[GH-ISSUE #6379] ssh: cannot access private key stored in TPM (private-dev) #3256

New issue

Closed

opened 2026-05-05 09:51:54 -06:00 by gitea-mirror · 25 comments

gitea-mirror commented 2026-05-05 09:51:54 -06:00

Owner

Copy link

Originally created by @qdii on GitHub (Jun 13, 2024).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6379

Description

Security freaks like me do like to store their SSH private keys in protected places. Most laptops nowadays come with a TPM, which can store them (see https://jade.fyi/blog/tpm-ssh/ for instance).

Steps to Reproduce

1. Follow the configuration guide for ssh with TPM2 linked above

2. Add the following configuration in ssh.local

   private-dev
   whitelist /usr/lib/libtss2-*
   

   Note: the SSH connection is also broken without adding these lines, but for a different reasons (no access to /dev/tpm0, no access to the libraries).

3. Run firejail ssh <some host>

Expected behavior

A SSH connection is opened to the host.

Actual behavior

An error message appears and no connection is established.

Behavior without a profile

A SSH connection is established.

Environment

• Arch Linux
• Firejail version 0.9.72

Checklist

• The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
• I can reproduce the issue without custom modifications (e.g. globals.local).
• The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
• The profile (and redirect profile if exists) hasn't already been fixed upstream.
• I have performed a short search for similar issues (to avoid opening a duplicate).
  • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
• I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

$ firejail ssh $host
fexecve: No such file or directory
Error: failed to run /run/firejail/lib/fseccomp, exiting...
Error: proc 18455 cannot sync with peer: unexpected EOF
Peer 18456 unexpectedly exited with status 1

Originally created by @qdii on GitHub (Jun 13, 2024). Original GitHub issue: https://github.com/netblue30/firejail/issues/6379 ### Description Security freaks like me do like to store their SSH private keys in protected places. Most laptops nowadays come with a TPM, which can store them (see https://jade.fyi/blog/tpm-ssh/ for instance). ### Steps to Reproduce 1. Follow the configuration guide for ssh with TPM2 linked above 2. Add the following configuration in `ssh.local` ``` private-dev whitelist /usr/lib/libtss2-* ``` Note: the SSH connection is also broken without adding these lines, but for a different reasons (no access to `/dev/tpm0`, no access to the libraries). 3. Run `firejail ssh <some host>` ### Expected behavior A SSH connection is opened to the host. ### Actual behavior An error message appears and no connection is established. ### Behavior without a profile A SSH connection is established. ### Environment - Arch Linux - Firejail version 0.9.72 ### Checklist - [x] The issues is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it). - [x] I can reproduce the issue without custom modifications (e.g. globals.local). - [x] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) - [x] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc). - [x] I have performed a short search for similar issues (to avoid opening a duplicate). - [x] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers. - [x] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages) ### Log ``` $ firejail ssh $host fexecve: No such file or directory Error: failed to run /run/firejail/lib/fseccomp, exiting... Error: proc 18455 cannot sync with peer: unexpected EOF Peer 18456 unexpectedly exited with status 1 ```

gitea-mirror closed this issue 2026-05-05 09:51:55 -06:00

gitea-mirror commented 2026-05-05 09:51:56 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Jun 13, 2024):

Instead of removing private-dev from profiles, we should enhance private-dev.

Proposal 1.

• private-dev includes TPM devices
• notpm blocks them

Proposal 2.

• private-dev supports subgroups.
  • private-dev only basic devices
  • private-dev tpm,video,3d basic with TPM devices, video devices and GPU.
• Unresolved to keep blacklisting approach.

<!-- gh-comment-id:2165057047 --> @rusty-snake commented on GitHub (Jun 13, 2024): Instead of removing `private-dev` from profiles, we should enhance `private-dev`. Proposal 1. - `private-dev` includes TPM devices - `notpm` blocks them Proposal 2. - `private-dev` supports subgroups. - `private-dev` only basic devices - `private-dev tpm,video,3d` basic with TPM devices, video devices and GPU. - Unresolved to keep blacklisting approach.

gitea-mirror commented 2026-05-05 09:51:57 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Jun 13, 2024):

@qdii

The ssh.profile in 0.9.72 already has private-dev, I don't get why you added it (once more) to your ssh.local. Unless you wanted to ignore private-dev?

<!-- gh-comment-id:2165089928 --> @ghost commented on GitHub (Jun 13, 2024): @qdii The `ssh.profile` in 0.9.72 already has `private-dev`, I don't get why you added it (once more) to your `ssh.local`. Unless you wanted to `ignore private-dev`?

gitea-mirror commented 2026-05-05 09:51:58 -06:00

Author

Owner

Copy link

@kmk3 commented on GitHub (Jun 13, 2024):

@rusty-snake on Jun 13:

Instead of removing private-dev from profiles, we should enhance
private-dev.

Agreed.

Proposal 1.

• private-dev includes TPM devices
• notpm blocks them

That makes sense, though why not reuse nou2f for this?

Aren't they used for the same use case?

Or is access to the tpm more critical than to u2f devices?

<!-- gh-comment-id:2165095569 --> @kmk3 commented on GitHub (Jun 13, 2024): @rusty-snake [on Jun 13](https://github.com/netblue30/firejail/issues/6379#issuecomment-2165057047): > Instead of removing `private-dev` from profiles, we should enhance > `private-dev`. Agreed. > Proposal 1. > > * `private-dev` includes TPM devices > * `notpm` blocks them That makes sense, though why not reuse `nou2f` for this? Aren't they used for the same use case? Or is access to the tpm more critical than to u2f devices?

gitea-mirror commented 2026-05-05 09:52:00 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Jun 13, 2024):

@rusty-snake

Instead of removing private-dev from profiles, we should enhance private-dev.

That's the way forward, fully agree.

I like Proposal 1.

<!-- gh-comment-id:2165097319 --> @ghost commented on GitHub (Jun 13, 2024): @rusty-snake > Instead of removing private-dev from profiles, we should enhance private-dev. That's the way forward, fully agree. I like `Proposal 1`.

gitea-mirror commented 2026-05-05 09:52:01 -06:00

Author

Owner

Copy link

@kmk3 commented on GitHub (Jun 13, 2024):

@qdii on Jun 13:

$ firejail ssh $host

When executing firejail directly, it's recommended to use the full path for the
program, to avoid calling firejail within firejail, as the program may already
be symlinked to firejail through firecfg (ssh -> /usr/local/bin/ssh ->
firejail).

For example:

firejail /usr/bin/ssh $host

<!-- gh-comment-id:2165115852 --> @kmk3 commented on GitHub (Jun 13, 2024): @qdii [on Jun 13](https://github.com/netblue30/firejail/issues/6379#issue-2350488393): > ``` > $ firejail ssh $host > ``` When executing firejail directly, it's recommended to use the full path for the program, to avoid calling firejail within firejail, as the program may already be symlinked to firejail through firecfg (ssh -> /usr/local/bin/ssh -> firejail). For example: ``` firejail /usr/bin/ssh $host ```

gitea-mirror commented 2026-05-05 09:52:02 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Jun 13, 2024):

Side note:

The linked blog entree mentions /etc/tpm2-tss and ${HOME}/.tpm2_pkcs11. We might want to protect these directories.

Sadly I don't have hardware with a TPM (for now) to actually check what OP can do to support their setup with the 0.9.72 ssh.profile.

