Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
65 votes, 5 answers, 291876 views
ssh Unable to negotiate: "no matching cipher found", is rejecting cbc
I am trying to ssh to a remote machine, and the attempt fails:
$ ssh -vvv admin@192.168.100.14
OpenSSH_7.7p1, OpenSSL 1.0.2o 27 Mar 2018
.....
debug2: ciphers ctos: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
Unable to negotiate with 192.168.100.14 port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
As far as I understand the last line of the log, the server offers to use one of the following 4 cipher algorithms: `aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc`. It looks like my ssh client doesn't support any of them, so the server and client are unable to negotiate further.
But my client does support all the suggested algorithms:
$ ssh -Q cipher
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
... and there are several more.
And if I explicitly specify the algorithm like this:
ssh -vvv -c aes256-cbc admin@192.168.100.14
I can successfully log in to the server.
My `~/.ssh/config` doesn't contain any cipher-related directives (actually I removed it completely, but the problem remains).
So, why can't the client and server decide which cipher to use without my explicit instructions? The client understands that the server supports `aes256-cbc`, and the client understands that it can use it itself, so why not just use it?
Some additional notes:
- There was no such problem some time (about a month) ago. I've not changed any ssh configuration files since then. I did update installed packages though.
- There is a question which describes a very similar-looking problem, but there is no answer to my question: https://unix.stackexchange.com/questions/402746
UPDATE: problem solved
As telcoM explained, the problem is with the server: it suggests only the obsolete cipher algorithms. I was sure that neither client nor server was outdated. I logged into the server (by the way, it's a Synology, updated to the latest available version) and examined `/etc/ssh/sshd_config`. The very first (!) line of this file was:
Ciphers aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
This is very strange (the fact that the line is the very first in the file); I am sure I've never touched the file before. However, I've changed the line to:
Ciphers aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
restarted the server (did not figure out how to restart the `sshd` service only), and now the problem is gone: I can ssh to the server as usual.
lesnik
(1421 rep)
Jul 28, 2018, 06:15 PM
• Last activity: Aug 5, 2025, 07:25 AM
9 votes, 3 answers, 6660 views
ssh, accept two key fingerprints for the same server IP
`ssh` clients (by default, at least in Ubuntu 18.04 and FreeBSD 12) always check if the server's key fingerprint is in the `known_hosts` file.
I have a host in the LAN which has dual boot; both OSs use the same static IP. I would like to connect through `ssh` to **both** of them, without encountering errors.
This obviously violates the checks performed on `known_hosts`: if I accept one fingerprint, it will be related to the host IP; when the OS is switched, the fingerprint changes while the IP is the same, and I need to manually delete it in `known_hosts` before being able to connect again. I would like one fingerprint, **or** the other, to be accepted when considering that IP.
Is there a **client side** solution to overcome this issue?
I am using `OpenSSH_7.8p1, OpenSSL 1.1.1a-freebsd 20 Nov 2018` and `OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017`.
**Note**: I do not want "no check" on the server's fingerprint. I am just wondering if it is possible to relate two alternative fingerprints (not just one) to the server's IP address.
BowPark
(5155 rep)
May 27, 2019, 08:08 AM
• Last activity: Aug 2, 2025, 08:45 AM
1 vote, 2 answers, 2052 views
How to restrict a jump user (into openSSH jumpbox) to only SSH to another server?
My Goal:
Restrict jump users (into an OpenSSH jumpbox) to only SSH to another server. Users should not be able to list directories, cd, or do anything else except ssh from the jumpbox to another server.
What I have:
- Active Directory users log in to the jump server, then SSH to other servers
- OpenSSH jump server configured on Ubuntu 20.04
What I've done:
Edited `/etc/ssh/sshd_config`:
Match User testuser
AllowTcpForwarding yes
X11Forwarding no
AllowAgentForwarding no
ForceCommand /bin/false
When I add `ForceCommand /bin/false`, testuser cannot even ssh to the jump server. Without it, the user can log in to the jump server but can still list directories and cd.
Arnold Jerry
(11 rep)
Feb 21, 2022, 02:03 AM
• Last activity: Jul 22, 2025, 05:35 PM
2 votes, 1 answer, 2587 views
How can I verify if browsing using SOCKS5 proxy (via SSH -D) is TCP over TCP?
The **link** talks about TCP over TCP when HTTP is used over SOCKS via SSH.
I am trying to browse from Firefox (on Ubuntu 14.04) after setting up the SOCKS5 proxy option via localhost. I created a SOCKS5 connection using SSH (created using `ssh -D`) to another host (which then takes the packets and routes them out).
The **link** says that SSH can be made to work in a no-encryption mode, but after applying the small patch suggested there to OpenSSH's `cipher.c`, I see encrypted packets in Wireshark even though it says `(encryption:none mac:umac-64@openssh.com compression:none)`:
SSH Protocol
SSH Version 2 (encryption:none mac:umac-64-etm@openssh.com compression:none)
Packet Length: 48
Encrypted Packet: 0932000000076d696e696e65740000000e7373682d636f6e...
MAC: 1a7bf2cfa15def0f
I would like to verify if this is actually a TCP over TCP connection.
Edit: does it matter that I get prompted for a password when I start the `ssh -D` (`ssh user@host2 -D 8080`)? Somehow, I am unable to get host2 to not prompt me for a password (even though I added host1's key into host2).
nnovoice
(21 rep)
Sep 21, 2016, 08:35 AM
• Last activity: Jul 18, 2025, 04:06 AM
0 votes, 1 answer, 2319 views
ssh jump fail about banner invalid characters
Updated `sshd` journal on both `jumphost` and `jumptarget`
----------
Full logs are too long to be pasted; uploaded to gist.
The three files are logs of:
Local -> Jumpper -> Debian by `ssh -j`
Local -> Jumpper -> Debian by `ssh Debian`
Local -> Jumpper by `ssh jumpper`
Jumper -> Debian by `ssh 10.10.10.3`
FYI: During this time, the IP address was re-planned `10.10.1.3 -> 10.10.10.3`, and a domain was added in `hosts`. These shouldn't have any effect on the problem.
----------
A similar problem is [SSH ProxyJump on macOS Catalina is not working](https://superuser.com/q/1510997), but the answer doesn't solve my case.
I'm configuring ssh jump with the following configuration:
Host Jumper
HostName domainName
User username
Port 1234
Host Debian
HostName 10.10.1.3
User username
Port 22
ProxyJump Jumper
The result of `ssh Debian -vvv` is
...
debug1: kex_exchange_identification: banner line 0: \033(B\033[mSSH-2.0-OpenSSH_9.2p1 Debian-2
kex_exchange_identification: banner line contains invalid characters
...
