SSH not working after May update

So after i updated today to osmc may update on my pi2, ssh no longer works, i tried enabling it, reinstalimg and restarting and still get conexion refused, and of course and more important i cant acces via sftp either, ftp work as usual, my ip is ok and the only thing that changed is osmc update. Please need some advice
Edit: i got a 2nd update right now that i search manually for, and the issue still persist

Hi. Welcome to the forum.

We’ll need logs in order to help out.
https://osmc.tv/wiki/general/how-to-submit-a-useful-support-request/

Thanks for the reply! now when i restart i got an error about openbsd failed to start, but the ssh server in myosmc is still enabled and still cant connect. This are my logs -> https://paste.osmc.tv/oquxedubiw

I see the logs and see that are a lot of tries of starting openbsd and something about ssh.service failed, and this still happening after i reinstall the service.

First, you have an unwise entry in /etc/apt/sources.list:

deb http://ftp.debian.org/debian/ unstable main contrib non-free

that might be a cause of problems and shouldn’t be there if you want a stable system.

The immediate issue is related to a hardening of SSH in the May update that is causing problems on your system. As a temporary workaround, you should edit file /etc/ssh/sshd_config and comment out the lines:

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

See this for details of accessing the command line without SSH. Alternatively, since you’re using a Pi, you can also shutdown the machine and edit the card on another computer.

Edit: I’ve tested the new sshd_config file and it works fine on my machine. I suspect your link to Debian unstable (“sid”) might have caused unforeseen problems.

Edit 2: Sorry, I forgot to mention which file to edit, :wink: Error now fixed.

Thank u very much i have comented that unstable deb, i didnt ever use a nighly build or something like that why i have that there?

After comenting those lines i restarted rhe service and worked first try!!! I will lose some funcionally beacuse of that or this will be automatically be removed in the next osmc update?

I believe future updates will not normally overwrite the changes made to the sshd_config file. But if you reinstall SSH, you will get the newest config.

I tried reinstalling, but i get the file again whit those lines uncometed and ssh dont work until i comment them again. Its ok for me now, the one question i have is that those lines are about encryption, they were there before may update? And im not using encryption now whenever i connect?

You are still using encryption but a weak encryption. You should urgently update your SSH client that you use to connect with OSMC and when you have done that you can uncomment those lines.

I use the terminus app for iOS whit the lastest version, but i doubt that is a client problem, if i uncoment those lines the ssh service wont even start on my pi, so that means before may update the ssh service that i can install from myosmc didnt have these type of encryption?

I just crosschecked. Originally I thought that line came from a security update that was implemented but that is not the case. This line is not part of the OSMC sshd_config but the Debian distibuted sshd_config. So means for whatever reason during your multiple install/remove of OSMC SSH App your sshd_config is not set correctly

So there is a way i can have this to work as usual again? Its ok is is fixed in the mext update, but i dont want to search for my keyboard everytime osmc is updated to fix this kind of things

Ok, there seems to be some confusion here right now. It might quite well be that these lines came with the May security update but might not have been installed on my device due to config file protection.

But I just now installed the version that was distributed with the May update and has those lines in there and ssh still starts as normal.

Which means you must have messed up some installed packets when you had the debian repository in there.
Safest option is a reinstallation

Of the entire osmc? There is no way of knowing what exactly went wrong to fix it?

Well at least not by me!

:frowning: even if i can start the ssh service whit the lines comented when i start the service i got this lines when i launch it, could has something to do? Also u guys got it working are u guys using the Pi ?

Jun 10 12:51:03 Pi sshd[4789]: Received disconnect from 116.31.116.44: 11: [preauth]
Jun 10 12:51:09 Pi sshd[4795]: Failed password for root from 116.31.116.44 port 36765 ssh2
Jun 10 12:51:09 Pi sshd[4795]: Failed password for root from 116.31.116.44 port 36765 ssh2
Jun 10 12:51:10 Pi sshd[4795]: Failed password for root from 116.31.116.44 port 36765 ssh2
Jun 10 12:51:48 Pi sudo[4720]: pam_unix(sudo:session): session closed for user root
Jun 10 12:51:50 Pi sshd[4803]: rexec line 92: Unsupported option UsePAM
Jun 10 12:51:50 Pi sshd[4803]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Jun 10 12:51:50 Pi sshd[4803]: Accepted password for osmc from 192.168.0.13 port 63667 ssh2

Which lines?

