Can't SSH into after update from to 1.3-rolling-202004020117 to 1.3-rolling-202006010117 (and newest)

hook.ua · June 3, 2020, 9:56am

Hi there,

Can’t SSH into after update from to 1.3-rolling-202004020117 to 1.3-rolling-202006010117 (and newest)
Some SSH clients can’t login anymore with “Access denied” reply.

Credentials are good becase could login from console and some rare systems like fedora 21 and Centos 8.
Centos 7.5, Bitwise, Putty 0.70 and 0.73, vyoses with older rolling releses are all impacted.
All setting for client and server out-of-the-box.

There is very thing idea that after upgrade ciphers between client and server not aligned, but short play with ciphers on vyos under issue and putty/bitwase does not help.

Debug is impossible, becase auth.log is almost emtpy.

Any changes to configuration as well as for /etc/ssh/sshd_config didn’t help

some configuration is below

set service ssh disable-host-validation
set service ssh listen-address ‘10.1.0.7’
set service ssh port ‘12322’

set system syslog global archive size ‘250’
set system syslog global facility all level ‘notice’
set system syslog global facility protocols level ‘debug’

Any idea/points to resolution will be highly appreciated

Dmitry · June 5, 2020, 10:10am

Hello @hook.ua, I can’t confirm this issue. I have successfully update from rolling 202005 to the latest. Connection and authorization work properly with your config.
Try to check

sudo journalctl | grep ssh
sudo netstat -lan | grep 12322

hook.ua · June 5, 2020, 2:29pm

Hi, Dmitry

Thanks for your kind reply.

Sorry, i have found the root issue and it is not about vyos releases.

Looks like I’d struck in arp mess inside the citrix hypervisor.
SSH requests magically send to another virtual machine - another vyos router with another IP in the same subnet.
Haven’t any clue why and how, but could reproduce and see the ssh error messages on another vyos router.

After release update i’d got the warning about changed ssh fingerprints by decided it was changed by update (sure, i was wrong)

Need additional digging inside the issue.

Thanks again for your help.

hook.ua · June 5, 2020, 3:33pm

…continue
The mind blowing cut from terminal window

[root@CENTOS ~]# ssh vyos@10.1.0.7 -p 12322
Welcome to VyOS
vyos@10.1.0.7's password:
Linux PROXIS-VFW046 4.19.112-amd64-vyos #1 SMP Sun Mar 22 12:54:25 UTC 2020 x86_64
Last login: Fri Jun  5 18:02:14 2020 from 10.1.0.xxx
vyos@VFW046:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             10.1.0.10/24                      u/u  Local network Interface

temporary fixed by two commands on problem interface, not sure i am right.

set interfaces ethernet eth0 ip enable-arp-accept
set interfaces ethernet eth0 ip enable-arp-announce