It shows OpenSSH, so I think the port should be correct.
`ssh Jumper` is fine, and manually running `ssh 10.10.1.3` on jumper is also fine.
The local host is a macOS at `OpenSSH_9.0p1` and the others are `OpenSSH_9.2p2`.
Leo
(1 rep)
Sep 18, 2023, 02:41 AM
• Last activity: Jul 17, 2025, 09:28 AM
17 votes, 3 answers, 11097 views
Why does my SSH Known Hosts have hashes instead of hostnames or IPs?
I have a host behind a dynamic IP, so I used to have a script that would add its address to my `.ssh/known_hosts` file; recently, though, it seems like something has changed. My file looks like it's been attacked by the hash monster:
|1|Du0QWjqCUrdRK/pnE0PTww2O2Zk=|O31W+SPPLr9+sj1m1K7MfEb+xUQ= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILUT1234567Xu2vvCE1likgUSOXLzEV123456783asaA
|1|K3vgE86MLJTHx8W2sPv1cgP4DI0=|Jattsr5sEW443bnyMKT6W0Noc+k= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILUT1234567Xu2vvCE1likgUSOXLzEV123456783asaA
|1|UlAukzqGavXZvRtMzjvXmHoVeAQ=|0JVjq7YSFulCHmkF46VFwMV/ZBY= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILUT1234567Xu2vvCE1likgUSOXLzEV123456783asaA
1. Is there any way to go back to the old, less secure method?
2. How can I easily create entries in this hashed format? (I want to write a script to tell ssh that any IP in the 10.0.0.0/24 range should match the given fingerprint.)
fny
(453 rep)
Oct 2, 2022, 03:17 PM
• Last activity: Jul 14, 2025, 07:59 PM
2 votes, 4 answers, 3530 views
behavior of ServerAliveInterval with ssh connection
Using ssh I am logging in to another system and executing scripts there that create new machines and do some setup. It takes around 7-8 hours. So what happened is, the ssh connection keeps dropping and I always get a timeout with unsuccessful execution of the script.
So now I am using this argument along with ssh connection:
ssh -o ServerAliveInterval=60 user@host ....
This ssh is spawned multiple times. The problem is that after a few ssh connections I am getting the error `too many logins of user`, and the subsequent ssh connections are getting closed just after successful logins.
So is it the behavior of the **ServerAliveInterval**, that keeps the ssh user login session in remote machine alive even after ssh work is over and that's why my further logins are disconnected?
kumarprd
(486 rep)
Oct 22, 2016, 03:10 AM
• Last activity: Jul 8, 2025, 04:03 PM
0 votes, 0 answers, 39 views
Connect to docker container through host via ssh without RemoteCommand
I have a server that runs multiple docker containers. I can access my server via SSH, and have set up my `ssh_config` to allow me to ssh into certain containers that I regularly access:
Host some_container
HostName my.server.com
RemoteCommand docker compose -f /docker-compose.yml exec some_container fish
RequestTTY force
However, I now need to use a particular piece of software that uses ssh, and access my containers with it. This software sets the ssh command argument. Using the above configuration, this causes ssh to error out with `Cannot execute command-line and remote command`, due to the presence of `RemoteCommand`.
I do NOT want to have to run an sshd server inside the container.
I have attempted to replace `RemoteCommand` with `ProxyCommand`, but this results in me connecting to my server and the docker command being ignored:
ProxyCommand ssh %h -W %h:%p \
-o "RequestTTY=force" \
-o "SessionType=default" \
-o "RemoteCommand=docker compose -f /docker-compose.yml exec some_container fish"
(note that this is all one line in my `ssh_config`; I have split it up here to make it easier to read).
Is there any way to ssh into my docker container without running `sshd` in the container or using `RemoteCommand`?
Gunnar Knutson
(1 rep)
Jul 2, 2025, 08:23 PM
• Last activity: Jul 3, 2025, 03:46 AM
102 votes, 5 answers, 275776 views
Where are my sshd logs?
I can't find my sshd logs in the standard places.
What I've tried:
- Not in `/var/log/auth.log`
- Not in `/var/log/secure`
- Did a system search for `'auth.log'` and found nothing
- I've set `/etc/ssh/sshd_config` to explicitly use `SyslogFacility AUTH` and `LogLevel INFO` and restarted sshd and still can't find them.
I'm using OpenSSH 6.5p1-2 on Arch Linux.
HXCaine
(1247 rep)
Feb 8, 2014, 01:06 PM
• Last activity: Jun 26, 2025, 11:59 AM
2 votes, 1 answer, 30 views
SSH multiplexing + control master when network connection changes
I have a computer server and a laptop guest, both running Ubuntu.
I set SSH multiplexing and control master in the laptop's `.ssh/config` like the following:
Host servername
User username
Port 22
HostName servername.ddns.net
ControlMaster auto
ControlPersist 1h
ControlPath /tmp/ssh_mux_%r@%n:%p
When the laptop connects to the server via `ssh servername.ddns.net`, a control file is created. However, if the laptop exits the connection to the server and tries to connect again while using a different WiFi network, the ssh attempt hangs. I suppose this is because there's some conflict with the control file that was created originally.
How could I set up SSH multiplexing and control master in a way that is robust to connecting and re-connecting to the server using different WiFi networks?
hannah
(21 rep)
Jun 26, 2025, 10:32 AM
• Last activity: Jun 26, 2025, 10:51 AM
0 votes, 1 answer, 1933 views
ssh localhost: Permission denied (publickey) Ubuntu on WSL2
I previously asked this question on askubuntu.com, but I thought this is rather a general Linux question, so I'm asking here again:
I'm having trouble "sshing" to localhost and getting a permission denied. I have tried everything from root and using sudo as well.
Ran the following:
ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
cat /root/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 0600 ~/.ssh/authorized_keys
ssh localhost
As the root user I have also done the following in case I use either user and the directories get mixed up:
cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
cat /home/shervleradvm/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
First time was because the service was not running. So I did
I have also disabled the ufw for the test.
Read/write permissions on the key files are:
drwx------ 2 shervleradvm shervleradvm 4096 Nov 21 23:15 .
drwxr-xr-x 6 shervleradvm shervleradvm 4096 Nov 21 23:25 ..
-rw-r----- 1 shervleradvm shervleradvm 1146 Nov 21 23:23 authorized_keys
-r-------- 1 root shervleradvm 2610 Nov 18 13:17 id_rsa
-r-------- 1 shervleradvm shervleradvm 577 Nov 18 13:17 id_rsa.pub
-rw-r--r-- 1 shervleradvm shervleradvm 444 Nov 18 15:05 known_hosts
The sshd_config file was missing the following, so I added and tested each and combinations of:
- AllowUsers: added shervleradvm
- AuthorizedKeysFile: added ~/.ssh/authorized_keys /root/.ssh/authorized_keys
I then changed my config file a little after reading https://askubuntu.com/questions/783843/please-explain-the-complete-steps-involved-in-the-installation-of-openssh-server/783844#783844 so now it looks like:
> # $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
>
> # This is the sshd server system-wide configuration file. See
> # sshd_config(5) for more information.
