Connection refused to Guix-hosted SSH

Connection refused to Guix-hosted SSH

[dabbede]

Dear all,
I'm starting with Guix and I'm still learning. I've set up a simple
system with no gui, and now I would like to configure OpenSSH daemon
to accept incoming connections for my two users ("root" and "pcp").
Here is my config.scm file. Both "root.pub" and "pcp.pub" are existing
in /etc when I run guix system reconfigure.

(use-modules (gnu))
(use-modules (gnu packages linux))
(use-service-modules desktop networking ssh xorg)

(operating-system
  (kernel linux-libre)
  (locale "en_US.utf8")
  (timezone "Europe/Rome")
  (keyboard-layout (keyboard-layout "it"))
  (host-name "PCP3600")
  (users (cons* (user-account
                  (name "pcp")
                  (comment "Pcp Developer")
                  (group "users")
                  (home-directory "/home/pcp")
                  (supplementary-groups
                    '("wheel" "netdev" "audio" "video")))
                %base-user-accounts))
  (services
    (append
      (list (service static-networking-service-type
              (list (static-networking
                       (addresses (list (network-address (device
"eno1") (value "10.168.214.102/24")))))))
            (service openssh-service-type
                     (openssh-configuration
                        (permit-root-login #t)
                        (password-authentication? #t)
                        (public-key-authentication? #t)
                        (authorized-keys
                          `(("root" ,(local-file "root.pub"))
                            ("pcp" ,(local-file "pcp.pub")))))))
      %base-services))
  (bootloader
    (bootloader-configuration
      (bootloader grub-bootloader)
      (target "/dev/sda")
      (keyboard-layout keyboard-layout)))
  (swap-devices
    (list (uuid "7137662a-60fa-4f0e-b820-916e644d6e84")))
  (file-systems
    (cons* (file-system
             (mount-point "/")
             (device
               (uuid "4fc3b29d-3ef4-4c79-ba8c-8a86fb5fc06c"
                     'ext4))
             (type "ext4"))
           %base-file-systems)))

From another machine I can correctly ping this system at the static
address, but I can't login with private credentials. Actually, I can't
connect even with password, because every time my client ends with
"Network error: Software caused connection abort".

Within guix, if I run "ssh pcp@localhost" I receive a "Connection
reset by 127.0.0.1 port 22" (I don't know if it is supposed to work on
localhost).

I've also tried to manaully add the pub keys in ".ssh/authorized_keys"
for both users, with no luck. What am I missing?!

Thank you for your help

Re: Connection refused to Guix-hosted SSH

[Oleg Pykhalov]

[-- Attachment #1: Type: text/plain, Size: 2190 bytes --]

Hi,

"dabbede@gmail.com" <dabbede@gmail.com> writes:

[…]

>   (users (cons* (user-account
>                   (name "pcp")
>                   (comment "Pcp Developer")
>                   (group "users")
>                   (home-directory "/home/pcp")
>                   (supplementary-groups
>                     '("wheel" "netdev" "audio" "video")))
>                 %base-user-accounts))
>   (services
>     (append
>       (list (service static-networking-service-type
>               (list (static-networking
>                        (addresses (list (network-address (device
> "eno1") (value "10.168.214.102/24")))))))
>             (service openssh-service-type
>                      (openssh-configuration
>                         (permit-root-login #t)
>                         (password-authentication? #t)
>                         (public-key-authentication? #t)
>                         (authorized-keys
>                           `(("root" ,(local-file "root.pub"))
>                             ("pcp" ,(local-file "pcp.pub")))))))
>       %base-services))

[…]

> From another machine I can correctly ping this system at the static
> address, but I can't login with private credentials. Actually, I can't
> connect even with password, because every time my client ends with
> "Network error: Software caused connection abort".

Is another machine in the same network 10.168.214.102/24?

A default gateway should be specified if not.

(static-networking
 (routes
   (list (network-route
          (destination "default")
          (gateway "???"))))
 ...)