<!-- gh-comment-id:2165125211 --> @ghost commented on GitHub (Jun 13, 2024): Side note: The linked [blog entree](https://jade.fyi/blog/tpm-ssh/) mentions `/etc/tpm2-tss` and `${HOME}/.tpm2_pkcs11`. We might want to protect these directories. Sadly I don't have hardware with a TPM (for now) to actually check what OP can do to support their setup with the 0.9.72 ssh.profile.

gitea-mirror commented 2026-05-05 09:52:02 -06:00

Author

Owner

Copy link

@qdii commented on GitHub (Jun 13, 2024):

I'm happy to be your testing monkey :) Just throw a config at me and I'll try.

<!-- gh-comment-id:2165160628 --> @qdii commented on GitHub (Jun 13, 2024): I'm happy to be your testing monkey :) Just throw a config at me and I'll try.

gitea-mirror commented 2026-05-05 09:52:03 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Jun 13, 2024):

The linked blog entree mentions /etc/tpm2-tss and ${HOME}/.tpm2_pkcs11. We might want to protect these directories.

FWIW

$ cat /etc/tpm2-tss/fapi-config.json
{
     "profile_name": "P_ECCP256SHA256",
     "profile_dir": "/etc/tpm2-tss/fapi-profiles/",
     "user_dir": "~/.local/share/tpm2-tss/user/keystore",
     "system_dir": "/var/lib/tpm2-tss/system/keystore",
     "tcti": "",
     "system_pcrs" : [],
     "log_dir" : "/run/tpm2-tss/eventlog/",
     "firmware_log_file": "/dev/null",
     "ima_log_file": "/dev/null"
}

<!-- gh-comment-id:2165268214 --> @rusty-snake commented on GitHub (Jun 13, 2024): > The linked [blog entree](https://jade.fyi/blog/tpm-ssh/) mentions /etc/tpm2-tss and ${HOME}/.tpm2_pkcs11. We might want to protect these directories. FWIW ```console $ cat /etc/tpm2-tss/fapi-config.json { "profile_name": "P_ECCP256SHA256", "profile_dir": "/etc/tpm2-tss/fapi-profiles/", "user_dir": "~/.local/share/tpm2-tss/user/keystore", "system_dir": "/var/lib/tpm2-tss/system/keystore", "tcti": "", "system_pcrs" : [], "log_dir" : "/run/tpm2-tss/eventlog/", "firmware_log_file": "/dev/null", "ima_log_file": "/dev/null" } ```

gitea-mirror commented 2026-05-05 09:52:04 -06:00

Author

Owner

Copy link

@qdii commented on GitHub (Jun 15, 2024):

So far, my ssh.local looks like this:

# TPM access
private-dev
whitelist /usr/lib/libtss2-*
whitelist /etc/tpm2-tss
whitelist ${HOME}/.tpm2_pkcs11

However I always get the same error:

❯ firejail /usr/local/bin/ssh del
fexecve: No such file or directory
Error: failed to run /run/firejail/lib/fseccomp, exiting...
Error: proc 73198 cannot sync with peer: unexpected EOF
Peer 73199 unexpectedly exited with status 1

I'm not sure why fexecve fails like this?

<!-- gh-comment-id:2170038472 --> @qdii commented on GitHub (Jun 15, 2024): So far, my `ssh.local` looks like this: ``` # TPM access private-dev whitelist /usr/lib/libtss2-* whitelist /etc/tpm2-tss whitelist ${HOME}/.tpm2_pkcs11 ``` However I always get the same error: ``` ❯ firejail /usr/local/bin/ssh del fexecve: No such file or directory Error: failed to run /run/firejail/lib/fseccomp, exiting... Error: proc 73198 cannot sync with peer: unexpected EOF Peer 73199 unexpectedly exited with status 1 ``` I'm not sure why `fexecve` fails like this?

gitea-mirror commented 2026-05-05 09:52:04 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Jun 15, 2024):

Guess ssh needs a few more libraries than libtss2-* like libc, libpcre2, libselinux, ...

<!-- gh-comment-id:2170106232 --> @rusty-snake commented on GitHub (Jun 15, 2024): Guess ssh needs a few more libraries than `libtss2-*` like libc, libpcre2, libselinux, ...

gitea-mirror commented 2026-05-05 09:52:04 -06:00

Author

Owner

Copy link

@qdii commented on GitHub (Jun 16, 2024):

Inspired by this comment, I extended ssh.local using the result of ldd:

❯ ldd /usr/local/bin/ssh
	linux-vdso.so.1 (0x0000794c4ea53000)
	libapparmor.so.1 => /usr/lib/libapparmor.so.1 (0x0000794c4e896000)
	libc.so.6 => /usr/lib/libc.so.6 (0x0000794c4e6aa000)
	libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0x0000794c4e67d000)
	/lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x0000794c4ea55000)

cat ~/.config/firejail/ssh.local
private-dev
whitelist /usr/lib/libtss2-*
whitelist /etc/tpm2-tss
whitelist ${HOME}/.tpm2_pkcs11
whitelist /usr/lib/libc.*
whitelist /usr/lib/libapparmor.*
whitelist /usr/lib/libgcc_s.*
whitelist /usr/lib64/ld-linux-x86-64.so.2

Unfortunately this doesn't help much:

❯ firejail /usr/local/bin/ssh del
fexecve: No such file or directory
Error: failed to run /run/firejail/lib/fseccomp, exiting...
Error: proc 108872 cannot sync with peer: unexpected EOF
Peer 108873 unexpectedly exited with status 1

<!-- gh-comment-id:2171795856 --> @qdii commented on GitHub (Jun 16, 2024): Inspired by this comment, I extended `ssh.local` using the result of `ldd`: ``` ❯ ldd /usr/local/bin/ssh linux-vdso.so.1 (0x0000794c4ea53000) libapparmor.so.1 => /usr/lib/libapparmor.so.1 (0x0000794c4e896000) libc.so.6 => /usr/lib/libc.so.6 (0x0000794c4e6aa000) libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0x0000794c4e67d000) /lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x0000794c4ea55000) ``` ``` cat ~/.config/firejail/ssh.local private-dev whitelist /usr/lib/libtss2-* whitelist /etc/tpm2-tss whitelist ${HOME}/.tpm2_pkcs11 whitelist /usr/lib/libc.* whitelist /usr/lib/libapparmor.* whitelist /usr/lib/libgcc_s.* whitelist /usr/lib64/ld-linux-x86-64.so.2 ``` Unfortunately this doesn't help much: ``` ❯ firejail /usr/local/bin/ssh del fexecve: No such file or directory Error: failed to run /run/firejail/lib/fseccomp, exiting... Error: proc 108872 cannot sync with peer: unexpected EOF Peer 108873 unexpectedly exited with status 1 ```

gitea-mirror commented 2026-05-05 09:52:05 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Jun 16, 2024):

Looks like /usr/lib*/firejail is missing.

I wouldn't mess with whitelisting in /usr/lib*

<!-- gh-comment-id:2171810577 --> @rusty-snake commented on GitHub (Jun 16, 2024): Looks like `/usr/lib*/firejail` is missing. I wouldn't mess with whitelisting in `/usr/lib*`

gitea-mirror commented 2026-05-05 09:52:05 -06:00

Author

Owner

Copy link

@kmk3 commented on GitHub (Jun 17, 2024):

@qdii on Jun 13:

2. Add the following configuration in ssh.local

   private-dev
   whitelist /usr/lib/libtss2-*
   

   Note: the SSH connection is also broken without adding these lines, but
   for a different reasons (no access to /dev/tpm0, no access to the
   libraries).

3. Run firejail ssh <some host>

Note that whitelisting a path also enables whitelisting in its base directory,
so unless the profile already has similar whitelisting commands, adding them is
likely to just lead to more breakage.