>
> # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
>
> # The strategy used for options in the default sshd_config shipped with
> # OpenSSH is to specify options with their default value where
> # possible, but leave them commented. Uncommented options override the
> # default value.
>
> Include /etc/ssh/sshd_config.d/*.conf
>
> #Port 22
> #AddressFamily any
> #ListenAddress 0.0.0.0
> #ListenAddress ::
>
> #HostKey /etc/ssh/ssh_host_rsa_key
> #HostKey /etc/ssh/ssh_host_ecdsa_key
> #HostKey /etc/ssh/ssh_host_ed25519_key
>
> # Ciphers and keying
> #RekeyLimit default none
>
> # Logging
> #SyslogFacility AUTH
> ########################################## EDITED
> LogLevel VERBOSE
> ##################################################
>
> # Authentication:
> ############################################################## NEW STUFF ############
> AllowUsers shervleradvm root
> #####################################################################################
>
>
> #LoginGraceTime 2m
> ########################################### EDITED
> PermitRootLogin yes
> ##################################################
> #StrictModes yes
> #MaxAuthTries 6
> #MaxSessions 10
>
> PubkeyAuthentication yes
>
> # Expect .ssh/authorized_keys2 to be disregarded by default in future.
> ########################################################################### EDITED
> AuthorizedKeysFile ~/.ssh/authorized_keys /root/.ssh/authorized_keys
>
> #AuthorizedPrincipalsFile none
>
> #AuthorizedKeysCommand none
> #AuthorizedKeysCommandUser nobody
>
> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> #HostbasedAuthentication no
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> # HostbasedAuthentication
> #IgnoreUserKnownHosts no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> #IgnoreRhosts yes
>
> # To disable tunneled clear text passwords, change to no here!
> PasswordAuthentication no
> #PermitEmptyPasswords no
>
> # Change to yes to enable challenge-response passwords (beware issues with
> # some PAM modules and threads)
> ChallengeResponseAuthentication no
>
> # Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
> #KerberosGetAFSToken no
>
> # GSSAPI options
> #GSSAPIAuthentication no
> #GSSAPICleanupCredentials yes
> #GSSAPIStrictAcceptorCheck yes
> #GSSAPIKeyExchange no
>
> # Set this to 'yes' to enable PAM authentication, account processing,
> # and session processing. If this is enabled, PAM authentication will
> # be allowed through the ChallengeResponseAuthentication and
> # PasswordAuthentication. Depending on your PAM configuration,
> # PAM authentication via ChallengeResponseAuthentication may bypass
> # the setting of "PermitRootLogin without-password".
> # If you just want the PAM account and session checks to run without
> # PAM authentication, then enable this but set PasswordAuthentication
> # and ChallengeResponseAuthentication to 'no'.
> UsePAM yes
>
> #AllowAgentForwarding yes
> ############################################ EDITED
> AllowTcpForwarding no
> ####################################################
> #GatewayPorts no
> ############################################ EDITED
> X11Forwarding no
> ####################################################
> #X11DisplayOffset 10
> #X11UseLocalhost yes
> #PermitTTY yes
> PrintMotd no
> #PrintLastLog yes
> #TCPKeepAlive yes
> #PermitUserEnvironment no
> #Compression delayed
> #ClientAliveInterval 0
> #ClientAliveCountMax 3
> #UseDNS no
> #PidFile /var/run/sshd.pid
> #MaxStartups 10:30:100
> #PermitTunnel no
> #ChrootDirectory none
> #VersionAddendum none
>
> # no default banner path
> ########################################## EDITED
> Banner /etc/issue.net
> #####################################################
>
> # Allow client to pass locale environment variables
> AcceptEnv LANG LC_*
>
> # override default of no subsystems
> Subsystem sftp /usr/lib/openssh/sftp-server
>
> # Example of overriding settings on a per-user basis
> #Match User anoncvs
> # X11Forwarding no
> # AllowTcpForwarding no
> # PermitTTY no
> # ForceCommand cvs server
I'm not sure what else I can try. I've been stuck on this for days and I have read all the other questions regarding ssh.
The verbose output is:
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/shervleradvm/.ssh/id_rsa type 0
debug1: identity file /home/shervleradvm/.ssh/id_rsa-cert type -1
debug1: identity file /home/shervleradvm/.ssh/id_dsa type -1
debug1: identity file /home/shervleradvm/.ssh/id_dsa-cert type -1
debug1: identity file /home/shervleradvm/.ssh/id_ecdsa type -1
debug1: identity file /home/shervleradvm/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/shervleradvm/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/shervleradvm/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/shervleradvm/.ssh/id_ed25519 type -1
debug1: identity file /home/shervleradvm/.ssh/id_ed25519-cert type -1
debug1: identity file /home/shervleradvm/.ssh/id_ed25519_sk type -1
debug1: identity file /home/shervleradvm/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/shervleradvm/.ssh/id_xmss type -1
debug1: identity file /home/shervleradvm/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to localhost:22 as 'shervleradvm'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:RhXPmgq8gMMrSRv7+VlpLb84pRnXi2vDiqdg0EfocK0
debug1: Host 'localhost' is known and matches the ECDSA host key.
debug1: Found key in /home/shervleradvm/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/shervleradvm/.ssh/id_rsa RSA SHA256:WfkneDotRaioAvWLHi+4L0CpHg+EZ8cWMPPGbx/jUXQ
debug1: Will attempt key: /home/shervleradvm/.ssh/id_dsa
debug1: Will attempt key: /home/shervleradvm/.ssh/id_ecdsa
debug1: Will attempt key: /home/shervleradvm/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/shervleradvm/.ssh/id_ed25519
debug1: Will attempt key: /home/shervleradvm/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/shervleradvm/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=
debug1: SSH2_MSG_SERVICE_ACCEPT received
***************************************************************************
SOME BANNER I HAVE PUT
This computer system is the private property of its owner, whether individual, corporate or government. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to your employer, to authorized site, government, and law enforcement personnel, as well as authorized officials of government agencies, both domestic and foreign. By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of such personnel or officials. Unauthorized or improper use of this system may result in civil and criminal penalties and administrative or disciplinary action, as appropriate. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.
