SSH Timeout Error When Launching Syz-Manager
4 views
Skip to first unread message
Pwn Sally
Dec 1, 2025, 4:08:31 AM (3 days ago) Dec 1
to syzkaller
First off, I have checked the the troubleshooting guide and m question is not answered. Here is my fuzzing config. I'm just running a smoke test to see if it runs (it doesn't).
```
{
"name": "freebsd-tuntap",
"target": "freebsd/amd64",
"http": ":10000",
"workdir": "/home/jordan/FreeBSD/Fuzzing/syzkaller-output",
"syzkaller": "/home/jordan/FreeBSD/syzkaller",
"sshkey": "/home/jordan/.ssh/id_rsa_syzkaller",
"sandbox": "none",
"procs": 8,
"image": "/home/jordan/FreeBSD/FreeBSD-16.0-CURRENT-amd64-BASIC-CLOUDINIT-ufs.raw",
"type": "qemu",
"vm": {
"count": 4,
"cpu": 4,
"mem": 4096,
"qemu_args": "-accel tcg"
}
}
```
If I start `qemu` like (and note, I have already instrumented the kernel)
```
qemu-system-x86_64 \
-m 4G -smp 4 \
-drive file=FreeBSD-16.0-CURRENT-amd64-BASIC-CLOUDINIT-ufs.raw,format=raw \
-nographic \
-net user,host=10.0.2.10,hostfwd=tcp::10022-:22 \
-net nic,model=e1000
```
And I'm able to connect just fine with:
```
jordan@bsd ~/FreeBSD> ssh -i ~/.ssh/id_rsa_syzkaller -p 10022 root@localhost
Last login: Sat Nov 22 20:37:43 2025 from 10.0.2.10
FreeBSD 16.0-CURRENT (SYZKALLER) #0 main-n282064-a8740ba860bf: Fri Nov 21 17:01:14 EST 2025
Welcome to FreeBSD!
root@freebsd:~ #
```
In the guest machine, I enabled:
```
PermitRootLogin without-password
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_key
```
And on the host machine, I have my ssh config to be:
```
Host [localhost]:*
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
```
And yet, when I run with:
```
./syzkaller/bin/syz-manager -config ./Fuzzing/Configs/freebsd.cfg --debug
```
I get this error (Note that `sshd` has started):
```
Starting sshd.
Starting cron.
Starting background file system checks in 60 seconds.
Sun Nov 30 20:29:50 UTC 2025
2025/11/30 15:29:50 running ssh: []string{"-p", "18884", "-F", "/dev/null", "-o", "UserKnownHostsFile=/dev/null", "-o", "IdentitiesOnly=yes", "-o", "BatchMode=yes", "-o", "StrictHostKeyChecking=no", "-o", "ConnectTimeout=10", "-i", "/home/jordan/.ssh/id_rsa_syzkaller", "-v", "root@localhost", "pwd"}
FreeBSD/amd64 (freebsd) (ttyu0)
2025/11/30 15:30:01 ssh failed: failed to run ["ssh" "-p" "18884" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "IdentitiesOnly=yes" "-o" "BatchMode=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/home/jordan/.ssh/id_rsa_syzkaller" "-v" "root@localhost" "pwd"]: exit status 255
2025/11/30 15:30:06 running ssh: []string{"-p", "18884", "-F", "/dev/null", "-o", "UserKnownHostsFile=/dev/null", "-o", "IdentitiesOnly=yes", "-o", "BatchMode=yes", "-o", "StrictHostKeyChecking=no", "-o", "ConnectTimeout=10", "-i", "/home/jordan/.ssh/id_rsa_syzkaller", "-v", "root@localhost", "pwd"}
2025/11/30 15:30:16 ssh failed: failed to run ["ssh" "-p" "18884" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "IdentitiesOnly=yes" "-o" "BatchMode=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/home/jordan/.ssh/id_rsa_syzkaller" "-v" "root@localhost" "pwd"]: exit status 255
```
**BUT** if I connect to the machine normally **AND** only change the timeout, it works:
```
jordan@bsd ~/FreeBSD [255]> ssh -p 18884 \
-F /dev/null \
-o UserKnownHostsFile=/dev/null \
-o IdentitiesOnly=yes \
-o BatchMode=yes \
-o StrictHostKeyChecking=no \
-o ConnectTimeout=30 \
-i /home/jordan/.ssh/id_rsa_syzkaller \
-v \
root@localhost
OpenSSH_9.9p2, OpenSSL 3.0.16 11 Feb 2025
debug1: Reading configuration data /dev/null
debug1: Connecting to localhost [127.0.0.1] port 18884.
