thebaselab
Unable to establish SSH connection - "Disconnect [preauth]" error
Description
I just purchased this app specifically for its SSH functionality, but I cannot establish an SSH connection. The connection is immediately dropped during the pre-authentication phase.
Environment
- Client: iOS (latest App Version, just downloaded)
- Authentication method: OpenSSH private key pasted directly into the app with passphrase
- Other SSH clients on my Mac: Working fine with the same credentials
- SFTP enabled, root login access allowed with pubkey/no-password
Error Log
Connection from 10.90.90.41 port 54447 on 10.90.90.40 port 22 rdomain ""
Received disconnect from 10.90.90.41 port 54447:11: NMSSH: Disconnect [preauth]
Disconnected from authenticating user root 10.90.90.41 port 54447 [preauth]
srclimit_penalise: ipv4: new 10.90.90.41/32 deferred penalty of 1 seconds for penalty: connections without attempting authentication
What I've tried
- ✅ SSH config checked – all settings allow the connection
- ✅ Same private key + passphrase works with other SSH clients (Terminal, etc.)
- ✅ Server is reachable and accepting connections from my IP
Problem
The server log shows "connections without attempting authentication", meaning the app disconnects before even trying to authenticate. The error message references "NMSSH: Disconnect [preauth]", suggesting the NMSSH library is terminating the connection prematurely.
Question
What could cause the app to disconnect before attempting authentication? Is there a known issue with the NMSSH library or how private keys with passphrases are handled?
What's your OpenSSH version on the server? Please share the output of sshd -V
OpenSSH_10.0p2, OpenSSL 3.5.4 30 Sep 2025
I don't think that this matters but in my case, it's a Home Assistant Server via Advanced SSH Add-on in a test environment
The sshd_config:
# Cryptography
# ===================
Ciphers [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
MACs -hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,[email protected],[email protected],[email protected]
KexAlgorithms -diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecd>
# Authentication
# ===================
LoginGraceTime 120
MaxAuthTries 6
MaxSessions 10
MaxStartups 10:30:100
PermitRootLogin yes
AllowUsers root
PubkeyAuthentication yes
IgnoreRhosts yes
HostbasedAuthentication no
IgnoreUserKnownHosts no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
AuthorizedKeysFile [REDACTED]
# Environment
# ===================
PermitUserEnvironment [REDACTED]
# Forwarding / Tunnel
# ===================
X11Forwarding no
X11DisplayOffset 10
X11UseLocalhost yes
PermitTunnel no
AllowTcpForwarding no
AllowAgentForwarding yes
GatewayPorts no
# Messages
# ===================
Banner none
PrintMotd no
# SFTP
=====================
Subsystem sftp /usr/lib/ssh/sftp-server
# Misc
# ===================
AcceptEnv LANG LC_*
It's a 'Ed25519' key and I inserted it in OpenSSH format directly into the textfield in the app. I inserted it with the PEM boundaries / start-end marker intact.
FYI - I just tried:
- Testing it on my iPad in the Code app resulted in the same issues.
- Connecting to a Mac that uses the same key for authentication produced the same problem.
The same key/passphrase works fine in other IDEs on my Mac.
That sounds like a key compatibility issue. Just for experiment, can you please use a key generated with different algorithm like EDCSA / RSA and see if it connects?
I ran some tests. Initially, I encountered the same problem with the ECDSA key, but after generating a new one and trying again, it worked. Strangely, it suddenly worked with a completely new ED25519 key. However, when I tried again with my original ED25519 key, it unfortunately failed again with the same error (preauth aborted by code app).
So what exactly does this mean? Is something wrong with my ED25519 key?
Test with EDCSA:
Connection from 10.90.90.41 port 51841 on 10.90.90.40 port 22 rdomain ""
Accepted key ECDSA SHA256:TagrFKh9MYm5lAY1rIHPSWIIYW112ChCKtHJTUN2xlw found at /etc/ssh/authorized_keys:1
Postponed publickey for root from 10.90.90.41 port 51841 ssh2 [preauth]
Accepted key ECDSA SHA256:TagrFKh9MYm5lAY1rIHPSWIIYW112ChCKtHJTUN2xlw found at /etc/ssh/authorized_keys:1
Accepted publickey for root from 10.90.90.41 port 51841 ssh2: ECDSA SHA256:TagrFKh9MYm5lAY1rIHPSWIIYW112ChCKtHJTUN2xlw
Test with RSA:
Connection from 10.90.90.41 port 51838 on 10.90.90.40 port 22 rdomain ""
Accepted key RSA SHA256:ViHho1P3Rt7AiktYunhoR31OzWebSA/bdVy2TkeepBk found at /etc/ssh/authorized_keys:1
Postponed publickey for root from 10.90.90.41 port 51838 ssh2 [preauth]
Accepted key RSA SHA256:ViHho1P3Rt7AiktYunhoR31OzWebSA/bdVy2TkeepBk found at /etc/ssh/authorized_keys:1
Accepted publickey for root from 10.90.90.41 port 51838 ssh2: RSA SHA256:ViHho1P3Rt7AiktYunhoR31OzWebSA/bdVy2TkeepBk
Test with new ED25519:
Connection from 10.90.90.41 port 51843 on 10.90.90.40 port 22 rdomain ""
Accepted key ED25519 SHA256:dLxfH5Wds3KMzoGQ99MggNP9yj2dvsnqpWfoH1WCfmI found at /etc/ssh/authorized_keys:1
Postponed publickey for root from 10.90.90.41 port 51843 ssh2 [preauth]
Accepted key ED25519 SHA256:dLxfH5Wds3KMzoGQ99MggNP9yj2dvsnqpWfoH1WCfmI found at /etc/ssh/authorized_keys:1
Accepted publickey for root from 10.90.90.41 port 51843 ssh2: ED25519 SHA256:dLxfH5Wds3KMzoGQ99MggNP9yj2dvsnqpWfoH1WCfmI
I'm glad it works now. The original key was somehow incompatible with our ssh library, due to some unknown feature used to generated it. We probably need to update our ssh library (libssh2) from 1.11.0 to 1.11.1 to support it.
TODO: Re-compile NMSSH with the latest libssh2. https://github.com/libssh2/libssh2/releases/tag/libssh2-1.11.1
I found something else. It seems that those errors occur mainly with SSH keys I generated through 1Password. I had an RSA key generated via 1Password just now, and it didn't work. I generated another RSA key with the same bit length via 'ssh-keygen', and it worked.