Upgrade to FreeBSD 12.0 breaks SSHD

Matthew Seaman matthew at FreeBSD.org
Sun Dec 23 18:25:39 UTC 2018


On 21/12/2018 17:10, Andrea Brancatelli wrote:
> Hello. 
> 
> Just a quick heads up... Today we updated a FreeBSD 11.2 to 12.0 machine
> and our SSHD got broken. 
> 
> The problem is with HMAC line in the config file, specifically the
> hmac-ripemd160 value. It was legit in 11.2 (and I suspect
> default-enabled for a previous FreeBSD version because never in the
> world we would change that line - I don't even know what it's for) but it
> doesn't work anymore in 12.0. 
> 
> So as a check, before upgrading check your /etc/ssh/sshd_config. 
> 

This should have been highlighted for you when you ran etcupdate(8) or
mergemaster(8) as a routine part of your upgrade procedure.  If you
never modified anything to do with the MACs setting in
/etc/ssh/sshd_config then either of those two programs would
automatically remove hmac-ripemd160 for you, or else they should show a
merge conflict for you to resolve.

I recommend using etcupdate(8) as it minimizes the effort needed to
merge in updates to your /etc files.  It takes two steps:

1) Just run etcupdate(8) without arguments.  It will do a three-way
merge between the previous default and current default contents of /etc
and your actual /etc and automatically upgrade everything it can.  It
will then print out a list of the files it modified, each with a single
character indicator showing how the file was dealt with.

2) If anything was listed with flag 'C' (meaning "conflict") then you
need to run a second step to resolve the conflicts:

   # etcupdate resolve

Edit each of the files presented to remove the conflicts and provide the
correct settings for your system.

	Cheers,

	Matthew
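
Added example, not part of the original message: a check that lists every MAC named in an sshd_config that the target release does not accept, such as the hmac-ripemd160 entry discussed above. It assumes the supported list is saved `ssh -Q mac` output from a host already running the target release; the function name `unsupported_macs` and the sample data are constructed for illustration.

```shell
#!/bin/sh
# unsupported_macs SUPPORTED CONFIG   (hypothetical helper, added example)
#   SUPPORTED: file with one MAC name per line, e.g. saved `ssh -Q mac`
#              output from a host already running the target release.
#   CONFIG:    the sshd_config to check.
# Prints "LINE:NAME" for each MAC in a MACs directive that is missing from
# SUPPORTED; prints nothing when the configuration is clean.
unsupported_macs() {
    awk '
        FILENAME == ARGV[1] { if ($1 != "") ok[$1] = 1; next }
        {
            line = $0
            sub(/#.*/, "", line)          # drop comments
            sub(/^[ \t]+/, "", line)
            if (!match(line, /^[A-Za-z]+/)) next
            # sshd_config keywords are case-insensitive
            if (tolower(substr(line, 1, RLENGTH)) != "macs") next
            value = substr(line, RLENGTH + 1)
            gsub(/[ \t="]/, "", value)    # "MACs a,b" and "MACs=a,b" both occur
            if (value ~ /^-/) next        # "-list" only removes from the defaults
            sub(/^[+^]/, "", value)       # "+list" and "^list" add to the defaults
            n = split(value, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] != "" && !(names[i] in ok))
                    print FNR ":" names[i]
        }
    ' "$1" "$2"
}

# Constructed sample data so the block runs on its own.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' hmac-sha2-256 hmac-sha2-512 > "$d/supported"
    printf '%s\n' '# constructed sshd_config' 'Port 22' \
        'MACs hmac-sha2-512,hmac-ripemd160,hmac-sha2-256' > "$d/sshd_config"
    unsupported_macs "$d/supported" "$d/sshd_config"
    rm -rf "$d"
}
demo
```

After the upgrade, `sshd -t` validates the whole configuration before the daemon is restarted.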