What is the output without any local modifications?

Example:

firejail --ignore='include ssh.local' --ignore='include globals.local' \
  /usr/bin/ssh $host

Also, if you use private-lib, make sure that it is not in effect.

@qdii on Jun 16:

Inspired by this comment, I extended ssh.local using the result of ldd:

❯ ldd /usr/local/bin/ssh
	linux-vdso.so.1 (0x0000794c4ea53000)
	libapparmor.so.1 => /usr/lib/libapparmor.so.1 (0x0000794c4e896000)
	libc.so.6 => /usr/lib/libc.so.6 (0x0000794c4e6aa000)
	libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0x0000794c4e67d000)
	/lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x0000794c4ea55000)

See --trace= in the firejail manual, which is likely to be more helpful.

<!-- gh-comment-id:2172587440 --> @kmk3 commented on GitHub (Jun 17, 2024): @qdii [on Jun 13](https://github.com/netblue30/firejail/issues/6379#issue-2350488393): > 2. Add the following configuration in `ssh.local` > > ``` > private-dev > whitelist /usr/lib/libtss2-* > ``` > > Note: the SSH connection is also broken without adding these lines, but > for a different reasons (no access to `/dev/tpm0`, no access to the > libraries). > > 3. Run `firejail ssh <some host>` Note that whitelisting a path also enables whitelisting in its base directory, so unless the profile already has similar whitelisting commands, adding them is likely to just lead to more breakage. What is the output without any local modifications? Example: ```sh firejail --ignore='include ssh.local' --ignore='include globals.local' \ /usr/bin/ssh $host ``` Also, if you use `private-lib`, make sure that it is not in effect. @qdii [on Jun 16](https://github.com/netblue30/firejail/issues/6379#issuecomment-2171795856): > Inspired by this comment, I extended `ssh.local` using the result of `ldd`: > > ``` > ❯ ldd /usr/local/bin/ssh > linux-vdso.so.1 (0x0000794c4ea53000) > libapparmor.so.1 => /usr/lib/libapparmor.so.1 (0x0000794c4e896000) > libc.so.6 => /usr/lib/libc.so.6 (0x0000794c4e6aa000) > libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0x0000794c4e67d000) > /lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x0000794c4ea55000) > ``` See `--trace=` in the firejail manual, which is likely to be more helpful.

gitea-mirror commented 2026-05-05 09:52:05 -06:00

Author

Owner

Copy link

@qdii commented on GitHub (Jun 17, 2024):

With no modification, SSH simply connects to the host:

❯ firejail --ignore='include ssh.local' --ignore='include globals.local'  /usr/bin/ssh ovh
Last login: Mon Jun 17 22:51:56 2024 from 81.6.34.64
...

If I understand correctly the previous comments, allowing libraries to be loaded is better done using private-lib than whitelist, so I modified my ssh.local file so that now it reads this:

# TPM access
whitelist /etc/tpm2-tss
whitelist ${HOME}/.tpm2_pkcs11

private-dev
private-lib /usr/lib/libtss2-*
private-lib /usr/lib/libc.*
private-lib /usr/lib/libapparmor.*
private-lib /usr/lib/libgcc_s.*
private-lib /usr/lib64/ld-linux-x86-64.so.2

Then executing gives this:

❯ firejail /usr/local/bin/ssh del
Error mount bind ld.so.preload: fs_trace.c:116 fs_trace: No such file or directory
Error: proc 26048 cannot sync with peer: unexpected EOF
Peer 26049 unexpectedly exited with status 1

<!-- gh-comment-id:2174509024 --> @qdii commented on GitHub (Jun 17, 2024): With no modification, SSH simply connects to the host: ``` ❯ firejail --ignore='include ssh.local' --ignore='include globals.local' /usr/bin/ssh ovh Last login: Mon Jun 17 22:51:56 2024 from 81.6.34.64 ... ``` If I understand correctly the previous comments, allowing libraries to be loaded is better done using `private-lib` than `whitelist`, so I modified my `ssh.local` file so that now it reads this: ``` # TPM access whitelist /etc/tpm2-tss whitelist ${HOME}/.tpm2_pkcs11 private-dev private-lib /usr/lib/libtss2-* private-lib /usr/lib/libc.* private-lib /usr/lib/libapparmor.* private-lib /usr/lib/libgcc_s.* private-lib /usr/lib64/ld-linux-x86-64.so.2 ``` Then executing gives this: ``` ❯ firejail /usr/local/bin/ssh del Error mount bind ld.so.preload: fs_trace.c:116 fs_trace: No such file or directory Error: proc 26048 cannot sync with peer: unexpected EOF Peer 26049 unexpectedly exited with status 1 ```

gitea-mirror commented 2026-05-05 09:52:06 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Jun 17, 2024):

If I understand correctly the previous comments, allowing libraries to be loaded is better done using private-lib than whitelist [...]

Be aware that private-lib is disabled by default in /etc/firejail/firejail.config:

[...]
# Enable or disable private-lib feature, default disabled
# private-lib no
[...]

FYI: after 0.9.72 things have changed even more and, besides the above, support for private-lib needs to be explicitly enabled during configure.

So although technically on 0.9.72 you can use it, the option isn't actively supported any longer. If you use it, keep eyes on this option whenever a 0.9.74 release hits your OS.

<!-- gh-comment-id:2174537250 --> @ghost commented on GitHub (Jun 17, 2024): > If I understand correctly the previous comments, allowing libraries to be loaded is better done using private-lib than whitelist [...] Be aware that `private-lib` is disabled by default in `/etc/firejail/firejail.config`: ```console [...] # Enable or disable private-lib feature, default disabled # private-lib no [...] ``` FYI: after `0.9.72` things have changed even more and, besides the above, support for private-lib needs to be explicitly enabled during configure. So although technically on 0.9.72 you _can_ use it, the option isn't actively supported any longer. If you use it, keep eyes on this option whenever a `0.9.74` release hits your OS.

gitea-mirror commented 2026-05-05 09:52:06 -06:00

Author

Owner

Copy link

@kmk3 commented on GitHub (Jun 18, 2024):

@qdii on Jun 17:

With no modification, SSH simply connects to the host:

❯ firejail --ignore='include ssh.local' --ignore='include globals.local'  /usr/bin/ssh ovh
Last login: Mon Jun 17 22:51:56 2024 from 81.6.34.64
...

If I understand correctly the previous comments, allowing libraries to be
loaded is better done using private-lib than whitelist, so I modified my
ssh.local file so that now it reads this:

Modifying /usr/lib is rarely done and is likely not as tested, so unless you
know what you're doing and are able to debug and fix errors, I'd avoid doing
anything with /usr/lib in profiles.

As for the other entries, the whitelisting in ${HOME} is fine.

Though in /etc it is usually done with private-etc.