> Within guix, if I run "ssh pcp@localhost" I receive a "Connection
> reset by 127.0.0.1 port 22" (I don't know if it is supposed to work on
> localhost).

It is supposed.

What does ‘sudo herd status’ show?

> I've also tried to manaully add the pub keys in ".ssh/authorized_keys"
> for both users, with no luck. What am I missing?!

By default on Guix system that should work as well as specifing keys in
the system configuration file.

Make sure that .ssh directory has 0700 permissions, which is required by
SSH daemon.


Oleg.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 861 bytes --]

Re: Connection refused to Guix-hosted SSH

[dabbede]

On Thu, Oct 13, 2022 at 7:30 AM Oleg Pykhalov <go.wigust@gmail.com> wrote:
>
> Hi,

Hi oleg

[...]
>
> > From another machine I can correctly ping this system at the static
> > address, but I can't login with private credentials. Actually, I can't
> > connect even with password, because every time my client ends with
> > "Network error: Software caused connection abort".
>
> Is another machine in the same network 10.168.214.102/24?

Yes, with IP 10.168.214.155

> A default gateway should be specified if not.
>
> (static-networking
>  (routes
>    (list (network-route
>           (destination "default")
>           (gateway "???"))))
>  ...)

I've tried now your suggestion, but even with that it doesn't work

> > Within guix, if I run "ssh pcp@localhost" I receive a "Connection
> > reset by 127.0.0.1 port 22" (I don't know if it is supposed to work on
> > localhost).
>
> It is supposed.

This is a bad sign... no matter my network (client-server)
configuration, localhost should always be reachable (from within the
server)

> What does ‘sudo herd status’ show?

Started:
 + console-font-tty1
 + console-font-tty2
 + console-font-tty3
 + console-font-tty4
 + console-font-tty5
 + console-font-tty6
 + file-system-/dev/pts
 + file-system-/dev/shm
 + file-system-/gnu/store
 + file-system-/sys/firmware/efi/efivars
 + file-system-/sys/kernel/debug
 + file-systems
 + guix-daemon
 + loopback
 + mcron
 + networking
 + nscd
 + root
 + root-file-system
 + ssh-daemon
 + swap-713766
 + syslogd
 + term-tty1
 + term-tty2
 + term-tty3
 + term-tty4
 + term-tty5
 + term-tty6
 + udev
 + urandom-seed
 + user-file-systems
 + user-processes
 + virtual-terminal
Stopped:
 - term-console
One-shot:
 * host-name
 * sysctl
 * user-homes

If I invoke "sudo herd status ssh" I obtain this output:

Status of ssh-daemon:
  It is started.
  Running value is ("#<input-output: socket 18>" "#<input-output: socket 19>").
  It is enabled.
  Provides (ssh-daemon ssh sshd).
  Requires (syslogd loopback).
  Conflicts with ().
  Will be respawned.

It seems to me that everything is correctly running...

> > I've also tried to manaully add the pub keys in ".ssh/authorized_keys"
> > for both users, with no luck. What am I missing?!
>
> By default on Guix system that should work as well as specifing keys in
> the system configuration file.
>
> Make sure that .ssh directory has 0700 permissions, which is required by
> SSH daemon.
>
>
> Oleg.

In principle I had no .ssh folder, I've only added it later in a
desperate attempt to solve the issue. Now I set the permissions as
your suggestion but it does not solve the issue.
What else can I check? Where can I find the sshd config file that Guix
built "under the hood" using my config.scm?! Just to double check that
the everything is properly set...

Thanks

Re: Connection refused to Guix-hosted SSH

[Felix Lechner via]

Hi,

On Wed, Oct 12, 2022 at 1:33 PM dabbede@gmail.com <dabbede@gmail.com> wrote:
>
> I can't login with private credentials.

Did you set a password interactively? Otherwise you can set an initial
password with something like (password (crypt "alice" "$6$abc")) [1]

Either way, I would also have a look at the output of

    fgrep -i ssh /var/log/messages

on the server.

