Since a few weeks I cannot connect from my MacOS client to ThinLinc server. I assume this happened since the upgrade of the SSH server to OpenSSH_9.2 on the server side.
The error says" No route to host", but it seems to be related to the failure to find the server in the known_hosts file.
Client Log says:
2025-03-24T14:55:01: Log file created for ThinLinc client running on process 14631
2025-03-24T14:55:01: ThinLinc client release 4.16.0 build 3389
2025-03-24T14:55:01: Unable to load system wide configuration
2025-03-24T14:55:04: SSH command: “/Applications/ThinLinc Client.app/Contents/lib/tlclient/ssh” -N -o GlobalKnownHostsFile=/dev/null -o UserKnownHostsFile=/dev/null -o UpdateHostKeys=yes -o PasswordAuthentication=no -o ChallengeResponseAuthentication=no -o KbdInteractiveAuthentication=no -o IdentityFile="/Users/antsiro/.ssh/id_rsa" -o CheckHostIP=no -o NumberOfPasswordPrompts=3 -o HostKeyAlgorithms=<ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-ed25519,ecdsa-sha2-nistp256 USERNAME@SERVER -p 22 thinlinc-login master
2025-03-24T14:55:04: SSH pid is 14633
2025-03-24T14:55:04: ssh[E]: ssh: connect to host SERVER port 22: No route to host
2025-03-24T14:55:04: ssh[E]: CONNECT ERROR: 65
2025-03-24T14:55:07: Process 14633 exited with code 255
If I replace UserKnownHostsFile with the actual path to known_hosts file (output of ssh-keyscan added to .thinlinc/known_hosts), running the same SSH command from command line establishes connection.
“/Applications/ThinLinc Client.app/Contents/lib/tlclient/ssh” -o UserKnownHostsFile=~/.ssh/known_hosts -o UpdateHostKeys=yes -o PasswordAuthentication=no -o ChallengeResponseAuthentication=no -o KbdInteractiveAuthentication=no -o IdentityFile="/Users/USERNAME/.ssh/id_rsa" -o CheckHostIP=no -o NumberOfPasswordPrompts=3 USERNAME@SERVER
I have to delete -o HostKeyAlgorythms as they cause error:
-bash: ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-ed25519,ecdsa-sha2-nistp256: No such file or directory
The syntax is also not correct, it seems, as the < is not closing.
I can’t figure out how to force the client to use known_hosts file, how to change the arguments to ssh, and also, potentially, how to switch to local native ssh client, which is more uptodate and secure. Is there any way to configure this? The client app is a compiled binary, and I don’t find any way to correct it.
-bash: ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-ed25519,ecdsa-sha2-nistp256: No such file or directory
This is just due to the quotation not being right for running the command through bash. Hence, the problem is somewhere else. Similarly, the UserKnownHostsFile, is also a red herring as that file is managed by other parts of the ThinLinc client.
One issue that has started popping up recently is that Apple has introduced a popup that is shown when a third-party application tries to connect to the devices on the local network. The user in this case has to give active permission to allow the application to connect. Sadly, there appears to be bugs in macOS causing this permission popup to not show up in many instances, leading to the “No route to host” error message you are describing. Hence:
Did you update macOS recently?
Is the ThinLinc server on the same local network as the mac you are connecting from?
If the answers here are yes, you are likely hit by this macOS bug. Sadly, we are yet to find a reliable workaround. However, many other third-party applications (such as Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=1919889) are also hit by this issue. This hopefully means that Apple will roll out a fix in the near-term.
Thanks for a quick response. Yes, I’ve updated my macOS. So perhaps it is that bug.
But to clarify: why is UserKnownHostsFile=/dev/null in the log for the ssh line? Is the actual .thinlinc/known_hosts being used? I found this entry in the tlclient binary indeed, and tried to patch with no success.
Following your advice I connected to another subnet and tried to connect to the server this way. Now I pass the first stage, initialization of the session goes on and then there is a blue screen with "Unable to contact settings server; Could not connect: connection refused " message
What should I do?
why is UserKnownHostsFile=/dev/null in the log for the ssh line?
ThinLinc wants SSH to ask whether to accept host keys every time. This way, ThinLinc can be smarter during host key verification and, for example, let the master service keep track of acceptable agent host keys and report those to the client. Setting UserKnownHostsFile to /dev/null is simply a way to let ThinLinc more flexibly handle host key verification instead.
Now I pass the first stage, initialization of the session goes on and then there is a blue screen with "Unable to contact settings server; Could not connect: connection refused " message.
In this case, ThinLinc is very likely working as intended. Based on that error, it instead sounds like the desktop environment is not properly installed/configured on the server-side system in question.
I didn’t change any configuration on the server side and cannot connect from the other clients now too.
After trying to narrow down the problem I could find an issue
in /var/opt/thinlinc/sessions/user/last/xinit.log file :
Executing profile: xfce
Using XDG session: xfce
Updating D-Bus and systemd environment…
dbus-update-activation-environment: error: unable to connect to D-Bus: Failed to connect to socket /tmp/dbus-tprcwrNfsR: Connection refused
tl-run-profile: Failed to update D-Bus and systemd environment
Executing XDG session command: startxfce4
/usr/bin/startxfce4: X server already running on display :19
Profile command exited with exit code 0
Running /opt/thinlinc/etc/xlogout.d/tl-kdestroy.sh
kdestroy: No credentials cache found while destroying cache
Running /opt/thinlinc/etc/xlogout.d/tl-umount-localdrives
tl-xinit: client terminated and returned 0
tl-xinit: Terminating X server…
X I/O error
tl-while-x11: lost Xserver connection, terminating child 30335 …
tl-while-x11: lost Xserver connection, terminating child 30345 …
I tried to remove xfce from the equation and put in options : start the xterm application.
With that got ThinLinc login and show xterm.
Trying to test it further now I am getting error “Thinlinc login failed (You are not allowed to create any more sessions)” .
Could you give a hand further how to move forward?
It looks like there is already a ThinLinc session running, and the server is not configured to allow multiple sessions per user. You can do one of the following:
reconnect to the existing session
check the “end existing session” box in the native client, before reconnecting
Regarding XFCE failing to start, it’s not immediately obvious why that’s happening. One common reason however is that you already have an XFCE session running on the server’s local console. If this is the case, please try logging out of that session and reconnecting with ThinLinc.