• FreeBSD 11.3 openssh-portable-8.9.p1_3,1 ssh_dispatch_run_fatal: Connec

    From David Gessel@21:1/5 to All on Thu Apr 28 04:32:36 2022
    This is a cross post from https://forums.freebsd.org/threads/openssh-portable-8-9-p1_3-1-ssh_dispatch_run_fatal-connection-not-permitted-in-capability-mode-preauth.84966/

    Updating openssh-portable from 8.8.p1_1,1 to 8.9.p1_3,1 broke it on my boxes. It seems to be related to Capsicum based on the error message, but I'm not finding any obvious clues in the usual places.

    FreeBSD 11.3-RELEASE-p8 #0 r360490
    (Unsupported, I know, but, sadly, not practical to do an OS update at this time due to being very remote)

    openssh-portable options:
    (X) FIDO_U2F
    (X) LDNS
    (X) LIBEDIT
    (X) PAM
    (X) TCP_WRAPPERS

    Setting identical DEBUG3 for jails running 8.8 vs. 8.9, there are no differences in the setup preamble, including both logging "debug3: ssh_sandbox_init: preparing capsicum sandbox", but the similarities end with "debug1: SSH2_MSG_KEXINIT sent [preauth]", and 8.9 then logs to /var/log/debug.log as it fails:
    debug1: do_cleanup [preauth]
    debug1: monitor_read_log: child log fd closed
    debug3: mm_request_receive: entering
    debug1: do_cleanup
    debug1: Killing privsep child 62090

    and to /var/log/auth.log:
    ssh_dispatch_run_fatal: Connection from ip.add.re.ss port 33492: Not permitted in capability mode [preauth]

    I'm at a loss. I do not have remotely efficient hands-on should something go off the rails. I have jexec and (emergency only) telnet, so I'm not dead, but dreading the next network drop that breaks the live SSH connections I have left.
