ssh problem on VMware Fusion with openbsd 6.4

Since OpenBSD 6.4(i386) SSH to a remote host from a virtual machine

hosted on Vmware Fusion (10 and 11) is not working when network

interface is in NAT mode.

Moving the interface to bridge mode "fixes" the problem.


After sending the password it drops the connection with the message:

packet_write_wait: Connection to XXX.XX.X.XX port 22: Broken pipe

More debug log below.


With OBSD version 6.3(i386) all was working fine.

Tried also with a fresh new installed vm, same issue.


obsdws$ ssh -vvv [hidden email]

OpenSSH_7.9, LibreSSL 2.8.2

debug1: Reading configuration data /etc/ssh/ssh_config

debug2: resolve_canonicalize: hostname XXX.XX.X.XX is address

debug2: ssh_connect_direct

debug1: Connecting to XXX.XX.X.XX [XXX.XX.X.XX] port 22.

debug1: Connection established.

debug1: identity file /home/peter/.ssh/id_rsa type -1

debug1: identity file /home/peter/.ssh/id_rsa-cert type -1

debug1: identity file /home/peter/.ssh/id_dsa type -1

debug1: identity file /home/peter/.ssh/id_dsa-cert type -1

debug1: identity file /home/peter/.ssh/id_ecdsa type -1

debug1: identity file /home/peter/.ssh/id_ecdsa-cert type -1

debug1: identity file /home/peter/.ssh/id_ed25519 type -1

debug1: identity file /home/peter/.ssh/id_ed25519-cert type -1

debug1: identity file /home/peter/.ssh/id_xmss type -1

debug1: identity file /home/peter/.ssh/id_xmss-cert type -1

debug1: Local version string SSH-2.0-OpenSSH_7.9

debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6

debug1: match: OpenSSH_7.6 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002

debug2: fd 3 setting O_NONBLOCK

debug1: Authenticating to XXX.XX.X.XX:22 as 'myusername'

debug3: hostkeys_foreach: reading file "/home/peter/.ssh/known_hosts"

debug3: record_hostkey: found key type ECDSA in file /home/peter/.ssh/known_hosts:6

debug3: load_hostkeys: loaded 1 keys from XXX.XX.X.XX

debug3: order_hostkeyalgs: prefer hostkeyalgs: [hidden email],[hidden email],[hidden email],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521

debug3: send packet: type 20

debug1: SSH2_MSG_KEXINIT sent

debug3: receive packet: type 20

debug1: SSH2_MSG_KEXINIT received

debug2: local client KEXINIT proposal

debug2: KEX algorithms: curve25519-sha256,[hidden email],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c

debug2: host key algorithms: [hidden email],[hidden email],[hidden email],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[hidden email],[hidden email],[hidden email],[hidden email],ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa

debug2: ciphers ctos: [hidden email],aes128-ctr,aes192-ctr,aes256-ctr,[hidden email],[hidden email]

debug2: ciphers stoc: [hidden email],aes128-ctr,aes192-ctr,aes256-ctr,[hidden email],[hidden email]

debug2: MACs ctos: [hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: MACs stoc: [hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: compression ctos: none,[hidden email],zlib

debug2: compression stoc: none,[hidden email],zlib

debug2: languages ctos:

debug2: languages stoc:

debug2: first_kex_follows 0

debug2: reserved 0

debug2: peer server KEXINIT proposal

debug2: KEX algorithms: curve25519-sha256,[hidden email],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1

debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519

debug2: ciphers ctos: [hidden email],aes128-ctr,aes192-ctr,aes256-ctr,[hidden email],[hidden email]

debug2: ciphers stoc: [hidden email],aes128-ctr,aes192-ctr,aes256-ctr,[hidden email],[hidden email]

debug2: MACs ctos: [hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: MACs stoc: [hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: compression ctos: none,[hidden email]

debug2: compression stoc: none,[hidden email]

debug2: languages ctos:

debug2: languages stoc:

debug2: first_kex_follows 0

debug2: reserved 0

debug1: kex: algorithm: curve25519-sha256

debug1: kex: host key algorithm: ecdsa-sha2-nistp256

debug1: kex: server->client cipher: [hidden email] MAC: <implicit> compression: none

debug1: kex: client->server cipher: [hidden email] MAC: <implicit> compression: none

debug3: send packet: type 30

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

debug3: receive packet: type 31

debug1: Server host key: ecdsa-sha2-nistp256 SHA256:jGpBDtsGB6YifcW+9VYwVGlKv4HXb4A+u0PPVgr71Dk

debug3: hostkeys_foreach: reading file "/home/peter/.ssh/known_hosts"

debug3: record_hostkey: found key type ECDSA in file /home/peter/.ssh/known_hosts:6

debug3: load_hostkeys: loaded 1 keys from XXX.XX.X.XX

debug1: Host 'XXX.XX.X.XX' is known and matches the ECDSA host key.

