public inbox for developer@lists.illumos.org (since 2011-08)
 help / color / mirror / Atom feed
* [developer] Sshd fails on OS upgrade
@ 2024-11-05 19:30 Gary Mills
  2024-11-05 20:05 ` Marcel Telka
  2024-11-05 20:27 ` Till Wegmüller
  0 siblings, 2 replies; 8+ messages in thread
From: Gary Mills @ 2024-11-05 19:30 UTC (permalink / raw)
  To: illumos-developer

Yesterday, I upgraded one of my systems from hipster-20230813 to
hipster-20241104.  (The number is the ISO date with dashes removed).
On reboot, everything was successful, except the console said:

SUNW-MSG-ID: SMF-8000-YX, TYPE: defect, VER: 1, SEVERITY: major
EVENT-TIME: Mon Nov  4 16:55:50 CST 2024
PLATFORM: S5510, CSN: empty, HOSTNAME: tyan
SOURCE: software-diagnosis, REV: 0.1
EVENT-ID: 26a5e479-0755-47d0-837d-4a0fbb3f6e99
DESC: A service failed - a start, stop or refresh method failed.
  Refer to http://illumos.org/msg/SMF-8000-YX for more information.
AUTO-RESPONSE: The service has been placed into the maintenance state.
IMPACT: svc:/network/ssh:default is unavailable.
REC-ACTION: Run 'svcs -xv svc:/network/ssh:default' to determine the generic
+reason why the service failed, the location of any logfiles, and a list of
+other services impacted.

The server log said:

[ Nov  4 16:55:49 Executing start method ("/lib/svc/method/sshd start"). ]
/etc/ssh/sshd_config line 85: Deprecated option ServerKeyBits
/etc/ssh/sshd_config line 90: Deprecated option KeyRegenerationInterval
/etc/ssh/sshd_config: line 103: Bad configuration option: MaxAuthTriesLog
/etc/ssh/sshd_config line 132: Deprecated option RhostsAuthentication
/etc/ssh/sshd_config line 138: Deprecated option RhostsRSAAuthentication
/etc/ssh/sshd_config line 145: Deprecated option RSAAuthentication
/etc/ssh/sshd_config: terminating, 1 bad configuration options
[ Nov  4 16:55:49 Method "start" exited with status 95. ]

The configuration file was /etc/ssh/sshd_config .  When I edited that
file to comment out all the Deprecated or Bad options, the service ran
with no fatal errors.  I don't know where that file came from, but it
dates from 2017, and often mentions Oracle and Solaris.  Perhaps it
came with an earlier version of the ssh package.  The options
mentioned all were in the version 1 section.

In any case, the ssh package should include a working configuration
file, for ssh dummies like me.  That way, the service would run
without all those errors.  I don't even use ssh on that system.


-- 
-Gary Mills-            -refurb-                -Winnipeg, Manitoba, Canada-

------------------------------------------
illumos: illumos-developer
Permalink: https://illumos.topicbox.com/groups/developer/Tb0111d8c22b37938-M21e2c46d29da722aba7fb8e6
Delivery options: https://illumos.topicbox.com/groups/developer/subscription

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [developer] Sshd fails on OS upgrade
  2024-11-05 19:30 [developer] Sshd fails on OS upgrade Gary Mills
@ 2024-11-05 20:05 ` Marcel Telka
  2024-11-05 21:34   ` Gary Mills
  2024-11-05 20:27 ` Till Wegmüller
  1 sibling, 1 reply; 8+ messages in thread
From: Marcel Telka @ 2024-11-05 20:05 UTC (permalink / raw)
  To: illumos-developer

On Tue, Nov 05, 2024 at 01:30:23PM -0600, Gary Mills wrote:
> Yesterday, I upgraded one of my systems from hipster-20230813 to
> hipster-20241104.  (The number is the ISO date with dashes removed).
> On reboot, everything was successful, except the console said:

https://openindiana.org/pipermail/openindiana-discuss/2024-October/027030.html

-- 
+-------------------------------------------+
| Marcel Telka   e-mail:   marcel@telka.sk  |
|                homepage: http://telka.sk/ |
+-------------------------------------------+

