David Wolfskill
2016-Oct-16 16:26 UTC
sshd whines & dies after releng/10 "freebsd-update" run
For most of my experience with FreeBSD (since 1998) and for most of my machines, I build from source (either on the machine itself or a dedicated "build machine"); this has been ... occasionally turbulent, but overall, a fairly stable approach for me (and it's a great deal less turbulent -- usually! -- now than it was a decade ago).

However, I have one machine that is pretty much dedicated to one specific function, and for it, I thought I'd try freebsd-update.

And over the last year or so, it's worked pretty well: I have the machine set up (as is usually my approach) to be able to boot from either of a couple of slices. I use a "dump | restore" pipeline to copy the / and /usr file systems from the "active" slice to the "inactive" slice, adjust /etc/fstab on the inactive slice to reflect reality for when it's the boot slice, then (while the file systems from the other slice are still mounted -- e.g., on /S2) run "freebsd-update -b /S2 fetch install", then reboot from the newly-updated slice.

In the past, that's Just Worked.

This weekend, though, I was planning to update my other systems from stable/10 to stable/11, so I figured I'd try freebsd-update on this machine first.

But before I tried going to stable/11, I thought it might be good to first get to the latest releng/10.

Running freebsd-update seemed to go well. I rebooted from the updated slice... and found that I could not ssh to the machine. (I only physically login to a machine other than my laptop if there's a problem that's so bad that I can't login from the laptop....)

And I found that sshd wasn't running. Indeed, on attempting to start it by hand:

    root@sisboombah: # service sshd start
    Performing sanity check on sshd configuration.
    Undefined symbol "ssh_compat13" referenced from COPY relocation in /usr/sbin/sshd
    /etc/rc.d/sshd: WARNING: failed precmd routine for sshd

Attempting to start it in "debug" mode was of no help:

    root@sisboombah:/tmp # `which sshd` -d
    Undefined symbol "ssh_compat13" referenced from COPY relocation in /usr/sbin/sshd

Any clues?

I have placed both a typescript of the freebsd-update run (actually, a pair of them: one yesterday; another, today), as well as a typescript from some poking around a bit, under <http://www.catwhisker.org/~david/FreeBSD/freebsd-update/>.

Thanks!

Peace,
david
--
David H. Wolfskill david at catwhisker.org
Those who would murder in the name of God or prophet are blasphemous cowards.
See http://www.catwhisker.org/~david/publickey.gpg for my public key.

Brandon Allbery
2016-Oct-16 16:35 UTC
sshd whines & dies after releng/10 "freebsd-update" run
On Sun, Oct 16, 2016 at 12:26 PM, David Wolfskill <david at catwhisker.org> wrote:

> This weekend, though, I was planning to update my other systems from
> stable/10 to stable/11, so I figured I'd try freebsd-update on this
> machine first.

Wait, you used freebsd-update on a machine running stable? It only supports releases. IOW you may well have *downgraded* the machine in some sense. (Although really it should have just failed in that case.)

Also make sure you are not using an sshd from ports; even if such a down/sidegrade works for base, I'd expect it to screw up installed ports.

--
brandon s allbery kf8nh sine nomine associates
allbery.b at gmail.com ballbery at sinenomine.net
unix, openafs, kerberos, infrastructure, xmonad http://sinenomine.net

On 10/16/16 09:26, David Wolfskill wrote:

> And over the last year or so, it's worked pretty well: I have the
> machine set up (as is usually my approach) to be able to boot from
> either of a couple of slices. I use a "dump | restore" pipeline
> to copy the / and /usr file systems from the "active" slice to the
> "inactive" slice, adjust /etc/fstab on the inactive slice to reflect
> reality for when it's the boot slice, then (while the file systems
> from the other slice are still mounted -- e.g., on /S2) run
> "freebsd-update -b /S2 fetch install", then reboot from the
> newly-updated slice.
>
> In the past, that's Just Worked.

Your usage probably worked because you were lucky a few times in the past. (details below)

> This weekend, though, I was planning to update my other systems from
> stable/10 to stable/11, so I figured I'd try freebsd-update on this
> machine first.
>
[...]
> root@sisboombah:/tmp # `which sshd` -d
> Undefined symbol "ssh_compat13" referenced from COPY relocation in /usr/sbin/sshd
>
> Any clues?

I think this is not going to work (stable/10 -> releng/10.3) due to ABI incompatibility in a downgrade.

Basically, freebsd-update is treating your stable/10 as a 10.3-RELEASE installation and will fetch only changes from 10.3-RELEASE to the latest patchlevel. Because of an SSH vulnerability that affects 10.3, freebsd-update would patch libssh (shared library used by sshd and friends), however the change does not affect the main binary. This worked by replacing your existing libssh with the one shipped by freebsd-update (effectively downgraded the library) and that would break sshd.

I think upgrade -r 10.2-RELEASE (ideally, 11.0-RELEASE though as it would eliminate the possibility of any potential incompatibility) would work because that would result in a full rewrite of all files.

Cheers,
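
The point made in both replies, that freebsd-update only supports releases, can be enforced with a pre-flight check before running "freebsd-update -b /S2 fetch install". The script below is an added example, not part of the original thread; its function names and the sample version strings are constructed for illustration. It reads the userland version of the tree about to be patched and refuses anything that is not a -RELEASE.

```shell
#!/bin/sh
# Pre-flight check for "freebsd-update -b <basedir> fetch install".
# Added example; all function names here are hypothetical.

# classify_version VERSION
# Prints "release" for X.Y-RELEASE or X.Y-RELEASE-pN, the branch suffix
# (STABLE, CURRENT, ...) for other X.Y-* strings, "unknown" otherwise.
classify_version() {
    case "$1" in
        [0-9]*.[0-9]*-RELEASE|[0-9]*.[0-9]*-RELEASE-p[0-9]*)
            echo release ;;
        [0-9]*.[0-9]*-*)
            echo "${1#*-}" ;;   # text after the first hyphen
        *)
            echo unknown ;;
    esac
}

# target_version BASEDIR
# Userland version of the tree under BASEDIR. freebsd-version(1) is a shell
# script with the version baked in at build time, so the copy inside the
# target tree describes that tree, not the running system.
target_version() {
    "${1%/}/bin/freebsd-version" -u
}

# preflight BASEDIR [VERSION]
# Returns 0 only if the target is a release, 1 if it is not, 2 if the
# version cannot be read. VERSION overrides the lookup (used below).
preflight() {
    if [ -n "${2:-}" ]; then
        ver=$2
    else
        ver=$(target_version "$1") || {
            echo "cannot read userland version under $1" >&2; return 2; }
    fi
    kind=$(classify_version "$ver")
    if [ "$kind" = release ]; then
        echo "ok: $1 is $ver"
        return 0
    fi
    echo "refusing: $1 is $ver ($kind), not a -RELEASE" >&2
    return 1
}

# Constructed sample versions, not taken from the thread's typescripts.
for v in 10.3-RELEASE-p11 10.3-STABLE 11.0-RELEASE; do
    preflight /S2 "$v" || true
done
```

On a real system, call `preflight /S2` with no second argument and run freebsd-update only when it returns 0.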