Kind regards
Felix Lechner

[1] https://guix.gnu.org/en/manual/devel/en/html_node/Using-the-Configuration-System.html

Re: Connection refused to Guix-hosted SSH

[dabbede]

On Thu, Oct 13, 2022 at 11:05 PM Felix Lechner
<felix.lechner@lease-up.com> wrote:
>
> Hi,

Hi Felix

> On Wed, Oct 12, 2022 at 1:33 PM dabbede@gmail.com <dabbede@gmail.com> wrote:
> >
> > I can't login with private credentials.
>
> Did you set a password interactively? Otherwise you can set an initial
> password with something like (password (crypt "alice" "$6$abc")) [1]

Password was set interactively. Now I've added a third user "test"
with a prescribed/crypted password and I can login to it from terminal
but, again, not from ssh client.

> Either way, I would also have a look at the output of
>
>     fgrep -i ssh /var/log/messages
>
> on the server.

Sure. I receive a bunch of messages of this form:

Oct 14 10:04:23 localhost vmunix: [ 5869.880044] audit: type=1326
audit(1665734663.369:6): auid=4294967295 uid=989 gid=983
ses=4294967295 subj=unconfined pid=599 comm="sshd"
exe="/gnu/store/jgw64z5w2q6b4nph7a74jc97ihfxkfsf-openssh-8.9p1/sbin/sshd"
sig=31 arch=40000003 syscall=414 compat=0 ip=0xb7f94549 code=0x0
Oct 14 10:04:23 localhost shepherd[1]: 0 connections still in use
after sshd-5 termination.
Oct 14 10:04:23 localhost shepherd[1]: Service sshd-5 (PID 598) exited with 255.
Oct 14 10:04:23 localhost shepherd[1]: Service sshd-5 has been disabled.
Oct 14 10:04:23 localhost shepherd[1]: Transient service sshd-5
terminated, now unregistered.
Oct 14 10:05:43 localhost shepherd[1]: Service sshd-6 has been started.
Oct 14 10:05:43 localhost vmunix: [ 5950.061859] audit: type=1326
audit(1665734743.553:7): auid=4294967295 uid=989 gid=983
ses=4294967295 subj=unconfined pid=601 comm="sshd"
exe="/gnu/store/jgw64z5w2q6b4nph7a74jc97ihfxkfsf-openssh-8.9p1/sbin/sshd"
sig=31 arch=40000003 syscall=414 compat=0 ip=0xb7fba549 code=0x0
Oct 14 10:05:43 localhost shepherd[1]: 0 connections still in use
after sshd-6 termination.
Oct 14 10:05:43 localhost shepherd[1]: Service sshd-6 (PID 600) exited with 255.
Oct 14 10:05:43 localhost shepherd[1]: Service sshd-6 has been disabled.
Oct 14 10:05:43 localhost shepherd[1]: Transient service sshd-6
terminated, now unregistered.

I see "Service sshd-6 (PID 600) exited with 255." but I don't know
what it means nor why.
In order to gain more insight I've tried to connect with verbose
output "ssh -v test@localhost" and this is the output

OpenSSH_8.9p1, OpenSSL 1.1.1q  5 Jul 2022
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/pcp/.ssh/id_rsa type 0
debug1: identity file /home/pcp/.ssh/id_rsa-cert type -1
debug1: identity file /home/pcp/.ssh/id_ecdsa type -1
debug1: identity file /home/pcp/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/pcp/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/pcp/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/pcp/.ssh/id_ed25519 type -1
debug1: identity file /home/pcp/.ssh/id_ed25519-cert type -1
debug1: identity file /home/pcp/.ssh/id_ed25519_sk type -1
debug1: identity file /home/pcp/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/pcp/.ssh/id_xmss type -1
debug1: identity file /home/pcp/.ssh/id_xmss-cert type -1
debug1: identity file /home/pcp/.ssh/id_dsa type -1
debug1: identity file /home/pcp/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9
debug1: compat_banner: match: OpenSSH_8.9 pat OpenSSH* compat 0x04000000
debug1: Authenticating to localhost:22 as 'test'
debug1: load_hostkeys: fopen /home/pcp/.ssh/known_hosts: No such file
or directory
debug1: load_hostkeys: fopen /home/pcp/.ssh/known_hosts2: No such file
or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file
or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC:
<implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC:
<implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
Connection reset by 127.0.0.1 port 22

The lines about missing known_hosts were suspicious, but even touching
a new .ssh/knwon_hosts does not help.
The line with "expecting SSH2_MSG_KEX_ECDH_REPLY" is also suspicious
but I don't know how to solve it.

