# sshd 'Fssh_kex_exchange_identification: banner line 0: You are not welcome to use sshd'



## sko (Oct 17, 2022)

I have a 12.3-RELEASE-p6 server that I can no longer connect to via ssh from any host. Output from `ssh -v host`:


```
% ssh -v stor1
OpenSSH_8.8p1, OpenSSL 1.1.1o-freebsd  3 May 2022
debug1: Reading configuration data /home/sko/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to stor1.mgmt.a.<redacted>.lan [10.50.50.101] port 22.
debug1: Connection established.
debug1: identity file /home/sko/.ssh/id_rsa type 0
debug1: identity file /home/sko/.ssh/id_rsa-cert type -1
debug1: identity file /home/sko/.ssh/id_dsa type -1
debug1: identity file /home/sko/.ssh/id_dsa-cert type -1
debug1: identity file /home/sko/.ssh/id_ecdsa type -1
debug1: identity file /home/sko/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/sko/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/sko/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/sko/.ssh/id_ed25519 type -1
debug1: identity file /home/sko/.ssh/id_ed25519-cert type -1
debug1: identity file /home/sko/.ssh/id_ed25519_sk type -1
debug1: identity file /home/sko/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/sko/.ssh/id_xmss type -1
debug1: identity file /home/sko/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.8 FreeBSD-20211221
debug1: Fssh_kex_exchange_identification: banner line 0: You are not welcome to use sshd from 10.50.50.98.
Fssh_kex_exchange_identification: Connection closed by remote host
Connection closed by 10.50.50.101 port 22
```

Even when using another host than my 13.1-RELEASE workstation (e.g. my jumphost running OpenBSD 7.1 or laptop running 12.3-RELEASE) I always get the same error, so definitely server side and not linked to my host's IP as hinted from the error message...
That server isn't running PF, no changes regarding sshd for the last few months. I can still ping the host and all services, jails and bhyve VMs are running fine, I can even ssh into the jails that are running sshd, but not into the host.

The behaviour didn't change after a reboot, so thanks to broken IPMI on that host I'll have to drag a screen and keyboard to the server room in the basement tomorrow...


----------



## VladiBG (Oct 17, 2022)

Check your /etc/hosts.allow on 10.50.50.101

The message came from `twist /bin/echo "You are not welcome to use %d from %h."`


----------



## sko (Oct 17, 2022)

VladiBG said:


> Check your hosts.allow on 10.50.50.101
> 
> The message came from `twist /bin/echo "You are not welcome to use %d from %h."`


Thanks for that hint; I'll check that tomorrow. Although I can't remember changing that file for well over a year when I set up tftp...


----------



## sko (Oct 19, 2022)

Small update:
it was /etc/hosts.allow

Strangely though, that file was last modified 6 weeks ago, yet the problem only arose 2 days ago...

I had a bunch of entries containing subnets with CIDR-notation (e.g. 10.50.50.0/24), which don't (no longer?) seem to work.
Changed everything to decimal masks (10.50.50.0/255.255.255.0) and everything worked again.

Thanks again VladiBG, you saved me quite some time down there!


----------
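The conversion sko describes above (CIDR entries such as 10.50.50.0/24 rewritten as 10.50.50.0/255.255.255.0), as an added example that is not part of any post in this thread. The function names and the sample rules are constructed for illustration; only the client list (second field) of each rule is rewritten, and bracketed IPv6 patterns are left alone.

```python
import ipaddress
import re

# Dotted quad + /N or /NN; the lookahead skips pairs like 10.0.0.0/255.0.0.0.
CIDR_RE = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})(?![\d.])")
SAMPLE = r"""# constructed sample rules, not the poster's actual file
sshd : 10.50.50.0/24 : allow
tftpd : 10.50.50.0/255.255.255.0, \
        10.60.0.0/16 : allow
sshd : [fe80::]/10 : allow
ALL : ALL : twist /bin/echo "You are not welcome to use %d from %h."
"""

def _to_netmask(m):
    addr, plen = m.group(1), int(m.group(2))
    try:
        ipaddress.IPv4Address(addr)
        mask = ipaddress.IPv4Network(f"0.0.0.0/{plen}").netmask
    except ValueError:
        return m.group(0)      # not a valid IPv4 prefix: leave as written
    return f"{addr}/{mask}"    # address part kept exactly as written

def _split_fields(line):
    """Split on ':' separators, ignoring colons inside [IPv6] brackets."""
    fields, depth = [""], 0
    for ch in line:
        depth += (ch == "[") - (ch == "]" and depth > 0)
        if ch == ":" and depth == 0:
            fields.append("")
        else:
            fields[-1] += ch
    return fields

def rewrite_hosts_allow(text):
    """Return (new_text, changed_line_numbers); only client lists are rewritten."""
    out, changed, carried = [], [], 0  # carried: separators seen in a continued rule
    for no, line in enumerate(text.splitlines(), 1):
        fields = _split_fields(line)
        idx = 1 - carried              # position of the client list on this line
        if not line.startswith("#") and 0 <= idx < len(fields):
            new = CIDR_RE.sub(_to_netmask, fields[idx])
            if new != fields[idx]:
                fields[idx] = new
                changed.append(no)
        # A trailing backslash continues the rule on the next line.
        carried = carried + len(fields) - 1 if line.endswith("\\") else 0
        out.append(":".join(fields))
    return "\n".join(out) + "\n", changed

if __name__ == "__main__":
    print(rewrite_hosts_allow(SAMPLE)[0], end="")
```

Compare the returned line numbers against the original file before putting the rewritten text in place of /etc/hosts.allow.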



## VladiBG (Oct 19, 2022)

`man 5 hosts_access`









I personally don't use /etc/hosts_allow; instead I'm using the firewall (ipfw/pf) to restrict this access.


----------

