From nobody Fri Aug 29 12:22:33 2025
From: Frank Leonhardt
To: questions@freebsd.org
Date: Fri, 29 Aug 2025 13:22:33 +0100
Subject: Re: Replacing a REMOVED drive in DEGRADED zpool
List-Id: User questions
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

On 21/08/2025 01:55, Robert wrote:
> I have my first zpool degraded on a FreeBSD 13.5 server and looking
> for advice on the steps I'll be taking to successfully replace the
> REMOVED drive in a 4 disk 2 mirror zpool. It is scrubbed monthly with
> last scrub August 3rd...
>

Funnily enough I wrote about this exact thing in Feb:
https://blog.frankleonhardt.com/2025/freebsd-zfs-raidz-failed-disk-replacement/

Okay, your configuration is mirrors but I think most of the same applies. Note what I say about making the replacement disk bootable, which doesn't seem to have been mentioned in this thread.

Also, I posted a script on this list that installed ZFS manually and other stuff a few months later. Guess what got me interested :-)

Since then I've had a spectacular failure of a ZFS mirror that had been happy for years. The problem with mirrored drives is that when you replace one it thrashes the other while it's resilvering, so if the old one is becoming dodgy it could push it over the edge. I hope you have more luck than I did.
From nobody Fri Aug 29 12:36:23 2025
From: Frank Leonhardt
To: Christian Weisgerber
Cc: questions@freebsd.org
Date: Fri, 29 Aug 2025 13:36:23 +0100
Message-ID: <66c31d86-33bc-4a2f-9d97-36eed8441ed9@fjl.co.uk>
References: <5933e560-714b-492b-9151-380d5527ba18@fjl.co.uk> <19992208-8ea5-4e3d-93fc-a4f62c5594f2@fjl.co.uk>
Subject: Re: ssh on FreeBSD 14.3 won't talk to older hosts

On 20/08/2025 15:31, Christian Weisgerber wrote:
> Frank Leonhardt:
>
>> Add the following:
>>
>> HostKeyAlgorithms=+ssh-dss
>> PubkeyAcceptedKeyTypes +ssh-rsa
>> Protocol 2,1
>>
>> I have all three but they may not all be needed in all circumstances, and
>> having protocol 1 isn't something you want to enable unless you're aware of
>> the risks.
> That's cute if "Protocol 2,1" is still accepted for compatibility,
> but there is no risk. The actual protocol 1 code has been summarily
> deleted from OpenSSH as of release 7.6 (Oct 2017).
>
>> This is IN SPITE of OpenSSH ssh-keygen still generating RSA by default, so
> Actually, that has been Ed25519 since OpenSSH 9.5 (Oct 2023)... but the
> FreeBSD -stable branches haven't picked up that change.
>
>> the default key type it creates it won't use without this hack. Unless I'm
>> missing something.
> There is a difference between a _key type_ and a _public key algorithm_.
> Admittedly, those are the same for all other key types except for RSA,
> where there are three algorithms that can all use the same RSA keys:
> * ssh-rsa
> * rsa-sha2-256
> * rsa-sha2-512
>
> The difference is that those use the SHA-1, SHA-256, and SHA-512
> hashes, respectively. SHA-1 is obsolete and no longer considered
> secure, so the "ssh-rsa" _algorithm_ has been disabled by default.
> You can still use the same "ssh-rsa" _keys_ with rsa-sha2-256 or
> rsa-sha2-512.

Ah, thanks. Good background, and I didn't know a lot of that.

Even if Ed25519 has been the default since OpenSSH, it's a bit much to refuse anything else two years after the change! I'd say refuse if five years AFTER the default was changed.

Regards, Frank.
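As an added example (not from the thread, nor OpenSSH's own code), the three lines Frank posted next to a form that scopes the same algorithms to the one legacy host that needs them, plus a check that nothing legacy is enabled at global scope. The host name oldbox.example is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. The global form is what the thread
# started with; the scoped form limits the same algorithms to one old host
# (name assumed: oldbox.example) so defaults stay intact everywhere else.

global_config() {
    cat <<'EOF'
HostKeyAlgorithms=+ssh-dss
PubkeyAcceptedKeyTypes +ssh-rsa
Protocol 2,1
EOF
}

scoped_config() {
    cat <<'EOF'
Host oldbox.example
    # Only needed while the host still presents a DSA host key.
    HostKeyAlgorithms +ssh-dss
    # Same RSA keys as before; only the SHA-1 signature algorithm is
    # re-enabled, and only for this host (PubkeyAcceptedKeyTypes is the
    # older spelling of this option).
    PubkeyAcceptedAlgorithms +ssh-rsa
EOF
}

# legacy_scoped: read an ssh_config on stdin; exit 0 if ssh-rsa, ssh-dss and
# Protocol only appear inside a Host/Match stanza, 1 if any of them is global.
legacy_scoped() {
    awk '
        /^[ \t]*(Host|Match)[ \t]/ { scoped = 1 }
        !scoped && (/ssh-rsa/ || /ssh-dss/ || /^[ \t]*Protocol[ \t]/) { bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# On the client, "ssh -G oldbox.example | grep -i algorithms" shows the
# effective lists once the scoped stanza is in ~/.ssh/config.
```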
From nobody Sun Aug 31 18:44:04 2025
From: Frank Leonhardt
To: freebsd-questions@freebsd.org
Date: Sun, 31 Aug 2025 19:44:04 +0100
Subject: Re: [Bulk] [nfsd_server_flags="-h ipaddress" has no effect]

On 31/08/2025 17:23, void wrote:
> Hi,
>
> (sorry, originally sent to -current, oops)
>
> On relatively recent -current (main-n278917-233a26b5c5d7 amd64)
> I was alarmed to find that on a dual-NIC host, if nfsd
> is enabled with the -h flag set, the port appears open on all NICs and
> not just the internal facing one.
>
> This behaviour is in contrast to rpcbind_flags="-h 192.168.1.100"
> which when set means rpcbind cannot be seen on the external-facing
> interface when tested.
>
> Is this expected?
>
> I would have expected port 2047 to be inaccessible from outside the
> network if nfsd is bound with -h to an internal-only interface/ip address

No, indeed I would not. It's not what the source code says to do, but it does silently ignore the bind addresses list it's created if the -a flag has been used. If the count of things added to the list is zero it binds to everything regardless.

Are you sure you set the server flags correctly in rc.conf and they're the ones being used?

nfs_server_enable="YES"
nfs_server_flags="-t -n 4 -h 192.168.1.2"

(-t and -n 4 being a reasonable choice).

IIRC there's a problem binding to an interface if you're using UDP.

Assuming you DIDN'T set the -a flag, a printf() around line 300 of usr.sbin/nfsd/nfsd.c would be interesting.

Regards, Frank.
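An added check, not from the thread, for the situation void describes: parse sockstat(1) output and flag any nfsd socket listening on a wildcard address rather than the -h address. The sockstat lines are constructed, and the standard NFS port 2049 is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed sockstat(1) output; on a
# real FreeBSD host the input would come from: sockstat -46 -l -p 2049

# Constructed: -h took effect, nfsd listens only on the internal address.
SOCKSTAT_OK='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nfsd       1234  5  tcp4   192.168.1.2:2049      *:*
root     rpcbind    1100  6  tcp4   192.168.1.2:111       *:*'

# Constructed: the bind list was ignored (the thread names -a as a cause, or
# an empty list), so nfsd listens on every v4 and v6 address.
SOCKSTAT_BAD='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nfsd       1234  5  tcp4   *:2049                *:*
root     nfsd       1234  6  tcp6   *:2049                *:*
root     rpcbind    1100  6  tcp4   192.168.1.2:111       *:*'

# nfsd_wildcard_listeners SOCKSTAT_TEXT: print every nfsd socket whose local
# address is the wildcard "*"; exit 1 if any exist, 0 if nfsd is bound only
# to specific addresses.
nfsd_wildcard_listeners() {
    printf '%s\n' "$1" | awk '
        $2 == "nfsd" && $6 ~ /^\*:/ { print; found = 1 }
        END { exit found ? 1 : 0 }
    '
}

# The rc.conf lines from the thread that should give the "OK" picture;
# -a must not be added to nfs_server_flags, as it overrides the -h list.
expected_rc_conf() {
    cat <<'EOF'
nfs_server_enable="YES"
nfs_server_flags="-t -n 4 -h 192.168.1.2"
EOF
}
```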
From nobody Sun Aug 31 18:47:12 2025
From: Frank Leonhardt
To: questions@freebsd.org
Date: Sun, 31 Aug 2025 19:47:12 +0100
Message-ID: <3f308f70-a646-46fb-aa2a-068d59ed1f8e@fjl.co.uk>
Subject: Re: [nfsd_server_flags="-h ipaddress" has no effect]

Please ignore - wrong list, oops.