Finally, I also tried to manually start sshd on port 2222 and this is the output
/etc/ssh/sshd_config: No such file or directory

I don't know if shepherd has a different way of launching the daemon.
I expect that a sshd_config must exist somewhere... I would really
like to give a look at it

> Kind regards
> Felix Lechner
>
> [1] https://guix.gnu.org/en/manual/devel/en/html_node/Using-the-Configuration-System.html

Thank you, regards

Re: Connection refused to Guix-hosted SSH

[Felix Lechner via]

Hi,

On Fri, Oct 14, 2022 at 1:54 AM dabbede@gmail.com <dabbede@gmail.com> wrote:
>
> Finally, I also tried to manually start sshd on port 2222

I think that is a fabulous idea, especially if you can prevent
daemonization with -d (or -D).

> this is the output /etc/ssh/sshd_config: No such file or directory

The sshd_config is in /gnu/store. It is generated by 'guix system
reconfigure'. You can see all available versions with

    ls -ld /gnu/store/*sshd-config

In a bind, I would pick one that should work and pass it via -f.

To find the version that is actually used by your current system
generation and corresponds to your latest config.scm would require
some sleuthing. You may have to examine the symbolic links in the
system profile and, possibly, in /gnu/store. You may be able to get
better advice about that in #guix on IRC.

Either way, please do not make any manual changes to /gnu/store,
however tempting it may appear.

Kind regards
Felix Lechner

Re: Connection refused to Guix-hosted SSH

[dabbede]

On Fri, Oct 14, 2022 at 7:06 PM Felix Lechner
<felix.lechner@lease-up.com> wrote:
>
> Hi,
>
> On Fri, Oct 14, 2022 at 1:54 AM dabbede@gmail.com <dabbede@gmail.com> wrote:
> >
> > Finally, I also tried to manually start sshd on port 2222
>
> I think that is a fabulous idea, especially if you can prevent
> daemonization with -d (or -D).
>
> > this is the output /etc/ssh/sshd_config: No such file or directory
>
> The sshd_config is in /gnu/store. It is generated by 'guix system
> reconfigure'. You can see all available versions with
>
>     ls -ld /gnu/store/*sshd-config
>
> In a bind, I would pick one that should work and pass it via -f.

I just have 3 versions in /gnu/store/, all of them very similar one
another. I just picked up the first one and tried running sshd -d -p
2222 -f /gnu/store/....path_to_sshd_config
The server starts up waiting for connections. Then, on another tty
(and another user), I try to connect to port 2222 in localhost: client
side receives "Connection reset by 127.0.0.1 port 2222", while the
server side reports this:

