figured this could be the problem


> debug3: Fssh_ssh_get_authentication_socket_path: path '/tmp/ssh-nqyEe2OVRT/agent.4080'
> debug2: get_agent_identities: ssh_agent_bind_hostkey: communication with agent failed
> debug1: get_agent_identities: ssh_fetch_identitylist: communication with agent failed


But I can't find anything useful online about it with most info being in regards to OpenSSH on Windows.



> machine7:~ $ ssh user@machine6
> The authenticity of host '[machine6]:22 ([111.111.111.111]:22)' can't be established.
> ED25519 key fingerprint is SHA256:
> No matching host key fingerprint found in DNS.
> ...


----------



## covacat (Dec 23, 2022)

you need to restart sshd after upgrading to 12.4 (after the last freebsd-update install/ after reboot)
login at console and restart sshd


----------



## Profighost (Dec 23, 2022)

My first look on ssh issues is always if 
`/etc/ssh/sshd_config`
is still okay.


----------



## richardtoohey2 (Dec 23, 2022)

See e.g. https://forums.freebsd.org/threads/sshd-had-to-be-restarted-after-upgrade-to-12-4.87454/#post-591839


----------



## Sam9978 (Dec 23, 2022)

Thanks for all the replies so far. I even did a clean install of 12.4 and have gone over all the configs, keys, home directories, and everything I can think of with a fine-tooth comb and everything matches how it was before and the other 12.3 servers as well but I can't for the life of me SSH out to those servers from the 12.4 server. I'm totally stumped.


----------



## mer (Dec 23, 2022)

the 12.4 machine can't connect to the 12.3 machines, is that the executive summary?
If so, can a 12.3 machine connect to the 12.4?
are both sides configured to use the same algorithms?  Reason for asking there was a point where a lot of servers disabled one of the older key types, so clients could not connect to them, solution was changing the servers to allow the disabled key type until the clients could be updated.

The "no such identity" lines are odd, not exactly sure what they mean in this case.


----------



## Sam9978 (Dec 23, 2022)

mer said:


> the 12.4 machine can't connect to the 12.3 machines, is that the executive summary? If so, can a 12.3 machine connect to the 12.4?



Correct. 12.4 to 12.3 does not work. 12.3 to 12.4 and 12.3 works.

I've looked over every single config, file permission, directory permission, and everything I can think of and it all looks the same to me so I can't figure out what is wrong. 

I think it has to be something with the ssh-agent as on the 12.4 server I get the error


> debug3: Fssh_ssh_get_authentication_socket_path: path '/tmp/ssh-Te6ORsCdfL/agent.6345'
> debug2: get_agent_identities: ssh_agent_bind_hostkey: communication with agent failed
> debug1: get_agent_identities: ssh_fetch_identitylist: communication with agent failed


But on the 12.3 servers, I see


> debug1: Will attempt key:  ED25519 SHA256:.... agent


And everything works from there.

I know there's quite a difference in OpenSSH versions with 12.4 using OpenSSH_9.1p1 and 12.3 using OpenSSH_7.9p1 but I can't see anything that really stands out when looking over the release notes but maybe I missed something.



mer said:


> are both sides configured to use the same algorithms?


That's a good question. I've never explicitly set this anywhere so I can't answer with any confidence and didn't even think to check as I've never had this issue before when upgrading to any major or minor FreeBSD version. I will look into it.


----------



## richardtoohey2 (Dec 23, 2022)

I’ve not got the details to hand but certainly newer OpenSSH releases deprecated older algorithms. So maybe 12.4 defaulting to newer algorithm and 12.3 can’t match that?

But re-reading your posts it looks like something else going on - as you say with ssh-agent. Can you try without ssh-agent? Might have to set-up simple 12.3 and 12.4 machines and start with basic SSH setup (e.g. with passwords) and then move to keys and then ssh-agent.

Or wait and see if someone comes along and says “a-ha just change line 3 in your config”!


----------



## cracauer@ (Dec 23, 2022)

Run sshd with -d (in a shell) to ask its opinion about what is wrong.


----------



## Sam9978 (Dec 24, 2022)

richardtoohey2 said:


> I’ve not got the details to hand but certainly newer OpenSSH releases deprecated older algorithms. So maybe 12.4 defaulting to newer algorithm and 12.3 can’t match that?
> 
> But re-reading your posts it looks like something else going on - as you say with ssh-agent. Can you try without ssh-agent? Might have to set-up simple 12.3 and 12.4 machines and start with basic SSH setup (e.g. with passwords) and then move to keys and then ssh-agent.
> 
> Or wait and see if someone comes along and says “a-ha just change line 3 in your config”!


Thank you for this! Your tip about "going back to the basics" helped and I was able to figure out the problem. 

Turns out there was a bug with the key agent I was using and OpenSSH 8.9+ servers. 

Thank you to everyone who replied for your help and time!


----------

