Re: The key algorithm 'ssh-rsa' is not allowed in V 0.10.4
- Subject: Re: The key algorithm 'ssh-rsa' is not allowed in V 0.10.4
- From: g4-lisz@xxxxxxxxxxxx
- Reply-to: libssh@xxxxxxxxxx
- Date: Wed, 21 May 2025 13:43:00 +0200
- To: Jakub Jelen <jjelen@xxxxxxxxxx>
- Cc: libssh@xxxxxxxxxx
Hi

On 5/21/25 09:44, Jakub Jelen wrote:
> Hi,
> the strace does not show much what libssh does. It just confirms the check is failing locally, without sending the public key to server. But the signature algorithm depends on the extensions negotiated during key exchange, which should be logged in verbose log.
>
> I meant setting the log level using something like this:
>
>     int verbosity = SSH_LOG_TRACE;
>     ssh_options_set(session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);

Ah sure, but you don't need strace to read the log ;) I disabled it on purpose so you see the essential filehandling...

Here you go again (attached).

> It is also possible that the global configuration from cryptographic policies overrides the `SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES`. The strace log shows that the OpenSSH configuration is read before connecting:
>
>     openat(AT_FDCWD, "/etc/crypto-policies/back-ends/openssh.config", O_RDONLY) = 5
>
> This file does not have the ssh-rsa (SHA1) mechanisms in accepted types:
>
>     $ cat /etc/crypto-policies/back-ends/openssh.config | grep ssh-rsa

If this is the case, is there an option to keep libssh from reading systemwide configs? In my case that would be neater than enabling SHA for the whole system...

> But as far as I remember, the RHEL9 versions of OpenSSL and OpenSSH were not very pedantic so I think the OpenSSH is using the SHA1 anyway if the server does not advertise the SHA2 variants while libssh does not.
>
> Looking at the RHEL9 sources, I see the + sign was backported so sorry for the confusion in the previous email.

That explains why I didn't get the error "algorithm not known" (or alike) on RHEL..

Cheers
Till

On Tue, May 20, 2025 at 8:56 PM <g4-lisz@xxxxxxxxxxxx> wrote:

Hi Jakub,

I run this little program (see below). There was only the output

"Authentication failed: The key algorithm 'ssh-rsa' is not allowed to be used by PUBLICKEY_ACCEPTED_TYPES configuration option"

So ssh_options_set() was successful.

I attached the strace output. This will probably not go to the list but you will see it...

Cheers
Till

#include <stdio.h>
#include <libssh/libssh.h>

int main() {
    ssh_session session;
    int rc;
    const char *hostname = "10.10.10.10";
    const char *keyfile = "/home/useruser/id_rsa";
    int port = 2222;

    session = ssh_new();
    if (session == NULL) {
        fprintf(stderr, "Failed to create SSH session\n");
        return 1;
    }

    //ssh_set_log_level(SSH_LOG_PACKET);
    ssh_set_log_level(0);

    if (ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES, "ssh-rsa,rsa-sha2-256,rsa-sha2-512") < 0) {
        fprintf(stderr, "ssh_options_set failed: %s\n", ssh_get_error(session));
    }

    ssh_options_set(session, SSH_OPTIONS_HOST, hostname);
    ssh_options_set(session, SSH_OPTIONS_PORT, &port);
    ssh_options_set(session, SSH_OPTIONS_IDENTITY, keyfile);

    rc = ssh_connect(session);
    if (rc != SSH_OK) {
        fprintf(stderr, "Error connecting to %s: %s\n", hostname, ssh_get_error(session));
        ssh_free(session);
        return 1;
    }

    rc = ssh_userauth_publickey_auto(session, NULL, NULL);
    if (rc != SSH_AUTH_SUCCESS) {
        fprintf(stderr, "Authentication failed: %s\n", ssh_get_error(session));
        ssh_disconnect(session);
        ssh_free(session);
        return 1;
    }

    printf("Connected and authenticated with key!\n");

    ssh_disconnect(session);
    ssh_free(session);
    return 0;
}

May 20, 2025 2:15 PM, "Jakub Jelen" <jjelen@xxxxxxxxxx> wrote:

Hi,

the libssh 0.9.7 should support SHA2 with RSA already so it might be there is some bug in the client not correctly detecting this or there is something else in play (configuration file forcing the ssh-rsa mechanism?).
Do you have a full debug log (TRACE) to share (either here or privately)?

Regarding the test code you shared, the line `ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES, "+ssh-rsa");` will most likely fail in 0.10 and older as the + sign is not implemented there (and without checking the return value we never learn that). You can try without that sign, which will allow only this mechanism (which is again not recommended as insecure and it will also not work without the crypto-policy change on RHEL9).

Jakub

On Tue, May 20, 2025 at 1:55 PM <g4-lisz@xxxxxxxxxxxx> wrote:

Hi Jakub,

the server is built on libssh V 0.9.7 on Windows using MinGW. What would it mean when it supports SHA2 RSA? Would this be used as "upgraded" algorithm for ssh-rsa?

BTW Connecting to the server from RHEL with openssh client worked also with crypto policy set to DEFAULT...

Cheers
Till

May 20, 2025 10:34 AM, "Jakub Jelen" <jjelen@xxxxxxxxxx> wrote:

Hi.

what is the SSH running on the server? Does it support for the SHA2 RSA (rfc8332)? If not, you need to go with the suggestion mentioned by Andreas -- changing the crypto policies to LEGACY or enabling SHA1 in signatures globally.

If the SSH server supports the RFC 8332, then everything should work (unless you force the use of SHA1 signatures somewhere in your code). Showing the debug log from the connection can give more hints.

Jakub

On Tue, May 20, 2025 at 9:37 AM Andreas Schneider <asn@xxxxxxxxxxxxxx> wrote:

On Tuesday, 20 May 2025 02:56:28 CEST g4-lisz@xxxxxxxxxxxx wrote:
> Sorry, I missed a few important lines:

My guess would be that the crypto policy is preventing the use of SHA-1 and you need to enable it. libssh has support for crypto policies with 0.10.

https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening

https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#proc_re-enabling-sha-1_using-the-system-wide-cryptographic-policies

> int ssh_key_algorithm_allowed(ssh_session session, const char *type)
> {
>     const char *allowed_list;
>
>     if (session->client) {
> ===>>   allowed_list = session->opts.pubkey_accepted_types; <<===
>         if (allowed_list == NULL) {
>             if (ssh_fips_mode()) {
>                 allowed_list = ssh_kex_get_fips_methods(SSH_HOSTKEYS);
>             } else {
>                 allowed_list = ssh_kex_get_default_methods(SSH_HOSTKEYS);
>             }
>
> I.e. it only uses the defaults if session->opts.pubkey_accepted_types is undefined.
>
> Back to the beginning. Why doesn't it work? My guess is that Redhat changed the list of supported methods...
>
> May 20, 2025 2:44 AM, g4-lisz@xxxxxxxxxxxx wrote:
>
> I wonder if this is a bug...
>
> I did some digging in the code (0.10.4).
>
> The error message "The key algorithm 'ssh-rsa' is not allowed to be used by PUBLICKEY_ACCEPTED_TYPES" comes from: ssh_userauth_try_publickey().
> This uses:
>
> auth.c:531: rc = ssh_key_algorithm_allowed(session, sig_type_c);
>
> But ssh_key_algorithm_allowed() checks again ssh_kex_get_default_methods()
>
> pki.c:371: allowed_list = ssh_kex_get_default_methods(SSH_HOSTKEYS);
>
> ssh_kex_get_default_methods() returns a constant list DEFAULT_PUBLIC_KEY_ALGORITHMS from static const char *default_methods[] (kex.c:242).
>
> Therefore ssh_userauth_try_publickey() always returns SSH_AUTH_DENIED if the algorithm is not in the DEFAULT list.
>
> How does this make sense? It doesn't respect the additional algorithms added through the SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES option.
>
> rsa-ssh would actually be supported. It's in the list supported_methods[] in kex.c:240. This is used for ssh_keep_known_algos() (kex.c:957) and allows to set the option to the session (options.c):
>
> case SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES:
>     v = value;
>     if (v == NULL || v[0] == '\0') {
>         ssh_set_error_invalid(session);
>         return -1;
>     } else {
>         if (ssh_fips_mode()) {
>             p = ssh_keep_fips_algos(SSH_HOSTKEYS, v);
>         } else {
>             p = ssh_keep_known_algos(SSH_HOSTKEYS, v);
>         }
>         if (p == NULL) {
>             ssh_set_error(session, SSH_REQUEST_DENIED,
>                           "Setting method: no known public key algorithm (%s)",
>                           v);
>             return -1;
>         }
>
>         SAFE_FREE(session->opts.pubkey_accepted_types);
>         session->opts.pubkey_accepted_types = p;
>     }
>
> So what's the sense of allowing to add the algorithm through the option, but then denying the key because its algorithm is not in the default list? IMHO SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES makes no sense this way...
>
> Cheers
> Till
>
> May 20, 2025 1:48 AM, g4-lisz@xxxxxxxxxxxx wrote:
>
> Nice hint to use 'strings'. But from the output it's hard to tell.
> There are a few appearances:
>
> I'm using a minimalistic code now for testing.
> But still the same result:
>
> #include <stdio.h>
> #include <libssh/libssh.h>
>
> int main() {
>     ssh_session session;
>     int rc;
>     const char *hostname = "10.10.10.10";
>     const char *username = "user";
>     const char *keyfile = "/home/user/id_rsa";
>     int port = 22;
>
>     session = ssh_new();
>     if (session == NULL) {
>         fprintf(stderr, "Failed to create SSH session\n");
>         return 1;
>     }
>
>     ssh_set_log_level(SSH_LOG_FUNCTIONS);
>     ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES, "+ssh-rsa");
>     ssh_options_set(session, SSH_OPTIONS_HOST, hostname);
>     ssh_options_set(session, SSH_OPTIONS_PORT, &port);
>     ssh_options_set(session, SSH_OPTIONS_USER, username);
>     ssh_options_set(session, SSH_OPTIONS_IDENTITY, keyfile);
>
>     rc = ssh_connect(session);
>     if (rc != SSH_OK) {
>         fprintf(stderr, "Error connecting to %s: %s\n", hostname, ssh_get_error(session));
>         ssh_free(session);
>         return 1;
>     }
>
>     rc = ssh_userauth_publickey_auto(session, NULL, NULL);
>     if (rc != SSH_AUTH_SUCCESS) {
>         fprintf(stderr, "Authentication failed: %s\n", ssh_get_error(session));
>         ssh_disconnect(session);
>         ssh_free(session);
>         return 1;
>     }
>
>     printf("Connected and authenticated with key!\n");
>
>     ssh_disconnect(session);
>     ssh_free(session);
>     return 0;
> }
>
> Output:
> ssh_userauth_publickey_auto: Trying to authenticate with /home/remadmin/id_rsa
> ssh_key_algorithm_allowed: Checking rsa-sha2-512 with list <ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,ssh-ed25519,ssh-ed25519-cert-v01@xxxxxxxxxxx,rsa-sha2-256,rsa-sha2-256-cert-v01@xxxxxxxxxxx,rsa-sha2-512,rsa-sha2-512-cert-v01@xxxxxxxxxxx>
> ssh_key_algorithm_allowed: Checking rsa-sha2-256 with list <ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,ssh-ed25519,ssh-ed25519-cert-v01@xxxxxxxxxxx,rsa-sha2-256,rsa-sha2-256-cert-v01@xxxxxxxxxxx,rsa-sha2-512,rsa-sha2-512-cert-v01@xxxxxxxxxxx>
> ssh_key_algorithm_allowed: Checking ssh-rsa with list <ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,ssh-ed25519,ssh-ed25519-cert-v01@xxxxxxxxxxx,rsa-sha2-256,rsa-sha2-256-cert-v01@xxxxxxxxxxx,rsa-sha2-512,rsa-sha2-512-cert-v01@xxxxxxxxxxx>
> ssh_userauth_try_publickey: The key algorithm 'ssh-rsa' is not allowed to be used by PUBLICKEY_ACCEPTED_TYPES configuration option
> ssh_userauth_publickey_auto: Public key for /home/remadmin/id_rsa refused by server
>
> To your last question: I'm simply talking to the libssh mailing list! My name is Till.
>
> Cheers
>
> May 19, 2025 11:59 PM, "Malak Bouaksa" <bouaksamalak@xxxxxxxxx> wrote:
>
> You're absolutely right to be confused — that error message is really misleading.
> When libssh says the key was “refused by server,” it often doesn’t actually mean the server rejected it. In your case, the message "The key algorithm 'ssh-rsa' is not allowed to be used by PUBLICKEY_ACCEPTED_TYPES configuration option" shows that it’s the client itself, not the server, refusing the key. It’s likely that libssh 0.10.4 is filtering out ssh-rsa internally before it even tries to use it. This is a new default behavior introduced for security reasons, since ssh-rsa uses SHA-1, which is considered weak. To allow it, make sure you're calling ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES, "+ssh-rsa") (without a space after the plus) before calling ssh_connect(). If you set it too late, the option won’t take effect. Also consider setting SSH_OPTIONS_HOSTKEYS to include +ssh-rsa, just in case host key filtering is also in play. Finally, it’s worth checking whether your system’s libssh was compiled with ssh-rsa support disabled entirely — some distros remove it completely. A quick way to test that is by running strings on the libssh shared library to see if ssh-rsa appears at all. So no, the server probably isn’t refusing the key — your client just won’t let it be used unless you configure it properly, and sometimes not even then if it’s compiled out.
>
> And can I know who is talking to me and how you got my email?
>
> Thank you and I hope I helped with your problem.
>
> On Mon, May 19, 2025 at 10:14 PM <g4-lisz@xxxxxxxxxxxx> wrote:
>
> Hi there and thanks for your reply!
>
> You mean ' ssh-rsa' i.e. without any space? I also tried that, and with a complete list, too:
>
> ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES, "rsa-sha2-256,rsa-sha2-512,ecdh-sha2-nistp256,ssh-rsa")
>
> Nothing seems to help so far...
>
> It actually says (with debug log level);
>
> ssh_userauth_publickey_auto: ssh_userauth_publickey_auto: Public key for /opt/myproxy/.ssh/id_rsa refused by server
> ssh_userauth_publickey_auto: Access denied: Tried every public key, none matched
> ssh_userauth_publickey_auto Instance #11 failed: The key algorithm 'ssh-rsa' is not allowed to be used by PUBLICKEY_ACCEPTED_TYPES configuration option
>
> The last line comes from ssh_get_error(session):
>
> if(ssh_userauth_publickey_auto(session, NULL, NULL) != SSH_AUTH_SUCCESS) {
>     tlog_error("ssh_userauth_password Instance #%d failed: %s", inst->instance_id, ssh_get_error(session));
>     ...
>
> But why it says: refused by server? Is this just a bad wording? Or is it really rejected by the peer?
>
> May 19, 2025 10:19 PM, "Malak Bouaksa" <bouaksamalak@xxxxxxxxx> wrote:
>
> Hey there,
>
> What you're running into is actually a common issue when jumping from libssh 0.9.x to 0.10.x. Starting with version 0.10, libssh made a security-related change: it no longer allows the 'ssh-rsa' key type by default because it's based on SHA-1, which is considered weak by modern cryptographic standards. That’s why everything worked fine with version 0.9.6, but with 0.10.4 on RHEL9
>
> That’s why everything worked fine with version 0.9.6, but with 0.10.4 on RHEL9 but here’s the catch: the space after the + is messing it up. It should be:
>
> ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES, "+ ssh-rsa");
>
> On Mon, May 19, 2025 at 8:58 PM <g4-lisz@xxxxxxxxxxxx> wrote:
>
> Hi there,
>
> I wrote a client (TCP forwarding) that connects to a server which uses libssh V 0.9.7.
>
> When I compile the client with 0.9.6 (this is what I get with libssh-dev on Pop!_OS 22.04) then all works fine.
>
> However, on RHEL9, libssh-dev brings v0.10.4.
> And compiled with that version the client can't connect anymore:
>
> "ssh_userauth_try_publickey: The key algorithm 'ssh-rsa' is not allowed to be used by PUBLICKEY_ACCEPTED_TYPES configuration option"
>
> At first I was confused: Who says this? The server? But it accepted the key when using a client with version 0.9.6. So I tried to add 'ssh-rsa' to the client's allowed key types:
>
> if (ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES, "+ ssh-rsa") < 0) {
>     fprintf(stderr, "ssh_options_set failed: %s\n", ssh_get_error(session));
> }
>
> ssh_options_set(...) seems to succeed. However, everything else remains the same. The key algorithm 'ssh-rsa' is not allowed to be used...
>
> How can this be solved? What is the right way to convince libssh that it can use public keys of type ssh-rsa?
>
> The remote account only knows my ssh-rsa public key and this can't be changed easily. That's why I have to stick with that type...
>
> Cheers
> Till

--
Andreas Schneider asn@xxxxxxxxxxxxxx
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D

[2025/05/21 13:34:27.590787, 3] ssh_config_parse_file: Reading configuration data from /etc/ssh/ssh_config
[2025/05/21 13:34:27.593152, 3] local_parse_file: Reading additional configuration data from /etc/ssh/ssh_config.d/50-redhat.conf
[2025/05/21 13:34:27.593752, 2] ssh_config_parse_line: line 3: Unsupported Match keyword 'final', skipping
[2025/05/21 13:34:27.594435, 3] local_parse_file: Reading additional configuration data from /etc/crypto-policies/back-ends/openssh.config
[2025/05/21 13:34:27.595007, 2] ssh_config_parse_line: Unknown option: GSSAPIKexAlgorithms, line: 3
[2025/05/21 13:34:27.595462, 2] ssh_config_parse_line: Unknown option: CASignatureAlgorithms, line: 6
[2025/05/21 13:34:27.595836, 2] ssh_config_parse_line: Unknown option: RequiredRSASize, line: 7
[2025/05/21 13:34:27.596448, 2] ssh_config_parse_line: Unapplicable option: ForwardX11Trusted, line: 12
[2025/05/21 13:34:27.599300, 2] ssh_connect: libssh 0.10.4 (c) 2003-2022 Aris Adamantiadis, Andreas Schneider and libssh contributors. Distributed under the LGPL, please refer to COPYING file for information about your rights, using threading threads_pthread
[2025/05/21 13:34:27.599665, 3] getai: host 10.10.10.108 matches an IP address
[2025/05/21 13:34:27.600535, 2] ssh_socket_connect: Nonblocking connection socket: 3
[2025/05/21 13:34:27.600870, 2] ssh_connect: Socket connecting, now waiting for the callbacks to work
[2025/05/21 13:34:27.601443, 3] ssh_connect: Actual timeout : 10000
[2025/05/21 13:34:27.601920, 3] ssh_socket_pollcallback: Received POLLOUT in connecting state
[2025/05/21 13:34:27.602437, 1] socket_callback_connected: Socket connection callback: 1 (0)
[2025/05/21 13:34:27.603181, 3] ssh_socket_unbuffered_write: Enabling POLLOUT for socket
[2025/05/21 13:34:27.603965, 3] callback_receive_banner: Received banner: SSH-2.0-libssh_0.9.7
[2025/05/21 13:34:27.604345, 2] ssh_client_connection_callback: SSH server banner: SSH-2.0-libssh_0.9.7
[2025/05/21 13:34:27.604644, 2] ssh_analyze_banner: Analyzing banner: SSH-2.0-libssh_0.9.7
[2025/05/21 13:34:27.607601, 3] ssh_client_select_hostkeys: Order of wanted host keys: "ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256"
[2025/05/21 13:34:27.608765, 1] ssh_known_hosts_read_entries: Failed to open the known_hosts file '/etc/ssh/ssh_known_hosts': No such file or directory
[2025/05/21 13:34:27.609206, 3] ssh_client_select_hostkeys: No key found in known_hosts; changing host key method to "ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256"
[2025/05/21 13:34:27.609572, 3] packet_send2: packet: wrote [type=20, len=900, padding_size=7, comp=892, payload=892]
[2025/05/21 13:34:27.609926, 3] ssh_send_kex: SSH_MSG_KEXINIT sent
[2025/05/21 13:34:27.610313, 3] ssh_packet_socket_callback: packet: read type 20 [len=884,padding=9,comp=874,payload=874]
[2025/05/21 13:34:27.610620, 3] ssh_packet_process: Dispatching handler for packet type 20
[2025/05/21 13:34:27.610968, 2] ssh_kex_select_methods: Negotiated curve25519-sha256,rsa-sha2-512,aes256-gcm@xxxxxxxxxxx,aes256-gcm@xxxxxxxxxxx,aead-gcm,aead-gcm,none,none,,
[2025/05/21 13:34:27.611859, 3] packet_send2: packet: wrote [type=30, len=44, padding_size=6, comp=37, payload=37]
[2025/05/21 13:34:27.612518, 3] ssh_socket_unbuffered_write: Enabling POLLOUT for socket
[2025/05/21 13:34:27.631691, 3] ssh_packet_socket_callback: packet: read type 31 [len=612,padding=11,comp=600,payload=600]
[2025/05/21 13:34:27.632382, 3] ssh_packet_process: Dispatching handler for packet type 31
[2025/05/21 13:34:27.633561, 3] ssh_socket_unbuffered_write: Enabling POLLOUT for socket
[2025/05/21 13:34:27.634140, 3] packet_send2: packet: wrote [type=21, len=12, padding_size=10, comp=1, payload=1]
[2025/05/21 13:34:27.634969, 3] crypt_set_algorithms2: Set output algorithm to aes256-gcm@xxxxxxxxxxx
[2025/05/21 13:34:27.635493, 3] crypt_set_algorithms2: Set HMAC output algorithm to aead-gcm
[2025/05/21 13:34:27.635990, 3] crypt_set_algorithms2: Set input algorithm to aes256-gcm@xxxxxxxxxxx
[2025/05/21 13:34:27.636496, 3] crypt_set_algorithms2: Set HMAC input algorithm to aead-gcm
[2025/05/21 13:34:27.637092, 2] ssh_init_rekey_state: Set rekey after 4294967296 blocks
[2025/05/21 13:34:27.637618, 2] ssh_init_rekey_state: Set rekey after 4294967296 blocks
[2025/05/21 13:34:27.638153, 2] ssh_packet_client_curve25519_reply: SSH_MSG_NEWKEYS sent
[2025/05/21 13:34:27.638975, 3] ssh_packet_socket_callback: packet: read type 21 [len=12,padding=10,comp=1,payload=1]
[2025/05/21 13:34:27.639485, 3] ssh_packet_process: Dispatching handler for packet type 21
[2025/05/21 13:34:27.640101, 2] ssh_packet_newkeys: Received SSH_MSG_NEWKEYS
[2025/05/21 13:34:27.641171, 2] ssh_packet_newkeys: Signature verified and valid
[2025/05/21 13:34:27.641688, 3] ssh_connect: current state : 7
[2025/05/21 13:34:27.642211, 3] ssh_userauth_publickey_auto: Trying to authenticate with /home/useruser/id_rsa
[2025/05/21 13:34:27.643466, 3] ssh_key_algorithm_allowed: Checking rsa-sha2-512 with list <ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,ssh-ed25519,ssh-ed25519-cert-v01@xxxxxxxxxxx,rsa-sha2-256,rsa-sha2-256-cert-v01@xxxxxxxxxxx,rsa-sha2-512,rsa-sha2-512-cert-v01@xxxxxxxxxxx>
[2025/05/21 13:34:27.643865, 3] ssh_key_algorithm_allowed: Checking rsa-sha2-256 with list <ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,ssh-ed25519,ssh-ed25519-cert-v01@xxxxxxxxxxx,rsa-sha2-256,rsa-sha2-256-cert-v01@xxxxxxxxxxx,rsa-sha2-512,rsa-sha2-512-cert-v01@xxxxxxxxxxx>
[2025/05/21 13:34:27.644243, 3] ssh_key_algorithm_allowed: Checking ssh-rsa with list <ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,ssh-ed25519,ssh-ed25519-cert-v01@xxxxxxxxxxx,rsa-sha2-256,rsa-sha2-256-cert-v01@xxxxxxxxxxx,rsa-sha2-512,rsa-sha2-512-cert-v01@xxxxxxxxxxx>
[2025/05/21 13:34:27.644552, 1] ssh_userauth_try_publickey: The key algorithm 'ssh-rsa' is not allowed to be used by PUBLICKEY_ACCEPTED_TYPES configuration option
[2025/05/21 13:34:27.644855, 3] ssh_userauth_publickey_auto: Public key for /home/useruser/id_rsa refused by server
[2025/05/21 13:34:27.645245, 3] ssh_userauth_publickey_auto: Trying to authenticate with /home/useruser/.ssh/id_ed25519
[2025/05/21 13:34:27.645697, 1] ssh_pki_import_pubkey_file: Error opening /home/useruser/.ssh/id_ed25519.pub: No such file or directory
[2025/05/21 13:34:27.646195, 1] ssh_pki_import_privkey_file: Error opening /home/useruser/.ssh/id_ed25519: No such file or directory
[2025/05/21 13:34:27.646548, 3] ssh_userauth_publickey_auto: Private key /home/useruser/.ssh/id_ed25519 doesn't exist.
[2025/05/21 13:34:27.646885, 3] ssh_userauth_publickey_auto: Trying to authenticate with /home/useruser/.ssh/id_ecdsa
[2025/05/21 13:34:27.647375, 1] ssh_pki_import_pubkey_file: Error opening /home/useruser/.ssh/id_ecdsa.pub: No such file or directory
[2025/05/21 13:34:27.647845, 1] ssh_pki_import_privkey_file: Error opening /home/useruser/.ssh/id_ecdsa: No such file or directory
[2025/05/21 13:34:27.648234, 3] ssh_userauth_publickey_auto: Private key /home/useruser/.ssh/id_ecdsa doesn't exist.
[2025/05/21 13:34:27.648576, 3] ssh_userauth_publickey_auto: Trying to authenticate with /home/useruser/.ssh/id_rsa
[2025/05/21 13:34:27.649043, 1] ssh_pki_import_pubkey_file: Error opening /home/useruser/.ssh/id_rsa.pub: No such file or directory
[2025/05/21 13:34:27.649489, 1] ssh_pki_import_privkey_file: Error opening /home/useruser/.ssh/id_rsa: No such file or directory
[2025/05/21 13:34:27.649795, 3] ssh_userauth_publickey_auto: Private key /home/useruser/.ssh/id_rsa doesn't exist.
[2025/05/21 13:34:27.650163, 2] ssh_userauth_publickey_auto: Tried every public key, none matched
Authentication failed: The key algorithm 'ssh-rsa' is not allowed to be used by PUBLICKEY_ACCEPTED_TYPES configuration option
[2025/05/21 13:34:27.650956, 3] ssh_socket_unbuffered_write: Enabling POLLOUT for socket
[2025/05/21 13:34:27.651442, 3] packet_send2: packet: wrote [type=1, len=32, padding_size=11, comp=20, payload=20]
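
A log like the one attached above can be triaged mechanically. The script below is an added example, not code from the thread or from libssh: it separates refusals made by the client's own algorithm check from real server rejections, lists the configuration files libssh read before that check, and compares the list in effect with the one the program asked for. The names `triage` and `requested`, the report keys and the sample log (constructed, abbreviated from the log format shown above) are assumptions of this example.

```python
import re

# A libssh log entry looks like "[2025/05/21 13:34:27.644552, 1] function: message".
# Entries are located by timestamp rather than by line, so a log that an archive
# has run together onto a few long lines is parsed the same way.
ENTRY = re.compile(
    r"\[\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+, \d+\] (\w+): "
    r"(.*?)(?=\s*\[\d{4}/\d{2}/\d{2} \d{2}:|\Z)",
    re.S,
)
CONFIG = re.compile(r"Reading (?:additional )?configuration data from (\S+)")
CHECK = re.compile(r"Checking (\S+) with list <([^>]*)>")
DENIED = re.compile(r"The key algorithm '([^']+)' is not allowed")
REFUSED = re.compile(r"Public key for (\S+) refused by server")


def triage(log_text, requested=None):
    """Summarise a libssh client log.

    requested: the comma-separated value the program passed for
    SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES, if known (hypothetical parameter).
    """
    report = {
        "config_files": [],             # configs parsed before authentication
        "checked": [],                  # (algorithm, was it in the list?)
        "effective_list": [],           # list the local check really used
        "denied_locally": [],           # algorithms rejected by the client
        "local_refusals": [],           # keys logged as "refused by server"
                                        # right after a local denial
        "requested_not_effective": [],  # asked for, but absent from the list
    }
    pending_local_denial = False
    for func, msg in ENTRY.findall(log_text):
        if func in ("ssh_config_parse_file", "local_parse_file"):
            m = CONFIG.search(msg)
            if m:
                report["config_files"].append(m.group(1))
        elif func == "ssh_key_algorithm_allowed":
            m = CHECK.search(msg)
            if m:
                allowed = m.group(2).split(",")
                report["effective_list"] = allowed
                report["checked"].append((m.group(1), m.group(1) in allowed))
        elif func == "ssh_userauth_try_publickey":
            m = DENIED.search(msg)
            if m:
                report["denied_locally"].append(m.group(1))
                pending_local_denial = True
        elif func == "ssh_userauth_publickey_auto":
            m = REFUSED.search(msg)
            if m and pending_local_denial:
                report["local_refusals"].append(m.group(1))
                pending_local_denial = False
    if requested and report["effective_list"]:
        report["requested_not_effective"] = [
            alg for alg in requested.split(",")
            if alg not in report["effective_list"]
        ]
    return report


# Constructed sample: same entry format as the attached log, shortened lists,
# deliberately run together to mimic an archived copy.
SAMPLE_LOG = (
    "[2025/05/21 13:34:27.590787, 3] ssh_config_parse_file: Reading configuration data from /etc/ssh/ssh_config "
    "[2025/05/21 13:34:27.594435, 3] local_parse_file: Reading additional configuration data from /etc/crypto-policies/back-ends/openssh.config\n"
    "[2025/05/21 13:34:27.642211, 3] ssh_userauth_publickey_auto: Trying to authenticate with /home/user/id_rsa "
    "[2025/05/21 13:34:27.643466, 3] ssh_key_algorithm_allowed: Checking rsa-sha2-512 with list <ssh-ed25519,rsa-sha2-256,rsa-sha2-512> "
    "[2025/05/21 13:34:27.644243, 3] ssh_key_algorithm_allowed: Checking ssh-rsa with list <ssh-ed25519,rsa-sha2-256,rsa-sha2-512> "
    "[2025/05/21 13:34:27.644552, 1] ssh_userauth_try_publickey: The key algorithm 'ssh-rsa' is not allowed to be used by PUBLICKEY_ACCEPTED_TYPES configuration option "
    "[2025/05/21 13:34:27.644855, 3] ssh_userauth_publickey_auto: Public key for /home/user/id_rsa refused by server"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, "ssh-rsa,rsa-sha2-256,rsa-sha2-512").items():
        print(f"{key}: {value}")
```

A non-empty `requested_not_effective` means the list in effect at authentication time is not the one passed to `ssh_options_set()`; the files in `config_files` are then the first place to look, as suggested in the thread.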
PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x4000) = 0x7f7b9877e000 mmap(0x7f7b9877f000, 8, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f7b9877f000 close(3) = 0 openat(AT_FDCWD, "/lib64/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320F\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=70880, ...}) = 0 mmap(NULL, 80456, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f7b98765000 mmap(0x7f7b98769000, 36864, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x4000) = 0x7f7b98769000 mmap(0x7f7b98772000, 12288, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xd000) = 0x7f7b98772000 mmap(0x7f7b98775000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xf000) = 0x7f7b98775000 mmap(0x7f7b98777000, 6728, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f7b98777000 close(3) = 0 openat(AT_FDCWD, "/lib64/libselinux.so.1", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0pp\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=175752, ...}) = 0 mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7b98a0b000 mmap(NULL, 181896, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f7b98738000 mmap(0x7f7b9873e000, 110592, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x7f7b9873e000 mmap(0x7f7b98759000, 32768, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x21000) = 0x7f7b98759000 mmap(0x7f7b98761000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x28000) = 0x7f7b98761000 mmap(0x7f7b98763000, 5768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f7b98763000 close(3) = 0 openat(AT_FDCWD, "/lib64/libpcre2-8.so.0", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220$\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=636848, 
...}) = 0 mmap(NULL, 635440, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f7b9808a000 mmap(0x7f7b9808c000, 446464, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f7b9808c000 mmap(0x7f7b980f9000, 176128, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6f000) = 0x7f7b980f9000 mmap(0x7f7b98124000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x99000) = 0x7f7b98124000 close(3) = 0 mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7b98a09000 arch_prctl(ARCH_SET_FS, 0x7f7b98a0a040) = 0 set_tid_address(0x7f7b98a0a310) = 648229 set_robust_list(0x7f7b98a0a320, 24) = 0 rseq(0x7f7b98a0a9e0, 0x20, 0, 0x53053053) = 0 mprotect(0x7f7b989f4000, 16384, PROT_READ) = 0 mprotect(0x7f7b98124000, 4096, PROT_READ) = 0 mprotect(0x7f7b98761000, 4096, PROT_READ) = 0 mprotect(0x7f7b98775000, 4096, PROT_READ) = 0 mprotect(0x7f7b9877e000, 4096, PROT_READ) = 0 mprotect(0x7f7b98a2e000, 4096, PROT_READ) = 0 mprotect(0x7f7b986b8000, 372736, PROT_READ) = 0 mprotect(0x7f7b9878f000, 4096, PROT_READ) = 0 mprotect(0x7f7b98a12000, 4096, PROT_READ) = 0 mprotect(0x7f7b987a7000, 8192, PROT_READ) = 0 mprotect(0x7f7b981f0000, 57344, PROT_READ) = 0 mprotect(0x7f7b987fd000, 8192, PROT_READ) = 0 mprotect(0x7f7b98ab9000, 4096, PROT_READ) = 0 mprotect(0x403000, 4096, PROT_READ) = 0 mprotect(0x7f7b98b01000, 8192, PROT_READ) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 munmap(0x7f7b98abf000, 54843) = 0 statfs("/sys/fs/selinux", {f_type=SELINUX_MAGIC, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={val=[0, 0]}, f_namelen=255, f_frsize=4096, f_flags=ST_VALID|ST_NOSUID|ST_NOEXEC|ST_RELATIME}) = 0 statfs("/sys/fs/selinux", {f_type=SELINUX_MAGIC, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={val=[0, 0]}, f_namelen=255, f_frsize=4096, f_flags=ST_VALID|ST_NOSUID|ST_NOEXEC|ST_RELATIME}) = 0 
getrandom("\x2a\x25\xe2\xe6\x96\x80\xb3\x53", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x2345000 brk(0x2366000) = 0x2366000 access("/etc/selinux/config", F_OK) = 0 futex(0x7f7b987162a4, FUTEX_WAKE_PRIVATE, 2147483647) = 0 futex(0x7f7b987162a0, FUTEX_WAKE_PRIVATE, 2147483647) = 0 futex(0x7f7b9871629c, FUTEX_WAKE_PRIVATE, 2147483647) = 0 openat(AT_FDCWD, "/proc/sys/crypto/fips_enabled", O_RDONLY) = 3 read(3, "0\n", 2) = 2 close(3) = 0 futex(0x7f7b98715c08, FUTEX_WAKE_PRIVATE, 2147483647) = 0 futex(0x7f7b98715f20, FUTEX_WAKE_PRIVATE, 2147483647) = 0 futex(0x7f7b98716180, FUTEX_WAKE_PRIVATE, 2147483647) = 0 futex(0x7f7b98715f30, FUTEX_WAKE_PRIVATE, 2147483647) = 0 futex(0x7f7b98716298, FUTEX_WAKE_PRIVATE, 2147483647) = 0 openat(AT_FDCWD, "/etc/pki/tls/openssl.cnf", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=12433, ...}) = 0 read(3, "#\n# OpenSSL example configuratio"..., 4096) = 4096 newfstatat(AT_FDCWD, "/etc/pki/tls/openssl.d", {st_mode=S_IFDIR|0755, st_size=6, ...}, 0) = 0 openat(AT_FDCWD, "/etc/pki/tls/openssl.d", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0755, st_size=6, ...}) = 0 getdents64(4, 0x23590f0 /* 2 entries */, 32768) = 48 getdents64(4, 0x23590f0 /* 0 entries */, 32768) = 0 close(4) = 0 newfstatat(AT_FDCWD, "/etc/crypto-policies/back-ends/opensslcnf.config", {st_mode=S_IFREG|0644, st_size=737, ...}, 0) = 0 openat(AT_FDCWD, "/etc/crypto-policies/back-ends/opensslcnf.config", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=737, ...}) = 0 read(4, "CipherString = @SECLEVEL=2:kEECD"..., 4096) = 737 read(4, "", 4096) = 0 close(4) = 0 read(3, "d look\n# For type CA, the listed"..., 4096) = 4096 read(3, "mmendation\n# subjectAltName=emai"..., 4096) = 4096 read(3, "e update\ncmd = kur\noldcert = $in"..., 4096) = 145 read(3, "", 4096) = 0 close(3) = 0 futex(0x7f7b98715dc8, FUTEX_WAKE_PRIVATE, 2147483647) = 0 futex(0x7f7b98715ef0, FUTEX_WAKE_PRIVATE, 2147483647) = 0 futex(0x7f7b98716280, FUTEX_WAKE_PRIVATE, 2147483647) = 0 
futex(0x7f7b9871627c, FUTEX_WAKE_PRIVATE, 2147483647) = 0 futex(0x7f7b98715de0, FUTEX_WAKE_PRIVATE, 2147483647) = 0 futex(0x7f7b9871628c, FUTEX_WAKE_PRIVATE, 2147483647) = 0 getuid() = 1000 socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3 connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory) close(3) = 0 socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3 connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory) close(3) = 0 newfstatat(AT_FDCWD, "/etc/nsswitch.conf", {st_mode=S_IFREG|0644, st_size=2124, ...}, 0) = 0 newfstatat(AT_FDCWD, "/", {st_mode=S_IFDIR|0555, st_size=235, ...}, 0) = 0 openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=2124, ...}) = 0 read(3, "#\n# /etc/nsswitch.conf\n#\n# Name "..., 4096) = 2124 read(3, "", 4096) = 0 fstat(3, {st_mode=S_IFREG|0644, st_size=2124, ...}) = 0 close(3) = 0 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=54843, ...}) = 0 mmap(NULL, 54843, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f7b98abf000 close(3) = 0 openat(AT_FDCWD, "/lib64/libnss_sss.so.2", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260%\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=53480, ...}) = 0 mmap(NULL, 53856, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f7b9872a000 mmap(0x7f7b9872c000, 32768, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f7b9872c000 mmap(0x7f7b98734000, 8192, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xa000) = 0x7f7b98734000 mmap(0x7f7b98736000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xb000) = 0x7f7b98736000 close(3) = 0 mprotect(0x7f7b98736000, 4096, PROT_READ) = 0 munmap(0x7f7b98abf000, 54843) = 0 openat(AT_FDCWD, "/var/lib/sss/mc/passwd", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such 
file or directory) futex(0x7f7b98737214, FUTEX_WAKE_PRIVATE, 2147483647) = 0 openat(AT_FDCWD, "/var/lib/sss/mc/passwd", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) futex(0x7f7b98737250, FUTEX_WAKE_PRIVATE, 2147483647) = 0 newfstatat(AT_FDCWD, "/proc/self/", {st_mode=S_IFDIR|0555, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 getpid() = 648229 fstat(-1, 0x7fff7fdce8f0) = -1 EBADF (Bad file descriptor) socket(AF_UNIX, SOCK_STREAM, 0) = 3 fcntl(3, F_GETFL) = 0x2 (flags O_RDWR) fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0 fcntl(3, F_GETFD) = 0 fcntl(3, F_SETFD, FD_CLOEXEC) = 0 connect(3, {sa_family=AF_UNIX, sun_path="/var/lib/sss/pipes/nss"}, 110) = -1 ENOENT (No such file or directory) close(3) = 0 openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=1781, ...}) = 0 lseek(3, 0, SEEK_SET) = 0 read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1781 close(3) = 0 openat(AT_FDCWD, "/home/useruser/.ssh/config", O_RDONLY) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/etc/ssh/ssh_config", O_RDONLY) = 3 openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=1909, ...}) = 0 fstat(4, {st_mode=S_IFREG|0644, st_size=1909, ...}) = 0 read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\5\0\0\0\5\0\0\0\0"..., 4096) = 1909 lseek(4, -1217, SEEK_CUR) = 692 read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\6\0\0\0\0"..., 4096) = 1217 close(4) = 0 write(2, "[2025/05/21 13:34:27.590787, 3] "..., 54) = 54 write(2, " Reading configuration data fro"..., 54) = 54 fstat(3, {st_mode=S_IFREG|0644, st_size=1921, ...}) = 0 read(3, "#\t$OpenBSD: ssh_config,v 1.35 20"..., 4096) = 1921 openat(AT_FDCWD, "/etc/ssh/ssh_config.d", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0755, st_size=28, ...}) = 0 brk(0x2388000) = 0x2388000 getdents64(4, 0x235f440 /* 3 entries */, 32768) = 88 getdents64(4, 0x235f440 /* 0 entries */, 32768) = 0 brk(0x2380000) = 0x2380000 
close(4) = 0 openat(AT_FDCWD, "/etc/ssh/ssh_config.d/50-redhat.conf", O_RDONLY) = 4 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.593152, 3] "..., 49) = 49 write(2, " Reading additional configurati"..., 82) = 82 fstat(4, {st_mode=S_IFREG|0644, st_size=581, ...}) = 0 read(4, "# The options here are in the \"M"..., 4096) = 581 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.593752, 2] "..., 54) = 54 write(2, " line 3: Unsupported Match keyw"..., 54) = 54 newfstatat(AT_FDCWD, "/etc/crypto-policies/back-ends/openssh.config", {st_mode=S_IFLNK|0777, st_size=46, ...}, AT_SYMLINK_NOFOLLOW) = 0 openat(AT_FDCWD, "/etc/crypto-policies/back-ends/openssh.config", O_RDONLY) = 5 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.594435, 3] "..., 49) = 49 write(2, " Reading additional configurati"..., 91) = 91 fstat(5, {st_mode=S_IFREG|0644, st_size=1322, ...}) = 0 read(5, "Ciphers aes256-gcm@xxxxxxxxxxx,c"..., 4096) = 1322 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.595007, 2] "..., 54) = 54 write(2, " Unknown option: GSSAPIKexAlgor"..., 47) = 47 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.595462, 2] "..., 54) = 54 write(2, " Unknown option: CASignatureAlg"..., 49) = 49 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.595836, 2] "..., 54) = 54 write(2, " Unknown option: RequiredRSASiz"..., 43) = 43 read(5, "", 4096) = 0 close(5) = 0 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.596448, 2] "..., 54) = 54 write(2, " Unapplicable option: ForwardX1"..., 51) = 51 read(4, "", 4096) = 
0 close(4) = 0 read(3, "", 4096) = 0 close(3) = 0 brk(0x237f000) = 0x237f000 getuid() = 1000 newfstatat(AT_FDCWD, "/etc/nsswitch.conf", {st_mode=S_IFREG|0644, st_size=2124, ...}, 0) = 0 openat(AT_FDCWD, "/var/lib/sss/mc/passwd", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/var/lib/sss/mc/passwd", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) newfstatat(AT_FDCWD, "/proc/self/", {st_mode=S_IFDIR|0555, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 getpid() = 648229 socket(AF_UNIX, SOCK_STREAM, 0) = 3 fcntl(3, F_GETFL) = 0x2 (flags O_RDWR) fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0 fcntl(3, F_GETFD) = 0 fcntl(3, F_SETFD, FD_CLOEXEC) = 0 connect(3, {sa_family=AF_UNIX, sun_path="/var/lib/sss/pipes/nss"}, 110) = -1 ENOENT (No such file or directory) close(3) = 0 openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=1781, ...}) = 0 lseek(3, 0, SEEK_SET) = 0 read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1781 close(3) = 0 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.599300, 2] "..., 44) = 44 write(2, " libssh 0.10.4 (c) 2003-2022 Ar"..., 216) = 216 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.599665, 3] "..., 38) = 38 write(2, " host 10.10.10.108 matches an I"..., 42) = 42 socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 3 fcntl(3, F_SETFL, O_RDONLY|O_NONBLOCK) = 0 connect(3, {sa_family=AF_INET, sin_port=htons(2222), sin_addr=inet_addr("10.10.10.108")}, 16) = -1 EINPROGRESS (Operation now in progress) newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.600535, 2] "..., 51) = 51 write(2, " Nonblocking connection socket:"..., 35) = 35 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.600870, 2] "..., 44) = 
44 write(2, " Socket connecting, now waiting"..., 59) = 59 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.601443, 3] "..., 44) = 44 write(2, " Actual timeout : 10000\n", 25) = 25 poll([{fd=3, events=POLLIN|POLLOUT}], 1, 10000) = 1 ([{fd=3, revents=POLLOUT}]) newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.601920, 3] "..., 56) = 56 write(2, " Received POLLOUT in connecting"..., 39) = 39 fcntl(3, F_SETFL, O_RDONLY) = 0 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.602437, 1] "..., 58) = 58 write(2, " Socket connection callback: 1 "..., 36) = 36 sendto(3, "SSH-2.0-libssh_0.10.4\r\n", 23, MSG_NOSIGNAL, NULL, 0) = 23 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.603181, 3] "..., 60) = 60 write(2, " Enabling POLLOUT for socket\n", 30) = 30 poll([{fd=3, events=POLLIN|POLLOUT}], 1, 9999) = 1 ([{fd=3, revents=POLLIN|POLLOUT}]) recvfrom(3, "SSH-2.0-libssh_0.9.7\r\n\0\0\3t\t\24\324\343\374\275"..., 4096, 0, NULL, NULL) = 910 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.603965, 3] "..., 56) = 56 write(2, " Received banner: SSH-2.0-libss"..., 40) = 40 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.604345, 2] "..., 63) = 63 write(2, " SSH server banner: SSH-2.0-lib"..., 42) = 42 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.604644, 2] "..., 51) = 51 write(2, " Analyzing banner: SSH-2.0-libs"..., 41) = 41 futex(0x7f7b98716670, FUTEX_WAKE_PRIVATE, 2147483647) = 0 futex(0x7f7b987165e8, FUTEX_WAKE_PRIVATE, 2147483647) = 0 futex(0x7f7b98716294, FUTEX_WAKE_PRIVATE, 2147483647) = 
0 futex(0x7f7b98716290, FUTEX_WAKE_PRIVATE, 2147483647) = 0 getpid() = 648229 brk(0x23a0000) = 0x23a0000 brk(0x239f000) = 0x239f000 getpid() = 648229 getrandom("\xb9\x5c\x36\x05\x7b\x66\x8f\x0d\xd4\x42\x90\xdf\x6c\x70\x53\xce\x1d\x9f\x9d\x52\x38\x7d\xdc\xd1\xa9\xf1\xa7\xc1\xb5\x93\x94\x0b"..., 40, 0) = 40 getpid() = 648229 getrandom("\x13\xff\x9a\x16\x96\xc1\xbb\xf4\x4c\xab\x08\x21\x87\xf9\xea\xef\x9e\x60\xc9\x84\xd7\xf4\x6b\x06\x26\xf0\xbb\x6d\x6c\xf1\x01\x4a"..., 48, 0) = 48 getpid() = 648229 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.607601, 3] "..., 59) = 59 write(2, " Order of wanted host keys: \"ss"..., 129) = 129 openat(AT_FDCWD, "/home/useruser/.ssh/known_hosts", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0600, st_size=831, ...}) = 0 read(4, "10.10.10.82 ssh-ed25519 AAAAC3Nz"..., 4096) = 831 read(4, "", 4096) = 0 close(4) = 0 openat(AT_FDCWD, "/etc/ssh/ssh_known_hosts", O_RDONLY) = -1 ENOENT (No such file or directory) newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.608765, 1] "..., 61) = 61 write(2, " Failed to open the known_hosts"..., 92) = 92 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.609206, 3] "..., 59) = 59 write(2, " No key found in known_hosts; c"..., 159) = 159 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.609572, 3] "..., 45) = 45 write(2, " packet: wrote [type=20, len=90"..., 74) = 74 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.609926, 3] "..., 45) = 45 write(2, " SSH_MSG_KEXINIT sent\n", 23) = 23 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.610313, 3] "..., 59) = 59 write(2, " packet: read type 20 
[len=884,"..., 64) = 64 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.610620, 3] "..., 51) = 51 write(2, " Dispatching handler for packet"..., 41) = 41 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.610968, 2] "..., 55) = 55 write(2, " Negotiated curve25519-sha256,r"..., 120) = 120 getpid() = 648229 getrandom("\x07\x9d\xed\xdf\x90\x04\xcd\x0e\xeb\x9d\xa7\xfa\xc3\x48\x37\x74\x7f\xce\x1c\xfa\xfd\x51\x46\x96\x09\x7f\xab\x76\x4c\x46\x78\x54"..., 48, 0) = 48 getpid() = 648229 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.611859, 3] "..., 45) = 45 write(2, " packet: wrote [type=30, len=44"..., 71) = 71 sendto(3, "\0\0\3\204\7\24x\343\214\251\306\227@Y\231'\243\254Vi5\377\0\0\0\361curve2"..., 952, MSG_NOSIGNAL, NULL, 0) = 952 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.612518, 3] "..., 60) = 60 write(2, " Enabling POLLOUT for socket\n", 30) = 30 poll([{fd=3, events=POLLIN|POLLOUT}], 1, 9989) = 1 ([{fd=3, revents=POLLOUT}]) poll([{fd=3, events=POLLIN}], 1, 9989) = 1 ([{fd=3, revents=POLLIN}]) recvfrom(3, "\0\0\2d\v\37\0\0\1\27\0\0\0\7ssh-rsa\0\0\0\3\1\0\1\0\0\1\1"..., 4096, 0, NULL, NULL) = 616 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.631691, 3] "..., 59) = 59 write(2, " packet: read type 31 [len=612,"..., 65) = 65 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.632382, 3] "..., 51) = 51 write(2, " Dispatching handler for packet"..., 41) = 41 sendto(3, "\0\0\0\f\n\25\0\0\0\0\0\0\0\0\0\0", 16, MSG_NOSIGNAL, NULL, 0) = 16 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 
13:34:27.633561, 3] "..., 60) = 60 write(2, " Enabling POLLOUT for socket\n", 30) = 30 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.634140, 3] "..., 45) = 45 write(2, " packet: wrote [type=21, len=12"..., 70) = 70 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.634969, 3] "..., 54) = 54 write(2, " Set output algorithm to aes256"..., 49) = 49 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.635493, 3] "..., 54) = 54 write(2, " Set HMAC output algorithm to a"..., 40) = 40 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.635990, 3] "..., 54) = 54 write(2, " Set input algorithm to aes256-"..., 48) = 48 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.636496, 3] "..., 54) = 54 write(2, " Set HMAC input algorithm to ae"..., 39) = 39 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.637092, 2] "..., 53) = 53 write(2, " Set rekey after 4294967296 blo"..., 36) = 36 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.637618, 2] "..., 53) = 53 write(2, " Set rekey after 4294967296 blo"..., 36) = 36 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.638153, 2] "..., 67) = 67 write(2, " SSH_MSG_NEWKEYS sent\n", 23) = 23 poll([{fd=3, events=POLLIN|POLLOUT}], 1, 9964) = 1 ([{fd=3, revents=POLLIN|POLLOUT}]) recvfrom(3, "\0\0\0\f\n\25\0\0\0\0\0\0\0\0\0\0", 4096, 0, NULL, NULL) = 16 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.638975, 3] "..., 59) = 59 
write(2, " packet: read type 21 [len=12,p"..., 60) = 60 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.639485, 3] "..., 51) = 51 write(2, " Dispatching handler for packet"..., 41) = 41 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.640101, 2] "..., 51) = 51 write(2, " Received SSH_MSG_NEWKEYS\n", 27) = 27 brk(0x23c0000) = 0x23c0000 brk(0x23bf000) = 0x23bf000 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.641171, 2] "..., 51) = 51 write(2, " Signature verified and valid\n", 31) = 31 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.641688, 3] "..., 44) = 44 write(2, " current state : 7\n", 20) = 20 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.642211, 3] "..., 60) = 60 write(2, " Trying to authenticate with /h"..., 52) = 52 openat(AT_FDCWD, "/home/useruser/id_rsa.pub", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=401, ...}) = 0 fstat(4, {st_mode=S_IFREG|0644, st_size=401, ...}) = 0 read(4, "ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB"..., 4096) = 401 close(4) = 0 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.643466, 3] "..., 58) = 58 write(2, " Checking rsa-sha2-512 with lis"..., 358) = 358 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.643865, 3] "..., 58) = 58 write(2, " Checking rsa-sha2-256 with lis"..., 358) = 358 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.644243, 3] "..., 58) = 58 write(2, " Checking ssh-rsa with list <ec"..., 353) = 353 newfstatat(AT_FDCWD, "/etc/localtime", 
{st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.644552, 1] "..., 59) = 59 write(2, " The key algorithm 'ssh-rsa' is"..., 105) = 105 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.644855, 3] "..., 60) = 60 write(2, " Public key for /home/useruser/"..., 57) = 57 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.645245, 3] "..., 60) = 60 write(2, " Trying to authenticate with /h"..., 61) = 61 openat(AT_FDCWD, "/home/useruser/.ssh/id_ed25519.pub", O_RDONLY) = -1 ENOENT (No such file or directory) newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.645697, 1] "..., 59) = 59 write(2, " Error opening /home/useruser/."..., 78) = 78 openat(AT_FDCWD, "/home/useruser/.ssh/id_ed25519", O_RDONLY) = -1 ENOENT (No such file or directory) newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.646195, 1] "..., 60) = 60 write(2, " Error opening /home/useruser/."..., 74) = 74 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.646548, 3] "..., 60) = 60 write(2, " Private key /home/useruser/.ss"..., 60) = 60 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.646885, 3] "..., 60) = 60 write(2, " Trying to authenticate with /h"..., 59) = 59 openat(AT_FDCWD, "/home/useruser/.ssh/id_ecdsa.pub", O_RDONLY) = -1 ENOENT (No such file or directory) newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.647375, 1] "..., 59) = 59 write(2, " Error opening /home/useruser/."..., 76) = 76 openat(AT_FDCWD, "/home/useruser/.ssh/id_ecdsa", O_RDONLY) = -1 ENOENT (No such file or directory) 
newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.647845, 1] "..., 60) = 60 write(2, " Error opening /home/useruser/."..., 72) = 72 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.648234, 3] "..., 60) = 60 write(2, " Private key /home/useruser/.ss"..., 58) = 58 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.648576, 3] "..., 60) = 60 write(2, " Trying to authenticate with /h"..., 57) = 57 openat(AT_FDCWD, "/home/useruser/.ssh/id_rsa.pub", O_RDONLY) = -1 ENOENT (No such file or directory) newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.649043, 1] "..., 59) = 59 write(2, " Error opening /home/useruser/."..., 74) = 74 openat(AT_FDCWD, "/home/useruser/.ssh/id_rsa", O_RDONLY) = -1 ENOENT (No such file or directory) newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.649489, 1] "..., 60) = 60 write(2, " Error opening /home/useruser/."..., 70) = 70 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.649795, 3] "..., 60) = 60 write(2, " Private key /home/useruser/.ss"..., 56) = 56 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.650163, 2] "..., 60) = 60 write(2, " Tried every public key, none m"..., 39) = 39 write(2, "Authentication failed: The key a"..., 126) = 126 getpid() = 648229 sendto(3, "\0\0\0 d\331x\37\250\6\203\35E\334\256'\300/\303\366\354\202\260\241\200t\256X\210\v\215N"..., 52, MSG_NOSIGNAL, NULL, 0) = 52 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.650956, 3] "..., 60) = 60 write(2, " Enabling 
POLLOUT for socket\n", 30) = 30 newfstatat(AT_FDCWD, "/etc/localtime", {st_mode=S_IFREG|0644, st_size=1909, ...}, 0) = 0 write(2, "[2025/05/21 13:34:27.651442, 3] "..., 45) = 45 write(2, " packet: wrote [type=1, len=32,"..., 71) = 71 close(3) = 0 exit_group(1) = ? +++ exited with 1 +++
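The check discussed in this thread (which client configuration files were read before the connection, and which key algorithm libssh then refused) can be repeated on any such trace. The following Python script is an added example, not part of the original message or of libssh; the function names and the list of configuration path prefixes are assumptions, and the sample trace is constructed from syscalls shown in the attachment above.

```python
import re

# openat(AT_FDCWD, "<path>", <flags>) = <ret>
OPENAT_RE = re.compile(
    r'openat\(AT_FDCWD, "((?:[^"\\]|\\.)*)", ([A-Z_|]+)\) = (-?\d+)')
# The first outbound TCP connect marks the end of the local configuration phase.
CONNECT_RE = re.compile(r'connect\(\d+, \{sa_family=AF_INET6?,')
# libssh logs to stderr; strace prints each write(2, ...) string truncated
# to its string limit (-s, 32 bytes by default), followed by "...".
STDERR_RE = re.compile(r'write\(2, "((?:[^"\\]|\\.)*)"(?:\.\.\.)?, \d+\) = \d+')
DENIED_RE = re.compile(r"The key algorithm '([^']+)'")

# Assumption: the locations an OpenSSH-style client configuration is loaded
# from on the system in the trace; extend for other layouts.
CONFIG_PREFIXES = ("/etc/ssh/ssh_config", "/etc/crypto-policies/back-ends/")


def is_client_config(path):
    """True for system-wide, crypto-policy and per-user client config paths."""
    return path.startswith(CONFIG_PREFIXES) or path.endswith("/.ssh/config")


def config_opens(trace):
    """Return [(path, opened_ok)] for config files touched before the first
    TCP connect. Works on one-syscall-per-line output and on traces whose
    lines were run together, because it matches records, not lines."""
    connect = CONNECT_RE.search(trace)
    limit = connect.start() if connect else len(trace)
    result = []
    for m in OPENAT_RE.finditer(trace):
        if m.start() >= limit:
            break
        path, flags, ret = m.group(1), m.group(2).split("|"), int(m.group(3))
        if "O_DIRECTORY" in flags or not is_client_config(path):
            continue  # skip directory scans and unrelated files
        result.append((path, ret >= 0))
    return result


def policy_files(trace):
    """Crypto-policy back-end files that were actually read."""
    return [p for p, ok in config_opens(trace)
            if ok and p.startswith("/etc/crypto-policies/")]


def denied_key_algorithms(trace):
    """Key algorithm names from the truncated libssh stderr messages."""
    names = []
    for m in STDERR_RE.finditer(trace):
        hit = DENIED_RE.search(m.group(1))
        if hit and hit.group(1) not in names:
            names.append(hit.group(1))
    return names


# Constructed sample: records taken from the trace above, joined onto one
# physical line the way the list archive rendered the attachment.
SAMPLE_TRACE = " ".join(r"""
openat(AT_FDCWD, "/home/useruser/.ssh/config", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ssh/ssh_config", O_RDONLY) = 3
openat(AT_FDCWD, "/etc/ssh/ssh_config.d", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
openat(AT_FDCWD, "/etc/ssh/ssh_config.d/50-redhat.conf", O_RDONLY) = 4
openat(AT_FDCWD, "/etc/crypto-policies/back-ends/openssh.config", O_RDONLY) = 5
connect(3, {sa_family=AF_INET, sin_port=htons(2222), sin_addr=inet_addr("10.10.10.108")}, 16) = -1 EINPROGRESS (Operation now in progress)
openat(AT_FDCWD, "/home/useruser/id_rsa.pub", O_RDONLY) = 4
write(2, "[2025/05/21 13:34:27.644552, 1] "..., 59) = 59
write(2, " The key algorithm 'ssh-rsa' is"..., 105) = 105
""".split())


if __name__ == "__main__":
    for path, ok in config_opens(SAMPLE_TRACE):
        print(("read    " if ok else "missing ") + path)
    print("crypto-policy files read:", policy_files(SAMPLE_TRACE))
    print("refused key algorithms:", denied_key_algorithms(SAMPLE_TRACE))
```

A crypto-policy file appearing in the first list together with a refused algorithm in the second is only a hint that the system policy is in effect; the accepted-types list in the verbose libssh log is what confirms it.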