freebsd stable - Oct 2016 - sshd whines & dies after releng/10 "freebsd-update" run

On Sun, Oct 16, 2016 at 10:29:00AM -0700, Xin Li wrote:
> ... 
> On 10/16/16 09:26, David Wolfskill wrote:
> > And over the last year or so, it's worked pretty well:  I have the
> > machine set up (as is usually my approach) to be able to boot from
> > either of a couple of slices.  I use a "dump | restore"
pipeline
> > to copy the / and /usr file systems from the "active" slice
to the
> > "inactive" slice, adjust /etc/fstab on the inactive slice to
reflect
> > reality for when it's the boot slice, then (while the file
systemms
> > from the other slice are still mounted -- e.g., on /S2) run
> > "freebsd-update -b /S2 fetch install", then reboot from the
> > newly-updated slice.
> > 
> > In the past, that's Just Worked.
> 
> Your usage probably worked because you were lucky for a few times in the
> past.  (details below)
> 
> > This weekend, though, I was planning to update my other systems tfrom
> > stable/10 to stable/11, so I figured I'd try freebsd-update on
this
> > machine first.
> > 
> [...]
> > root at sisboombah:/tmp # `which sshd` -d
> > Undefined symbol "ssh_compat13" referenced from COPY
relocation in /usr/sbin/sshd
> > 
> > Any clues?
> 
> I think this is not going to work (stable/10 -> releng/10.3) due to ABI
> incompatibility in a downgrade.
I seem to have failed to commnunicate clearly:  The machine in question
does not, and has not, run "stable".  It runs releng.

At the moment (on the "old" slice), it reports:

sisboombah(10.3-RELEASE-p7)[1] uname -a
FreeBSD sisboombah.catwhisker.org 10.3-RELEASE-p7 FreeBSD 10.3-RELEASE-p7 #0:
Thu Aug 11 18:38:15 UTC 2016     root at
amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
sisboombah(10.3-RELEASE-p7)[2] 
> Basically, freebsd-update is treating your stable/10 as a 10.3-RELEASE
> installation and will fetch only changes from 10.3-RELEASE to the latest
> patchlevel.
I can see that... if the machine were running stable.
> Because of a SSH vulnerability that affects 10.3, freebsd-update would
> patch libssh (shared library used by sshd and friends), however the
> change does not affect the main binary.  This worked by replacing your
> existing libssh with the one shipped by freebsd-update (effectively
> downgraded the library) and that would break sshd.
As a reality check:
sisboombah(10.3-RELEASE-p7)[4] sudo mount /S2
Password:
sisboombah(10.3-RELEASE-p7)[5] sudo mount /S2/usr
sisboombah(10.3-RELEASE-p7)[6] ls -lT {,/S2}/usr/lib/private/libssh.so.*
-r--r--r--  1 root  wheel  634232 Oct 16 11:57:32 2016
/S2/usr/lib/private/libssh.so.5
-r--r--r--  1 root  wheel  569864 Jun  5 13:37:52 2016
/usr/lib/private/libssh.so.5
sisboombah(10.3-RELEASE-p7)[7] ls -lT {,/S2}/usr/sbin/ssh*
-r-xr-xr-x  1 root  wheel  297736 Jun  5 13:38:35 2016 /S2/usr/sbin/sshd
-r-xr-xr-x  1 root  wheel  297736 Jun  5 13:38:35 2016 /usr/sbin/sshd
sisboombah(10.3-RELEASE-p7)[8] 
> I think upgrade -r 10.2-RELEASE (ideally, 11.0-RELEASE though as it
> would eliminate the possibility of any potential incompatibility) would
> work because that would result in a full rewrite of all files.
Well, I had seen reports of folks having "issues" with attempts to
use freebsd-update to get to releng/11 from systems that weren't
as up-to-date as they might be; I was actually trying to avoid a
problem.... :-}

Peace,
david
-- 
David H. Wolfskill				david at catwhisker.org
Those who would murder in the name of God or prophet are blasphemous cowards.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 603 bytes
Desc: not available
URL:
<http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20161016/a382f0d2/attachment.sig>