Try this in ssh.local:

whitelist ${HOME}/.ssh
whitelist ${HOME}/.tpm2_pkcs11

private-etc ssh,tpm2-tss

<!-- gh-comment-id:2175524045 --> @kmk3 commented on GitHub (Jun 18, 2024): @qdii [on Jun 17](https://github.com/netblue30/firejail/issues/6379#issuecomment-2174509024): > With no modification, SSH simply connects to the host: > > ``` > ❯ firejail --ignore='include ssh.local' --ignore='include globals.local' /usr/bin/ssh ovh > Last login: Mon Jun 17 22:51:56 2024 from 81.6.34.64 > ... > ``` > > If I understand correctly the previous comments, allowing libraries to be > loaded is better done using `private-lib` than `whitelist`, so I modified my > `ssh.local` file so that now it reads this: Modifying /usr/lib is rarely done and is likely not as tested, so unless you know what you're doing and are able to debug and fix errors, I'd avoid doing anything with /usr/lib in profiles. As for the other entries, the whitelisting in `${HOME}` is fine. Though in /etc it is usually done with `private-etc`. Try this in ssh.local: ``` whitelist ${HOME}/.ssh whitelist ${HOME}/.tpm2_pkcs11 private-etc ssh,tpm2-tss ```

gitea-mirror commented 2026-05-05 09:52:07 -06:00

Author

Owner

Copy link

@qdii commented on GitHub (Jun 18, 2024):

Ok, thanks for the explanation about private-lib and modifying /usr/lib.

❯ cat .config/firejail/ssh.local
whitelist ${HOME}/.tpm2_pkcs11
whitelist ${HOME}/.ssh
private-etc ssh,tpm2-tss

❯ firejail /usr/bin/ssh del
No user exists for uid 1000

<!-- gh-comment-id:2177209397 --> @qdii commented on GitHub (Jun 18, 2024): Ok, thanks for the explanation about private-lib and modifying /usr/lib. ``` ❯ cat .config/firejail/ssh.local whitelist ${HOME}/.tpm2_pkcs11 whitelist ${HOME}/.ssh private-etc ssh,tpm2-tss ``` ``` ❯ firejail /usr/bin/ssh del No user exists for uid 1000 ```

gitea-mirror commented 2026-05-05 09:52:07 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Jun 18, 2024):

private-etc ssh,tpm2-tss

No user exists for uid 1000

Looks like you need more from /etc than is currently allowed. Try adding group,login.defs,passwd to private-etc:

$ cat .config/firejail/ssh.local
whitelist ${HOME}/.tpm2_pkcs11
whitelist ${HOME}/.ssh
private-etc group,login.defs,passwd,ssh,tpm2-tss

<!-- gh-comment-id:2177225066 --> @ghost commented on GitHub (Jun 18, 2024): > private-etc ssh,tpm2-tss > No user exists for uid 1000 Looks like you need more from /etc than is currently allowed. Try adding `group,login.defs,passwd` to `private-etc`: ```sh $ cat .config/firejail/ssh.local whitelist ${HOME}/.tpm2_pkcs11 whitelist ${HOME}/.ssh private-etc group,login.defs,passwd,ssh,tpm2-tss ```

gitea-mirror commented 2026-05-05 09:52:07 -06:00

Author

Owner

Copy link

@qdii commented on GitHub (Jun 19, 2024):

OK I get a little further, but still no TPM

❯ cat .config/firejail/ssh.local
whitelist ${HOME}/.tpm2_pkcs11
whitelist ${HOME}/.ssh
private-etc ssh,tpm2-tss,group,login.defs,passwd

❯ firejail /usr/bin/ssh del

** (process:11): CRITICAL **: 21:18:46.830: failed to allocate dbus proxy object: Could not connect: Permission denied
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-tabrmd.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: No such file or directory 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpm0: No such file or directory 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
WARNING:tcti:src/util/io.c:229:socket_connect() Host localhost does not resolve to a valid address: -3: Temporary failure in name resolution 
ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:613:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-swtpm.so.0 
WARNING:tcti:src/util/io.c:229:socket_connect() Host localhost does not resolve to a valid address: -3: Temporary failure in name resolution 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-mssim.so.0 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:269:tctildr_get_default() No standard TCTI could be loaded 
ERROR:tcti:src/tss2-tcti/tctildr.c:430:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI 
WARNING: Listing FAPI token objects failed: "tcti:IO failure"
Please see https://github.com/tpm2-software/tpm2-pkcs11/blob/1.9.0/docs/FAPI.md for more details
WARNING: FAPI backend was not initialized.

** (process:11): CRITICAL **: 21:18:46.832: failed to allocate dbus proxy object: Could not connect: Permission denied
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-tabrmd.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: No such file or directory 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpm0: No such file or directory 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
WARNING:tcti:src/util/io.c:229:socket_connect() Host localhost does not resolve to a valid address: -3: Temporary failure in name resolution 
ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:613:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-swtpm.so.0 
WARNING:tcti:src/util/io.c:229:socket_connect() Host localhost does not resolve to a valid address: -3: Temporary failure in name resolution 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-mssim.so.0 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:269:tctildr_get_default() No standard TCTI could be loaded 
ERROR:tcti:src/tss2-tcti/tctildr.c:430:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI 
ERROR: Could not initialize tpm ctx: 0x5
ERROR: Getting tokens from esysdb backend failed.
C_Initialize for provider /usr/lib/pkcs11/libtpm2_pkcs11.so failed: 5

<!-- gh-comment-id:2179468909 --> @qdii commented on GitHub (Jun 19, 2024): OK I get a little further, but still no TPM ``` ❯ cat .config/firejail/ssh.local whitelist ${HOME}/.tpm2_pkcs11 whitelist ${HOME}/.ssh private-etc ssh,tpm2-tss,group,login.defs,passwd ``` ``` ❯ firejail /usr/bin/ssh del ** (process:11): CRITICAL **: 21:18:46.830: failed to allocate dbus proxy object: Could not connect: Permission denied ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-tabrmd.so.0 ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: No such file or directory ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpm0: No such file or directory ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 WARNING:tcti:src/util/io.c:229:socket_connect() Host localhost does not resolve to a valid address: -3: Temporary failure in name resolution ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:613:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-swtpm.so.0 WARNING:tcti:src/util/io.c:229:socket_connect() Host localhost does not resolve to a valid address: -3: Temporary failure in name resolution ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-mssim.so.0 ERROR:tcti:src/tss2-tcti/tctildr-dl.c:269:tctildr_get_default() No standard TCTI could be loaded ERROR:tcti:src/tss2-tcti/tctildr.c:430:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI WARNING: Listing FAPI token objects failed: "tcti:IO failure" Please see https://github.com/tpm2-software/tpm2-pkcs11/blob/1.9.0/docs/FAPI.md for more details WARNING: FAPI backend was not initialized. ** (process:11): CRITICAL **: 21:18:46.832: failed to allocate dbus proxy object: Could not connect: Permission denied ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-tabrmd.so.0 ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: No such file or directory ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpm0: No such file or directory ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 WARNING:tcti:src/util/io.c:229:socket_connect() Host localhost does not resolve to a valid address: -3: Temporary failure in name resolution ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:613:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-swtpm.so.0 WARNING:tcti:src/util/io.c:229:socket_connect() Host localhost does not resolve to a valid address: -3: Temporary failure in name resolution ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-mssim.so.0 ERROR:tcti:src/tss2-tcti/tctildr-dl.c:269:tctildr_get_default() No standard TCTI could be loaded ERROR:tcti:src/tss2-tcti/tctildr.c:430:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI ERROR: Could not initialize tpm ctx: 0x5 ERROR: Getting tokens from esysdb backend failed. C_Initialize for provider /usr/lib/pkcs11/libtpm2_pkcs11.so failed: 5 ```

gitea-mirror commented 2026-05-05 09:52:08 -06:00

Author

Owner

Copy link

@qdii commented on GitHub (Jun 22, 2024):

@kmk3

I think U2F and TPMs share the same goal, but do not always come in the same form factor:

• U2F is usually implemented via a USB device (Yubikey, Titan key)
• TPMs are usually chips on the motherboard

Binding the two in firejail would make it less flexible for the user to disable one without disabling the other, and currently now the source code relates U2F to USB devices: https://github.com/netblue30/firejail/blob/master/src/firejail/fs_dev.c#L92.

