Between 8.8p1_2,1 and 8.9.p1,1 (...e32 commit) of security/openssh-portable a change was committed that results, on my system at least, in connection attempts being rejected while logging to debug.log:
    debug1: do_cleanup [preauth]
    debug1: monitor_read_log: child log fd closed
    debug3: mm_request_receive: entering
    debug1: do_cleanup
    debug1: Killing privsep child 62090
and to auth.log
    ssh_dispatch_run_fatal: Connection from ip.add.re.ss port 33492: Not permitted in capability mode [preauth]
openssh-portable options:
    (X) FIDO_U2F
    (X) LDNS
    (X) LIBEDIT
    (X) PAM
    (X) TCP_WRAPPERS
FreeBSD 11.3-RELEASE-p8 #0 r360490
(Unsupported I know, but, sadly, not practical to do an OS update at this time due to being very remote)
It seems to be related to capsicum based on the error message.
Do you have sysctl kern.trap_enotcap set? What does your sshd_config look like?
A commit in branch main references this bug:
URL: https://cgit.FreeBSD.org/ports/commit/?id=272dd07a309c086a4bc97dc015ef7faf4fbf89ca
commit 272dd07a309c086a4bc97dc015ef7faf4fbf89ca
Author:     Bryan Drewery <bdrewery@FreeBSD.org>
AuthorDate: 2022-05-24 23:08:14 +0000
Commit:     Bryan Drewery <bdrewery@FreeBSD.org>
CommitDate: 2022-05-25 13:34:24 +0000
    security/openssh-portable: Fix some capsicum issues
    - Brings in latest changes from base. See patches for details.
    - Version 9.0 is being worked on but I wanted to fix this issue before proceeding with bigger changes.
    PR: 263753
 security/openssh-portable/Makefile | 2 +-
 .../files/patch-FreeBSD-caph_cache_tzdata (new) | 43 ++++++++++++++
 .../files/patch-FreeBSD-logincap (new) | 69 ++++++++++++++++++++++
 .../openssh-portable/files/patch-auth2.c (gone) | 47 ---------------
 4 files changed, 113 insertions(+), 48 deletions(-)
Let me know if version 8.9.p1_4,1 works for you. It eliminates the ENOTCAPABLE errors I could find.
A commit in branch 2022Q2 references this bug:
URL: https://cgit.FreeBSD.org/ports/commit/?id=61026a2af1198336a10d20df79d61f75e4a3bfaa
commit 61026a2af1198336a10d20df79d61f75e4a3bfaa
Author:     Bryan Drewery <bdrewery@FreeBSD.org>
AuthorDate: 2022-05-24 23:08:14 +0000
Commit:     Bryan Drewery <bdrewery@FreeBSD.org>
CommitDate: 2022-06-22 18:44:50 +0000
    security/openssh-portable: Fix some capsicum issues
    - Brings in latest changes from base. See patches for details.
    - Version 9.0 is being worked on but I wanted to fix this issue before proceeding with bigger changes.
    PR: 263753
    (cherry picked from commit 272dd07a309c086a4bc97dc015ef7faf4fbf89ca)
 security/openssh-portable/Makefile | 2 +-
 .../files/patch-FreeBSD-caph_cache_tzdata (new) | 43 ++++++++++++++
 .../files/patch-FreeBSD-logincap (new) | 69 ++++++++++++++++++++++
 .../openssh-portable/files/patch-auth2.c (gone) | 47 ---------------
 4 files changed, 113 insertions(+), 48 deletions(-)
Hi! I have the same problem on 12.0-RELEASE-p13 (unfortunately unable to upgrade...) with OpenSSH_9.3p2, OpenSSL 3.0.11 19 Sep 2023
sysctl kern.trap_enotcap = 0/1 doesn't matter
options only
    (X) PAM
    (X) TCP_WRAPPERS
I would be very pleased to have a solution, as it seems that NO version with openssl3 support is working.
Many thanks in advance!
Jimmy