Channel: Debian User Forums

Unable to ssh after upgrade from bullseye to bookworm

I am trying to update an AWS EC2 from Debian v11.9 to bookworm.
Every time I've tried I find I am unable to ssh in after the upgrade.

For some background: this instance started out as Debian 6.0 (squeeze) and has been updated regularly over its lifetime.
While I can't be 100% sure, I am fairly confident that on every upgrade package maintainer / distribution configs would be installed and then changes applied as necessary.
This is the first test instance to sort out the update process after which it will be applied to several dozen instances.

I can successfully ssh into a fresh install of bookworm with no issues.

Without debug logging on, all I get in the log on the server is:

Code:

sshd[4774]: error: sys_get_rdomain: cannot determine VRF for fd=4 : Protocol not available

Logs from both the client and server (and fresh server) below.

I have access to the server via Session Manager so I can access it for the moment.

Client:

Code:

user@ip-192-168-30-10 ~ % ssh -vvvv admin@bookworm.example.com
OpenSSH_9.0p1, LibreSSL 3.3.6
debug1: Reading configuration data /Users/user/.ssh/config
debug3: /Users/user/.ssh/config line 1: Including file /Users/user/.ssh/config.aws-ssm/int depth 0
debug1: Reading configuration data /Users/user/.ssh/config.aws-ssm/int
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/Users/user/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/Users/user/.ssh/known_hosts2'
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to bookworm.example.com port 22.
debug1: Connection established.
debug1: identity file /Users/user/.ssh/id_rsa type 0
debug1: identity file /Users/user/.ssh/id_rsa-cert type -1
debug1: identity file /Users/user/.ssh/id_ecdsa type -1
debug1: identity file /Users/user/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/user/.ssh/id_ecdsa_sk type -1
debug1: identity file /Users/user/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /Users/user/.ssh/id_ed25519 type 3
debug1: identity file /Users/user/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/user/.ssh/id_ed25519_sk type -1
debug1: identity file /Users/user/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /Users/user/.ssh/id_xmss type -1
debug1: identity file /Users/user/.ssh/id_xmss-cert type -1
debug1: identity file /Users/user/.ssh/id_dsa type 1
debug1: identity file /Users/user/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.0
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.2p1 Debian-2+deb12u2
debug1: compat_banner: match: OpenSSH_9.2p1 Debian-2+deb12u2 pat OpenSSH* compat 0x04000000
debug3: fd 6 is O_NONBLOCK
debug1: Authenticating to bookworm.example.com:22 as 'admin'
debug3: record_hostkey: found key type ED25519 in file /Users/user/.ssh/known_hosts:697
debug3: load_hostkeys_file: loaded 1 keys from bookworm.example.com
debug1: load_hostkeys: fopen /Users/user/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: have matching best-preference key type ssh-ed25519-cert-v01@openssh.com, using HostkeyAlgorithms verbatim
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent

Server (unable to ssh):

Code:

sshd[4056]: debug1: Forked child 4774.
sshd[4774]: debug1: Set /proc/self/oom_score_adj to 0
sshd[4774]: debug1: rexec start in 6 out 6 newsock 6 pipe 8 sock 9
sshd[4774]: debug1: inetd sockets after dupping: 4, 4
sshd[4774]: error: sys_get_rdomain: cannot determine VRF for fd=4 : Protocol not available
sshd[4774]: Connection from ___.___.___.___ port 61663 on 172.31.1.169 port 22
sshd[4774]: debug1: Local version string SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2
sshd[4774]: debug1: Remote protocol version 2.0, remote software version OpenSSH_9.0
sshd[4774]: debug1: compat_banner: match: OpenSSH_9.0 pat OpenSSH* compat 0x04000000
sshd[4774]: debug1: permanently_set_uid: 101/65534 [preauth]
sshd[4774]: debug1: ssh_sandbox_child: prctl(PR_SET_NO_NEW_PRIVS): Invalid argument [preauth]
sshd[4774]: debug1: ssh_sandbox_child: prctl(PR_SET_SECCOMP): Invalid argument [preauth]
sshd[4774]: debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
sshd[4774]: debug1: do_cleanup
sshd[4774]: debug1: Killing privsep child 4775
sshd[4774]: debug1: audit_event: unhandled event 12

Server (able to ssh):

Code:

sshd[9809]: debug1: Forked child 9863.
sshd[9809]: debug3: send_rexec_state: entering fd = 8 config len 3247
sshd[9809]: debug3: ssh_msg_send: type 0
sshd[9809]: debug3: send_rexec_state: done
sshd[9863]: debug3: oom_adjust_restore
sshd[9863]: debug1: Set /proc/self/oom_score_adj to 0
sshd[9863]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
sshd[9863]: debug1: inetd sockets after dupping: 4, 4
sshd[9863]: debug3: process_channel_timeouts: setting 0 timeouts
sshd[9863]: debug3: channel_clear_timeouts: clearing
sshd[9863]: Connection from ___.___.___.___ port 63268 on 172.31.1.244 port 22 rdomain ""
sshd[9863]: debug1: Local version string SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2
sshd[9863]: debug1: Remote protocol version 2.0, remote software version OpenSSH_9.0
sshd[9863]: debug1: compat_banner: match: OpenSSH_9.0 pat OpenSSH* compat 0x04000000
sshd[9863]: debug2: fd 4 setting O_NONBLOCK
sshd[9863]: debug3: ssh_sandbox_init: preparing seccomp filter sandbox
sshd[9863]: debug2: Network child is on pid 9864
sshd[9863]: debug3: preauth child monitor started
sshd[9863]: debug3: privsep user:group 103:65534 [preauth]
sshd[9863]: debug1: permanently_set_uid: 103/65534 [preauth]
sshd[9863]: debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth]
sshd[9863]: debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
sshd[9863]: debug3: append_hostkey_type: ssh-rsa key not permitted by HostkeyAlgorithms [preauth]
sshd[9863]: debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
sshd[9863]: debug3: send packet: type 20 [preauth]
sshd[9863]: debug1: SSH2_MSG_KEXINIT sent [preauth]
sshd[9863]: debug3: receive packet: type 20 [preauth]
sshd[9863]: debug1: SSH2_MSG_KEXINIT received [preauth]
sshd[9863]: debug2: local server KEXINIT proposal [preauth]
sshd[9863]: debug2: KEX algorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,kex-strict-s-v00@openssh.com [preauth]
sshd[9863]: debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
sshd[9863]: debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
sshd[9863]: debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com [preauth]
...

Statistics: Posted by joesysadmin — 2024-03-02 14:16 — Replies 2 — Views 101
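
A small triage script for the two server logs in the post above, as an added example that is not part of the original post: it lists the error and errno lines sshd logged and reports whether the server ever sent SSH2_MSG_KEXINIT before cleaning up. The log excerpts are copied from the post; the function name `triage` and the list of errno strings are assumptions of this example.

```python
import re

# Sample input: lines copied from the two server logs in the post (excerpted).
FAILING = """\
sshd[4774]: error: sys_get_rdomain: cannot determine VRF for fd=4 : Protocol not available
sshd[4774]: debug1: permanently_set_uid: 101/65534 [preauth]
sshd[4774]: debug1: ssh_sandbox_child: prctl(PR_SET_NO_NEW_PRIVS): Invalid argument [preauth]
sshd[4774]: debug1: ssh_sandbox_child: prctl(PR_SET_SECCOMP): Invalid argument [preauth]
sshd[4774]: debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
sshd[4774]: debug1: do_cleanup
"""
WORKING = """\
sshd[9863]: debug3: ssh_sandbox_init: preparing seccomp filter sandbox
sshd[9863]: debug1: permanently_set_uid: 103/65534 [preauth]
sshd[9863]: debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth]
sshd[9863]: debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
sshd[9863]: debug3: append_hostkey_type: ssh-rsa key not permitted by HostkeyAlgorithms [preauth]
sshd[9863]: debug1: SSH2_MSG_KEXINIT sent [preauth]
"""

LINE = re.compile(r"sshd\[(\d+)\]: (?:(debug\d|error|fatal): )?(.*)")
# strerror() texts to flag; this list is an assumption of the example, not exhaustive.
ERRNO = re.compile(r": (Invalid argument|Protocol not available|"
                   r"Operation not permitted|Function not implemented)")
PRCTL = re.compile(r"prctl\((PR_\w+)\)")


def triage(log):
    """Summarise one sshd debug log: flagged lines, failed prctl options, KEX progress."""
    flagged, failed_prctl, kexinit_sent = [], [], False
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an sshd syslog line
        _pid, level, msg = m.groups()
        if level in ("error", "fatal") or ERRNO.search(msg):
            flagged.append(msg)
            failed_prctl += PRCTL.findall(msg)
        if msg.startswith("SSH2_MSG_KEXINIT sent"):
            kexinit_sent = True
    return {"flagged": flagged, "failed_prctl": failed_prctl,
            "kexinit_sent": kexinit_sent}


if __name__ == "__main__":
    for name, log in (("failing", FAILING), ("working", WORKING)):
        print(name, triage(log))
```

On the excerpts above, the failing log yields three flagged lines and no KEXINIT from the server, while the working log yields none and reaches KEXINIT.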