So I think distinguishing them is a better approach.

<!-- gh-comment-id:2183987649 --> @qdii commented on GitHub (Jun 22, 2024): @kmk3 I think U2F and TPMs share the same goal, but do not always come in the same form factor: - U2F is usually implemented via a USB device (Yubikey, Titan key) - TPMs are usually chips on the motherboard Binding the two in firejail would make it less flexible for the user to disable one without disabling the other, and currently now the source code relates U2F to USB devices: https://github.com/netblue30/firejail/blob/master/src/firejail/fs_dev.c#L92. So I think distinguishing them is a better approach.

gitea-mirror commented 2026-05-05 09:52:08 -06:00

Author

Owner

Copy link

@kmk3 commented on GitHub (Jun 23, 2024):

@qdii on Jun 19:

OK I get a little further, but still no TPM

❯ cat .config/firejail/ssh.local
whitelist ${HOME}/.tpm2_pkcs11
whitelist ${HOME}/.ssh
private-etc ssh,tpm2-tss,group,login.defs,passwd

Sorry, in the previous comment I left out the default paths for private-etc,
which are now included by default (and also modified IIRC) in 0.9.73 (see
#5610).

There have been many changes to private-etc (among other things) since
0.9.72, so please use firejail-git (AUR) in this issue to ensure
reproducibility.

Also, does it work without private-etc?

❯ firejail /usr/bin/ssh del

** (process:11): CRITICAL **: 21:18:46.830: failed to allocate dbus proxy object: Could not connect: Permission denied
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-tabrmd.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: No such file or directory 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpm0: No such file or directory 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
WARNING:tcti:src/util/io.c:229:socket_connect() Host localhost does not resolve to a valid address: -3: Temporary failure in name resolution 
ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:613:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-swtpm.so.0 
WARNING:tcti:src/util/io.c:229:socket_connect() Host localhost does not resolve to a valid address: -3: Temporary failure in name resolution 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-mssim.so.0 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:269:tctildr_get_default() No standard TCTI could be loaded 
ERROR:tcti:src/tss2-tcti/tctildr.c:430:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI 
WARNING: Listing FAPI token objects failed: "tcti:IO failure"
Please see https://github.com/tpm2-software/tpm2-pkcs11/blob/1.9.0/docs/FAPI.md for more details
WARNING: FAPI backend was not initialized.

** (process:11): CRITICAL **: 21:18:46.832: failed to allocate dbus proxy object: Could not connect: Permission denied
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-tabrmd.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: No such file or directory 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpm0: No such file or directory 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
WARNING:tcti:src/util/io.c:229:socket_connect() Host localhost does not resolve to a valid address: -3: Temporary failure in name resolution 
ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:613:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-swtpm.so.0 
WARNING:tcti:src/util/io.c:229:socket_connect() Host localhost does not resolve to a valid address: -3: Temporary failure in name resolution 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-mssim.so.0 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:269:tctildr_get_default() No standard TCTI could be loaded 
ERROR:tcti:src/tss2-tcti/tctildr.c:430:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI 
ERROR: Could not initialize tpm ctx: 0x5
ERROR: Getting tokens from esysdb backend failed.
C_Initialize for provider /usr/lib/pkcs11/libtpm2_pkcs11.so failed: 5

What is the output of the following commands?

firejail --trace=trace.txt --ignore='include ssh.local' /usr/bin/ssh -vvv $host
firejail --trace=trace_local.txt /usr/bin/ssh -vvv $host

What is the output in trace.txt and trace_local.txt?

<!-- gh-comment-id:2185113557 --> @kmk3 commented on GitHub (Jun 23, 2024): @qdii [on Jun 19](https://github.com/netblue30/firejail/issues/6379#issuecomment-2179468909): > OK I get a little further, but still no TPM > > ``` > ❯ cat .config/firejail/ssh.local > whitelist ${HOME}/.tpm2_pkcs11 > whitelist ${HOME}/.ssh > private-etc ssh,tpm2-tss,group,login.defs,passwd > ``` Sorry, in the previous comment I left out the default paths for `private-etc`, which are now included by default (and also modified IIRC) in 0.9.73 (see #5610). There have been many changes to `private-etc` (among other things) since 0.9.72, so please use firejail-git (AUR) in this issue to ensure reproducibility. Also, does it work without `private-etc`? > ``` > ❯ firejail /usr/bin/ssh del > > ** (process:11): CRITICAL **: 21:18:46.830: failed to allocate dbus proxy object: Could not connect: Permission denied > ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-tabrmd.so.0 > ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: No such file or directory > ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 > ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpm0: No such file or directory > ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 > WARNING:tcti:src/util/io.c:229:socket_connect() Host localhost does not resolve to a valid address: -3: Temporary failure in name resolution > ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:613:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket > ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-swtpm.so.0 > WARNING:tcti:src/util/io.c:229:socket_connect() Host localhost does not resolve to a valid address: -3: Temporary failure in name resolution > ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-mssim.so.0 > ERROR:tcti:src/tss2-tcti/tctildr-dl.c:269:tctildr_get_default() No standard TCTI could be loaded > ERROR:tcti:src/tss2-tcti/tctildr.c:430:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI > WARNING: Listing FAPI token objects failed: "tcti:IO failure" > Please see https://github.com/tpm2-software/tpm2-pkcs11/blob/1.9.0/docs/FAPI.md for more details > WARNING: FAPI backend was not initialized. > > ** (process:11): CRITICAL **: 21:18:46.832: failed to allocate dbus proxy object: Could not connect: Permission denied > ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-tabrmd.so.0 > ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: No such file or directory > ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 > ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpm0: No such file or directory > ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 > WARNING:tcti:src/util/io.c:229:socket_connect() Host localhost does not resolve to a valid address: -3: Temporary failure in name resolution > ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:613:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket > ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-swtpm.so.0 > WARNING:tcti:src/util/io.c:229:socket_connect() Host localhost does not resolve to a valid address: -3: Temporary failure in name resolution > ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-mssim.so.0 > ERROR:tcti:src/tss2-tcti/tctildr-dl.c:269:tctildr_get_default() No standard TCTI could be loaded > ERROR:tcti:src/tss2-tcti/tctildr.c:430:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI > ERROR: Could not initialize tpm ctx: 0x5 > ERROR: Getting tokens from esysdb backend failed. > C_Initialize for provider /usr/lib/pkcs11/libtpm2_pkcs11.so failed: 5 > ``` What is the output of the following commands? ```sh firejail --trace=trace.txt --ignore='include ssh.local' /usr/bin/ssh -vvv $host firejail --trace=trace_local.txt /usr/bin/ssh -vvv $host ``` What is the output in trace.txt and trace_local.txt?

gitea-mirror commented 2026-05-05 09:52:09 -06:00

Author

Owner

Copy link

@qdii commented on GitHub (Jun 23, 2024):

Also, does it work without private-etc?

