SSH not working after install with Proxmox 9.0-1 ISO

[Logfro]

Hi guys!

Never had to post a thread in the forums, but i am at the end of my knowledge about this issue.

I have 3 Servers that i wanted to reinstall to Proxmox 9. 3 different machines, with CPUs from different generations and different motherboards, different networks, basically no common part with each of them.

2 Servers were installed using the Proxmox 9.0-1 ISO, 1 was installed on top of debian 13 because it needed mdadm RAID.

1. Server CPU: Xeon Gold 5128
2. Server CPU: Ryzen 7600X
3. Server CPU: EPYC 9654

SSH Server is using the default config from the installation, nothing was adjusted.

On the one server that didnt use the ISO, the SSH Server was working before the install.

I also tried the optin 6.17 kernel, no change.

THE PROBLEM

When i try to connect using windows terminal ssh i simply get "Connection closed by X.X.X.X port 2222"
Journalctl then gives me that info:

Oct 17 19:25:48 pve kernel: audit: type=1326 audit(1760721948.583:133): auid=4294967295 uid=102 gid=65534 ses=4294967295 subj=unconfined pid=10674 comm="sshd-auth" exe="/usr/lib/openssh/sshd-auth" sig=31 arch=c000003e syscall=104 compat=0 ip=0x70cc55b18779 code=0x0
Oct 17 19:25:48 pve sshd-session[10673]: error: mm_reap: preauth child terminated by signal 31
Oct 17 19:25:48 pve sshd[1552]: Session process 10673 unpriv child crash for connection from X.X.X.X to X.X.X.X

To further debug, i started a temporary ssh server with the following command: /usr/sbin/sshd -Dddd -e -p 2222

Output log from that:

debug3: server_process_channel_timeouts: setting 0 timeouts [preauth]
debug3: channel_clear_timeouts: clearing [preauth]
debug3: fd 5 is O_NONBLOCK [preauth]
debug3: ssh_sandbox_init: preparing seccomp filter sandbox [preauth]
debug3: privsep user:group 102:65534 [preauth]
debug1: permanently_set_uid: 102/65534 [preauth]
debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth]
debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
debug3: append_hostkey_type: ssh-rsa key not permitted by HostkeyAlgorithms [preauth]
debug1: monitor_read_log: child log fd closed
debug3: mm_request_receive: entering
debug3: mm_request_receive: monitor fd closed
mm_reap: preauth child terminated by signal 31
debug1: do_cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: Killing privsep child 11762
debug1: audit_event: unhandled event 12

I dont exactly know what is the issue, I just think it has something to do with seccomp, I tried various things I found online, but nothing worked.

Thanks in advance.

 

[bbgeek17]

Hi @Logfro , congratulations on your first post.

The key message, so far, is "debug3: append_hostkey_type: ssh-rsa key not permitted by HostkeyAlgorithms [preauth]"

The client is trying to use an ssh-rsa key. The server’s HostKeyAlgorithms or PubkeyAcceptedAlgorithms configuration does not allow ssh-rsa, likely because it is considered weak in modern OpenSSH versions.

One way to workaround is to enable ssh-rsa in /etc/ssh/sshd_config:
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa

There are other ways to deal with it as well.

Cheers

---

Blockbridge : Ultra low latency all-NVME shared storage for Proxmox - https://www.blockbridge.com/proxmox

 

[Logfro]

Hi @Logfro , congratulations on your first post.

The key message, so far, is "debug3: append_hostkey_type: ssh-rsa key not permitted by HostkeyAlgorithms [preauth]"

The client is trying to use an ssh-rsa key. The server’s HostKeyAlgorithms or PubkeyAcceptedAlgorithms configuration does not allow ssh-rsa, likely because it is considered weak in modern OpenSSH versions.

One way to workaround is to enable ssh-rsa in /etc/ssh/sshd_config:
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa

There are other ways to deal with it as well.

Cheers

---

Blockbridge : Ultra low latency all-NVME shared storage for Proxmox - https://www.blockbridge.com/proxmox

I can also try using a client without an ssh key, same issue. I also tried adding the key to the sshd_config already, didnt work as well.

Thanks for you suggestion though

 

[bbgeek17]

I can also try using a client without an ssh key, same issue.

Do you mean password authentication? May be its disabled? Why don't you try to ssh to "localhost" from the server itself. You can also force password only client auth by using appropriate options. Keep an eye on sshd debug as you are trying to login.

I also tried adding the key to the sshd_config already

not sure what you mean.

Overall, sounds like your Debian base SSH is more restrictive than PVE software expects. Keep working on it by adding debug on client and server side and address changes as necessary.

---

Blockbridge : Ultra low latency all-NVME shared storage for Proxmox - https://www.blockbridge.com/proxmox

 

[Logfro]

I know that this is not the issue, since i would then get a message about not a valid authentication method.

The problem is, that if ANYTHING tries to log into the SSH Server, it crashes

debug3: mm_request_receive: monitor fd closed
mm_reap: preauth child terminated by signal 31
debug1: do_cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: Killing privsep child 11762
debug1: audit_event: unhandled event 12

So this is the relevant part of the debug output here.

I just dont know why that is, or how it can be fixed.

SSH localhost also has the same issue

And its the default ssh config from PVE 9 ISO

 

[Logfro]

not sure what you mean.

I added the HostKeyAlgorithm to the config to allow the old key, didnt change anything.

 

[bbgeek17]

And its the default ssh config from PVE 9 ISO

On the one server that didnt use the ISO, the SSH Server was working before the install.

I could be mistaken, but IIRC one installs over Debian using PVE repos via internet, not by using ISO. You can check whether PVE installation overwrote the openssh package or its configuration files by querying the package repo.

The problem is, that if ANYTHING tries to log into the SSH Server, it crashes

thank you for providing this information.

I added the HostKeyAlgorithm to the config to allow the old key, didnt change anything.

I trust that you restarted sshd after changing the configuration?

You can also try adding:
UsePrivilegeSeparation sandbox no

And check running config via: sshd -T

Cheers

---

Blockbridge : Ultra low latency all-NVME shared storage for Proxmox - https://www.blockbridge.com/proxmox

 

[Logfro]

UsePrivilegeSeparation i have already tried, debug log says its deprecated and disregarded

Of course i restarted ssh everytime, and its the latest apt available package.

 

[bbgeek17]

You can try :
a) force-reinstall openssh package. Continue working on trying to login locally.
b) reproduce the problem - install Debian as VM, confirm access. Install PVE via same steps as before. Did you break it? If yes, perhaps there is an incompatibility and you should report it to PVE staff. If not, then its a one off - continue debugging.

I'll check on your progress on Monday.

Good luck

---

Blockbridge : Ultra low latency all-NVME shared storage for Proxmox - https://www.blockbridge.com/proxmox

 

[Logfro]

Reinstall doesnt help, and i did a fresh install of PVE 9 on 3 different systems, i think thats enough proof that i can reproduce the bug.

I havent done any changes to the systems otherwise

 

[Logfro]

Never the less, i tried installing another server i have laying around (9950X3D), and that one worked without a problem now...

The issue is getting stranger and stranger.

The only thing i did on the other 3 Systems is create a VM, and an additional storage from the secondary attached disks. But all through the GUI, and i dont see how that could break SSH...