debug1: fd 4 clearing O_NONBLOCK
debug1: Connection established.
debug1: identity file /home/jordan/.ssh/id_rsa_syzkaller type 0
debug1: identity file /home/jordan/.ssh/id_rsa_syzkaller-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_10.0 FreeBSD-20250801
debug1: Fssh_compat_banner: match: OpenSSH_10.0 FreeBSD-20250801 pat OpenSSH* compat 0x04000000
debug1: Authenticating to localhost:18884 as 'root'
debug1: Fssh_load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: Fssh_load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: sntrup761x25519-sha512
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20...@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20...@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:u3k3V/9s6TmX6raoAib9GPNcsJpYik55Sgag3InEsho
debug1: Fssh_load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: Fssh_load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: checking without port identifier
debug1: Fssh_load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: Fssh_load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
Warning: Permanently added '[localhost]:18884' (ED25519) to the list of known hosts.
debug1: Fssh_ssh_packet_send2_wrapped: resetting send seqnr 3
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: Sending SSH2_MSG_EXT_INFO
debug1: expecting SSH2_MSG_NEWKEYS
debug1: Fssh_ssh_packet_read_poll2: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-...@openssh.com,sk-ecdsa-sh...@openssh.com,rsa-sha2-512,rsa-sha2-256>
debug1: Fssh_kex_ext_info_check_ver: publickey...@openssh.com=<0>
debug1: Fssh_kex_ext_info_check_ver: pi...@openssh.com=<0>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-...@openssh.com,sk-ecdsa-sh...@openssh.com,rsa-sha2-512,rsa-sha2-256>
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Will attempt key: /home/jordan/.ssh/id_rsa_syzkaller RSA SHA256:5Iq1RJG3vX58cXhlD4lx1zYaaHZDOPw611b6kztQ2rY explicit
debug1: Offering public key: /home/jordan/.ssh/id_rsa_syzkaller RSA SHA256:5Iq1RJG3vX58cXhlD4lx1zYaaHZDOPw611b6kztQ2rY explicit
debug1: Server accepts key: /home/jordan/.ssh/id_rsa_syzkaller RSA SHA256:5Iq1RJG3vX58cXhlD4lx1zYaaHZDOPw611b6kztQ2rY explicit
Authenticated to localhost ([127.0.0.1]:18884) using "publickey".
debug1: channel 0: new session [client-session] (inactive timeout: 0)
debug1: Requesting no-more-...@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostk...@openssh.com want_reply 0
debug1: Remote: /root/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /root/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: pledge: fork
Last login: Sun Nov 30 20:33:42 2025 from 10.0.2.2
FreeBSD 16.0-CURRENT (SYZKALLER) #0 main-n282064-a8740ba860bf: Fri Nov 21 17:01:14 EST 2025
Welcome to FreeBSD!
Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories: https://www.FreeBSD.org/security/
FreeBSD Handbook: https://www.FreeBSD.org/handbook/
FreeBSD FAQ: https://www.FreeBSD.org/faq/
Questions List: https://www.FreeBSD.org/lists/questions/
FreeBSD Forums: https://forums.FreeBSD.org/
Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with: pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.
