On Wed, Jan 15, 2025 at 12:06:09PM -0300, x9p via tor-relays wrote:
> I am running a relay and other servers. Sometimes doing SSHD over Tor via a hidden service in a VPS in openbsd.amsterdam. In all my other setups, in other providers, I do not see this problem happening.
> Upon connecting for the first time, I do get a "banner line contains invalid characters" error, and the connection is terminated. (MSG1) Upon connecting for the second time, everything goes smooth. (MSG2)
What happens the third time? That is, does it happen consistently failing the first time and working after that, or what?
> Is it possible a bad guard is logging the IPs first connecting, then dropping the connection, and then allowing the connection to succeed later?
As Felix said, there shouldn't be any way for your guard to get inside Tor's encryption, so no, that's unlikely to be what's going on.
And assuming you are indeed connecting to an onion service like it seems, there isn't any exit relay in the path that could be trying to modify or intercept the traffic either.
> debug1: Connecting to ngbjd5vpxamy5d63hcflinghioo2qa5e75uiysscmo4ml5qd4rpaobid.onion [127.42.42.0] port 60113.
> debug1: Local version string SSH-2.0-OpenSSH_9.9
> kex_exchange_identification: banner line contains invalid characters
> banner exchange: Connection to 127.42.42.0 port 60113: invalid format
Ok, it looks like that ssh server is still reachable at that onion service, so I connected to it myself and got similar results as you. The first time I connected, it did not send me any ssh banner. Eventually I hit enter and it gave me an error and hung up on me.
"""
$ torify telnet ngbjd5vpxamy5d63hcflinghioo2qa5e75uiysscmo4ml5qd4rpaobid.onion 60113
Trying 127.42.42.0...
Connected to ngbjd5vpxamy5d63hcflinghioo2qa5e75uiysscmo4ml5qd4rpaobid.onion.
Escape character is '^]'.

Invalid SSH identification string.
Connection closed by foreign host.
"""
Then I tried to connect again, and it gave me a banner that time, and several subsequent times:
"""
$ torify telnet ngbjd5vpxamy5d63hcflinghioo2qa5e75uiysscmo4ml5qd4rpaobid.onion 60113
Trying 127.42.42.0...
Connected to ngbjd5vpxamy5d63hcflinghioo2qa5e75uiysscmo4ml5qd4rpaobid.onion.
Escape character is '^]'.
SSH-2.0-OpenSSH_9.9

Invalid SSH identification string.
Connection closed by foreign host.
"""
So: I think Tor is behaving correctly, and I think your ssh client is behaving correctly too. It is your sshd (ssh server) that is somehow not deciding to send a banner sometimes. That is where I would look.
--Roger
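
The manual check in the message above (connect, send nothing, see whether an SSH identification string arrives) as a repeatable probe; this is an added example, not part of the original message. The function names, the 10-second timeout and the choice to validate against RFC 4253 section 4.2 are assumptions of this example, and for an onion address it is assumed to be run under torify as in the session above.

```python
import socket
import sys

MAX_ID_LEN = 255  # RFC 4253 section 4.2: limit for the identification line, CR LF included

def classify_banner(data: bytes) -> str:
    """Classify what a server sent before the client spoke (RFC 4253 section 4.2)."""
    if not data:
        return "no-banner"
    if b"\x00" in data:
        return "invalid: NUL byte in banner"
    # Only LF-terminated lines count; other text lines may precede the SSH- line.
    for raw in data.split(b"\n")[:-1]:
        line = raw[:-1] if raw.endswith(b"\r") else raw  # LF-only tolerated (assumption)
        if b"\r" in line:
            return "invalid: bare CR inside line"
        if line.startswith(b"SSH-"):
            if len(raw) + 1 > MAX_ID_LEN:
                return "invalid: identification string too long"
            parts = line.split(b"-", 2)
            if len(parts) == 3 and parts[1] in (b"2.0", b"1.99") and parts[2]:
                return "ok: " + line.decode("ascii", "replace")
            return "invalid: malformed identification string"
    return "invalid: no SSH- identification line"

def read_banner(sock: socket.socket, timeout: float = 10.0, limit: int = 8192) -> bytes:
    """Send nothing; read until an SSH- line is complete, EOF, timeout or size limit."""
    sock.settimeout(timeout)
    buf = b""
    try:
        while len(buf) < limit:
            chunk = sock.recv(256)
            if not chunk:
                break
            buf += chunk
            if any(ln.startswith(b"SSH-") for ln in buf.split(b"\n")[:-1]):
                break
    except socket.timeout:
        pass  # silence is a result too: the server never sent a banner
    return buf

def probe(host: str, port: int, attempts: int = 3, timeout: float = 10.0) -> list:
    """Connect several times in a row and classify each attempt separately."""
    results = []
    for _ in range(attempts):
        with socket.create_connection((host, port), timeout=timeout) as s:
            results.append(classify_banner(read_banner(s, timeout)))
    return results

if __name__ == "__main__" and len(sys.argv) == 3:
    print("\n".join(f"attempt {n}: {r}" for n, r in enumerate(probe(sys.argv[1], int(sys.argv[2])), 1)))
```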