Hi Dave, thanks for your reply. It turns out that with the upgrade from 14.2-RELEASE to 14.3-RELEASE something went wrong. 'file' told me that on the 14.3-RELEASE system it was 'for FreeBSD 14.2', while my local VM is 'for FreeBSD 14.3'.
After fiddling around with the BEs I had left after the update, I was able to get a working 14.2-RELEASE booted. Deleted the leftover BEs and did a fresh upgrade to 14.3-RELEASE. After that the problem disappeared.

--Gordon

On Thu, Jul 17, 2025 at 02:17:26PM +0000, Dave Cottlehuber wrote:
> On Thu, 17 Jul 2025, at 11:21, Gordon Bergling wrote:
> > Hi,
> >
> > I have two FreeBSD systems externally hosted, one at Hetzner and one on Azure.
> >
> > Both systems are running latest 14.3-RELEASE, but I can no longer connect to
> > them, whether from a local 14.2-RELEASE, or the latest macOS. Nothing has
> > changed in terms of configuration. All systems use public-key authentication.
> > The error I am getting is the following:
> >
> > sshd[10965]: error: Fssh_kex_input_kexinit: unknown kex type 10 [preauth]
> >
> > Has anyone an idea what could cause this?
> >
> > Seeking out in forums about trying different KexAlgorithms options didn't
> > solve the problem.
> >
> > Any help is much appreciated!
> >
> > --Gordon
>
> Odd. I have no issue from a 14.2 client -> 14.3 server connecting,
> with defaults, and ed25519 private key.
>
> My best guess is that your sshd binary (or config) isn't correctly
> upgraded for some reason. What does file(1) report on server & client?
>
> On 14.2-RELEASE:
>
> root@picard:/ # file /usr/sbin/sshd
> /usr/sbin/sshd: ELF 64-bit LSB pie executable, x86-64, version 1 (FreeBSD),
> dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 14.2,
> FreeBSD-style, stripped
>
> root@picard:/ # file /usr/bin/ssh
> /usr/bin/ssh: ELF 64-bit LSB pie executable, x86-64, version 1 (FreeBSD),
> dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 14.2,
> FreeBSD-style, stripped
> root@picard:/ #
>
> If this is not correct, it's worth checking with `freebsd-update IDS` on
> server & client, for what else is incorrect.
>
> Are there any non-default settings in /etc/ssh/ssh_config for client,
> and /etc/ssh/sshd_config for server?
>
> Assuming that's sorted, please post output of `ssh -vv ...`, so we can see
> the negotiation, forcing key exchange algorithm on the client:
>
> ssh -vv -o KexAlgorithms=curve25519-sha256,curve25519-sha...@libssh.org,diffie-hellman-group-exchange-sha256 you@there
>
> BTW I assume the kex list comes from crypto/openssh/kex.h, so #10 would be
> KEX_KEM_SNTRUP761X25519_SHA512
>
> enum kex_exchange {
>         KEX_DH_GRP1_SHA1 = 1,
>         KEX_DH_GRP14_SHA1,
>         KEX_DH_GRP14_SHA256,
>         KEX_DH_GRP16_SHA512,
>         KEX_DH_GRP18_SHA512,
>         KEX_DH_GEX_SHA1,
>         KEX_DH_GEX_SHA256,
>         KEX_ECDH_SHA2,
>         KEX_C25519_SHA256,
>         KEX_KEM_SNTRUP761X25519_SHA512,   <----
>         KEX_KEM_MLKEM768X25519_SHA256,
>         KEX_MAX
> };
>
> A+
> Dave
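Added example, not part of the thread: a small sh check that automates the file(1) comparison discussed above, flagging base binaries whose "for FreeBSD X.Y" note does not match the userland release. The function names and the 14.3 sample line are constructed for illustration; it assumes base-system binaries carry the release they were built for, as in the file(1) output quoted in the thread.

```shell
#!/bin/sh
# Added example: detect base binaries left behind by an incomplete upgrade.

# Sample file(1) lines. SAMPLE_OLD mirrors the output quoted in the thread
# (joined onto one line); SAMPLE_NEW is constructed.
SAMPLE_OLD='/usr/sbin/sshd: ELF 64-bit LSB pie executable, x86-64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 14.2, FreeBSD-style, stripped'
SAMPLE_NEW='/usr/bin/ssh: ELF 64-bit LSB pie executable, x86-64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 14.3, FreeBSD-style, stripped'

# elf_release LINE: print the X.Y from the "for FreeBSD X.Y" note, or nothing.
elf_release() {
    printf '%s\n' "$1" |
        sed -n 's/.*for FreeBSD \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# expected_release VERSION: reduce "14.3-RELEASE-p1" to "14.3".
expected_release() {
    printf '%s\n' "${1%%-*}"
}

# check_line VERSION LINE: compare one file(1) line against the expected
# release. Returns 0 if it matches, 1 if stale, 2 if no note was found.
check_line() {
    cl_want=$(expected_release "$1")
    cl_path=${2%%:*}
    cl_got=$(elf_release "$2")
    if [ -z "$cl_got" ]; then
        echo "UNKNOWN $cl_path"
        return 2
    fi
    if [ "$cl_got" = "$cl_want" ]; then
        echo "OK $cl_path"
        return 0
    fi
    echo "STALE $cl_path (built for $cl_got, expected $cl_want)"
    return 1
}

# check_binaries PATH...: run the check on a live FreeBSD host, using the
# userland version reported by freebsd-version -u.
check_binaries() {
    cb_rel=$(freebsd-version -u) || return 2
    cb_rc=0
    for cb_bin in "$@"; do
        check_line "$cb_rel" "$(file "$cb_bin")" || cb_rc=1
    done
    return $cb_rc
}
```

On a FreeBSD host, `check_binaries /usr/sbin/sshd /usr/bin/ssh` exits non-zero if either binary is stale; `freebsd-update IDS`, as suggested in the thread, then shows what else differs from the release.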