No ssh connection possible after updating via GUI; disabling and re-enabling ssh via GUI solves the problem. I think starting the update by ssh is a bad idea this time.
At the 2nd box, same issue: updating using ssh, logoff, and ssh is no longer connecting. Opening a shell before logoff and running "service openssh onerestart" solves this.
There's very little information here. Not sure why this OpenSSH update would appear any different.
Cheers,
Franco
The key is regenerated:
unknown key type dsa
Generating public/private rsa key pair.
Your identification has been saved in /usr/local/etc/ssh/ssh_host_rsa_key
Your public key has been saved in /usr/local/etc/ssh/ssh_host_rsa_key.pub
Probably related to https://github.com/opnsense/core/commit/0f86d8a06c which wasn't moved to stable for risk of regression, but I see now they meant to disable DSA meaning to disable accepting the config parser input -.-
PS: "service openssh onerestart" is really not a good way to deal with this
I see the same issue after upgrading to 24.1.10
kex_exchange_identification: Connection closed by remote host.
Luckily I could access the console via Proxmox and after reloading all services, ssh did work again.
I think this is about the presence of an old DSA key, but I'm not sure why it would start breaking at runtime unless it reads the config file on each connect and fails due to having removed the parser support for DSA keys, causing a configuration error. That would be pretty stupid.
Cheers,
Franco
Quote from: franco on July 11, 2024, 04:23:40 PM
PS: "service openssh onerestart" is really not a good way to deal with this
That may be; what would be the better way?
I'm trying to find out what the actual issue is now... brb
Restarting from the GUI or console works... or reboot the whole box. Console restart is:
# pluginctl -s openssh restart
It doesn't look related to our changes or DSA then... just the binary update of /usr/local/sbin/sshd that causes the active connection listener to fail to spawn a child process?
Cheers,
Franco
Choosing menu item 11 (restart all services) after updating also seems to work ;) So happy updating 8) Thanks, Franco.
Siegfried
Ok I debugged this by switching binaries... which leads to this error: "-R not supported here"
https://gitlab.archlinux.org/archlinux/packaging/packages/openssh/-/issues/5
To restart ssh via GUI: System/Diagnostic/Services - openssh and restart...
Don't you guys reboot your systems after an update?
We do restart our opnsense boxes after update, through SSH...
Have had this issue on 3/3 opnsense boxes that were updated through Ansible via SSH so far, and many more to come.
The fix being to log in to the GUI and restart the openssh service.
But yeah it would be nice if that wasn't necessary.
As discussed on GitHub I added the note to the changelog as well: https://github.com/opnsense/changelog/commit/208f60a9
Cheers,
Franco