I actually don't see any difference in the output with or without private-etc

<!-- gh-comment-id:2185327637 --> @qdii commented on GitHub (Jun 23, 2024): > Also, does it work without `private-etc`? I actually don't see any difference in the output with or without `private-etc`

gitea-mirror commented 2026-05-05 09:52:09 -06:00

Author

Owner

Copy link

@qdii commented on GitHub (Jun 25, 2024):

❯ firejail --trace=trace.txt --ignore='include ssh.local' /usr/bin/ssh -vvv $host
OpenSSH_9.7p1, OpenSSL 3.3.1 4 Jun 2024
debug1: Reading configuration data /home/qdii/.ssh/config
debug1: /home/qdii/.ssh/config line 118: Applying options for vrt
debug1: /home/qdii/.ssh/config line 145: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 2: Including file /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf
debug3: /etc/ssh/ssh_config line 2: Including file /etc/ssh/ssh_config.d/ssh-audit-hardening.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/ssh-audit-hardening.conf
debug3: kex names ok: [sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256]
debug2: resolve_canonicalize: hostname 192.168.2.50 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/qdii/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/qdii/.ssh/known_hosts2'
debug1: auto-mux: Trying existing master at '/home/qdii/.ssh/qdii@192.168.2.50:22'
Control socket connect(/home/qdii/.ssh/qdii@192.168.2.50:22): Transport endpoint is not connected
debug3: channel_clear_timeouts: clearing
debug3: ssh_connect_direct: entering
debug1: Connecting to 192.168.2.50 [192.168.2.50] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x48
debug1: Connection established.

** (process:4): CRITICAL **: 23:53:13.864: failed to allocate dbus proxy object: Could not connect: Permission denied
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-tabrmd.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: No such file or directory 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpm0: Permission denied 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
WARNING:tcti:src/util/io.c:262:socket_connect() Failed to connect to host 127.0.0.1, port 2321: errno 111: Connection refused 
ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:613:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-swtpm.so.0 
WARNING:tcti:src/util/io.c:262:socket_connect() Failed to connect to host 127.0.0.1, port 2321: errno 111: Connection refused 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-mssim.so.0 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:269:tctildr_get_default() No standard TCTI could be loaded 
ERROR:tcti:src/tss2-tcti/tctildr.c:430:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI 
WARNING: Listing FAPI token objects failed: "tcti:IO failure"
Please see https://github.com/tpm2-software/tpm2-pkcs11/blob/1.9.0/docs/FAPI.md for more details
WARNING: FAPI backend was not initialized.

** (process:4): CRITICAL **: 23:53:13.868: failed to allocate dbus proxy object: Could not connect: Permission denied
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-tabrmd.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: No such file or directory 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpm0: Permission denied 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
WARNING:tcti:src/util/io.c:262:socket_connect() Failed to connect to host 127.0.0.1, port 2321: errno 111: Connection refused 
ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:613:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-swtpm.so.0 
WARNING:tcti:src/util/io.c:262:socket_connect() Failed to connect to host 127.0.0.1, port 2321: errno 111: Connection refused 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-mssim.so.0 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:269:tctildr_get_default() No standard TCTI could be loaded 
ERROR:tcti:src/tss2-tcti/tctildr.c:430:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI 
ERROR: Could not initialize tpm ctx: 0x5
ERROR: Getting tokens from esysdb backend failed.
C_Initialize for provider /usr/lib/pkcs11/libtpm2_pkcs11.so failed: 5
debug1: identity file /home/qdii/.ssh/id_rsa type 0
debug1: identity file /home/qdii/.ssh/id_rsa-cert type -1
debug1: identity file /home/qdii/.ssh/id_ecdsa type -1
debug1: identity file /home/qdii/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/qdii/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/qdii/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/qdii/.ssh/id_ed25519 type -1
debug1: identity file /home/qdii/.ssh/id_ed25519-cert type -1
debug1: identity file /home/qdii/.ssh/id_ed25519_sk type -1
debug1: identity file /home/qdii/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/qdii/.ssh/id_xmss type -1
debug1: identity file /home/qdii/.ssh/id_xmss-cert type -1
debug1: identity file /home/qdii/.ssh/id_dsa type -1
debug1: identity file /home/qdii/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.7
debug1: compat_banner: match: OpenSSH_8.9p1 Ubuntu-3ubuntu0.7 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.2.50:22 as 'qdii'
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
Bad packet length 1231976033.
debug2: sshpkt_disconnect: sending SSH2_MSG_DISCONNECT: Packet corrupt
debug3: send packet: type 1
ssh_dispatch_run_fatal: Connection to 192.168.2.50 port 22: message authentication code incorrect

❯ firejail --trace=trace_local.txt /usr/bin/ssh -vvv $host
OpenSSH_9.7p1, OpenSSL 3.3.1 4 Jun 2024
debug1: Reading configuration data /home/qdii/.ssh/config
debug1: /home/qdii/.ssh/config line 118: Applying options for vrt
debug1: /home/qdii/.ssh/config line 145: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 2: Including file /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf
debug3: /etc/ssh/ssh_config line 2: Including file /etc/ssh/ssh_config.d/ssh-audit-hardening.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/ssh-audit-hardening.conf
debug3: kex names ok: [sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256]
debug2: resolve_canonicalize: hostname 192.168.2.50 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/qdii/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/qdii/.ssh/known_hosts2'
debug1: auto-mux: Trying existing master at '/home/qdii/.ssh/qdii@192.168.2.50:22'
Control socket connect(/home/qdii/.ssh/qdii@192.168.2.50:22): Transport endpoint is not connected
debug3: channel_clear_timeouts: clearing
debug3: ssh_connect_direct: entering
debug1: Connecting to 192.168.2.50 [192.168.2.50] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x48
debug1: Connection established.

** (process:5): CRITICAL **: 23:53:53.984: failed to allocate dbus proxy object: Could not connect: Permission denied
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-tabrmd.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: No such file or directory 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpm0: Permission denied 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
WARNING:tcti:src/util/io.c:262:socket_connect() Failed to connect to host 127.0.0.1, port 2321: errno 111: Connection refused 
ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:613:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-swtpm.so.0 
WARNING:tcti:src/util/io.c:262:socket_connect() Failed to connect to host 127.0.0.1, port 2321: errno 111: Connection refused 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-mssim.so.0 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:269:tctildr_get_default() No standard TCTI could be loaded 
ERROR:tcti:src/tss2-tcti/tctildr.c:430:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI 
WARNING: Listing FAPI token objects failed: "tcti:IO failure"
Please see https://github.com/tpm2-software/tpm2-pkcs11/blob/1.9.0/docs/FAPI.md for more details
WARNING: FAPI backend was not initialized.

** (process:5): CRITICAL **: 23:53:53.986: failed to allocate dbus proxy object: Could not connect: Permission denied
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-tabrmd.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: No such file or directory 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpm0: Permission denied 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
WARNING:tcti:src/util/io.c:262:socket_connect() Failed to connect to host 127.0.0.1, port 2321: errno 111: Connection refused 
ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:613:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-swtpm.so.0 
WARNING:tcti:src/util/io.c:262:socket_connect() Failed to connect to host 127.0.0.1, port 2321: errno 111: Connection refused 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-mssim.so.0 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:269:tctildr_get_default() No standard TCTI could be loaded 
ERROR:tcti:src/tss2-tcti/tctildr.c:430:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI 
ERROR: Could not initialize tpm ctx: 0x5
ERROR: Getting tokens from esysdb backend failed.
C_Initialize for provider /usr/lib/pkcs11/libtpm2_pkcs11.so failed: 5
debug1: identity file /home/qdii/.ssh/id_rsa type 0
debug1: identity file /home/qdii/.ssh/id_rsa-cert type -1
debug1: identity file /home/qdii/.ssh/id_ecdsa type -1
debug1: identity file /home/qdii/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/qdii/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/qdii/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/qdii/.ssh/id_ed25519 type -1
debug1: identity file /home/qdii/.ssh/id_ed25519-cert type -1
debug1: identity file /home/qdii/.ssh/id_ed25519_sk type -1
debug1: identity file /home/qdii/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/qdii/.ssh/id_xmss type -1
debug1: identity file /home/qdii/.ssh/id_xmss-cert type -1
debug1: identity file /home/qdii/.ssh/id_dsa type -1
debug1: identity file /home/qdii/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.7
debug1: compat_banner: match: OpenSSH_8.9p1 Ubuntu-3ubuntu0.7 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.2.50:22 as 'qdii'
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
Connection reset by 192.168.2.50 port 22

