Upgrade to FreeBSD 12.0 breaks SSHD

Andrea Brancatelli abrancatelli at schema31.it
Fri Dec 21 17:55:17 UTC 2018 

To David Wolfskil, your mail server keeps refusing my mail, so I'm
sending you my reply here: 

Hello David 

sorry I didn't mean to sound critic towards the work of anyone but I can
assure you 100% that we never touched that file for any particular
reason. 

What I can assure you tho, is that the machine used to be a FreeBSD 8/9
in the beginning. 

What I just checked is that the man page for sshd_config lists the
allowed values for MAC and hmac-ripemd160 disappeared since 12.0 - you
can check it in the online man page:
https://www.freebsd.org/cgi/man.cgi?query=sshd_config&apropos=0&sektion=5&manpath=FreeBSD+11.2-RELEASE&arch=default&format=html
vs https://www.freebsd.org/cgi/man.cgi?sshd_config(5) 

Furthermore I just checked some other of our machines that were upgraded
from previous versions of FreeBSD (always 8/9 era): 

root at cianuro:/etc/ssh # freebsd-version
11.2-RELEASE-p7
root at cianuro:/etc/ssh # cat /etc/ssh/sshd_config | grep MACs
MACs hmac-sha1,hmac-ripemd160
root at cianuro:/etc/ssh # 

While a fresh new 11.x doesn't have that line: 

root at phpengine-ams301:~ # freebsd-version
11.2-RELEASE-p5
root at phpengine-ams301:~ # cat /etc/ssh/sshd_config | grep MACs
root at phpengine-ams301:~ # 

---

Andrea Brancatelli
Schema31 S.p.a.
Chief Technology Officier

ROMA - FI - PA 
ITALY
Tel: +39.06.98.358.472
Cell: +39.331.2488468
Fax: +39.055.71.880.466
Società del Gruppo OVIDIO TECH S.R.L.

On 2018-12-21 18:10, Andrea Brancatelli wrote:

> Hello. 
> 
> Just a quick head up.... Today we update a FreeBSD 11.2 to 12.0 machine
> and our SSHD got broken. 
> 
> The problem is with HMAC line in the config file, specifically the
> hmac-ripemd160 value. It was legit in 11.2 (and I suspect
> default-enabled for a previous FreeBSD version because never in the
> world we would change that line - I don't even knot what's for) but it
> doesn't work anymore in 12.0. 
> 
> So as a check, before upgrading check your /etc/ssh/sshd_config. 
> 
> -- 
> 
> Andrea Brancatelli
> Schema31 S.p.a.
> Chief Technology Officier
> 
> ROMA - FI - PA 
> ITALY
> Tel: +39.06.98.358.472
> Cell: +39.331.2488468
> Fax: +39.055.71.880.466
> Società del Gruppo OVIDIO TECH S.R.L.
> _______________________________________________
> freebsd-stable at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"

More information about the freebsd-stable mailing list