debug1: Found key in /home/peter/.ssh/known_hosts:6

debug3: send packet: type 21

debug2: set_newkeys: mode 1

debug1: rekey after 134217728 blocks

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug3: receive packet: type 21

debug1: SSH2_MSG_NEWKEYS received

debug2: set_newkeys: mode 0

debug1: rekey after 134217728 blocks

debug1: Will attempt key: /home/peter/.ssh/id_rsa

debug1: Will attempt key: /home/peter/.ssh/id_dsa

debug1: Will attempt key: /home/peter/.ssh/id_ecdsa

debug1: Will attempt key: /home/peter/.ssh/id_ed25519

debug1: Will attempt key: /home/peter/.ssh/id_xmss

debug2: pubkey_prepare: done

debug3: send packet: type 5

debug3: receive packet: type 7

debug1: SSH2_MSG_EXT_INFO received

debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>

debug3: receive packet: type 6

debug2: service_accept: ssh-userauth

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug3: send packet: type 50

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey,password,keyboard-interactive

debug3: start over, passed a different list publickey,password,keyboard-interactive

debug3: preferred publickey,keyboard-interactive,password

debug3: authmethod_lookup publickey

debug3: remaining preferred: keyboard-interactive,password

debug3: authmethod_is_enabled publickey

debug1: Next authentication method: publickey

debug1: Trying private key: /home/peter/.ssh/id_rsa

debug3: no such identity: /home/peter/.ssh/id_rsa: No such file or directory

debug1: Trying private key: /home/peter/.ssh/id_dsa

debug3: no such identity: /home/peter/.ssh/id_dsa: No such file or directory

debug1: Trying private key: /home/peter/.ssh/id_ecdsa

debug3: no such identity: /home/peter/.ssh/id_ecdsa: No such file or directory

debug1: Trying private key: /home/peter/.ssh/id_ed25519

debug3: no such identity: /home/peter/.ssh/id_ed25519: No such file or directory

debug1: Trying private key: /home/peter/.ssh/id_xmss

debug3: no such identity: /home/peter/.ssh/id_xmss: No such file or directory

debug2: we did not send a packet, disable method

debug3: authmethod_lookup keyboard-interactive

debug3: remaining preferred: password

debug3: authmethod_is_enabled keyboard-interactive

debug1: Next authentication method: keyboard-interactive

debug2: userauth_kbdint

debug3: send packet: type 50

debug2: we sent a keyboard-interactive packet, wait for reply

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey,password,keyboard-interactive

debug3: userauth_kbdint: disable: no info_req_seen

debug2: we did not send a packet, disable method

debug3: authmethod_lookup password

debug3: remaining preferred:

debug3: authmethod_is_enabled password

debug1: Next authentication method: password

[hidden email]'s password:

debug3: send packet: type 50

debug2: we sent a password packet, wait for reply

debug3: receive packet: type 52

debug1: Authentication succeeded (password).

Authenticated to XXX.XX.X.XX ([XXX.XX.X.XX]:22).

debug1: channel 0: new [client-session]

debug3: ssh_session2_open: channel_new: 0

debug2: channel 0: send open

debug3: send packet: type 90

debug1: Requesting [hidden email]

debug3: send packet: type 80

debug1: Entering interactive session.

debug1: pledge: network

debug3: receive packet: type 80

debug1: client_input_global_request: rtype [hidden email] want_reply 0

debug3: receive packet: type 91

debug2: channel_input_open_confirmation: channel 0: callback start

debug2: fd 3 setting TCP_NODELAY

debug3: ssh_packet_set_tos: set IP_TOS 0x48

debug2: client_session2_setup: id 0

debug2: channel 0: request pty-req confirm 1

debug3: send packet: type 98

debug2: channel 0: request shell confirm 1

debug3: send packet: type 98

debug2: channel_input_open_confirmation: channel 0: callback done

debug2: channel 0: open confirm rwindow 0 rmax 32768

debug3: send packet: type 1

packet_write_wait: Connection to XXX.XX.X.XX port 22: Broken pipe

On 2018/10/19 14:51, Peter van Oord van der Vlies wrote:
> Since OpenBSD 6.4(i386) SSH to a remote host from a virtual machine
>
> hosted on Vmware Fusion (10 and 11) is not working when network
>
> interface is in NAT mode.
>
> Moving the interface to bridge mode "fixes" the problem.

VMware's NAT implementation is broken.

It does not work with the normal standards used for IP QoS (OpenSSH switched
to using DSCP instead of deprecated "lowdelay"/"throughput" in this release
cycle).

You can workaround with "IPQoS lowdelay throughput" in ssh/sshd config.

https://marc.info/?t=153535113300003&r=1&w=2
https://marc.info/?t=153548553700004&r=1&w=2