debug1: sshd version OpenSSH_8.9, OpenSSL 1.1.1q  5 Jul 2022
debug1: private host key #0: ssh-rsa
SHA256:stg5akPHR8JGdXPXmqUYJhhZFj1UmEmWx19el4EiHGM
debug1: private host key #1: ecdsa-sha2-nistp256
SHA256:zfyEMyjDdSOHX3e9byADPp5sm7Pu6zdq2jnQSWbDo+4
debug1: private host key #2: ssh-ed25519
SHA256:tBpk8+XR3GalUmNqIxT6ITf5Tyy8WKVSxBULZjAmQqI
debug1: rexec_argv[0]='/gnu/store/jgw64z5w2q6b4nph7a74jc97ihfxkfsf-openssh-8.9p1/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: rexec_argv[2]='-f'
debug1: rexec_argv[3]='/gnu/store/h5hri15x24vljfahpwv1b4dva69nbis3-sshd_config'
debug1: rexec_argv[4]='-p'
debug1: rexec_argv[5]='2222'
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug1: Bind to port 2222 on 0.0.0.0.
Server listening on 0.0.0.0 port 2222.
debug1: Bind to port 2222 on ::.
Server listening on :: port 2222.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: sshd version OpenSSH_8.9, OpenSSL 1.1.1q  5 Jul 2022
debug1: private host key #0: ssh-rsa
SHA256:stg5akPHR8JGdXPXmqUYJhhZFj1UmEmWx19el4EiHGM
debug1: private host key #1: ecdsa-sha2-nistp256
SHA256:zfyEMyjDdSOHX3e9byADPp5sm7Pu6zdq2jnQSWbDo+4
debug1: private host key #2: ssh-ed25519
SHA256:tBpk8+XR3GalUmNqIxT6ITf5Tyy8WKVSxBULZjAmQqI
debug1: inetd sockets after dupping: 3, 3
Connection from 127.0.0.1 port 33818 on 127.0.0.1 port 2222 rdomain ""
debug1: Local version string SSH-2.0-OpenSSH_8.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9
debug1: compat_banner: match: OpenSSH_8.9 pat OpenSSH* compat 0x04000000
debug1: permanently_set_uid: 989/983 [preauth]
debug1: list_hostkey_types:
rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: monitor_read_log: child log fd closed
debug1: do_cleanup
debug1: Killing privsep child 366

I'm puzzled, as I don't understand exactly what went wrong...

> To find the version that is actually used by your current system
> generation and corresponds to your latest config.scm would require
> some sleuthing. You may have to examine the symbolic links in the
> system profile and, possibly, in /gnu/store. You may be able to get
> better advice about that in #guix on IRC.
>
> Either way, please do not make any manual changes to /gnu/store,
> however tempting it may appear.
>
> Kind regards
> Felix Lechner

Thanks again, regards

Re: Connection refused to Guix-hosted SSH

[Felix Lechner via]

Hi,

On Fri, Oct 14, 2022 at 1:02 PM dabbede@gmail.com <dabbede@gmail.com> wrote:
>
> I'm puzzled, as I don't understand exactly what went wrong...

How about the output from the client with

    ssh -vvv

Also, it may be helpful to post the contents of your sshd_config.

> Connection from 127.0.0.1 port 33818 on 127.0.0.1 port 2222 rdomain ""

Do you have reverse DNS configured? For example, please see here
https://serverfault.com/questions/206365/ssh-reverse-dns-lookup

Kind regards
Felix Lechner

Re: Connection refused to Guix-hosted SSH

[Efraim Flashner]

[-- Attachment #1: Type: text/plain, Size: 5298 bytes --]

From a previous email it looks like you only have an rsa key


debug1: Connection established.
debug1: identity file /home/pcp/.ssh/id_rsa type 0
debug1: identity file /home/pcp/.ssh/id_rsa-cert type -1
debug1: identity file /home/pcp/.ssh/id_ecdsa type -1
debug1: identity file /home/pcp/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/pcp/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/pcp/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/pcp/.ssh/id_ed25519 type -1
debug1: identity file /home/pcp/.ssh/id_ed25519-cert type -1
debug1: identity file /home/pcp/.ssh/id_ed25519_sk type -1
debug1: identity file /home/pcp/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/pcp/.ssh/id_xmss type -1
debug1: identity file /home/pcp/.ssh/id_xmss-cert type -1
debug1: identity file /home/pcp/.ssh/id_dsa type -1
debug1: identity file /home/pcp/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9