<!-- gh-comment-id:2190035660 --> @qdii commented on GitHub (Jun 25, 2024): ``` ❯ firejail --trace=trace.txt --ignore='include ssh.local' /usr/bin/ssh -vvv $host OpenSSH_9.7p1, OpenSSL 3.3.1 4 Jun 2024 debug1: Reading configuration data /home/qdii/.ssh/config debug1: /home/qdii/.ssh/config line 118: Applying options for vrt debug1: /home/qdii/.ssh/config line 145: Applying options for * debug1: Reading configuration data /etc/ssh/ssh_config debug3: /etc/ssh/ssh_config line 2: Including file /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf depth 0 debug1: Reading configuration data /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf debug3: /etc/ssh/ssh_config line 2: Including file /etc/ssh/ssh_config.d/ssh-audit-hardening.conf depth 0 debug1: Reading configuration data /etc/ssh/ssh_config.d/ssh-audit-hardening.conf debug3: kex names ok: [sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256] debug2: resolve_canonicalize: hostname 192.168.2.50 is address debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/qdii/.ssh/known_hosts' debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/qdii/.ssh/known_hosts2' debug1: auto-mux: Trying existing master at '/home/qdii/.ssh/qdii@192.168.2.50:22' Control socket connect(/home/qdii/.ssh/qdii@192.168.2.50:22): Transport endpoint is not connected debug3: channel_clear_timeouts: clearing debug3: ssh_connect_direct: entering debug1: Connecting to 192.168.2.50 [192.168.2.50] port 22. debug3: set_sock_tos: set socket 3 IP_TOS 0x48 debug1: Connection established. ** (process:4): CRITICAL **: 23:53:13.864: failed to allocate dbus proxy object: Could not connect: Permission denied ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-tabrmd.so.0 ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: No such file or directory ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpm0: Permission denied ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 WARNING:tcti:src/util/io.c:262:socket_connect() Failed to connect to host 127.0.0.1, port 2321: errno 111: Connection refused ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:613:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-swtpm.so.0 WARNING:tcti:src/util/io.c:262:socket_connect() Failed to connect to host 127.0.0.1, port 2321: errno 111: Connection refused ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-mssim.so.0 ERROR:tcti:src/tss2-tcti/tctildr-dl.c:269:tctildr_get_default() No standard TCTI could be loaded ERROR:tcti:src/tss2-tcti/tctildr.c:430:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI WARNING: Listing FAPI token objects failed: "tcti:IO failure" Please see https://github.com/tpm2-software/tpm2-pkcs11/blob/1.9.0/docs/FAPI.md for more details WARNING: FAPI backend was not initialized. ** (process:4): CRITICAL **: 23:53:13.868: failed to allocate dbus proxy object: Could not connect: Permission denied ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-tabrmd.so.0 ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: No such file or directory ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpm0: Permission denied ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 WARNING:tcti:src/util/io.c:262:socket_connect() Failed to connect to host 127.0.0.1, port 2321: errno 111: Connection refused ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:613:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-swtpm.so.0 WARNING:tcti:src/util/io.c:262:socket_connect() Failed to connect to host 127.0.0.1, port 2321: errno 111: Connection refused ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-mssim.so.0 ERROR:tcti:src/tss2-tcti/tctildr-dl.c:269:tctildr_get_default() No standard TCTI could be loaded ERROR:tcti:src/tss2-tcti/tctildr.c:430:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI ERROR: Could not initialize tpm ctx: 0x5 ERROR: Getting tokens from esysdb backend failed. C_Initialize for provider /usr/lib/pkcs11/libtpm2_pkcs11.so failed: 5 debug1: identity file /home/qdii/.ssh/id_rsa type 0 debug1: identity file /home/qdii/.ssh/id_rsa-cert type -1 debug1: identity file /home/qdii/.ssh/id_ecdsa type -1 debug1: identity file /home/qdii/.ssh/id_ecdsa-cert type -1 debug1: identity file /home/qdii/.ssh/id_ecdsa_sk type -1 debug1: identity file /home/qdii/.ssh/id_ecdsa_sk-cert type -1 debug1: identity file /home/qdii/.ssh/id_ed25519 type -1 debug1: identity file /home/qdii/.ssh/id_ed25519-cert type -1 debug1: identity file /home/qdii/.ssh/id_ed25519_sk type -1 debug1: identity file /home/qdii/.ssh/id_ed25519_sk-cert type -1 debug1: identity file /home/qdii/.ssh/id_xmss type -1 debug1: identity file /home/qdii/.ssh/id_xmss-cert type -1 debug1: identity file /home/qdii/.ssh/id_dsa type -1 debug1: identity file /home/qdii/.ssh/id_dsa-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_9.7 debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.7 debug1: compat_banner: match: OpenSSH_8.9p1 Ubuntu-3ubuntu0.7 pat OpenSSH* compat 0x04000000 debug2: fd 3 setting O_NONBLOCK debug1: Authenticating to 192.168.2.50:22 as 'qdii' debug3: send packet: type 20 debug1: SSH2_MSG_KEXINIT sent Bad packet length 1231976033. debug2: sshpkt_disconnect: sending SSH2_MSG_DISCONNECT: Packet corrupt debug3: send packet: type 1 ssh_dispatch_run_fatal: Connection to 192.168.2.50 port 22: message authentication code incorrect ``` ``` ❯ firejail --trace=trace_local.txt /usr/bin/ssh -vvv $host OpenSSH_9.7p1, OpenSSL 3.3.1 4 Jun 2024 debug1: Reading configuration data /home/qdii/.ssh/config debug1: /home/qdii/.ssh/config line 118: Applying options for vrt debug1: /home/qdii/.ssh/config line 145: Applying options for * debug1: Reading configuration data /etc/ssh/ssh_config debug3: /etc/ssh/ssh_config line 2: Including file /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf depth 0 debug1: Reading configuration data /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf debug3: /etc/ssh/ssh_config line 2: Including file /etc/ssh/ssh_config.d/ssh-audit-hardening.conf depth 0 debug1: Reading configuration data /etc/ssh/ssh_config.d/ssh-audit-hardening.conf debug3: kex names ok: [sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256] debug2: resolve_canonicalize: hostname 192.168.2.50 is address debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/qdii/.ssh/known_hosts' debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/qdii/.ssh/known_hosts2' debug1: auto-mux: Trying existing master at '/home/qdii/.ssh/qdii@192.168.2.50:22' Control socket connect(/home/qdii/.ssh/qdii@192.168.2.50:22): Transport endpoint is not connected debug3: channel_clear_timeouts: clearing debug3: ssh_connect_direct: entering debug1: Connecting to 192.168.2.50 [192.168.2.50] port 22. debug3: set_sock_tos: set socket 3 IP_TOS 0x48 debug1: Connection established. ** (process:5): CRITICAL **: 23:53:53.984: failed to allocate dbus proxy object: Could not connect: Permission denied ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-tabrmd.so.0 ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: No such file or directory ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpm0: Permission denied ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 WARNING:tcti:src/util/io.c:262:socket_connect() Failed to connect to host 127.0.0.1, port 2321: errno 111: Connection refused ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:613:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-swtpm.so.0 WARNING:tcti:src/util/io.c:262:socket_connect() Failed to connect to host 127.0.0.1, port 2321: errno 111: Connection refused ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-mssim.so.0 ERROR:tcti:src/tss2-tcti/tctildr-dl.c:269:tctildr_get_default() No standard TCTI could be loaded ERROR:tcti:src/tss2-tcti/tctildr.c:430:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI WARNING: Listing FAPI token objects failed: "tcti:IO failure" Please see https://github.com/tpm2-software/tpm2-pkcs11/blob/1.9.0/docs/FAPI.md for more details WARNING: FAPI backend was not initialized. ** (process:5): CRITICAL **: 23:53:53.986: failed to allocate dbus proxy object: Could not connect: Permission denied ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-tabrmd.so.0 ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: No such file or directory ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpm0: Permission denied ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 WARNING:tcti:src/util/io.c:262:socket_connect() Failed to connect to host 127.0.0.1, port 2321: errno 111: Connection refused ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:613:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-swtpm.so.0 WARNING:tcti:src/util/io.c:262:socket_connect() Failed to connect to host 127.0.0.1, port 2321: errno 111: Connection refused ERROR:tcti:src/tss2-tcti/tctildr-dl.c:169:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-mssim.so.0 ERROR:tcti:src/tss2-tcti/tctildr-dl.c:269:tctildr_get_default() No standard TCTI could be loaded ERROR:tcti:src/tss2-tcti/tctildr.c:430:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI ERROR: Could not initialize tpm ctx: 0x5 ERROR: Getting tokens from esysdb backend failed. C_Initialize for provider /usr/lib/pkcs11/libtpm2_pkcs11.so failed: 5 debug1: identity file /home/qdii/.ssh/id_rsa type 0 debug1: identity file /home/qdii/.ssh/id_rsa-cert type -1 debug1: identity file /home/qdii/.ssh/id_ecdsa type -1 debug1: identity file /home/qdii/.ssh/id_ecdsa-cert type -1 debug1: identity file /home/qdii/.ssh/id_ecdsa_sk type -1 debug1: identity file /home/qdii/.ssh/id_ecdsa_sk-cert type -1 debug1: identity file /home/qdii/.ssh/id_ed25519 type -1 debug1: identity file /home/qdii/.ssh/id_ed25519-cert type -1 debug1: identity file /home/qdii/.ssh/id_ed25519_sk type -1 debug1: identity file /home/qdii/.ssh/id_ed25519_sk-cert type -1 debug1: identity file /home/qdii/.ssh/id_xmss type -1 debug1: identity file /home/qdii/.ssh/id_xmss-cert type -1 debug1: identity file /home/qdii/.ssh/id_dsa type -1 debug1: identity file /home/qdii/.ssh/id_dsa-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_9.7 debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.7 debug1: compat_banner: match: OpenSSH_8.9p1 Ubuntu-3ubuntu0.7 pat OpenSSH* compat 0x04000000 debug2: fd 3 setting O_NONBLOCK debug1: Authenticating to 192.168.2.50:22 as 'qdii' debug3: send packet: type 20 debug1: SSH2_MSG_KEXINIT sent Connection reset by 192.168.2.50 port 22 ```