------------------------------------------
illumos: illumos-developer
Permalink: https://illumos.topicbox.com/groups/developer/Tb0111d8c22b37938-M436f1e1202eae6b8d0254d1d
Delivery options: https://illumos.topicbox.com/groups/developer/subscription

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [developer] Sshd fails on OS upgrade
  2024-11-05 19:30 [developer] Sshd fails on OS upgrade Gary Mills
  2024-11-05 20:05 ` Marcel Telka
@ 2024-11-05 20:27 ` Till Wegmüller
  2024-11-05 21:49   ` Gary Mills
  2024-11-06  0:14   ` Joshua M. Clulow via illumos-developer
  1 sibling, 2 replies; 8+ messages in thread
From: Till Wegmüller @ 2024-11-05 20:27 UTC (permalink / raw)
  To: developer

Hi Gary

This file gets delivered in a working state by the package but as soon 
as you edit it, it will never be touched again by the package system. We 
can only destroy everyones edits by removing preserve=true attribute 
from the file or have this situation happen,

A workaround would be

mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak; pkg fix

once the file is not there it is elegible for restore by IPS.

Hope this helps in the Future
Till

On 05.11.24 20:30, Gary Mills wrote:
> Yesterday, I upgraded one of my systems from hipster-20230813 to
> hipster-20241104.  (The number is the ISO date with dashes removed).
> On reboot, everything was successful, except the console said:
> 
> SUNW-MSG-ID: SMF-8000-YX, TYPE: defect, VER: 1, SEVERITY: major
> EVENT-TIME: Mon Nov  4 16:55:50 CST 2024
> PLATFORM: S5510, CSN: empty, HOSTNAME: tyan
> SOURCE: software-diagnosis, REV: 0.1
> EVENT-ID: 26a5e479-0755-47d0-837d-4a0fbb3f6e99
> DESC: A service failed - a start, stop or refresh method failed.
>    Refer to http://illumos.org/msg/SMF-8000-YX for more information.
> AUTO-RESPONSE: The service has been placed into the maintenance state.
> IMPACT: svc:/network/ssh:default is unavailable.
> REC-ACTION: Run 'svcs -xv svc:/network/ssh:default' to determine the generic
> +reason why the service failed, the location of any logfiles, and a list of
> +other services impacted.
> 
> The server log said:
> 
> [ Nov  4 16:55:49 Executing start method ("/lib/svc/method/sshd start"). ]
> /etc/ssh/sshd_config line 85: Deprecated option ServerKeyBits
> /etc/ssh/sshd_config line 90: Deprecated option KeyRegenerationInterval
> /etc/ssh/sshd_config: line 103: Bad configuration option: MaxAuthTriesLog
> /etc/ssh/sshd_config line 132: Deprecated option RhostsAuthentication
> /etc/ssh/sshd_config line 138: Deprecated option RhostsRSAAuthentication
> /etc/ssh/sshd_config line 145: Deprecated option RSAAuthentication
> /etc/ssh/sshd_config: terminating, 1 bad configuration options
> [ Nov  4 16:55:49 Method "start" exited with status 95. ]
> 
> The configuration file was /etc/ssh/sshd_config .  When I edited that
> file to comment out all the Deprecated or Bad options, the service ran
> with no fatal errors.  I don't know where that file came from, but it
> dates from 2017, and often mentions Oracle and Solaris.  Perhaps it
> came with an earlier version of the ssh package.  The options
> mentioned all were in the version 1 section.
> 
> In any case, the ssh package should include a working configuration
> file, for ssh dummies like me.  That way, the service would run
> without all those errors.  I don't even use ssh on that system.
> 
> 