On Fri, Oct 14, 2022 at 10:01:57PM +0200, dabbede@gmail.com wrote:
> On Fri, Oct 14, 2022 at 7:06 PM Felix Lechner
> <felix.lechner@lease-up.com> wrote:
> >
> > Hi,
> >
> > On Fri, Oct 14, 2022 at 1:54 AM dabbede@gmail.com <dabbede@gmail.com> wrote:
> > >
> > > Finally, I also tried to manually start sshd on port 2222
> >
> > I think that is a fabulous idea, especially if you can prevent
> > daemonization with -d (or -D).
> >
> > > this is the output /etc/ssh/sshd_config: No such file or directory
> >
> > The sshd_config is in /gnu/store. It is generated by 'guix system
> > reconfigure'. You can see all available versions with
> >
> >     ls -ld /gnu/store/*sshd-config
> >
> > In a bind, I would pick one that should work and pass it via -f.
> 
> I just have 3 versions in /gnu/store/, all of them very similar one
> another. I just picked up the first one and tried running sshd -d -p
> 2222 -f /gnu/store/....path_to_sshd_config
> The server starts up waiting for connections. Then, on another tty
> (and another user), I try to connect to port 2222 in localhost: client
> side receives "Connection reset by 127.0.0.1 port 2222", while the
> server side reports this:
> 
> debug1: sshd version OpenSSH_8.9, OpenSSL 1.1.1q  5 Jul 2022
> debug1: private host key #0: ssh-rsa
> SHA256:stg5akPHR8JGdXPXmqUYJhhZFj1UmEmWx19el4EiHGM
> debug1: private host key #1: ecdsa-sha2-nistp256
> SHA256:zfyEMyjDdSOHX3e9byADPp5sm7Pu6zdq2jnQSWbDo+4
> debug1: private host key #2: ssh-ed25519
> SHA256:tBpk8+XR3GalUmNqIxT6ITf5Tyy8WKVSxBULZjAmQqI
> debug1: rexec_argv[0]='/gnu/store/jgw64z5w2q6b4nph7a74jc97ihfxkfsf-openssh-8.9p1/sbin/sshd'
> debug1: rexec_argv[1]='-d'
> debug1: rexec_argv[2]='-f'
> debug1: rexec_argv[3]='/gnu/store/h5hri15x24vljfahpwv1b4dva69nbis3-sshd_config'
> debug1: rexec_argv[4]='-p'
> debug1: rexec_argv[5]='2222'
> debug1: Set /proc/self/oom_score_adj from 0 to -1000
> debug1: Bind to port 2222 on 0.0.0.0.
> Server listening on 0.0.0.0 port 2222.
> debug1: Bind to port 2222 on ::.
> Server listening on :: port 2222.
> debug1: Server will not fork when running in debugging mode.
> debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
> debug1: sshd version OpenSSH_8.9, OpenSSL 1.1.1q  5 Jul 2022
> debug1: private host key #0: ssh-rsa
> SHA256:stg5akPHR8JGdXPXmqUYJhhZFj1UmEmWx19el4EiHGM
> debug1: private host key #1: ecdsa-sha2-nistp256
> SHA256:zfyEMyjDdSOHX3e9byADPp5sm7Pu6zdq2jnQSWbDo+4
> debug1: private host key #2: ssh-ed25519
> SHA256:tBpk8+XR3GalUmNqIxT6ITf5Tyy8WKVSxBULZjAmQqI
> debug1: inetd sockets after dupping: 3, 3
> Connection from 127.0.0.1 port 33818 on 127.0.0.1 port 2222 rdomain ""
> debug1: Local version string SSH-2.0-OpenSSH_8.9
> debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9
> debug1: compat_banner: match: OpenSSH_8.9 pat OpenSSH* compat 0x04000000
> debug1: permanently_set_uid: 989/983 [preauth]
> debug1: list_hostkey_types:
> rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]

^^^ There are rsa keys listed here, so the server should have rsa keys
in /etc/ssh.