Yes on Pi

osmc@osmc:~$ uname -a
Linux osmc 4.9.29-5-osmc #1 SMP PREEMPT Tue Jun 6 18:23:42 UTC 2017 armv7l GNU/Linux

My /etc/ssh/sshd_config:

https://paste.osmc.tv/kifuwixano

And my systemctl

osmc@osmc:~$ sudo systemctl status sshd
● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled)
   Active: active (running) since Sat 2017-06-10 18:54:13 HKT; 4min 6s ago
 Main PID: 357 (sshd)
   CGroup: /system.slice/ssh.service
           └─357 /usr/sbin/sshd -D
Jun 10 18:54:13 osmc systemd[1]: Started OpenBSD Secure Shell server.
Jun 10 18:54:14 osmc sshd[357]: Server listening on 0.0.0.0 port 22.
Jun 10 18:54:14 osmc sshd[357]: Server listening on :: port 22.

Sory i forgot the lines i update them in my previos post, it says that cant load a hostkey, i can somehow generate that key again? I see u ssh_config and is pretty much the same as mine

smc@Pi:~$ sudo systemctl status sshd

  • ssh.service - OpenBSD Secure Shell server
    Loaded: loaded (/lib/systemd/system/ssh.service; enabled)
    Active: active (running) since Sat 2017-06-10 12:48:20 CEST; 17min ago
    Main PID: 4734 (sshd)
    CGroup: /system.slice/ssh.service
    |-4475 sshd: osmc [priv]
    |-4477 sshd: osmc@notty
    |-4478 /usr/lib/openssh/sftp-server
    |-4734 /usr/sbin/sshd -D
    |-5192 sshd: osmc [priv]
    |-5194 sshd: osmc@pts/0
    |-5195 -bash
    |-5219 sshd: root [priv]
    |-5220 sshd: root [net]
    |-5225 sshd: [accepted]
    |-5226 sshd: [accepted]
    |-5227 sshd: [net]
    |-5228 sshd: [net]
    |-5229 sshd: [accepted]
    |-5230 sshd: [accepted]
    |-5231 sshd: [net]
    |-5232 sshd: [net]
    |-5233 sshd: [accepted]
    |-5234 sshd: [net]
    |-5235 sudo systemctl status sshd
    `-5236 systemctl status sshd

Jun 10 13:05:48 Pi sshd[5229]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Jun 10 13:05:48 Pi sshd[5230]: rexec line 92: Unsupported option UsePAM
Jun 10 13:05:48 Pi sshd[5230]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Jun 10 13:05:49 Pi sshd[5233]: rexec line 92: Unsupported option UsePAM
Jun 10 13:05:49 Pi sshd[5233]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Jun 10 13:05:49 Pi sshd[5219]: Failed password for root from 116.31.116.44 port 14049 ssh2
Jun 10 13:05:50 Pi sshd[5219]: Failed password for root from 116.31.116.44 port 14049 ssh2
Jun 10 13:05:50 Pi sshd[5219]: Failed password for root from 116.31.116.44 port 14049 ssh2
Jun 10 13:05:50 Pi sudo[5235]: osmc : TTY=pts/0 ; PWD=/home/osmc ; USER=root ; COMMAND=/bin/systemctl status sshdJun 10 13:05:50 Pi sudo[5235]: pam_unix(sudo:session): session opened for user root by osmc(uid=0)
Hint: Some lines were ellipsiz

Very strange, what is the output of dpkg -l | grep ssh?

Well yes, but you may first want to figure out how you lost them!
ssh-keygen -f /etc/ssh/ssh_host_ecdsa_key -N '' -t ecdsa -b 521

osmc@Pi:~$ dpkg -l | grep ssh
ii libssh-4:armhf 0.6.3-4+deb8u2 armhf tiny C SSH library (OpenSSL flavor)
ii libssh2-1:armhf 1.4.3-4.1+deb8u1 armhf SSH2 client-side libraryii openssh-client 1:6.7p1-5+deb8u3 armhf secure shell (SSH) client, for secure access to remote machines
ii openssh-server 1:6.7p1-5+deb8u3 armhf secure shell (SSH) server, for secure access from remote machines
ii openssh-sftp-server 1:6.7p1-5+deb8u3 armhf secure shell (SSH) sftp server module, for SFTP access from remote machines
ii ssh-app-osmc 1.2.0 all SSH server for OSMC with prepopulated configuration

Well the key looks like still there

osmc@Pi:~$ cd /etc/ssh
osmc@Pi:/etc/ssh$ ls
moduli ssh_host_ecdsa_key ssh_host_key sshd_config sshd_config.save.3
ssh_config ssh_host_ecdsa_key.pub ssh_host_key.pub sshd_config.save
ssh_host_dsa_key ssh_host_ed25519_key ssh_host_rsa_key sshd_config.save.1
ssh_host_dsa_key.pub ssh_host_ed25519_key.pub ssh_host_rsa_key.pub sshd_config.save.2