update 24.1.10 kills ssh

[siegfried]

no ssh connection possible after updating via GUI, disabling and re-eabling via GUI ssh solves the problem. I think starting update by ssh  is this time a bad idea.
At the 2nd box same issue: updating using ssh, logoff and ssh is no longer connecting. Open a shell before logoff and "service openssh onerestart" solves this.

[franco]

There's very little information here. Not sure why this OpenSSH update would appear any different.


Cheers,
Franco

[siegfried]

The key is regenerated:

unknown key type dsa
Generating public/private rsa key pair.
Your identification has been saved in /usr/local/etc/ssh/ssh_host_rsa_key
Your public key has been saved in /usr/local/etc/ssh/ssh_host_rsa_key.pub

[franco]

Probably related to https://github.com/opnsense/core/commit/0f86d8a06c which wasn't moved to stable for risk of regression, but I see now they meant to disable DSA meaning to disable accepting the config parser input -.-

[franco]

PS: "service openssh onerestart" is really not a good way to deal with this

[Alpha_DE]

I see the same issue after upgrading to 24.1.10

kex_exhange_identification: Connection closed by remote host.

Luckily I could access the console via Proxmox and after reloading all services, ssh did work again.

[franco]

I think this is about presence of an old DSA key, but I'm not sure why it would start breaking at runtime unless it reads the config file on each connect and fails due to having removed the parser support for DSA keys causing a configuration error. That would be pretty stupid.


Cheers,
Franco

[siegfried]

PS: "service openssh onerestart" is really not a good way to deal with this

that may be, what would be the better way?

[franco]

I'm trying to find out what the actual issue is now... brb

[franco]

Restarting from the GUI or console works... or reboot the whole box. Console restart is:

# pluginctl -s openssh restart

It doesn't look related to our changes or DSA then... just the binary update of /usr/local/sbin/sshd that causes the active connection listener to fail to spawn a child process?


Cheers,
Franco

[siegfried]

Choosing menu item 11 (restart all services) after updating seems also to works So happy updating Thanks, Franco.

Siegfried

[franco]

Ok I debugged this by switching binaries... which leads to this error: "-R not supported here"

https://gitlab.archlinux.org/archlinux/packaging/packages/openssh/-/issues/5

[grufo]

to restart ssh via gui: System/Diagnostic/Services - openssh and restart...

[Patrick M. Hausen]

Don't you guys reboot your systems after an update?

[Yorick]

We do restart our opnsense boxes after update, through SSH...

Have had this issue on 3/3 opnsense that were updated through Ansible via SSH so far, and much more to come.

The fix being to login to the GUI and restart openssh service.

But yeah it would be nice if that wasn't necessary.