Date: Sun, 23 Dec 2018 18:25:34 +0000
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-stable@freebsd.org
Subject: Re: Upgrade to FreeBSD 12.0 breaks SSHD
Message-ID: <ea921a4b-bbce-f7b2-1e59-fa5d1c6bd400@FreeBSD.org>
In-Reply-To: <ecb82a4c4c088976b276f64b10b468aa@schema31.it>
References: <ecb82a4c4c088976b276f64b10b468aa@schema31.it>
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)

On 21/12/2018 17:10, Andrea Brancatelli wrote:
> Hello.
>
> Just a quick head up.... Today we update a FreeBSD 11.2 to 12.0 machine
> and our SSHD got broken.
>
> The problem is with HMAC line in the config file, specifically the
> hmac-ripemd160 value. It was legit in 11.2 (and I suspect
> default-enabled for a previous FreeBSD version because never in the
> world we would change that line - I don't even know what's for) but it
> doesn't work anymore in 12.0.
>
> So as a check, before upgrading check your /etc/ssh/sshd_config.
>

This should have been highlighted for you when you ran etcupdate(8) or
mergemaster(8) as a routine part of your upgrade procedure. If you
never modified anything to do with the MACs setting in
/etc/ssh/sshd_config then either of those two programs would
automatically remove hmac-ripemd160 for you, or else they should show a
merge conflict for you to resolve.

I recommend using etcupdate(8) as it minimizes the effort needed to
merge in updates to your /etc files. It takes two steps:

1) Just run etcupdate(8) without arguments. It will do a three-way
   merge between the previous default and current default contents of
   /etc and your actual /etc and automatically upgrade everything it
   can. It will then print out a list of the files it modified, each
   with a single character indicator showing how the file was dealt
   with.

2) If anything was listed with flag 'C' (meaning "conflict") then you
   need to run a second step to resolve the conflicts:

   # etcupdate resolve

   Edit each of the files presented to remove the conflicts and
   provide the correct settings for your system.

Cheers,

Matthew
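A pre-upgrade check in the spirit of the advice above, as an added example that is not part of the original message: it lists any algorithm on a MACs line of an sshd_config that is absent from a list of supported MACs (on a real host, the output of `ssh -Q mac` from the new release). The function name, temporary paths and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message.
# Real-host usage (run with the OpenSSH version you are upgrading to):
#   ssh -Q mac > /tmp/supported_macs
#   unsupported_macs /etc/ssh/sshd_config /tmp/supported_macs

# unsupported_macs CONFIG SUPPORTED_LIST
# Prints each MAC named in CONFIG that is missing from SUPPORTED_LIST,
# one per line. Prints nothing when every listed MAC is supported.
unsupported_macs() {
    config=$1
    supported=$2
    # Keywords are case-insensitive; commented-out lines do not match.
    # The value is a comma-separated list. A leading '+' or '^' (merge with
    # the defaults) is stripped; a leading '-' means "remove these patterns
    # from the defaults", so such lines are skipped.
    awk 'tolower($1) == "macs" { print $2 }' "$config" |
    sed -e '/^-/d' -e 's/^[+^]//' |
    tr ',' '\n' |
    while read -r mac; do
        [ -n "$mac" ] || continue
        grep -qxF -- "$mac" "$supported" || printf '%s\n' "$mac"
    done
}

# Demo on constructed data so the script runs offline.
demo=$(mktemp -d)
cat > "$demo/sshd_config" <<'EOF'
# constructed sample config
Port 22
MACs hmac-sha2-256,hmac-ripemd160,hmac-sha2-512
EOF
cat > "$demo/supported" <<'EOF'
hmac-sha2-256
hmac-sha2-512
umac-128@openssh.com
EOF
echo "MACs in the sample config that the sample list does not support:"
unsupported_macs "$demo/sshd_config" "$demo/supported"
rm -rf "$demo"
```

`sshd -t` run with the new binary also checks the configuration file for validity without restarting the daemon.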