Show the version of FreeBSD installed: freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages: man man
FreeBSD directory layout: man hier
To change this login announcement, see motd(5).
root@freebsd:~ #
```
```
{
"name": "freebsd-tuntap",
"target": "freebsd/amd64",
"http": ":10000",
"workdir": "/home/jordan/FreeBSD/Fuzzing/syzkaller-output",
"syzkaller": "/home/jordan/FreeBSD/syzkaller",
"sshkey": "/home/jordan/.ssh/id_rsa_syzkaller",
"sandbox": "none",
"procs": 8,
"image": "/home/jordan/FreeBSD/FreeBSD-16.0-CURRENT-amd64-BASIC-CLOUDINIT-ufs.raw",
"type": "qemu",
"vm": {
"count": 4,
"cpu": 4,
"mem": 4096,
"qemu_args": "-accel tcg"
}
}
```
If I start `qemu` like (and note, I have already instrumented the kernel)
```
qemu-system-x86_64 \
-m 4G -smp 4 \
-drive file=FreeBSD-16.0-CURRENT-amd64-BASIC-CLOUDINIT-ufs.raw,format=raw \
-nographic \
-net user,host=10.0.2.10,hostfwd=tcp::10022-:22 \
-net nic,model=e1000
```
And I'm able to connect just fine with:
```
jordan@bsd ~/FreeBSD> ssh -i ~/.ssh/id_rsa_syzkaller -p 10022 root@localhost
Last login: Sat Nov 22 20:37:43 2025 from 10.0.2.10
FreeBSD 16.0-CURRENT (SYZKALLER) #0 main-n282064-a8740ba860bf: Fri Nov 21 17:01:14 EST 2025
Welcome to FreeBSD!
root@freebsd:~ #
```
In the guest machine, I enabled:
```
PermitRootLogin without-password
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_key
```
And on the host machine, I have my ssh config to be:
```
Host [localhost]:*
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
```
And yet, when I run with:
```
./syzkaller/bin/syz-manager -config ./Fuzzing/Configs/freebsd.cfg --debug
```
I get this error (Note that `sshd` has started):
```
Starting sshd.
Starting cron.
Starting background file system checks in 60 seconds.
Sun Nov 30 20:29:50 UTC 2025
2025/11/30 15:29:50 running ssh: []string{"-p", "18884", "-F", "/dev/null", "-o", "UserKnownHostsFile=/dev/null", "-o", "IdentitiesOnly=yes", "-o", "BatchMode=yes", "-o", "StrictHostKeyChecking=no", "-o", "ConnectTimeout=10", "-i", "/home/jordan/.ssh/id_rsa_syzkaller", "-v", "root@localhost", "pwd"}
FreeBSD/amd64 (freebsd) (ttyu0)
2025/11/30 15:30:01 ssh failed: failed to run ["ssh" "-p" "18884" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "IdentitiesOnly=yes" "-o" "BatchMode=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/home/jordan/.ssh/id_rsa_syzkaller" "-v" "root@localhost" "pwd"]: exit status 255
2025/11/30 15:30:06 running ssh: []string{"-p", "18884", "-F", "/dev/null", "-o", "UserKnownHostsFile=/dev/null", "-o", "IdentitiesOnly=yes", "-o", "BatchMode=yes", "-o", "StrictHostKeyChecking=no", "-o", "ConnectTimeout=10", "-i", "/home/jordan/.ssh/id_rsa_syzkaller", "-v", "root@localhost", "pwd"}
2025/11/30 15:30:16 ssh failed: failed to run ["ssh" "-p" "18884" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "IdentitiesOnly=yes" "-o" "BatchMode=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/home/jordan/.ssh/id_rsa_syzkaller" "-v" "root@localhost" "pwd"]: exit status 255
```
**BUT** if I connect to the machine normally **AND** only change the timeout, it works:
```
jordan@bsd ~/FreeBSD [255]> ssh -p 18884 \
-F /dev/null \
-o UserKnownHostsFile=/dev/null \
-o IdentitiesOnly=yes \
-o BatchMode=yes \
-o StrictHostKeyChecking=no \
-o ConnectTimeout=30 \
-i /home/jordan/.ssh/id_rsa_syzkaller \
-v \
root@localhost
OpenSSH_9.9p2, OpenSSL 3.0.16 11 Feb 2025
debug1: Reading configuration data /dev/null
debug1: Connecting to localhost [127.0.0.1] port 18884.
