Cannot ssh even with VPN connected

Hi there, I am trying to ssh into a machine but am having some weird issues. Using a Mac, I can ssh under the institute WiFi only, or with VPN only without the institute’s WiFi, but when using Manjaro from another laptop, I could:

  • ssh to the server with both VPN and under institute’s WiFi
  • ssh to another server from another institute

but could not

  • ssh only with WiFi
  • ssh only with VPN

The debug message is attached.

OpenSSH_9.0p1, OpenSSL 1.1.1p  21 Jun 2022
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug1: Connecting to 10.22.21.57 [10.22.21.57] port 22.
debug1: Connection established.
debug1: identity file /home/cz/.ssh/id_rsa type 0
debug1: identity file /home/cz/.ssh/id_rsa-cert type -1
debug1: identity file /home/cz/.ssh/id_ecdsa type -1
debug1: identity file /home/cz/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/cz/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/cz/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/cz/.ssh/id_ed25519 type 3
debug1: identity file /home/cz/.ssh/id_ed25519-cert type -1
debug1: identity file /home/cz/.ssh/id_ed25519_sk type -1
debug1: identity file /home/cz/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/cz/.ssh/id_xmss type -1
debug1: identity file /home/cz/.ssh/id_xmss-cert type -1
debug1: identity file /home/cz/.ssh/id_dsa type -1
debug1: identity file /home/cz/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.0
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.6
debug1: compat_banner: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.6 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to 10.22.21.57:22 as 'macalester'
debug1: load_hostkeys: fopen /home/cz/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

And output of lspci:

00:00.0 Host bridge: Intel Corporation 12th Gen Core Processor Host Bridge/DRAM Registers (rev 02)
00:01.0 PCI bridge: Intel Corporation 12th Gen Core Processor PCI Express x16 Controller #1 (rev 02)
00:02.0 VGA compatible controller: Intel Corporation Alder Lake-P Integrated Graphics Controller (rev 0c)
00:04.0 Signal processing controller: Intel Corporation Alder Lake Innovation Platform Framework Processor Participant (rev 02)
00:06.0 PCI bridge: Intel Corporation 12th Gen Core Processor PCI Express x4 Controller #0 (rev 02)
00:06.2 PCI bridge: Intel Corporation 12th Gen Core Processor PCI Express x4 Controller #2 (rev 02)
00:08.0 System peripheral: Intel Corporation 12th Gen Core Processor Gaussian & Neural Accelerator (rev 02)
00:0a.0 Signal processing controller: Intel Corporation Platform Monitoring Technology (rev 01)
00:14.0 USB controller: Intel Corporation Alder Lake PCH USB 3.2 xHCI Host Controller (rev 01)
00:14.2 RAM memory: Intel Corporation Alder Lake PCH Shared SRAM (rev 01)
00:14.3 Network controller: Intel Corporation Alder Lake-P PCH CNVi WiFi (rev 01)
00:15.0 Serial bus controller: Intel Corporation Alder Lake PCH Serial IO I2C Controller #0 (rev 01)
00:16.0 Communication controller: Intel Corporation Alder Lake PCH HECI Controller (rev 01)
00:1c.0 PCI bridge: Intel Corporation Device 51bc (rev 01)
00:1d.0 PCI bridge: Intel Corporation Device 51b0 (rev 01)
00:1f.0 ISA bridge: Intel Corporation Alder Lake PCH eSPI Controller (rev 01)
00:1f.3 Multimedia audio controller: Intel Corporation Alder Lake PCH-P High Definition Audio Controller (rev 01)
00:1f.4 SMBus: Intel Corporation Alder Lake PCH-P SMBus Host Controller (rev 01)
00:1f.5 Serial bus controller: Intel Corporation Alder Lake-P PCH SPI Controller (rev 01)
01:00.0 VGA compatible controller: NVIDIA Corporation GA103M [GeForce RTX 3080 Ti Laptop GPU] (rev a1)
01:00.1 Audio device: NVIDIA Corporation Device 2288 (rev a1)
03:00.0 Non-Volatile memory controller: Solid State Storage Technology Corporation Device 1001 (rev 01)
04:00.0 PCI bridge: Intel Corporation Device 1133 (rev 02)
05:00.0 PCI bridge: Intel Corporation Device 1133 (rev 02)
05:01.0 PCI bridge: Intel Corporation Device 1133 (rev 02)
05:02.0 PCI bridge: Intel Corporation Device 1133 (rev 02)
05:03.0 PCI bridge: Intel Corporation Device 1133 (rev 02)
06:00.0 USB controller: Intel Corporation Device 1134
3a:00.0 USB controller: Intel Corporation Device 1135
6e:00.0 SD Host controller: O2 Micro, Inc. SD/MMC Card Reader Controller (rev 01)

Any idea about this? Thank you!

Possibly the version of ssh running on the machine.

It happens if the server is using a deprecated cipher.

There have been several topics on the subject:

https://forum.manjaro.org/search?q=ssh%20deprecated%20cipher

I’ve tried everything I could understand but nothing changed (e.g.

Host *
  IdentityAgent none

). Could you explain it more? Thank you!

Look… you are not the only one with this problem. Use a search engine.

If it hangs here, then the problematic part is the server. Normally you get this after that:

debug1: SSH2_MSG_KEX_ECDH_REPLY received

Therefore the requested KexAlgorithms seems not to be available on the server. Therefore you need to adjust the KexAlgorithms to what the server has.

Therefore for example:

ssh -oKexAlgorithms=ecdh-sha2-nistp521 blabla

You have looked into the logs of the client.
Please also look into the logs of sshd on the server.

Sorry, I’m new to ssh and have done some investigation about this, especially adding something like this to .ssh/config, but nothing worked out.

This indeed helped! Still, is there any way to permanently add this to the config file or another config? Thank you!

I would suggest something like this:

Host shortcut example.com 
    HostName example.com 
    KexAlgorithms ecdh-sha2-nistp521
    #UpdateHostKeys no
    #IdentityFile ~/.ssh/example.com
    User ssh-username
    #LogLevel DEBUG

Then run:

ssh shortcut

However, if possible, update the ssh-server on the remote server. That would solve the problem. That is only a workaround.

In man sshd_config under KexAlgorithms you see the default ones. You can add them comma separated in the personal config. Or ssh -Q kex
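Added example, not part of any post in this thread: a shell sketch that reads `ssh -vv` output, lists the KEX algorithms both sides offered (the candidates for a `KexAlgorithms` line), and reports whether the key-exchange reply arrived. The function names and the embedded log are constructed for illustration, and the `debug2` proposal lines assume the format OpenSSH prints at `-vv`; in the original poster's log the algorithm had been negotiated (curve25519-sha256) and the session stalls waiting for the reply.

```shell
# Added example (not from the thread): inspect KEX negotiation in `ssh -vv` output.
# Constructed sample log: debug1 lines follow the log posted above; the debug2
# proposal lists are shortened, made-up values in the format `ssh -vv` prints.
sample_log() {
    cat <<'EOF'
debug2: local client KEXINIT proposal
debug2: KEX algorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,ecdh-sha2-nistp521,ext-info-c
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
debug1: kex: algorithm: curve25519-sha256
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
EOF
}

# Print, in client preference order, each KEX algorithm found in both proposals.
common_kex() {
    awk '
        { sub(/\r$/, "") }
        /local client KEXINIT proposal/ { side = "client" }
        /peer server KEXINIT proposal/  { side = "server" }
        /debug2: KEX algorithms: / {
            sub(/^.*KEX algorithms: /, "")
            if (side == "client") client = $0
            else if (side == "server") server = $0
        }
        END {
            n = split(server, s, ",")
            for (i = 1; i <= n; i++) offered[s[i]] = 1
            m = split(client, c, ",")
            for (i = 1; i <= m; i++) if (c[i] in offered) print c[i]
        }'
}

# Report the negotiated algorithm and whether the server key-exchange reply arrived.
kex_stage() {
    awk '
        { sub(/\r$/, "") }
        /debug1: kex: algorithm: /         { algo = $NF }
        /SSH2_MSG_KEX_ECDH_REPLY received/ { reply = "received" }
        END {
            printf "negotiated=%s reply=%s\n",
                (algo != "" ? algo : "none"), (reply != "" ? reply : "missing")
        }'
}

sample_log | common_kex
sample_log | kex_stage
```

For a real session, capture the debug output first (ssh writes it to stderr, so redirect with `2>` to a file) and pipe that file into either function.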

Sounds good to me! Thank you!

Btw, I could use this workaround to ssh, but if using FileZilla or other things, it is still not working. Is this expected?

There might be similar settings in other applications. You could contact the applications developers.

The best solution would be to contact your IT department and ask them to update their server.


Yes, it is to be expected, since not all programs read the personal ssh config file. They have their own settings when using ssh. You need to call the shortcut normally. Some programs can handle it. Not sure about FileZilla.