****************************************************************************
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/shervleradvm/.ssh/id_rsa RSA SHA256:WfkneDotRaioAvWLHi+4L0CpHg+EZ8cWMPPGbx/jUXQ
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/shervleradvm/.ssh/id_dsa
debug1: Trying private key: /home/shervleradvm/.ssh/id_ecdsa
debug1: Trying private key: /home/shervleradvm/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/shervleradvm/.ssh/id_ed25519
debug1: Trying private key: /home/shervleradvm/.ssh/id_ed25519_sk
debug1: Trying private key: /home/shervleradvm/.ssh/id_xmss
debug1: No more authentication methods to try.
shervleradvm@localhost: Permission denied (publickey).
**UPDATE 1**: the syslog in /var/log/syslog only says:
Nov 20 01:05:54 ShervLeRad kernel: [35460.503034] WSL2: Performing memory compaction.
Nov 20 01:06:55 ShervLeRad kernel: [35521.519400] WSL2: Performing memory compaction.
Nov 20 01:07:56 ShervLeRad kernel: [35582.535366] WSL2: Performing memory compaction.
Nov 20 01:08:57 ShervLeRad kernel: [35643.552061] WSL2: Performing memory compaction.
Nov 20 01:09:58 ShervLeRad kernel: [35704.567029] WSL2: Performing memory compaction.
Nov 20 01:10:59 ShervLeRad kernel: [35765.582427] WSL2: Performing memory compaction.
Nov 20 01:12:00 ShervLeRad kernel: [35826.597374] WSL2: Performing memory compaction.
The auth.log in /var/log/auth.log says:
Nov 19 18:48:34 ShervLeRad sudo: shervleradvm : TTY=pts/0 ; PWD=/etc/ssh ; USER=root ; COMMAND=/usr/bin/ssh localhost
Nov 19 18:48:34 ShervLeRad sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Nov 19 18:48:34 ShervLeRad sshd: Connection closed by authenticating user root 127.0.0.1 port 39490 [preauth]
Nov 19 18:48:34 ShervLeRad sudo: pam_unix(sudo:session): session closed for user root
Nov 19 18:48:37 ShervLeRad sudo: shervleradvm : TTY=pts/0 ; PWD=/etc/ssh ; USER=root ; COMMAND=/usr/bin/vim sshd_config
Nov 19 18:48:37 ShervLeRad sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Nov 19 18:48:51 ShervLeRad sudo: pam_unix(sudo:session): session closed for user root
**UPDATE 2**: I ran ssh with -vvv and the output is:
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolving "localhost" port 22
debug2: ssh_connect_direct
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/shervleradvm/.ssh/id_rsa type 0
debug1: identity file /home/shervleradvm/.ssh/id_rsa-cert type -1
debug1: identity file /home/shervleradvm/.ssh/id_dsa type -1
debug1: identity file /home/shervleradvm/.ssh/id_dsa-cert type -1
debug1: identity file /home/shervleradvm/.ssh/id_ecdsa type -1
debug1: identity file /home/shervleradvm/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/shervleradvm/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/shervleradvm/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/shervleradvm/.ssh/id_ed25519 type -1
debug1: identity file /home/shervleradvm/.ssh/id_ed25519-cert type -1
debug1: identity file /home/shervleradvm/.ssh/id_ed25519_sk type -1
debug1: identity file /home/shervleradvm/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/shervleradvm/.ssh/id_xmss type -1
debug1: identity file /home/shervleradvm/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.1 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to localhost:22 as 'shervleradvm'
debug3: hostkeys_foreach: reading file "/home/shervleradvm/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/shervleradvm/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from localhost
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:RhXPmgq8gMMrSRv7+VlpLb84pRnXi2vDiqdg0EfocK0
debug3: hostkeys_foreach: reading file "/home/shervleradvm/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/shervleradvm/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from localhost
debug1: Host 'localhost' is known and matches the ECDSA host key.
debug1: Found key in /home/shervleradvm/.ssh/known_hosts:1
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/shervleradvm/.ssh/id_rsa RSA SHA256:WfkneDotRaioAvWLHi+4L0CpHg+EZ8cWMPPGbx/jUXQ
debug1: Will attempt key: /home/shervleradvm/.ssh/id_dsa
debug1: Will attempt key: /home/shervleradvm/.ssh/id_ecdsa
debug1: Will attempt key: /home/shervleradvm/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/shervleradvm/.ssh/id_ed25519
debug1: Will attempt key: /home/shervleradvm/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/shervleradvm/.ssh/id_xmss
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 53
debug3: input_userauth_banner
***************************************************************************
NOTICE TO USERS
This computer system is the private property of its owner, whether individual, corporate or government. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to your employer, to authorized site, government, and law enforcement personnel, as well as authorized officials of government agencies, both domestic and foreign. By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of such personnel or officials.
Unauthorized or improper use of this system may result in civil and criminal penalties and administrative or disciplinary action, as appropriate. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning. **************************************************************************** debug3: receive packet: type 51 debug1: Authentications that can continue: publickey debug3: start over, passed a different list publickey debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Offering public key: /home/shervleradvm/.ssh/id_rsa RSA SHA256:WfkneDotRaioAvWLHi+4L0CpHg+EZ8cWMPPGbx/jUXQ debug3: send packet: type 50 debug2: we sent a publickey packet, wait for reply debug3: receive packet: type 51 debug1: Authentications that can continue: publickey debug1: Trying private key: /home/shervleradvm/.ssh/id_dsa debug3: no such identity: /home/shervleradvm/.ssh/id_dsa: No such file or directory debug1: Trying private key: /home/shervleradvm/.ssh/id_ecdsa debug3: no such identity: /home/shervleradvm/.ssh/id_ecdsa: No such file or directory debug1: Trying private key: /home/shervleradvm/.ssh/id_ecdsa_sk debug3: no such identity: /home/shervleradvm/.ssh/id_ecdsa_sk: No such file or directory debug1: Trying private key: /home/shervleradvm/.ssh/id_ed25519 debug3: no such identity: /home/shervleradvm/.ssh/id_ed25519: No such file or directory debug1: Trying private key: /home/shervleradvm/.ssh/id_ed25519_sk debug3: no such identity: /home/shervleradvm/.ssh/id_ed25519_sk: No such file or directory debug1: Trying private key: /home/shervleradvm/.ssh/id_xmss debug3: no such identity: /home/shervleradvm/.ssh/id_xmss: No such file or directory debug2: we 
did not send a packet, disable method debug1: No more authentication methods to try. shervleradvm@localhost: Permission denied (publickey). **UPDATE 3**: I just tried
```
sudo service ssh start
```
I have also disabled the ufw for the test:
```
sudo ufw disable
```
read/write permissions on the key files are:
```
drwx------ 2 shervleradvm shervleradvm 4096 Nov 21 23:15 .
drwxr-xr-x 6 shervleradvm shervleradvm 4096 Nov 21 23:25 ..