gitea-mirror commented 2026-05-05 09:52:10 -06:00

Author

Owner

Copy link

@kmk3 commented on GitHub (Jul 4, 2024):

The original issue was about accessing the keys in the TPM, which should be
fixed by #6390.

As for issues arising from adding whitelisting, I'd suggest looking at the
output of --trace= to see what other paths libtss tries to access in
${HOME} and then try to whitelist those paths as well.

The libtss error messages unfortunately do not contain any paths, but it looks
like it might need access to dbus as well, so maybe ignore dbus-user none
could help.

<!-- gh-comment-id:2208335516 --> @kmk3 commented on GitHub (Jul 4, 2024): The original issue was about accessing the keys in the TPM, which should be fixed by #6390. As for issues arising from adding whitelisting, I'd suggest looking at the output of `--trace=` to see what other paths libtss tries to access in `${HOME}` and then try to whitelist those paths as well. The libtss error messages unfortunately do not contain any paths, but it looks like it might need access to dbus as well, so maybe `ignore dbus-user none` could help.

gitea-mirror commented 2026-05-05 09:52:10 -06:00

Author

Owner

Copy link

@qdii commented on GitHub (Jul 4, 2024):

True, the issue at hand is solved, I'll try with trace, and open another issue if it persists.

<!-- gh-comment-id:2209483256 --> @qdii commented on GitHub (Jul 4, 2024): True, the issue at hand is solved, I'll try with trace, and open another issue if it persists.

gitea-mirror referenced this issue 2026-05-05 10:24:57 -06:00

[PR #3256] [CLOSED] support netcat variants #4697

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

serialize_remounts_v2

landlock_v4

landlock

release-0.9.64

release-0.9.62

gitlab_ci

LTSbase

fred_ctests

docs

0.9.80

0.9.80-rc1

0.9.78

0.9.76

0.9.76-rc4

0.9.76-rc3

0.9.76-rc2

0.9.76-rc1

0.9.74

landlock-split

0.9.72

0.9.72rc1

0.9.70

0.9.68

0.9.68rc1

0.9.66

0.9.66rc1

0.9.64.4

0.9.64.2

0.9.64

0.9.64rc1

0.9.62.4

0.9.62.2

0.9.62

0.9.56.2-LTS

0.9.60

0.9.60-rc1

0.9.58.2

0.9.58

0.9.58-rc1

0.9.56-LTS-release

0.9.56-LTS

0.9.56

0.9.56-rc1

0.9.54

0.9.54-rc2

0.9.54-rc1

0.9.52

0.9.38.12

0.9.50

0.9.50-rc1

0.9.48

0.9.46

0.9.46-rc1

0.9.44.10

0.9.44.8

0.9.44.6

0.9.38.10

0.9.44.4

0.9.38.8

0.9.44.2

0.9.44

0.9.44-rc1

0.9.38.4

0.9.42

0.9.42-rc2

0.9.38.2

0.9.42-rc1

disable-globalcfg

0.9.40

0.9.40-rc1

0.9.38

0.9.38-rc1

0.9.36

0.9.36-rc1

0.9.34

0.9.34-rc1

0.9.32

0.9.32-rc1

0.9.30

0.9.30-rc1

Labels

Clear labels   

LTS merge

  

LTS merge

  

bug

  

bug

  

converted-to-discussion

  

doc-todo

  

documentation

  

duplicate

  

enhancement

  

file-transfer

  

firecfg

  

firejail-in-firejail

  

firetools

  

graphics

  

help wanted

  

information_old

  

installation

  

invalid

  

modif

  

moved

  

needinfo

  

networking

  

notabug

  

notourbug

  

old-version

  

overlayfs

  

packaging

  

profile-request

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question_old

  

removal

  

runtime-permissions

  

sandbox-ipc

  

security

  

stale

  

wiki

  

wiki

  

wontfix

  

wordpress

  

workaround

No labels

LTS merge

LTS merge

bug

bug

converted-to-discussion

doc-todo

documentation

duplicate

enhancement

file-transfer

firecfg

firejail-in-firejail

firetools

graphics

help wanted

information_old

installation

invalid

modif

moved

needinfo

networking

notabug

notourbug

old-version

overlayfs

packaging

profile-request

pull-request

question

question_old

removal

runtime-permissions

sandbox-ipc

security

stale

wiki

wiki

wontfix

wordpress

workaround

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#3256

No description provided.