> debug1: SSH2_MSG_KEXINIT sent [preauth]
> debug1: monitor_read_log: child log fd closed
> debug1: do_cleanup
> debug1: Killing privsep child 366
> 
> I'm puzzled, as I don't understand exactly what went wrong...
> 
> > To find the version that is actually used by your current system
> > generation and corresponds to your latest config.scm would require
> > some sleuthing. You may have to examine the symbolic links in the
> > system profile and, possibly, in /gnu/store. You may be able to get
> > better advice about that in #guix on IRC.
> >
> > Either way, please do not make any manual changes to /gnu/store,
> > however tempting it may appear.
> >
> > Kind regards
> > Felix Lechner
> 
> Thanks again, regards

There was recently a change in openssh to deprecate support for rsa-sha1
keys. Try generating new ssh keys using a newish version of openssh and
using that as your keys for pcp or test, and see if that works for
connecting using a key.

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: Connection refused to Guix-hosted SSH

[dabbede]

Hi Efraim,

Il mer 19 ott 2022, 20:54 Efraim Flashner <efraim@flashner.co.il> ha
scritto:

> From a previous email it looks like you only have an rsa key
>

Good point. At the beginning of the discussion I was recycling an old key,
and when I saw those messages (I was not sure whether errors or just info)
I also tried generating a new pair, but I could not connect either.
Moreover, in my configuration I was allowing for password authentication,
so I guess that at least that option should still be valid, even with a non
valid key-pair.

[...]


> There was recently a change in openssh to deprecate support for rsa-sha1
> keys. Try generating new ssh keys using a newish version of openssh and
> using that as your keys for pcp or test, and see if that works for
> connecting using a key.
>

>
>
[...]

Now unfortunately I can not reproduce, because I reinstalled a new system.
Now it works flawlessly.

Thank you, regards

   Davide

Re: Connection refused to Guix-hosted SSH

[Oleg Pykhalov]

[-- Attachment #1: Type: text/plain, Size: 2147 bytes --]

"dabbede@gmail.com" <dabbede@gmail.com> writes:

[…]

> Sure. I receive a bunch of messages of this form:
>
> Oct 14 10:04:23 localhost vmunix: [ 5869.880044] audit: type=1326
> audit(1665734663.369:6): auid=4294967295 uid=989 gid=983
> ses=4294967295 subj=unconfined pid=599 comm="sshd"
> exe="/gnu/store/jgw64z5w2q6b4nph7a74jc97ihfxkfsf-openssh-8.9p1/sbin/sshd"
> sig=31 arch=40000003 syscall=414 compat=0 ip=0xb7f94549 code=0x0
> Oct 14 10:04:23 localhost shepherd[1]: 0 connections still in use
> after sshd-5 termination.
> Oct 14 10:04:23 localhost shepherd[1]: Service sshd-5 (PID 598) exited with 255.
> Oct 14 10:04:23 localhost shepherd[1]: Service sshd-5 has been disabled.
> Oct 14 10:04:23 localhost shepherd[1]: Transient service sshd-5
> terminated, now unregistered.
> Oct 14 10:05:43 localhost shepherd[1]: Service sshd-6 has been started.
> Oct 14 10:05:43 localhost vmunix: [ 5950.061859] audit: type=1326
> audit(1665734743.553:7): auid=4294967295 uid=989 gid=983
> ses=4294967295 subj=unconfined pid=601 comm="sshd"
> exe="/gnu/store/jgw64z5w2q6b4nph7a74jc97ihfxkfsf-openssh-8.9p1/sbin/sshd"
> sig=31 arch=40000003 syscall=414 compat=0 ip=0xb7fba549 code=0x0
> Oct 14 10:05:43 localhost shepherd[1]: 0 connections still in use
> after sshd-6 termination.
> Oct 14 10:05:43 localhost shepherd[1]: Service sshd-6 (PID 600) exited with 255.
> Oct 14 10:05:43 localhost shepherd[1]: Service sshd-6 has been disabled.
> Oct 14 10:05:43 localhost shepherd[1]: Transient service sshd-6
> terminated, now unregistered.
>
> I see "Service sshd-6 (PID 600) exited with 255." but I don't know
> what it means nor why.
> In order to gain more insight I've tried to connect with verbose
> output "ssh -v test@localhost" and this is the output

255 usually means something wrong with a program execution (e.g. missing
binary).  In the current case it should a Shell program by SSH default.

