From nobody Thu Sep 09 19:15:03 2021 X-Original-To: freebsd-current@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 7166E17B7D0F for ; Thu, 9 Sep 2021 19:15:33 +0000 (UTC) (envelope-from freebsd@walstatt-de.de) Received: from smtp4-2.goneo.de (smtp4-2.goneo.de [85.220.129.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4H57xw6D7tz3lBn for ; Thu, 9 Sep 2021 19:15:32 +0000 (UTC) (envelope-from freebsd@walstatt-de.de) Received: from thor.intern.walstatt.dynvpn.de (dynamic-078-054-046-104.78.54.pool.telefonica.de [78.54.46.104]) by smtp4.goneo.de (Postfix) with ESMTPSA id CFB112040D99 for ; Thu, 9 Sep 2021 21:15:30 +0200 (CEST) Date: Thu, 9 Sep 2021 21:15:03 +0200 From: FreeBSD User To: FreeBSD CURRENT Subject: OpenSSH issue: 14-Current rejects non-publickey scp/ssh/rsync connectiosn all of the sudden Message-ID: <20210909211530.5cf712d7@thor.intern.walstatt.dynvpn.de> Organization: walstatt-de.de List-Id: Discussions about the use of FreeBSD-current List-Archive: https://lists.freebsd.org/archives/freebsd-current List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-current@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Rspamd-Queue-Id: 4H57xw6D7tz3lBn X-Spamd-Bar: + Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=none (mx1.freebsd.org: domain of freebsd@walstatt-de.de has no SPF policy when checking 85.220.129.61) smtp.mailfrom=freebsd@walstatt-de.de X-Spamd-Result: default: False [1.67 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; RECEIVED_SPAMHAUS_PBL(0.00)[78.54.46.104:received]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; NEURAL_SPAM_SHORT(0.77)[0.771]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-current@freebsd.org]; DMARC_NA(0.00)[walstatt-de.de]; AUTH_NA(1.00)[]; RCPT_COUNT_ONE(0.00)[1]; HAS_ORG_HEADER(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; TO_DN_ALL(0.00)[]; NEURAL_SPAM_LONG(0.99)[0.994]; R_SPF_NA(0.00)[no SPF record]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; RCVD_COUNT_TWO(0.00)[2]; ASN(0.00)[asn:25394, ipnet:85.220.128.0/17, country:DE]; RCVD_TLS_ALL(0.00)[]; RWL_MAILSPIKE_POSSIBLE(0.00)[85.220.129.61:from] X-ThisMailContainsUnwantedMimeParts: N Hello, after upgrading 14-CURRENT to recent sources September, the 8th 2021, we realizes today a strange non-standard behaviour when connecting attempts from several clients to 14-CURRENT based machines were made involving sshd. First discovered on 13-STABLE clients (NanoBSD, router/fw appliance). With non-public-key authentication we copy the config partition tar'ed over to a backup system. This worked great until yesterday. Today the connection is dropped immediately, /var/log/auth.log (sshd log on 14-CURRENT) states: Sep 9 19:19:10 <4.6> thor sshd[1350]: Failed password for user01 from 192.168.11.111 port 24332 ssh2 A usual ssh login attempt also fails this way: Permission denied, please try again. The same behaviour is to observe with Xubuntu 20.04 clients and several other FreeBSD 13.0-RELENG and 13-STABLE clients. Also 14-CURRENT-to-14-CURRENT connection attempts are negative! The only working scheme right now is public key authentication and that is for some scenarios not applicable. What has changed in the recent 14-CURRENT OpenSSH update that dramatically that working schematics do not work any more? By the way, on the target host's sshd, on all instances, settings like these [...] PasswordAuthentication yes ChallengeResponseAuthentication yes UsePAM yes are set explicitely, while "UsePAM" produces an error: /etc/ssh/sshd_config line 89: Unsupported option UsePAM this sound ridiculous, since the usage of that tag is documented in the man page as well as present in the example sshd_config and set yes by default. What is wrong here? How can the sshd issue be fixed? Kind regards and thanks in advance, O. Hartmann -- O. Hartmann