-rw-r----- 1 shervleradvm shervleradvm 1146 Nov 21 23:23 authorized_keys
-r-------- 1 root         shervleradvm 2610 Nov 18 13:17 id_rsa
-r-------- 1 shervleradvm shervleradvm  577 Nov 18 13:17 id_rsa.pub
-rw-r--r-- 1 shervleradvm shervleradvm  444 Nov 18 15:05 known_hosts
```
sshd_config file was missing the following, so I added and tested each and combinations of:
- AllowUsers: added shervleradvm
- AuthorizedKeysFile: added ~/.ssh/authorized_keys /root/.ssh/authorized_keys

I then changed my config file a little after reading https://askubuntu.com/questions/783843/please-explain-the-complete-steps-involved-in-the-installation-of-openssh-server/783844#783844 so now it looks like:
```
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Include /etc/ssh/sshd_config.d/*.conf

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
########################################## EDITED
LogLevel VERBOSE
##################################################

# Authentication:
############################################################## NEW STUFF ############
AllowUsers shervleradvm root
#####################################################################################


#LoginGraceTime 2m
########################################### EDITED
PermitRootLogin yes
##################################################
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
########################################################################### EDITED
AuthorizedKeysFile ~/.ssh/authorized_keys /root/.ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
############################################ EDITED
AllowTcpForwarding no
####################################################
#GatewayPorts no
############################################ EDITED
X11Forwarding no
####################################################
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
########################################## EDITED
Banner /etc/issue.net
#####################################################

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server
```
I'm not sure what else I can try. I've been stuck on this for days and I have read all the other questions regarding ssh. The verbose output is:
```
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/shervleradvm/.ssh/id_rsa type 0
debug1: identity file /home/shervleradvm/.ssh/id_rsa-cert type -1
debug1: identity file /home/shervleradvm/.ssh/id_dsa type -1
debug1: identity file /home/shervleradvm/.ssh/id_dsa-cert type -1
debug1: identity file /home/shervleradvm/.ssh/id_ecdsa type -1
debug1: identity file /home/shervleradvm/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/shervleradvm/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/shervleradvm/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/shervleradvm/.ssh/id_ed25519 type -1
debug1: identity file /home/shervleradvm/.ssh/id_ed25519-cert type -1
debug1: identity file /home/shervleradvm/.ssh/id_ed25519_sk type -1
debug1: identity file /home/shervleradvm/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/shervleradvm/.ssh/id_xmss type -1
debug1: identity file /home/shervleradvm/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to localhost:22 as 'shervleradvm'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:RhXPmgq8gMMrSRv7+VlpLb84pRnXi2vDiqdg0EfocK0
debug1: Host 'localhost' is known and matches the ECDSA host key.
debug1: Found key in /home/shervleradvm/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/shervleradvm/.ssh/id_rsa RSA SHA256:WfkneDotRaioAvWLHi+4L0CpHg+EZ8cWMPPGbx/jUXQ
debug1: Will attempt key: /home/shervleradvm/.ssh/id_dsa
debug1: Will attempt key: /home/shervleradvm/.ssh/id_ecdsa
debug1: Will attempt key: /home/shervleradvm/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/shervleradvm/.ssh/id_ed25519
debug1: Will attempt key: /home/shervleradvm/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/shervleradvm/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=
debug1: SSH2_MSG_SERVICE_ACCEPT received
***************************************************************************
SOME BANNER I HAVE PUT
This computer system is the private property of its owner, whether individual,
corporate or government. It is for authorized use only.
Users (authorized or unauthorized) have no explicit or implicit expectation of privacy.
Any or all uses of this system and all files on this system may be intercepted,
monitored, recorded, copied, audited, inspected, and disclosed to your employer,
to authorized site, government, and law enforcement personnel, as well as
authorized officials of government agencies, both domestic and foreign.
By using this system, the user consents to such interception, monitoring,
recording, copying, auditing, inspection, and disclosure at the discretion of
such personnel or officials.
Unauthorized or improper use of this system may result in civil and criminal
penalties and administrative or disciplinary action, as appropriate.
By continuing to use this system you indicate your awareness of and consent to
these terms and conditions of use.
LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.
****************************************************************************
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/shervleradvm/.ssh/id_rsa RSA SHA256:WfkneDotRaioAvWLHi+4L0CpHg+EZ8cWMPPGbx/jUXQ
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/shervleradvm/.ssh/id_dsa
debug1: Trying private key: /home/shervleradvm/.ssh/id_ecdsa
debug1: Trying private key: /home/shervleradvm/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/shervleradvm/.ssh/id_ed25519
debug1: Trying private key: /home/shervleradvm/.ssh/id_ed25519_sk
debug1: Trying private key: /home/shervleradvm/.ssh/id_xmss
debug1: No more authentication methods to try.
shervleradvm@localhost: Permission denied (publickey).
```
**UPDATE 1**: the syslog in /var/log/syslog only says:
```
Nov 20 01:05:54 ShervLeRad kernel: [35460.503034] WSL2: Performing memory compaction.
Nov 20 01:06:55 ShervLeRad kernel: [35521.519400] WSL2: Performing memory compaction.
Nov 20 01:07:56 ShervLeRad kernel: [35582.535366] WSL2: Performing memory compaction.
Nov 20 01:08:57 ShervLeRad kernel: [35643.552061] WSL2: Performing memory compaction.
Nov 20 01:09:58 ShervLeRad kernel: [35704.567029] WSL2: Performing memory compaction.
Nov 20 01:10:59 ShervLeRad kernel: [35765.582427] WSL2: Performing memory compaction.
Nov 20 01:12:00 ShervLeRad kernel: [35826.597374] WSL2: Performing memory compaction.