Could you try to specify a non-interactive program manually? E.g.:

    ssh -vvv 127.0.0.1 -- /run/current-system/profile/bin/id

It should output SSH client log and ‘id’ program output.


Oleg.


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 861 bytes --]

Re: Connection refused to Guix-hosted SSH

[dabbede]

Hi all,

in the end I gave up... since my guix was not pulling anymore, I
suspected something more "serious" was happening than just a broken
ssh.
Then I've re-installed the whole system (it was a test system anyway,
not a big deal) and this time ssh works out of the box.
During installation, I've spotted one possible cause that could have
broken sshd in my first sistem: I did not select "Mozilla NSS
certificates" (which translates to package (specification->package
"nss-certs")) ).
I don't know if it is related, but the description says "To connect
through https"... probably not...
The other difference is that my first system was based on i686
(32bit), while the latter is x86_64 (64bit).

Whatever the reason, thank you all for the help.
I hope one day I'll be skilled enough to help others as well.

Regards

On Sat, Oct 15, 2022 at 8:01 AM Oleg Pykhalov <go.wigust@gmail.com> wrote:
>
> "dabbede@gmail.com" <dabbede@gmail.com> writes:
>
> […]
>
> > Sure. I receive a bunch of messages of this form:
> >
> > Oct 14 10:04:23 localhost vmunix: [ 5869.880044] audit: type=1326
> > audit(1665734663.369:6): auid=4294967295 uid=989 gid=983
> > ses=4294967295 subj=unconfined pid=599 comm="sshd"
> > exe="/gnu/store/jgw64z5w2q6b4nph7a74jc97ihfxkfsf-openssh-8.9p1/sbin/sshd"
> > sig=31 arch=40000003 syscall=414 compat=0 ip=0xb7f94549 code=0x0
> > Oct 14 10:04:23 localhost shepherd[1]: 0 connections still in use
> > after sshd-5 termination.
> > Oct 14 10:04:23 localhost shepherd[1]: Service sshd-5 (PID 598) exited with 255.
> > Oct 14 10:04:23 localhost shepherd[1]: Service sshd-5 has been disabled.
> > Oct 14 10:04:23 localhost shepherd[1]: Transient service sshd-5
> > terminated, now unregistered.
> > Oct 14 10:05:43 localhost shepherd[1]: Service sshd-6 has been started.
> > Oct 14 10:05:43 localhost vmunix: [ 5950.061859] audit: type=1326
> > audit(1665734743.553:7): auid=4294967295 uid=989 gid=983
> > ses=4294967295 subj=unconfined pid=601 comm="sshd"
> > exe="/gnu/store/jgw64z5w2q6b4nph7a74jc97ihfxkfsf-openssh-8.9p1/sbin/sshd"
> > sig=31 arch=40000003 syscall=414 compat=0 ip=0xb7fba549 code=0x0
> > Oct 14 10:05:43 localhost shepherd[1]: 0 connections still in use
> > after sshd-6 termination.
> > Oct 14 10:05:43 localhost shepherd[1]: Service sshd-6 (PID 600) exited with 255.
> > Oct 14 10:05:43 localhost shepherd[1]: Service sshd-6 has been disabled.
> > Oct 14 10:05:43 localhost shepherd[1]: Transient service sshd-6
> > terminated, now unregistered.
> >
> > I see "Service sshd-6 (PID 600) exited with 255." but I don't know
> > what it means nor why.
> > In order to gain more insight I've tried to connect with verbose
> > output "ssh -v test@localhost" and this is the output
>
> 255 usually means something wrong with a program execution (e.g. missing
> binary).  In the current case it should a Shell program by SSH default.
>
> Could you try to specify a non-interactive program manually? E.g.:
>
>     ssh -vvv 127.0.0.1 -- /run/current-system/profile/bin/id
>
> It should output SSH client log and ‘id’ program output.
>
>
> Oleg.
>