Hello. Just a quick heads up.... Today we updated a FreeBSD 11.2 to 12.0 machine and our SSHD got broken.

The problem is with the HMAC line in the config file, specifically the hmac-ripemd160 value. It was legit in 11.2 (and I suspect default-enabled for a previous FreeBSD version because never in the world would we change that line - I don't even know what it's for) but it doesn't work anymore in 12.0.

So as a check, before upgrading check your /etc/ssh/sshd_config.

-- 
Andrea Brancatelli
Schema31 S.p.a.
Chief Technology Officer
ROMA - FI - PA
ITALY
Tel: +39.06.98.358.472
Cell: +39.331.2488468
Fax: +39.055.71.880.466
Società del Gruppo OVIDIO TECH S.R.L.
To David Wolfskil, your mail server keeps refusing my mail, so I'm sending you my reply here:

Hello David, sorry I didn't mean to sound critical towards the work of anyone but I can assure you 100% that we never touched that file for any particular reason. What I can assure you though, is that the machine used to be a FreeBSD 8/9 in the beginning.

What I just checked is that the man page for sshd_config lists the allowed values for MACs and hmac-ripemd160 disappeared since 12.0 - you can check it in the online man page:

https://www.freebsd.org/cgi/man.cgi?query=sshd_config&apropos=0&sektion=5&manpath=FreeBSD+11.2-RELEASE&arch=default&format=html

vs

https://www.freebsd.org/cgi/man.cgi?sshd_config(5)

Furthermore I just checked some other of our machines that were upgraded from previous versions of FreeBSD (always 8/9 era):

root@cianuro:/etc/ssh # freebsd-version
11.2-RELEASE-p7
root@cianuro:/etc/ssh # cat /etc/ssh/sshd_config | grep MACs
MACs hmac-sha1,hmac-ripemd160
root@cianuro:/etc/ssh #

While a fresh new 11.x doesn't have that line:

root@phpengine-ams301:~ # freebsd-version
11.2-RELEASE-p5
root@phpengine-ams301:~ # cat /etc/ssh/sshd_config | grep MACs
root@phpengine-ams301:~ #

---
Andrea Brancatelli
Schema31 S.p.a.

On 2018-12-21 18:10, Andrea Brancatelli wrote:
> Hello.
>
> Just a quick heads up.... Today we updated a FreeBSD 11.2 to 12.0 machine
> and our SSHD got broken.
>
> The problem is with the HMAC line in the config file, specifically the
> hmac-ripemd160 value. It was legit in 11.2 (and I suspect
> default-enabled for a previous FreeBSD version because never in the
> world would we change that line - I don't even know what it's for) but it
> doesn't work anymore in 12.0.
>
> So as a check, before upgrading check your /etc/ssh/sshd_config.
>
> --
> Andrea Brancatelli
> Schema31 S.p.a.
On 21/12/2018 17:10, Andrea Brancatelli wrote:
> Hello.
>
> Just a quick heads up.... Today we updated a FreeBSD 11.2 to 12.0 machine
> and our SSHD got broken.
>
> The problem is with the HMAC line in the config file, specifically the
> hmac-ripemd160 value. It was legit in 11.2 (and I suspect
> default-enabled for a previous FreeBSD version because never in the
> world would we change that line - I don't even know what it's for) but it
> doesn't work anymore in 12.0.
>
> So as a check, before upgrading check your /etc/ssh/sshd_config.

This should have been highlighted for you when you ran etcupdate(8) or mergemaster(8) as a routine part of your upgrade procedure. If you never modified anything to do with the MACs setting in /etc/ssh/sshd_config then either of those two programs would automatically remove hmac-ripemd160 for you, or else they should show a merge conflict for you to resolve.

I recommend using etcupdate(8) as it minimizes the effort needed to merge in updates to your /etc files. It takes two steps:

1) Just run etcupdate(8) without arguments. It will do a three-way merge between the previous default and current default contents of /etc and your actual /etc and automatically upgrade everything it can. It will then print out a list of the files it modified, each with a single character indicator showing how the file was dealt with.

2) If anything was listed with flag 'C' (meaning "conflict") then you need to run a second step to resolve the conflicts:

   # etcupdate resolve

Edit each of the files presented to remove the conflicts and provide the correct settings for your system.

Cheers,

Matthew
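As an added example (not code from any post in this thread), the pre-upgrade check Andrea suggests, done as a POSIX shell function: it pulls the MACs entries out of an sshd_config and reports the ones a target release's sshd no longer accepts, which is exactly the case etcupdate(8) or mergemaster(8) would otherwise have to catch. The SUPPORTED_MACS list and the sample configs are constructed; on a real host the list would come from `ssh -Q mac` on a machine already running the target version.

```shell
#!/bin/sh
# Added example, not code from the thread. Flags MACs in an sshd_config that
# the target release's sshd no longer accepts. SUPPORTED_MACS below is a
# constructed placeholder: on a real host, fill it from `ssh -Q mac` run on a
# machine that already runs the target version (e.g. FreeBSD 12.0).
SUPPORTED_MACS="hmac-sha1 hmac-sha2-256 hmac-sha2-512 umac-64@openssh.com umac-128@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"

# unsupported_macs CONFIG: print, one per line, each MAC named on a MACs line
# of CONFIG that is absent from SUPPORTED_MACS. The keyword match is
# case-insensitive and commented-out lines are ignored, as sshd itself does.
unsupported_macs() {
    grep -i '^[[:space:]]*MACs[[:space:]]' "$1" 2>/dev/null |
      sed 's/^[[:space:]]*[Mm][Aa][Cc][Ss][[:space:]]*//; s/[[:space:]]*$//' |
      tr ',' '\n' |
      while read -r mac; do
          [ -n "$mac" ] || continue
          case " $SUPPORTED_MACS " in
              *" $mac "*) ;;          # accepted by the target sshd
              *) echo "$mac" ;;       # would make sshd refuse its config
          esac
      done
}

# check_sshd_macs CONFIG: return 0 if CONFIG is clean, 1 (with a report on
# stderr) if it names a MAC the target sshd would reject.
check_sshd_macs() {
    bad=$(unsupported_macs "$1")
    if [ -n "$bad" ]; then
        printf 'MACs in %s not accepted by the target sshd:\n%s\n' "$1" "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample configs mirroring the two hosts shown in the thread.
SAMPLE_OLD=$(mktemp)   # upgraded from the 8/9 era: still pins hmac-ripemd160
printf 'Port 22\nMACs hmac-sha1,hmac-ripemd160\n' > "$SAMPLE_OLD"
SAMPLE_NEW=$(mktemp)   # fresh 11.x install: no active MACs line, defaults apply
printf 'Port 22\n#MACs hmac-ripemd160\n' > "$SAMPLE_NEW"

check_sshd_macs "$SAMPLE_OLD"   # reports hmac-ripemd160, returns 1
check_sshd_macs "$SAMPLE_NEW"   # returns 0
```

After the merge, `sshd -t` on the upgraded host validates the resulting config before the daemon is restarted, so a leftover entry is caught before it costs you the session.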