```
the auth.log in /var/log/auth.log says:
```
Nov 19 18:48:34 ShervLeRad sudo: shervleradvm : TTY=pts/0 ; PWD=/etc/ssh ; USER=root ; COMMAND=/usr/bin/ssh localhost
Nov 19 18:48:34 ShervLeRad sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Nov 19 18:48:34 ShervLeRad sshd: Connection closed by authenticating user root 127.0.0.1 port 39490 [preauth]
Nov 19 18:48:34 ShervLeRad sudo: pam_unix(sudo:session): session closed for user root
Nov 19 18:48:37 ShervLeRad sudo: shervleradvm : TTY=pts/0 ; PWD=/etc/ssh ; USER=root ; COMMAND=/usr/bin/vim sshd_config
Nov 19 18:48:37 ShervLeRad sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Nov 19 18:48:51 ShervLeRad sudo: pam_unix(sudo:session): session closed for user root
```
**UPDATE 2**: I ran ssh with -vvv and the output is:
```
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolving "localhost" port 22
debug2: ssh_connect_direct
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/shervleradvm/.ssh/id_rsa type 0
debug1: identity file /home/shervleradvm/.ssh/id_rsa-cert type -1
debug1: identity file /home/shervleradvm/.ssh/id_dsa type -1
debug1: identity file /home/shervleradvm/.ssh/id_dsa-cert type -1
debug1: identity file /home/shervleradvm/.ssh/id_ecdsa type -1
debug1: identity file /home/shervleradvm/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/shervleradvm/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/shervleradvm/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/shervleradvm/.ssh/id_ed25519 type -1
debug1: identity file /home/shervleradvm/.ssh/id_ed25519-cert type -1
debug1: identity file /home/shervleradvm/.ssh/id_ed25519_sk type -1
debug1: identity file /home/shervleradvm/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/shervleradvm/.ssh/id_xmss type -1
debug1: identity file /home/shervleradvm/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.1 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to localhost:22 as 'shervleradvm'
debug3: hostkeys_foreach: reading file "/home/shervleradvm/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/shervleradvm/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from localhost
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:RhXPmgq8gMMrSRv7+VlpLb84pRnXi2vDiqdg0EfocK0
debug3: hostkeys_foreach: reading file "/home/shervleradvm/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/shervleradvm/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from localhost
debug1: Host 'localhost' is known and matches the ECDSA host key.
debug1: Found key in /home/shervleradvm/.ssh/known_hosts:1
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/shervleradvm/.ssh/id_rsa RSA SHA256:WfkneDotRaioAvWLHi+4L0CpHg+EZ8cWMPPGbx/jUXQ
debug1: Will attempt key: /home/shervleradvm/.ssh/id_dsa
debug1: Will attempt key: /home/shervleradvm/.ssh/id_ecdsa
debug1: Will attempt key: /home/shervleradvm/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/shervleradvm/.ssh/id_ed25519
debug1: Will attempt key: /home/shervleradvm/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/shervleradvm/.ssh/id_xmss
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 53
debug3: input_userauth_banner
***************************************************************************
NOTICE TO USERS
This computer system is the private property of its owner, whether individual,
corporate or government. It is for authorized use only.
Users (authorized or unauthorized) have no explicit or implicit expectation of privacy.
Any or all uses of this system and all files on this system may be intercepted,
monitored, recorded, copied, audited, inspected, and disclosed to your employer,
to authorized site, government, and law enforcement personnel, as well as
authorized officials of government agencies, both domestic and foreign.
By using this system, the user consents to such interception, monitoring,
recording, copying, auditing, inspection, and disclosure at the discretion of
such personnel or officials.
Unauthorized or improper use of this system may result in civil and criminal
penalties and administrative or disciplinary action, as appropriate.
By continuing to use this system you indicate your awareness of and consent to
these terms and conditions of use.
LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.
****************************************************************************
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/shervleradvm/.ssh/id_rsa RSA SHA256:WfkneDotRaioAvWLHi+4L0CpHg+EZ8cWMPPGbx/jUXQ
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/shervleradvm/.ssh/id_dsa
debug3: no such identity: /home/shervleradvm/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/shervleradvm/.ssh/id_ecdsa
debug3: no such identity: /home/shervleradvm/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/shervleradvm/.ssh/id_ecdsa_sk
debug3: no such identity: /home/shervleradvm/.ssh/id_ecdsa_sk: No such file or directory
debug1: Trying private key: /home/shervleradvm/.ssh/id_ed25519
debug3: no such identity: /home/shervleradvm/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /home/shervleradvm/.ssh/id_ed25519_sk
debug3: no such identity: /home/shervleradvm/.ssh/id_ed25519_sk: No such file or directory
debug1: Trying private key: /home/shervleradvm/.ssh/id_xmss
debug3: no such identity: /home/shervleradvm/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
shervleradvm@localhost: Permission denied (publickey).
```
**UPDATE 3**: I just tried
```
ssh -i id_rsa localhost
```
from the ~/.ssh dir of the shervleradvm user, to try defining the private key to use. That didn't work. So I did `touch config && vim config` and then defined the private key for localhost:
```
Host localhost
    HostName localhost
    User shervleradvm
    IdentityFile ~/.ssh/id_rsa
```
and then ran `ssh localhost`. The error persists.
**UPDATE 4**: I changed the owner of the private key to shervleradvm and gave the following permissions:
```
-rw------- 1 shervleradvm shervleradvm 2610 Nov 18 13:17 id_rsa
-r-------- 1 shervleradvm shervleradvm  577 Nov 18 13:17 id_rsa.pub
```
That didn't help.
Shervin Rad
(101 rep)
Nov 22, 2020, 02:15 PM
• Last activity: Jun 19, 2025, 12:08 PM
6
votes
2
answers
28973
views
How can I provide the authorized_keys path in sshd that allows normal users, system users, and a root user?
Is it possible to set the `AuthorizedKeysFile` setting explicitly such that it covers the following cases: 1. standard user under `/home/%u/.ssh/authorized_keys` 1. system user under `/var/lib/%u/.ssh/authorized_keys` 1. root user under `/root/.ssh/authorized_keys` My question is, is there a variabl...
Is it possible to set the `AuthorizedKeysFile` setting explicitly such that it covers the following cases:
1. standard user under `/home/%u/.ssh/authorized_keys`
2. system user under `/var/lib/%u/.ssh/authorized_keys`
3. root user under `/root/.ssh/authorized_keys`

My question is, is there a variable that contains the user directory as specified in the Name Service Switch?
Jonathan Komar
(7034 rep)
Dec 22, 2019, 02:08 PM
• Last activity: Jun 19, 2025, 07:31 AM
0
votes
1
answers
42
views
How to redirect output from a disowned process to a file
A borgmatic backup command that runs for many hours: long_running_cmd &> file.txt I did `Strg+Z` then `bg` then `disown` to keep the command running I case my laptop goes to sleep or disconnects. I thought the whole command chain just gets executed in the background, but I notice it did not wri...
A borgmatic backup command that runs for many hours:
```
long_running_cmd &> file.txt
```
I did `Strg+Z`, then `bg`, then `disown` to keep the command running in case my laptop goes to sleep or disconnects.
I thought the whole command chain just gets executed in the background, but I noticed it did not write into the file any more.