On Sun, Oct 16, 2016 at 10:45 AM, David Wolfskill <david at
catwhisker.org>
wrote:
> On Sun, Oct 16, 2016 at 10:29:00AM -0700, Xin Li wrote:
> > ...
> > On 10/16/16 09:26, David Wolfskill wrote:
> > > And over the last year or so, it's worked pretty well:  I
have the
> > > machine set up (as is usually my approach) to be able to boot
from
> > > either of a couple of slices.  I use a "dump | restore"
pipeline
> > > to copy the / and /usr file systems from the "active"
slice to the
> > > "inactive" slice, adjust /etc/fstab on the inactive
slice to reflect
> > > reality for when it's the boot slice, then (while the file
systemms
> > > from the other slice are still mounted -- e.g., on /S2) run
> > > "freebsd-update -b /S2 fetch install", then reboot from
the
> > > newly-updated slice.
> > >
> > > In the past, that's Just Worked.
> >
> > Your usage probably worked because you were lucky for a few times in
the
> > past.  (details below)
> >
> > > This weekend, though, I was planning to update my other systems
tfrom
> > > stable/10 to stable/11, so I figured I'd try freebsd-update
on this
> > > machine first.
> > >
> > [...]
> > > root at sisboombah:/tmp # `which sshd` -d
> > > Undefined symbol "ssh_compat13" referenced from COPY
relocation in
> /usr/sbin/sshd
> > >
> > > Any clues?
> >
> > I think this is not going to work (stable/10 -> releng/10.3) due to
ABI
> > incompatibility in a downgrade.
>
> I seem to have failed to commnunicate clearly:  The machine in question
> does not, and has not, run "stable".  It runs releng.
>
> At the moment (on the "old" slice), it reports:
>
> sisboombah(10.3-RELEASE-p7)[1] uname -a
> FreeBSD sisboombah.catwhisker.org 10.3-RELEASE-p7 FreeBSD 10.3-RELEASE-p7
> #0: Thu Aug 11 18:38:15 UTC 2016     root at amd64-builder.daemonology.net:
> /usr/obj/usr/src/sys/GENERIC  amd64
> sisboombah(10.3-RELEASE-p7)[2]
>
> > Basically, freebsd-update is treating your stable/10 as a 10.3-RELEASE
> > installation and will fetch only changes from 10.3-RELEASE to the
latest
> > patchlevel.
>
> I can see that... if the machine were running stable.
>
> > Because of a SSH vulnerability that affects 10.3, freebsd-update would
> > patch libssh (shared library used by sshd and friends), however the
> > change does not affect the main binary.  This worked by replacing your
> > existing libssh with the one shipped by freebsd-update (effectively
> > downgraded the library) and that would break sshd.
>
> As a reality check:
> sisboombah(10.3-RELEASE-p7)[4] sudo mount /S2
> Password:
> sisboombah(10.3-RELEASE-p7)[5] sudo mount /S2/usr
> sisboombah(10.3-RELEASE-p7)[6] ls -lT {,/S2}/usr/lib/private/libssh.so.*
> -r--r--r--  1 root  wheel  634232 Oct 16 11:57:32 2016
> /S2/usr/lib/private/libssh.so.5
> -r--r--r--  1 root  wheel  569864 Jun  5 13:37:52 2016
> /usr/lib/private/libssh.so.5
> sisboombah(10.3-RELEASE-p7)[7] ls -lT {,/S2}/usr/sbin/ssh*
> -r-xr-xr-x  1 root  wheel  297736 Jun  5 13:38:35 2016 /S2/usr/sbin/sshd
> -r-xr-xr-x  1 root  wheel  297736 Jun  5 13:38:35 2016 /usr/sbin/sshd
> sisboombah(10.3-RELEASE-p7)[8]
>
> > I think upgrade -r 10.2-RELEASE (ideally, 11.0-RELEASE though as it
> > would eliminate the possibility of any potential incompatibility)
would
> > work because that would result in a full rewrite of all files.
>
> Well, I had seen reports of folks having "issues" with attempts
to
> use freebsd-update to get to releng/11 from systems that weren't
> as up-to-date as they might be; I was actually trying to avoid a
> problem.... :-}
>
> Peace,
> david
> --
> David H. Wolfskill                              david at catwhisker.org
> Those who would murder in the name of God or prophet are blasphemous
> cowards.
>
> See http://www.catwhisker.org/~david/publickey.gpg for my public key.
>
I believe sshd no longer supports ssh1 compatibility and it looks like you
might still have an entry in /etc/sshd/sshd.config trying to touch v1.
Check the file for any non-default entries. Compare your sshd_config with
the default version in /usr/src/crypto/openssh.
--
Kevin Oberman, Part time kid herder and retired Network Engineer
E-mail: rkoberman at gmail.com
PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683