debug1: fd 4 clearing O_NONBLOCK
debug1: Connection established.
debug1: identity file /home/jordan/.ssh/id_rsa_syzkaller type 0
debug1: identity file /home/jordan/.ssh/id_rsa_syzkaller-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_10.0 FreeBSD-20250801
debug1: Fssh_compat_banner: match: OpenSSH_10.0 FreeBSD-20250801 pat OpenSSH* compat 0x04000000
debug1: Authenticating to localhost:18884 as 'root'
debug1: Fssh_load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: Fssh_load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: sntrup761x25519-sha512
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20...@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20...@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:u3k3V/9s6TmX6raoAib9GPNcsJpYik55Sgag3InEsho
debug1: Fssh_load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: Fssh_load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: checking without port identifier
debug1: Fssh_load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: Fssh_load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
Warning: Permanently added '[localhost]:18884' (ED25519) to the list of known hosts.
debug1: Fssh_ssh_packet_send2_wrapped: resetting send seqnr 3
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: Sending SSH2_MSG_EXT_INFO
debug1: expecting SSH2_MSG_NEWKEYS
debug1: Fssh_ssh_packet_read_poll2: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-...@openssh.com,sk-ecdsa-sh...@openssh.com,rsa-sha2-512,rsa-sha2-256>
debug1: Fssh_kex_ext_info_check_ver: publickey...@openssh.com=<0>
debug1: Fssh_kex_ext_info_check_ver: pi...@openssh.com=<0>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-...@openssh.com,sk-ecdsa-sh...@openssh.com,rsa-sha2-512,rsa-sha2-256>
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Will attempt key: /home/jordan/.ssh/id_rsa_syzkaller RSA SHA256:5Iq1RJG3vX58cXhlD4lx1zYaaHZDOPw611b6kztQ2rY explicit
debug1: Offering public key: /home/jordan/.ssh/id_rsa_syzkaller RSA SHA256:5Iq1RJG3vX58cXhlD4lx1zYaaHZDOPw611b6kztQ2rY explicit
debug1: Server accepts key: /home/jordan/.ssh/id_rsa_syzkaller RSA SHA256:5Iq1RJG3vX58cXhlD4lx1zYaaHZDOPw611b6kztQ2rY explicit
Authenticated to localhost ([127.0.0.1]:18884) using "publickey".
debug1: channel 0: new session [client-session] (inactive timeout: 0)
debug1: Requesting no-more-...@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostk...@openssh.com want_reply 0
debug1: Remote: /root/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /root/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: pledge: fork
Last login: Sun Nov 30 20:33:42 2025 from 10.0.2.2
FreeBSD 16.0-CURRENT (SYZKALLER) #0 main-n282064-a8740ba860bf: Fri Nov 21 17:01:14 EST 2025
Welcome to FreeBSD!
Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories: https://www.FreeBSD.org/security/
FreeBSD Handbook: https://www.FreeBSD.org/handbook/
FreeBSD FAQ: https://www.FreeBSD.org/faq/
Questions List: https://www.FreeBSD.org/lists/questions/
FreeBSD Forums: https://forums.FreeBSD.org/
Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with: pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.
Show the version of FreeBSD installed: freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages: man man
FreeBSD directory layout: man hier
To change this login announcement, see motd(5).
root@freebsd:~ #
```
Reply all
Reply to author
Forward
0 new messages