How do I ensure that the output of a command is written to the file even after I disconnect my ssh connection? (*if possible with default commands that can be found in a Debian headless server installation*)
Destro
(15 rep)
Jun 3, 2025, 05:50 AM
• Last activity: Jun 3, 2025, 10:18 AM
1
votes
2
answers
12168
views
CentOS 7 upgrade openssh to 9.3p2
I am asked for an upgrade OpenSSH version because of **CVE-2023-38408**, here is my process.: ``` yum groupinstall -y "Development Tools" yum install -y zlib-devel openssl-devel wget cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak chmod 600 /etc/ssh/ssh_host_rsa_key chmod 600 /etc/ssh/ssh_host_ecds...
I am asked to upgrade the OpenSSH version because of **CVE-2023-38408**; here is my process:
```
yum groupinstall -y "Development Tools"
yum install -y zlib-devel openssl-devel wget
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key
cd /tmp
wget -c https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.3p2.tar.gz
tar -xzf openssh-9.3p2.tar.gz
cd openssh-9.3p2
yum install -y pam-devel libselinux-devel
./configure --with-pam --with-selinux --with-privsep-path=/var/lib/sshd/ --sysconfdir=/etc/ssh
make && make install
```
It compiled ssh and sshd 9.3p2 successfully on my OS, so I now have two versions of sshd:
- /usr/sbin/sshd OpenSSH_7.4p1
- /usr/local/sbin/sshd OpenSSH_9.3

Next I should change the execute path in /usr/lib/systemd/system/sshd.service to the new version of sshd.
```
[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.service
Wants=sshd-keygen.service

[Service]
Type=notify
EnvironmentFile=/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s

[Install]
WantedBy=multi-user.target
```
I switched /usr/sbin/sshd to /usr/local/sbin/sshd, and did `systemctl daemon-reload` and `service sshd restart`, but it didn't work out. The message is:
Aug 25 07:37:57 localhost.localdomain systemd: sshd.service start operation timed out. Terminating.
Aug 25 07:37:57 localhost.localdomain sshd: Received signal 15; terminating.
Aug 25 07:37:57 localhost.localdomain systemd: Failed to start OpenSSH server daemon.
-- Subject: Unit sshd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit sshd.service has failed.
--
-- The result is failed.
Aug 25 07:37:57 localhost.localdomain systemd: Unit sshd.service entered failed state.
Aug 25 07:37:57 localhost.localdomain systemd: sshd.service failed.
Aug 25 07:37:57 localhost.localdomain polkitd: Unregistered Authentication Agent for unix-process:2259:84553 (system bus name :1.46, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_
Aug 25 07:38:39 localhost.localdomain systemd: sshd.service holdoff time over, scheduling restart.
Aug 25 07:38:39 localhost.localdomain systemd: Stopped OpenSSH server daemon.
-- Subject: Unit sshd.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit sshd.service has finished shutting down.
Aug 25 07:38:39 localhost.localdomain systemd: Starting OpenSSH server daemon...
-- Subject: Unit sshd.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit sshd.service has begun starting up.
Aug 25 07:38:39 localhost.localdomain sshd: Server listening on 0.0.0.0 port 22.
Aug 25 07:38:39 localhost.localdomain sshd: Server listening on :: port 22.
```
I have no idea whether the problem is in the file or in the service config.
Chan
(111 rep)
Aug 25, 2023, 07:50 AM
• Last activity: May 30, 2025, 07:02 PM
1
votes
1
answers
2514
views
SSH Unable to negotiate: no matching host key type found
I have an issue where older clients aren't able to connect to current (v8.x) versions of openssh server. I'm familiar with adding ssh-rsa,ssh-dss to the list of available key types but that doesn't seem to work for this issue.
One of our vendors is the client and there's no option of passing flags. When they try and connect, I get the following:
```
Apr 16 20:57:13 server sshd: Unable to negotiate with 10.0.3.39 port 49100: no matching host key type found. Their offer: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss [preauth]
```
I've added the following to /etc/ssh/sshd_config.d/10-test.conf:
```
KexAlgorithms=+diffie-hellman-group1-sha1
HostKeyAlgorithms=+ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa,ssh-dss
PubkeyAcceptedAlgorithms=+ssh-rsa,ssh-dss
```
I also tried it without the '=', but it has no effect. Here's the debug output:
```
[centos@ip-10-0-3-39 ~]$ ssh -vv -i test test@10.0.3.225
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 10.0.3.225 [10.0.3.225] port 22.
debug1: Connection established.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file test type -1
debug1: identity file test-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.7
debug1: match: OpenSSH_8.7 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96
debug2: kex_parse_kexinit: hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,kex-strict-s-v00@openssh.com
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256,ssh-ed25519
debug2: kex_parse_kexinit: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: kex_parse_kexinit: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: kex_parse_kexinit: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: kex_parse_kexinit: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes128-ctr hmac-sha1 none
no hostkey alg
```
Does anyone have any ideas here, as I'm at a loss?
Thanks!
Honkypants
(11 rep)
Apr 16, 2024, 10:32 PM
• Last activity: May 28, 2025, 01:10 PM
3
votes
2
answers
2501
views
Loading OpenSSH certificate into ssh-agent without the private key
I'm storing my ssh keys on a YubiKey and hence I don't have any private key file on disk. This gives me a problem when I'm also using OpenSSH certificates to authenticate. If I would like to bring the certificate with me using the ssh-agent, I need to add it to the agent somehow.
This is done automatically if I have a private key called `priv` and a cert called `priv-cert.pub`. But since I don't have a file, I can't find a way to add the certificate file to the agent.
Does anyone have a clue how to do this?
It seems there is no support for this, I found this feature request: https://bugzilla.mindrot.org/show_bug.cgi?id=2472
Peter
(131 rep)
Dec 7, 2017, 08:34 AM
• Last activity: May 17, 2025, 07:05 AM
0
votes
2
answers
2524
views
How can I deny all IPv6 ssh connection
I want to disable all ssh connections from both IPv4 and IPv6 except from certain IPs.
I can set `/etc/hosts.deny` to deny all IPv4 ssh connections:
```
sshd: ALL
```
How do I apply this to IPv6?
I tried the following, and it fails:
```
sshd: [*]
```
and
```
sshd: [ALL]
```
My sshd server version: PKIX-SSH 12.1, OpenSSH_8.0p1, OpenSSL 1.0.2g-fips 1 Mar 2016
And PKIX is configured with `--with-tcp-wrappers`.
Yu-Ting Chen
(51 rep)
Jul 29, 2019, 06:36 AM
• Last activity: May 14, 2025, 05:07 PM
46
votes
6
answers
233868
views
SSH authentication issue with OpenSSH private key
I have an issue while trying to use the SSH command on my Kali Linux system (version 16.0-kali6-amd64, 2022-03-23). I'm attempting to authenticate using an OpenSSH private key.
