Error message during connection to agent: WARNING - SECURITY BREACH

Hi, I’m trying to deploy a ThinLinc server but I’m running into some issues. I was able to install the server and connect using Linux and macOS with no issues, but after a day I can’t connect again. From what I can see, the connection to the VSM Server is completed without a problem; the problem is when it tries to connect to the VSM Agent, which is on the same server. I get this error message:

WARNING - SECURITY BREACH

The host key received from the server for the agent you are about to connect to and the host key reported by the agent itself doesn't concur.

This almost certainly means there are a third party trying to listen to the communication between you and the server

Contact your systems administrator about this problem!

You will not be connected to the system at this time

Error: No acceptable host key found.

I’ve tried everything to dig deeper into the problem but I can’t find it. If I restart the vsmserver service or the vsmagent service, the same thing keeps happening to me, but if I restart the server (reboot) everything works after the next day, then I get the same error.

Maybe someone can give me a little light on how to investigate this problem further.

Kubuntu 24.04 LTS (Server)
ThinLinc Server 4.18.0
ThinLinc Linux RPM Client 4.18.0
ThinLinc MacOS Client 4.18.0

Server logs during error connection:

==> /var/log/vsmserver.log <==
2025-02-14 16:32:17 INFO vsmserver.session: User with uid 929804178 requested a reconnection to 127.0.0.1:11
2025-02-14 16:32:17 INFO vsmserver: Verifying session 127.0.0.1:11 for pmenino
2025-02-14 16:32:17 INFO vsmserver: Session 127.0.0.1:11 for pmenino is alive and ready for reconnection

Client logs during error connection:

2025-02-14T16:32:09: Log file created for ThinLinc client running on process 4398
2025-02-14T16:32:09: ThinLinc client release 4.18.0 build 3768
2025-02-14T16:32:09: Unable to load system wide configuration
2025-02-14T16:32:09: Unable to load user configuration
2025-02-14T16:32:09: SSH command: "/Applications/ThinLinc Client.app/Contents/lib/tlclient/ssh" -N -o GlobalKnownHostsFile=/dev/null -o UserKnownHostsFile=/dev/null -o UpdateHostKeys=yes -o PubkeyAuthentication=no -o CheckHostIP=no -o NumberOfPasswordPrompts=1 pmenino@XXXXXXXXX -p 22 thinlinc-login master
2025-02-14T16:32:09: SSH pid is 4400
2025-02-14T16:32:09: ssh[E]: CONFIRM HOST KEY: XXXXXXXXX ED25519
2025-02-14T16:32:13: User accepted the new host key.
2025-02-14T16:32:13: Storing host key for XXXXXXXXX
2025-02-14T16:32:13: ssh[E]: NEXT AUTHMETHOD: none
2025-02-14T16:32:13: ssh[E]: AUTH FAILURE
2025-02-14T16:32:13: ssh[E]: NEXT AUTHMETHOD: keyboard-interactive
2025-02-14T16:32:13: ssh[E]: SSH_PROMPT:(pmenino@XXXXXXXXX) Password: 
2025-02-14T16:32:14: ssh[E]: Autopushing login request to phone...
2025-02-14T16:32:16: ssh[E]: Success. Logging you in...
2025-02-14T16:32:16: ssh[E]: AUTH SUCCESS
2025-02-14T16:32:16: ssh[E]: CONNECTED
2025-02-14T16:32:17: ssh[E]: UPDATE HOST KEYS: 3 XXXXXXXXX XXXXXXXXX 22
2025-02-14T16:32:17: ssh[E]: UPDATED HOST KEY: XXXXXXXXX
2025-02-14T16:32:17: ssh[E]: UPDATED HOST KEY: XXXXXXXXX
2025-02-14T16:32:17: ssh[E]: UPDATED HOST KEY: XXXXXXXXX
2025-02-14T16:32:17: Updating host keys for XXXXXXXXX.
2025-02-14T16:32:17: ssh[E]: THINLINC-LOGIN: HELLO 4.18.0
2025-02-14T16:32:17: ssh[E]: THINLINC-LOGIN: CONNECTED MASTER
2025-02-14T16:32:17: My hardware address is 184A5319EEE9
2025-02-14T16:32:17: Calling XML-RPC method 'get_capabilities'
2025-02-14T16:32:17:  Response: 0: Éxito
2025-02-14T16:32:17: Calling XML-RPC method 'get_user_sessions'
2025-02-14T16:32:17:  Response: 0: Éxito
2025-02-14T16:32:17: Calling XML-RPC method 'reconnect_session'
2025-02-14T16:32:17:  Response: 0: Éxito
2025-02-14T16:32:17: Malformed host key
2025-02-14T16:32:17: Ignoring allowed host key
2025-02-14T16:32:17: SSH command: "/Applications/ThinLinc Client.app/Contents/lib/tlclient/ssh" -N -o GlobalKnownHostsFile=/dev/null -o UserKnownHostsFile=/dev/null -o UpdateHostKeys=yes -o PubkeyAuthentication=no -o CheckHostIP=no -o NumberOfPasswordPrompts=1 -o HostKeyAlgorithms=&ssh-rsa,rsa-sha2-256,rsa-sha2-512 pmenino@XXXXXXXXX -p 22 -L 55379:127.0.0.1:5911 -R 5015:127.0.0.1:55380 -R 5014:127.0.0.1:55381 thinlinc-login dummy
2025-02-14T16:32:17: SSH pid is 4405
2025-02-14T16:32:17: ssh[E]: CONFIRM HOST KEY: XXXXXXXXX XXXXXXXXX 22 XXXXXXXXX
2025-02-14T16:32:17: No acceptable host key found.

Hi @Menis,

Not sure what’s going on there. It looks like the client is receiving a different host key than what the ThinLinc server thinks it should be getting, but I don’t know why. Further, it looks like the host key that the ThinLinc client is receiving is invalid anyway.

Could there be another process on the server which is changing the host key? The host keys can be found in /etc/ssh and are named ssh_host_*. You can check the timestamps on these, and see if they have been changed since the last reboot.

The files don’t seem to be changed; they have the same date as the initial installation. I’m going to check tomorrow if they are identical (file contents). I am checking the server and they have BitDefender (Enterprise) installed. I will have to try uninstalling it to see if for some reason it is affecting the connection process with the agent; it is the only thing I can think of at this time to check.

root@linux-server:/etc/ssh# ls -l ssh_host_*
-rw------- 1 root root 513 ene 31 17:07 ssh_host_ecdsa_key
-rw-r--r-- 1 root root 178 ene 31 17:07 ssh_host_ecdsa_key.pub
-rw------- 1 root root 411 ene 31 17:07 ssh_host_ed25519_key
-rw-r--r-- 1 root root 98 ene 31 17:07 ssh_host_ed25519_key.pub
-rw------- 1 root root 2602 ene 31 17:07 ssh_host_rsa_key
-rw-r–r-- 1 root root 570 ene 31 17:07 ssh_host_rsa_key.pub

@Menis sounds like a plan, let us know what you find.

@Menis please also check that whatever you have agent_hostname set to makes sense. I notice it’s been redacted in the logs, but it needs to be something which resolves correctly from the client.

You can find this parameter in /opt/thinlinc/etc/conf.d/vsmagent.hconf.

Hi, the agent_hostname is blank, but it is always reaching the same IP (the server management IP). However, Bitdefender has a module called “Network Attack Defense”, which uses a modified version of libssh to proxy client connections. I think this is the problem I’m having (the connection from server to agent is intercepted by this module and this is affecting the connection).

If I disable BitDefender and restart VSMAgent and VSMServer, I can connect to the server and the agent.

I think I will test adding some local exception for connections in BitDefender or, failing that, disabling this module for these servers.

I will make some changes and a lot of tests to see if this is really the problem and then add the result here for future reference.

Thanks @Menis, keep us updated!
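
A way to check the hypothesis discussed in this thread, as an added example that is not part of any post: compare the public host keys stored in /etc/ssh with the keys actually offered over the network, instead of relying on file timestamps alone. The function names, the key blobs and the address 192.0.2.10 are constructed for illustration; the `--live` branch assumes `ssh-keyscan` is installed and that sshd listens on port 22.

```sh
#!/bin/sh
# Added example, not from the thread. Key blobs and 192.0.2.10 are constructed.
# compare_host_keys DISK_FILE WIRE_FILE
#   DISK_FILE: ssh_host_*_key.pub lines ("type blob [comment]")
#   WIRE_FILE: ssh-keyscan output       ("host type blob")
# Prints "type STATUS" per on-disk key type; returns 1 unless all are MATCH.
compare_host_keys() {
    rc=0
    out=$(awk '
        /^#/ || NF < 2 { next }
        FILENAME == ARGV[1] { disk[$1] = $2; next }
        NF >= 3 { wire[$2] = $3 }
        END {
            for (t in disk) {
                if (!(t in wire))            { s = "MISSING";  bad = 1 }
                else if (wire[t] == disk[t]) { s = "MATCH" }
                else                         { s = "MISMATCH"; bad = 1 }
                print t, s
            }
            exit bad + 0
        }' "$1" "$2") || rc=$?
    printf '%s\n' "$out" | sort
    return "$rc"
}

# Constructed sample: the RSA key on the wire differs, ECDSA is not offered.
demo_constructed() {
    d=$(mktemp -d) || return 2
    cat > "$d/disk" <<'EOF'
ssh-ed25519 AAAA-CONSTRUCTED-ED25519 root@linux-server
ssh-rsa AAAA-CONSTRUCTED-RSA root@linux-server
ecdsa-sha2-nistp256 AAAA-CONSTRUCTED-ECDSA root@linux-server
EOF
    cat > "$d/wire" <<'EOF'
192.0.2.10 ssh-ed25519 AAAA-CONSTRUCTED-ED25519
192.0.2.10 ssh-rsa AAAA-CONSTRUCTED-OTHER-RSA
EOF
    status=0; compare_host_keys "$d/disk" "$d/wire" || status=$?
    rm -rf "$d"
    return "$status"
}

if [ "${1:-}" = "--live" ]; then   # on the server: sh script --live [address]
    d=$(mktemp -d) || exit 2
    cat /etc/ssh/ssh_host_*_key.pub > "$d/disk"
    ssh-keyscan -p 22 "${2:-127.0.0.1}" > "$d/wire" 2>/dev/null
    status=0; compare_host_keys "$d/disk" "$d/wire" || status=$?
    rm -rf "$d"; exit "$status"
else demo_constructed || echo "on-disk and on-wire host keys differ"
fi
```

Running it with `--live` against the address clients connect to, once with the Bitdefender module enabled and once with it disabled, shows whether the offered keys change between the two states.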