On 21/12/2018 17:10, Andrea Brancatelli wrote:
> Hello.
>
> Just a quick heads up.... Today we updated a FreeBSD 11.2 to 12.0 machine
> and our SSHD got broken.
>
> The problem is with HMAC line in the config file, specifically the
> hmac-ripemd160 value. It was legit in 11.2 (and I suspect
> default-enabled for a previous FreeBSD version because never in the
> world we would change that line - I don't even know what it's for) but it
> doesn't work anymore in 12.0.
>
> So as a check, before upgrading check your /etc/ssh/sshd_config.
>

This should have been highlighted for you when you ran etcupdate(8) or
mergemaster(8) as a routine part of your upgrade procedure. If you
never modified anything to do with the MACs setting in
/etc/ssh/sshd_config then either of those two programs would
automatically remove hmac-ripemd160 for you, or else they should show a
merge conflict for you to resolve.

I recommend using etcupdate(8) as it minimizes the effort needed to
merge in updates to your /etc files. It takes two steps:

1) Just run etcupdate(8) without arguments. It will do a three-way
merge between the previous default and current default contents of /etc
and your actual /etc and automatically upgrade everything it can. It
will then print out a list of the files it modified, each with a single
character indicator showing how the file was dealt with.

2) If anything was listed with flag 'C' (meaning "conflict") then you
need to run a second step to resolve the conflicts:

    # etcupdate resolve

Edit each of the files presented to remove the conflicts and provide the
correct settings for your system.

Cheers,

Matthew
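The pre-upgrade check suggested in the quoted message can be scripted. The following is an added example, not part of either message in this thread: the function name unsupported_macs and the sample data are constructed for illustration, and it assumes the list of supported MACs is taken from `ssh -Q mac` on a host already running the target release.

```shell
#!/bin/sh
# Added example: list MACs named in an sshd_config that the target
# OpenSSH build does not offer (function name is hypothetical).

# unsupported_macs CONFIG SUPPORTED
#   CONFIG    path to an sshd_config file
#   SUPPORTED newline-separated MAC names, e.g. the output of `ssh -Q mac`
# Prints each configured MAC that is missing from SUPPORTED, one per line.
unsupported_macs() {
    config=$1
    supported=$2
    # Take every "MACs" directive (the keyword is case-insensitive), drop
    # trailing comments, and split the comma-separated list into lines.
    awk 'tolower($1) == "macs" {
             sub(/#.*/, "")
             list = $2
             # A leading "-" removes patterns from the defaults; skip it.
             if (list ~ /^-/) next
             # "+" and "^" extend the defaults; the names must still exist.
             sub(/^[+^]/, "", list)
             n = split(list, names, ",")
             for (i = 1; i <= n; i++) if (names[i] != "") print names[i]
         }' "$config" |
    while read -r mac; do
        # Exact, whole-line match against the supported list.
        printf '%s\n' "$supported" | grep -qxF -- "$mac" || printf '%s\n' "$mac"
    done
}

# Constructed sample data (not taken from a real host).
sample_cfg=$(mktemp)
trap 'rm -f "$sample_cfg"' EXIT
cat > "$sample_cfg" <<'EOF'
# constructed sshd_config fragment
Port 22
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-ripemd160
EOF
# Constructed subset of MAC names, standing in for `ssh -Q mac` output.
sample_supported='hmac-sha2-256
hmac-sha2-512
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com'

unsupported_macs "$sample_cfg" "$sample_supported"   # prints hmac-ripemd160
```

Any name it prints has to be removed from the MACs line before the new sshd will start; after editing, `sshd -t` validates the configuration file without starting the daemon.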