I started by using the following command:
```sh
ssh -i id_rsa root@
```
However, this resulted in the following error:
>Unable to negotiate with port 22: no matching host key type found. Their offer: ssh-rsa, ssh-dss
After some research, I tried the following command to address the issue:
```sh
ssh -oHostKeyAlgorithms=+ssh-dss -i id_rsa root@
```
But with this command, it prompted me for a password even though I intended to use the id_rsa key for authentication.
In the verbose output, I noticed the following messages:
- "No such directory for 'load_hostkeys'"
- "DSA host key found"
- "Get agent_identities: agent contains no identities, will attempt some key (explicitly)"
- "send_pubkey_test: no mutual signature algorithm"
The authentication process then attempted to use a password and provided a prompt.
I need assistance with using my OpenSSH private key for SSH authentication.
minato.uchiha
(561 rep)
Apr 15, 2022, 05:30 PM
• Last activity: May 12, 2025, 01:10 PM
4
votes
1
answers
4376
views
Freeradius PAM create user and home on login
At this moment I have installed freeradius and PAM radius properly. When I create an account on the system and set a password in /etc/raddb/users.conf, the user can log in. Sudo also works great with PAM radius.
What I want to achieve is that when I create a user in /etc/raddb/users.conf and reload the config, the account and home dir will be created if the Radius authentication succeeds.
I tried many things, including
```
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
```
The last log lines from the login without a system user account:
```
Feb 23 18:59:17 localhost sshd: pam_unix(sshd:auth): check pass; user unknown
Feb 23 18:59:18 localhost sshd: Failed password for invalid user pop from 192.168.0.115 port 53608 ssh2
Feb 23 18:59:18 localhost sshd: Connection closed by 192.168.0.115 [preauth]
Feb 23 18:59:18 localhost sshd: PAM 3 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=danys-mbp.fritz.box
Feb 23 18:59:18 localhost sshd: PAM service(sshd) ignoring max retries; 4 > 3
Feb 23 18:59:18 localhost sshd: Invalid user pop from 192.168.0.115
Feb 23 18:59:18 localhost sshd: input_userauth_request: invalid user pop [preauth]
Feb 23 18:59:21 localhost sshd: pam_unix(sshd:auth): check pass; user unknown
Feb 23 18:59:21 localhost sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=danys-mbp.fritz.box
Feb 23 18:59:22 localhost sshd: Failed password for invalid user pop from 192.168.0.115 port 53609 ssh2
```
My config for PAM sshd:
```
#%PAM-1.0
auth required pam_sepermit.so
auth sufficient pam_radius_auth.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
#account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
```
Is it possible to create the system account and home directory on login when using freeradius and PAM radius? If so, how does this work?
PS: I am using CentOS 7.
Edit: I have tried with a bash script to check if the user exists and then create it if it does not exist, but this does not work, and I do not see any log output for pam_exec.so failing.
Edit: radtest tells me the username and password are correct.
Dany
(231 rep)
Feb 25, 2016, 10:04 AM
• Last activity: Apr 22, 2025, 03:08 PM
0
votes
1
answers
69
views
Trying to login to sftp fails
I'm trying to set up an sftp server using the OpenSSH built-in sftp.
```
Subsystem sftp /usr/lib/openssh/sftp-server
```
and I have created a user by following (more or less (using ansible); I do use /sbin/nologin for the shell and /dev/null is used as skel)
https://sftpcloud.io/learn/sftp/how-to-setup-sftp-server-on-ubuntu-22-04
but when I try to connect
```
sftp myuser@myip
```
I get the prompt and enter the password, but it fails:
```
client_loop: send disconnect: Broken pipe
Connection closed.
Connection closed
```
The thing is that now the home directory for the user is filled with crap.
```
$ ls -a
snap/ .cache .local
```
and in syslog I see A LOT of things happening that seem more related to logging in as a normal user (I guess). Here is some of it:
```
systemd: Created slice user-1003.slice - User Slice of UID 1003.
systemd: Starting user-runtime-dir@1003.service - User Runtime Directory /run/user/1003...
snapd-desktop-i: Detected new session 42 at /org/freedesktop/login1/session/_342
systemd: Finished user-runtime-dir@1003.service - User Runtime Directory /run/user/1003.
systemd: Starting user@1003.service - User Manager for UID 1003...
systemd-xdg-autostart-generator: Exec binary 'start-pulseaudio-x11' does not exist: No such file or directory
systemd-xdg-autostart-generator: /etc/xdg/autostart/pulseaudio.desktop: not generating unit, executable specified in Exec= does not exist.
systemd: Queued start job for default target default.target.
systemd: Created slice app.slice - User Application Slice.
systemd: Created slice session.slice - User Core Session Slice.
systemd: Started ubuntu-report.path - Pending report trigger for Ubuntu Report.
systemd: Started launchpadlib-cache-clean.timer - Clean up old files in the Launchpadlib cache.
systemd: Starting gpg-agent-ssh.socket - GnuPG cryptographic agent (ssh-agent emulation)...
systemd: Started user@1003.service - User Manager for UID 1003.
systemd: Started session-42.scope - Session 42 of User myuser.
systemd: Starting gnome-initial-setup-copy-worker.service - GNOME Initial Setup Copy Worker...
systemd: Started pipewire.service - PipeWire Multimedia Service.
systemd: Started filter-chain.service - PipeWire filter chain daemon.
systemd: Started snap.snapd-desktop-integration.snapd-desktop-integration.service - Service for snap application snapd-desktop-integration.snapd-desktop-integration.
systemd: Started wireplumber.service - Multimedia Service Session Manager.
systemd: Started pipewire-pulse.service - PipeWire PulseAudio.
systemd: Startup finished in 270ms.
systemd: Starting dbus.service - D-Bus User Message Bus...
pipewire: mod.jackdbus-detect: Failed to receive jackdbus reply: org.freedesktop.DBus.Error.ServiceUnknown: The name org.jackaudio.service was not provided by any .service files
wireplumber: SPA handle 'api.libcamera.enum.manager' could not be loaded; is it installed?
systemd: snap.snapd-desktop-integration.snapd-desktop-integration.service: Main process exited, code=exited, status=1/FAILURE
systemd: snap.snapd-desktop-integration.snapd-desktop-integration.service: Failed with result 'exit-code'.
```
So I guess the login triggers "other stuff". How do I disable the extra stuff that is happening and just have sftp?
I do have other "regular" users logging into the server that I'm trying to set up as an sftp server, so I have to handle these sftp users in a special way. But how?
I use Ubuntu 24.04.
My sshd_config says:
```
UsePAM yes
```
user1887384
(1 rep)
Apr 17, 2025, 07:48 AM
• Last activity: Apr 19, 2025, 06:06 AM