Date: Fri, 21 Dec 2018 18:10:35 +0100
From: Andrea Brancatelli <abrancatelli@schema31.it>
To: freebsd-stable@freebsd.org
Subject: Upgrade to FreeBSD 12.0 breaks SSHD
Message-ID: <ecb82a4c4c088976b276f64b10b468aa@schema31.it>
Hello.

Just a quick heads up.... Today we updated a FreeBSD 11.2 machine to 12.0 and our SSHD got broken.

The problem is with the HMAC line in the config file, specifically the hmac-ripemd160 value. It was legit in 11.2 (and I suspect default-enabled for a previous FreeBSD version, because never in the world would we change that line - I don't even know what it's for) but it doesn't work anymore in 12.0.

So as a check, before upgrading check your /etc/ssh/sshd_config.

--

Andrea Brancatelli
Schema31 S.p.a.
Chief Technology Officer

ROMA - FI - PA
ITALY
Tel: +39.06.98.358.472
Cell: +39.331.2488468
Fax: +39.055.71.880.466
Società del Gruppo OVIDIO TECH S.R.L.

Date: Fri, 21 Dec 2018 18:55:08 +0100
From: Andrea Brancatelli <abrancatelli@schema31.it>
To: freebsd-stable@freebsd.org
Subject: Re: Upgrade to FreeBSD 12.0 breaks SSHD
Organization: Schema31 s.r.l.
In-Reply-To: <ecb82a4c4c088976b276f64b10b468aa@schema31.it>
References: <ecb82a4c4c088976b276f64b10b468aa@schema31.it>
Message-ID: <eb7be613db4f825dc5e8317fc38194e7@schema31.it>

To David Wolfskil, your mail server keeps refusing my mail, so I'm sending you my reply here:

Hello David,

sorry, I didn't mean to sound critical towards the work of anyone, but I can assure you 100% that we never touched that file for any particular reason. What I can assure you, though, is that the machine used to be a FreeBSD 8/9 in the beginning.
What I just checked is that the man page for sshd_config lists the allowed values for MACs, and hmac-ripemd160 disappeared since 12.0 - you can check it in the online man page:

https://www.freebsd.org/cgi/man.cgi?query=sshd_config&apropos=0&sektion=5&manpath=FreeBSD+11.2-RELEASE&arch=default&format=html

vs

https://www.freebsd.org/cgi/man.cgi?sshd_config(5)

Furthermore I just checked some of our other machines that were upgraded from previous versions of FreeBSD (always 8/9 era):

root@cianuro:/etc/ssh # freebsd-version
11.2-RELEASE-p7
root@cianuro:/etc/ssh # cat /etc/ssh/sshd_config | grep MACs
MACs hmac-sha1,hmac-ripemd160
root@cianuro:/etc/ssh #

While a fresh new 11.x doesn't have that line:

root@phpengine-ams301:~ # freebsd-version
11.2-RELEASE-p5
root@phpengine-ams301:~ # cat /etc/ssh/sshd_config | grep MACs
root@phpengine-ams301:~ #

---
Andrea Brancatelli
Schema31 S.p.a.
Chief Technology Officer

ROMA - FI - PA
ITALY
Tel: +39.06.98.358.472
Cell: +39.331.2488468
Fax: +39.055.71.880.466
Società del Gruppo OVIDIO TECH S.R.L.

On 2018-12-21 18:10, Andrea Brancatelli wrote:

> Hello.
>
> Just a quick heads up.... Today we updated a FreeBSD 11.2 machine to 12.0
> and our SSHD got broken.
>
> The problem is with the HMAC line in the config file, specifically the
> hmac-ripemd160 value. It was legit in 11.2 (and I suspect
> default-enabled for a previous FreeBSD version, because never in the
> world would we change that line - I don't even know what it's for) but it
> doesn't work anymore in 12.0.
>
> So as a check, before upgrading check your /etc/ssh/sshd_config.
>
> --
>
> Andrea Brancatelli
> Schema31 S.p.a.
> Chief Technology Officer
>
> ROMA - FI - PA
> ITALY
> Tel: +39.06.98.358.472
> Cell: +39.331.2488468
> Fax: +39.055.71.880.466
> Società del Gruppo OVIDIO TECH S.R.L.
Date: Fri, 21 Dec 2018 18:21:56 +0000
From: Jamie Landeg-Jones <jamie@catflap.org>
Organization: Dyslexic Fish
To: freebsd-stable@freebsd.org
Subject: Error in /usr/src/UPDATING regarding drm
Message-Id: <201812211821.wBLILunK049814@donotpassgo.dyslexicfish.net>

/usr/src/UPDATING contains the line:

"WITHOUT_DRM_MODULE=t and WITHOUT_DRM2_MODULE=t to avoid nasty"

This should be:

"WITHOUT_MODULE_DRM and WITHOUT_MODULE_DRM2=t to /etc/src.conf to avoid nasty"

(I also added the reference to /etc/src.conf which I think is missing)

cheers, Jamie
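The pre-upgrade check Andrea recommends in the two sshd messages above (grep the MACs line of /etc/ssh/sshd_config before moving to 12.0) can be made mechanical. The POSIX shell script below is an added example and is not code from the thread or from FreeBSD: it pulls every name out of the active MACs directives of an sshd_config, strips OpenSSH's +/-/^ list modifiers, and reports any name that the target OpenSSH does not list in `ssh -Q mac` (a real OpenSSH query flag). The sample config text, the fallback list of supported MACs, the function names and the file name check_macs.sh are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: flag MAC names in an sshd_config that the
# target OpenSSH does not support, before the upgrade leaves sshd unable to
# start. All function and variable names here are this example's own.

# Constructed sample config text, mirroring the MACs line quoted in the thread.
SAMPLE_CONFIG='Port 22
# MACs hmac-md5           (commented out: must be ignored)
MACs hmac-sha1,hmac-ripemd160
PermitRootLogin no'

# Constructed fallback list of supported MACs (assumption: roughly what
# `ssh -Q mac` prints on a build that dropped ripemd160). On a real host the
# list comes from the new ssh binary via target_macs below.
FALLBACK_MACS='hmac-sha1
hmac-sha2-256
hmac-sha2-512
umac-64@openssh.com
umac-128@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com'

# target_macs: MAC names the locally installed ssh supports, one per line.
# `ssh -Q mac` is a real OpenSSH query flag; fall back to the constructed list
# when no ssh is installed (for example inside a build container).
target_macs() {
    if command -v ssh >/dev/null 2>&1 && ssh -Q mac >/dev/null 2>&1; then
        ssh -Q mac
    else
        printf '%s\n' "$FALLBACK_MACS"
    fi
}

# configured_macs CONFIG_TEXT: every name from every active MACs directive
# (global or inside a Match block), one per line, with OpenSSH's +, - and ^
# list modifiers stripped. Commented lines have "#" as their first field and
# therefore never match.
configured_macs() {
    printf '%s\n' "$1" \
      | awk 'tolower($1) == "macs" { print $2 }' \
      | tr ',' '\n' \
      | sed 's/^[-+^]//' \
      | grep -v '^$'
}

# unsupported_macs CONFIG_TEXT SUPPORTED_LIST: configured names that do not
# appear as a whole line in SUPPORTED_LIST (fixed-string, exact match).
unsupported_macs() {
    supported=$2
    configured_macs "$1" | while read -r name; do
        printf '%s\n' "$supported" | grep -Fqx -- "$name" || printf '%s\n' "$name"
    done
}

# check_sshd_config FILE SUPPORTED_LIST: return 0 when every configured MAC is
# supported, 1 otherwise (offending names go to stderr). Usable as a
# pre-upgrade gate; `sshd -t` run with the *new* sshd remains the final word,
# because other directives can break too.
check_sshd_config() {
    bad=$(unsupported_macs "$(cat "$1")" "$2")
    if [ -n "$bad" ]; then
        printf 'unsupported MAC(s) in %s:\n%s\n' "$1" "$bad" >&2
        return 1
    fi
    return 0
}

# Usage: sh check_macs.sh /etc/ssh/sshd_config
# (checks the given file against the locally installed ssh; without an
# argument nothing runs, so the functions can be sourced from other scripts)
if [ -n "${1:-}" ]; then
    check_sshd_config "$1" "$(target_macs)"
fi
```

Run it on the host that is about to be upgraded with the supported list taken from a machine already on the new release (`ssh -Q mac` there), or copy the sshd_config to the new machine and run it locally: the point is to compare the old config against the new binary's algorithm list, not against the old one. Against the constructed sample the script reports hmac-ripemd160 and exits 1, which is exactly the condition that broke sshd in the thread.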