Permission denied via ssh over ipv6

Bruce Ferrell bferrell at baywinds.org
Wed Feb 10 06:41:50 UTC 2021


Check the /etc/ssh/sshd_config file for this parameter:

AddressFamily

If it is set to inet, only IPv4 will work.

If it is set to any, both IPv4 and IPv6 will work.

It can be set to inet6 to make only IPv6 work.



On 2/9/21 10:30 PM, PstreeM China wrote:
> Hi,
>
> Thanks for your quick reply.
> The ssh -vvv log is below; we can see the connection has already been established,
> but after entering the password, it does not work.
> I am sure the password is right; I tried modifying the password and have the same issue.
>
> About the DNS PTRs, what should I do? The source is my home PC, which does not have
> a DNS domain.
>
> --------------------------------
> rpi% ssh myuser at 2607:f130::6287 -vvv
> OpenSSH_7.9p1, OpenSSL 1.1.1h-freebsd  22 Sep 2020
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug2: resolve_canonicalize: hostname 2607:f130::6287 is address
> debug2: ssh_connect_direct
> debug1: Connecting to 2607:f130::6287 [2607:f130::6287] port 22.
> debug1: Connection established.
> debug1: identity file /home/myuser/.ssh/id_rsa type 0
> debug1: identity file /home/myuser/.ssh/id_rsa-cert type -1
> debug1: identity file /home/myuser/.ssh/id_dsa type -1
> debug1: identity file /home/myuser/.ssh/id_dsa-cert type -1
> debug1: identity file /home/myuser/.ssh/id_ecdsa type -1
> debug1: identity file /home/myuser/.ssh/id_ecdsa-cert type -1
> debug1: identity file /home/myuser/.ssh/id_ed25519 type -1
> debug1: identity file /home/myuser/.ssh/id_ed25519-cert type -1
> debug1: identity file /home/myuser/.ssh/id_xmss type -1
> debug1: identity file /home/myuser/.ssh/id_xmss-cert type -1
> debug1: Local version string SSH-2.0-OpenSSH_7.9 FreeBSD-20200214
> debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
> debug1: match: OpenSSH_7.4 pat
> OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7*
> compat 0x04000002
> debug2: fd 3 setting O_NONBLOCK
> debug1: Authenticating to 2607:f130::6287:22 as 'myuser'
> debug3: Fssh_hostkeys_foreach: reading file "/home/myuser/.ssh/known_hosts"
> debug3: Fssh_record_hostkey: found key type ECDSA in file
> /home/myuser/.ssh/known_hosts:21
> debug3: Fssh_load_hostkeys: loaded 1 keys from 2607:f130::6287
> debug3: order_hostkeyalgs: prefer hostkeyalgs:
> ecdsa-sha2-nistp256-cert-v01 at openssh.com,
> ecdsa-sha2-nistp384-cert-v01 at openssh.com
> ,ecdsa-sha2-nistp521-cert-v01 at openssh.
>   com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
> debug3: send packet: type 20
> debug1: SSH2_MSG_KEXINIT sent
> debug3: receive packet: type 20
> debug1: SSH2_MSG_KEXINIT received
> debug2: local client KEXINIT proposal
> debug2: KEX algorithms:
> curve25519-sha256,curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,d
>
>   iffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
> debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01 at openssh.com,
> ecdsa-sha2-nistp384-cert-v01 at openssh.com,
> ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nis
>           tp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
> ssh-ed25519-cert-v01 at openssh.com,rsa-sha2-512-cert-v01 at openssh.com,
> rsa-sha2-256-cert-v01 at openssh.com,ssh-rsa-cert-v01 at op
>         enssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
> debug2: ciphers ctos: chacha20-poly1305 at openssh.com
> ,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,
> aes256-gcm at openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
> debug2: ciphers stoc: chacha20-poly1305 at openssh.com
> ,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,
> aes256-gcm at openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
> debug2: MACs ctos: umac-64-etm at openssh.com,umac-128-etm at openssh.com,
> hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,
> hmac-sha1-etm at openssh.com,umac-64 at open                              ssh.com,
> umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
> debug2: MACs stoc: umac-64-etm at openssh.com,umac-128-etm at openssh.com,
> hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,
> hmac-sha1-etm at openssh.com,umac-64 at open                              ssh.com,
> umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
> debug2: compression ctos: none,zlib at openssh.com,zlib
> debug2: compression stoc: none,zlib at openssh.com,zlib
> debug2: languages ctos:
> debug2: languages stoc:
> debug2: first_kex_follows 0
> debug2: reserved 0
> debug2: peer server KEXINIT proposal
> debug2: KEX algorithms:
> curve25519-sha256,curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,d
>
>   iffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman
>                               -group1-sha1
> debug2: host key algorithms:
> ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
> debug2: ciphers ctos: chacha20-poly1305 at openssh.com
> ,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,
> aes256-gcm at openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,bl
>               owfish-cbc,cast128-cbc,3des-cbc
> debug2: ciphers stoc: chacha20-poly1305 at openssh.com
> ,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,
> aes256-gcm at openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,bl
>               owfish-cbc,cast128-cbc,3des-cbc
> debug2: MACs ctos: umac-64-etm at openssh.com,umac-128-etm at openssh.com,
> hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,
> hmac-sha1-etm at openssh.com,umac-64 at open                              ssh.com,
> umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
> debug2: MACs stoc: umac-64-etm at openssh.com,umac-128-etm at openssh.com,
> hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,
> hmac-sha1-etm at openssh.com,umac-64 at open                              ssh.com,
> umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
> debug2: compression ctos: none,zlib at openssh.com
> debug2: compression stoc: none,zlib at openssh.com
> debug2: languages ctos:
> debug2: languages stoc:
> debug2: first_kex_follows 0
> debug2: reserved 0
> debug1: kex: algorithm: curve25519-sha256
> debug1: kex: host key algorithm: ecdsa-sha2-nistp256
> debug1: kex: server->client cipher: chacha20-poly1305 at openssh.com MAC:
> <implicit> compression: none
> debug1: kex: client->server cipher: chacha20-poly1305 at openssh.com MAC:
> <implicit> compression: none
> debug3: send packet: type 30
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> debug3: receive packet: type 31
> debug1: Server host key: ecdsa-sha2-nistp256
> SHA256:9b7zNAYeCT72LITVCmeGsXsT5IEsPWXh0FGtzIaR7rw
> debug3: verify_host_key_dns
> debug1: skipped DNS lookup for numerical hostname
> debug3: Fssh_hostkeys_foreach: reading file "/home/myuser/.ssh/known_hosts"
> debug3: Fssh_record_hostkey: found key type ECDSA in file
> /home/myuser/.ssh/known_hosts:21
> debug3: Fssh_load_hostkeys: loaded 1 keys from 2607:f130::6287
> debug1: Host '2607:f130::6287' is known and matches the ECDSA host key.
> debug1: Found key in /home/myuser/.ssh/known_hosts:21
> debug3: send packet: type 21
> debug2: set_newkeys: mode 1
> debug1: rekey after 134217728 blocks
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug3: receive packet: type 21
> debug1: SSH2_MSG_NEWKEYS received
> debug2: set_newkeys: mode 0
> debug1: rekey after 134217728 blocks
> debug1: Will attempt key: /home/myuser/.ssh/id_rsa RSA
> SHA256:uJkEs7DCUCz5Rsn8sSrWFEeJo8VSHZRRkDKrER8Obic
> debug1: Will attempt key: /home/myuser/.ssh/id_dsa
> debug1: Will attempt key: /home/myuser/.ssh/id_ecdsa
> debug1: Will attempt key: /home/myuser/.ssh/id_ed25519
> debug1: Will attempt key: /home/myuser/.ssh/id_xmss
> debug2: pubkey_prepare: done
> debug3: send packet: type 5
> debug3: receive packet: type 7
> debug1: SSH2_MSG_EXT_INFO received
> debug1: Fssh_kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
> debug3: receive packet: type 6
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug3: send packet: type 50
> debug3: receive packet: type 51
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password
> debug3: start over, passed a different list
> publickey,gssapi-keyex,gssapi-with-mic,password
> debug3: preferred publickey,keyboard-interactive,password
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Offering public key: /home/myuser/.ssh/id_rsa RSA
> SHA256:uJkEs7DCUCz5Rsn8sSrWFEeJo8VSHZRRkDKrER8Obic
> debug3: send packet: type 50
> debug2: we sent a publickey packet, wait for reply
> debug3: receive packet: type 51
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password
> debug1: Trying private key: /home/myuser/.ssh/id_dsa
> debug3: no such identity: /home/myuser/.ssh/id_dsa: No such file or
> directory
> debug1: Trying private key: /home/myuser/.ssh/id_ecdsa
> debug3: no such identity: /home/myuser/.ssh/id_ecdsa: No such file or
> directory
> debug1: Trying private key: /home/myuser/.ssh/id_ed25519
> debug3: no such identity: /home/myuser/.ssh/id_ed25519: No such file or
> directory
> debug1: Trying private key: /home/myuser/.ssh/id_xmss
> debug3: no such identity: /home/myuser/.ssh/id_xmss: No such file or
> directory
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup password
> debug3: remaining preferred: ,password
> debug3: authmethod_is_enabled password
> debug1: Next authentication method: password
> myuser at 2607:f130::6287's password:
> debug3: send packet: type 50
> debug2: we sent a password packet, wait for reply
> debug3: receive packet: type 51
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password
> Permission denied, please try again.
> myuser at 2607:f130::6287's password:
> debug3: send packet: type 50
> debug2: we sent a password packet, wait for reply
> debug3: receive packet: type 51
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password
> Permission denied, please try again.
> myuser at 2607:f130::6287's password:
>
> On Wed, Feb 10, 2021 at 1:18 PM Doug McIntyre <merlyn at geeks.org> wrote:
>
>> On Wed, Feb 10, 2021 at 11:47:08AM +0800, PstreeM China wrote:
>>> Many thanks. I have searched Google for this problem but did not find a
>>> solution to fix this issue.
>>>
>>> Newly installed FreeBSD in a virtual machine.
>>> FreeBSD version is 12.2.
>>> Dual stack supporting IPv4 and IPv6; sshd enabled as default.
>>> I can ping the IPv4 and IPv6 addresses.
>>>
>>> The problem is:
>>> SSH over IPv4 works well.
>>> But SSH over IPv6 can connect, but after entering the password, it
>>> fails with the message: permission denied.
>>> I cannot log into the server.
>>> I am sure the password is right.
>>
>> Have you run 'ssh -vvv' to see all the very verbose debug information?
>>
>> Do you have proper DNS PTRs set up for your IPv6 block? It could be
>> blocked by mismatched reverse DNS.
>>
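
The AddressFamily check suggested at the top of this message, as a small script. This is an added example, not part of the original post. It assumes a single sshd_config file with no Include directives; the function names and the sample config are constructed for illustration. On a live host, `sshd -T` prints the effective configuration.

```sh
#!/bin/sh
# Added example: report which address families sshd will accept,
# based on the AddressFamily keyword in sshd_config.

# Print the effective AddressFamily value from the file given as $1.
# sshd uses the first value it obtains for a keyword, keywords are
# case-insensitive, and the default when unset is "any".
sshd_address_family() {
    awk '
        /^[ \t]*#/ { next }                  # skip comment lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)         # drop leading whitespace
            # keyword and argument are separated by whitespace or "="
            n = split(line, f, /[ \t]*=[ \t]*|[ \t]+/)
            if (n >= 2 && tolower(f[1]) == "addressfamily") {
                print f[2]; found = 1; exit  # first occurrence wins
            }
        }
        END { if (!found) print "any" }
    ' "$1"
}

# Translate the value into the behaviour described in the message.
describe_families() {
    case "$1" in
        inet)  echo "IPv4 only" ;;
        inet6) echo "IPv6 only" ;;
        any)   echo "IPv4 and IPv6" ;;
        *)     echo "unrecognised value: $1" ;;
    esac
}

# Constructed sample config (not taken from the thread).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# AddressFamily inet6
Port 22
addressfamily = inet
AddressFamily any
EOF
describe_families "$(sshd_address_family "$sample")"
rm -f "$sample"
```
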



More information about the freebsd-questions mailing list