update 24.1.10 kills ssh

Started by siegfried, July 11, 2024, 04:03:42 PM

July 11, 2024, 04:03:42 PM Last Edit: July 11, 2024, 04:20:07 PM by siegfried
no ssh connection possible after updating via GUI, disabling and re-enabling ssh via GUI solves the problem. I think starting the update by ssh is this time a bad idea.
On the 2nd box same issue: updating using ssh, logoff and ssh is no longer connecting. Open a shell before logoff and "service openssh onerestart" solves this.

There's very little information here. Not sure why this OpenSSH update would appear any different.


Cheers,
Franco

The key is regenerated:

unknown key type dsa
Generating public/private rsa key pair.
Your identification has been saved in /usr/local/etc/ssh/ssh_host_rsa_key
Your public key has been saved in /usr/local/etc/ssh/ssh_host_rsa_key.pub

Probably related to https://github.com/opnsense/core/commit/0f86d8a06c which wasn't moved to stable for risk of regression, but I see now they meant to disable DSA meaning to disable accepting the config parser input -.-

PS: "service openssh onerestart" is really not a good way to deal with this

I see the same issue after upgrading to 24.1.10

kex_exchange_identification: Connection closed by remote host.

Luckily I could access the console via Proxmox and after reloading all services, ssh did work again.

I think this is about the presence of an old DSA key, but I'm not sure why it would start breaking at runtime unless it reads the config file on each connect and fails due to having removed the parser support for DSA keys, causing a configuration error. That would be pretty stupid.


Cheers,
Franco

Quote from: franco on July 11, 2024, 04:23:40 PM
PS: "service openssh onerestart" is really not a good way to deal with this

that may be, what would be the better way?

I'm trying to find out what the actual issue is now... brb

Restarting from the GUI or console works... or reboot the whole box. Console restart is:

# pluginctl -s openssh restart

It doesn't look related to our changes or DSA then... just the binary update of /usr/local/sbin/sshd that causes the active connection listener to fail to spawn a child process?


Cheers,
Franco

Choosing menu item 11 (restart all services) after updating also seems to work ;) So happy updating 8) Thanks, Franco.

Siegfried

Ok I debugged this by switching binaries... which leads to this error: "-R not supported here"

https://gitlab.archlinux.org/archlinux/packaging/packages/openssh/-/issues/5
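The two posts above pin the failure down to the still-running listener, which predates the replaced /usr/local/sbin/sshd and can no longer spawn a working child, so new connections die during the identification (banner) exchange that the earlier "kex_exchange_identification" error reports. The script below is an added example, not code from this thread or from the OPNsense project: run it from the SSH session that performed the update, before logging off. It checks whether the oldest sshd process started before the binary on disk was modified, restarts the service with the `pluginctl -s openssh restart` command given earlier in the thread, and then opens a throwaway TCP connection to confirm a fresh client still receives an SSH banner. Assumed and not taken from the thread: the FreeBSD base tools `pgrep`, `ps -o etimes`, `nc` and `stat`, sshd listening on 127.0.0.1:22, and the environment variable `SSHD_CHECK_RUN=1` as the switch that makes the script act.

```shell
#!/bin/sh
# Added example (not from the thread, not OPNsense project code).
# Post-update sanity check for the sshd listener; run it from the session
# that did the update, before logging off. Assumes FreeBSD/OPNsense paths
# and base-system pgrep/ps/nc/stat; override SSHD_BIN / SSH_PORT if needed.

SSHD_BIN="${SSHD_BIN:-/usr/local/sbin/sshd}"
SSH_PORT="${SSH_PORT:-22}"

# Modification time of a file in epoch seconds (GNU stat first, BSD stat fallback).
file_mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# 0 if the file was modified after the given epoch timestamp, 1 otherwise.
file_newer_than_epoch() {
    [ "$(file_mtime "$1")" -gt "$2" ]
}

# Start time (epoch seconds) of a process, derived from its elapsed running time.
process_start_epoch() {
    elapsed=$(ps -o etimes= -p "$1" 2>/dev/null | tr -d ' ') || return 1
    [ -n "$elapsed" ] || return 1
    echo $(( $(date +%s) - elapsed ))
}

# 0 if the oldest sshd process (the listener) started before its binary was replaced.
sshd_listener_is_stale() {
    pid=$(pgrep -o -x sshd) || return 1            # -o: oldest match = the listener
    started=$(process_start_epoch "$pid") || return 1
    file_newer_than_epoch "$SSHD_BIN" "$started"
}

# 0 if the line is an SSH-2 identification string, the first thing sshd sends.
banner_is_sshd() {
    case "$1" in
        SSH-2.0-*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Open a throwaway TCP connection and read the server's banner line.
probe_ssh_banner() {
    nc -w 5 "${1:-127.0.0.1}" "${2:-$SSH_PORT}" </dev/null 2>/dev/null | head -n 1
}

main() {
    if sshd_listener_is_stale; then
        echo "sshd listener predates $SSHD_BIN; restarting via pluginctl"
        pluginctl -s openssh restart                # restart command from the thread
    else
        echo "sshd listener already runs the current binary"
    fi
    banner=$(probe_ssh_banner 127.0.0.1 "$SSH_PORT")
    if banner_is_sshd "$banner"; then
        echo "OK: new connections get a banner ($banner); safe to log off"
    else
        echo "WARNING: no SSH banner on port $SSH_PORT; keep this session open and restart openssh from the GUI" >&2
        return 1
    fi
}

# Act only when explicitly asked (SSHD_CHECK_RUN=1), so the file can also be sourced.
if [ "${SSHD_CHECK_RUN:-0}" = "1" ]; then
    main "$@"
fi
```

Usage: `SSHD_CHECK_RUN=1 sh sshd-check.sh` right after the upgrade finishes, while the original session is still open. A non-zero exit means the banner probe failed, which is exactly the state the thread describes, and the session should be kept open until openssh has been restarted from the GUI or the console.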

to restart ssh via GUI: System/Diagnostic/Services - openssh and restart...

Don't you guys reboot your systems after an update?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

We do restart our opnsense boxes after update, through SSH...

Have had this issue on 3/3 opnsense that were updated through Ansible via SSH so far, and much more to come.

The fix being to login to the GUI and restart openssh service.

But yeah it would be nice if that wasn't necessary.