From owner-freebsd-bugs@FreeBSD.ORG Tue Jan 7 09:10:00 2014
Date: Tue, 7 Jan 2014 09:05:00 GMT
From: David Cecchin
To: freebsd-gnats-submit@FreeBSD.org
Message-Id: <201401070905.s07950tT069008@oldred.freebsd.org>
Resent-Date: Tue, 7 Jan 2014 09:10:00 GMT
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, David Cecchin
Subject: misc/185546: freebsd-update can modify sshd and lock you out of your system
X-Send-Pr-Version: www-3.1
List-Id: Bug reports

>Number:         185546
>Category:       misc
>Synopsis:       freebsd-update can modify sshd and lock you out of your system
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 07 09:10:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator:     David Cecchin
>Release:        9.1-RELEASE to 9.2-RELEASE
>Organization:
>Environment:
FreeBSD sanction.local 9.2-RELEASE FreeBSD 9.2-RELEASE #0 r255898: Thu Sep 26 22:50:31 UTC 2013 root@bake.isc.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
I think this is a usability bug: when upgrading a system, for example from FreeBSD 9.1 to 9.2, with these instructions:

http://www.freebsd.org/releases/9.2R/installation.html

I was locked out of my FreeBSD system.

The freebsd-update process made some changes to my sshd configuration:

    51 <<<<<<< current version
    52 AuthorizedKeysFile	.ssh/authorized_keys
    53 =======
    54
    55 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
    56 #AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
    57
    58 #AuthorizedPrincipalsFile none
    59
    60 #AuthorizedKeysCommand none
    61 #AuthorizedKeysCommandUser nobody
    62 >>>>>>> 9.2-RELEASE

Now of course the changes on lines 51, 53 and 62 were read in by sshd as invalid parameters and stopped sshd from starting on reboot. This isn't an issue for things like ntp.conf, which will simply print a warning to syslog, but for critical services such as sshd it will stop the service from starting. If adding these markers is necessary, why don't you at the very least put a # in front of them?
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
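The failure mode described in the report (conflict markers left in sshd_config that sshd parses as invalid keywords) is easy to catch before the reboot. The following is an added example, not part of the PR or of freebsd-update: a pre-reboot check that lists leftover merge-conflict markers in a merged config file and, where sshd is installed, runs sshd's own syntax test (sshd -t -f) on it. The sample file contents are constructed from the snippet in the report.

```shell
# Added example (not from the PR or the FreeBSD tree): detect merge-conflict
# markers that freebsd-update can leave in a merged config such as sshd_config.
# Marker lines are seven repeated '<', '=' or '>' at the start of a line.
MARKER_RE='^(<{7}|={7}|>{7})'

# List every marker as "lineno:text"; exit status 1 when the file is clean.
find_conflict_markers() {
    grep -n -E "$MARKER_RE" "$1"
}

# Number of marker lines in a file (prints 0 when clean).
count_conflict_markers() {
    grep -c -E "$MARKER_RE" "$1"
}

# Pre-reboot check for an sshd_config: markers first, then sshd's own syntax
# test (real options: -t test mode, -f config file) if sshd is on this host.
check_sshd_config() {
    if find_conflict_markers "$1"; then
        echo "conflict markers left in $1; sshd will not start" >&2
        return 1
    fi
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1" || return 1
    fi
    return 0
}

# Constructed sample reproducing the merged block from the report.
SAMPLE=$(mktemp)
printf '%s\n' \
    '<<<<<<< current version' \
    'AuthorizedKeysFile .ssh/authorized_keys' \
    '=======' \
    '#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2' \
    '>>>>>>> 9.2-RELEASE' >"$SAMPLE"

# Constructed clean file for comparison.
CLEAN=$(mktemp)
printf 'AuthorizedKeysFile .ssh/authorized_keys\n' >"$CLEAN"
```

Running check_sshd_config /etc/ssh/sshd_config (as root, so sshd -t can read the host keys) after freebsd-update install and before shutdown -r catches this lockout; the same marker scan can be run over every file freebsd-update reports as merged.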