------------------------------------------
illumos: illumos-developer
Permalink: https://illumos.topicbox.com/groups/developer/Tb0111d8c22b37938-M719ca66e668077a7b9df33fa
Delivery options: https://illumos.topicbox.com/groups/developer/subscription

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [developer] Sshd fails on OS upgrade
  2024-11-05 20:05 ` Marcel Telka
@ 2024-11-05 21:34   ` Gary Mills
  2024-11-05 21:40     ` Marcel Telka
  0 siblings, 1 reply; 8+ messages in thread
From: Gary Mills @ 2024-11-05 21:34 UTC (permalink / raw)
  To: illumos-developer

On Tue, Nov 05, 2024 at 09:05:37PM +0100, Marcel Telka wrote:
> 
> https://openindiana.org/pipermail/openindiana-discuss/2024-October/027030.html

This message suggests that only the ListenAddress option needed to be
changed.  That's certainly not the case for my problem.


-- 
-Gary Mills-            -refurb-                -Winnipeg, Manitoba, Canada-

------------------------------------------
illumos: illumos-developer
Permalink: https://illumos.topicbox.com/groups/developer/Tb0111d8c22b37938-M5e26dbd564d37ffbcbba94bf
Delivery options: https://illumos.topicbox.com/groups/developer/subscription

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [developer] Sshd fails on OS upgrade
  2024-11-05 21:34   ` Gary Mills
@ 2024-11-05 21:40     ` Marcel Telka
  0 siblings, 0 replies; 8+ messages in thread
From: Marcel Telka @ 2024-11-05 21:40 UTC (permalink / raw)
  To: illumos-developer

On Tue, Nov 05, 2024 at 03:34:52PM -0600, Gary Mills wrote:
> On Tue, Nov 05, 2024 at 09:05:37PM +0100, Marcel Telka wrote:
> > 
> > https://openindiana.org/pipermail/openindiana-discuss/2024-October/027030.html
> 
> This message suggests that only the ListenAddress option needed to be
> changed.  That's certainly not the case for my problem.

Please read all the thread.  For example this:
https://openindiana.org/pipermail/openindiana-discuss/2024-October/027032.html

-- 
+-------------------------------------------+
| Marcel Telka   e-mail:   marcel@telka.sk  |
|                homepage: http://telka.sk/ |
+-------------------------------------------+

------------------------------------------
illumos: illumos-developer
Permalink: https://illumos.topicbox.com/groups/developer/Tb0111d8c22b37938-M3523fada1707eecd99662708
Delivery options: https://illumos.topicbox.com/groups/developer/subscription

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [developer] Sshd fails on OS upgrade
  2024-11-05 20:27 ` Till Wegmüller
@ 2024-11-05 21:49   ` Gary Mills
  2024-11-06  0:14   ` Joshua M. Clulow via illumos-developer
  1 sibling, 0 replies; 8+ messages in thread
From: Gary Mills @ 2024-11-05 21:49 UTC (permalink / raw)
  To: illumos-developer

On Tue, Nov 05, 2024 at 09:27:15PM +0100, Till Wegmüller wrote:
> 
> This file gets delivered in a working state by the package but as soon as
> you edit it, it will never be touched again by the package system. We can
> only destroy everyones edits by removing preserve=true attribute from the
> file or have this situation happen,

Oh, it's the opposite from what I assumed.  The config file is
included in the package, but it was not installed.  Changing the
attribute to "preserve=renamenew" would satisfy everybody, but might
require manual renames.  Changing it to "preserve=renameold" would be
better for me, but would cause trouble for other people.


-- 
-Gary Mills-            -refurb-                -Winnipeg, Manitoba, Canada-

------------------------------------------
illumos: illumos-developer
Permalink: https://illumos.topicbox.com/groups/developer/Tb0111d8c22b37938-Ma017888df0c3321e48d63fed
Delivery options: https://illumos.topicbox.com/groups/developer/subscription

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [developer] Sshd fails on OS upgrade
  2024-11-05 20:27 ` Till Wegmüller
  2024-11-05 21:49   ` Gary Mills
@ 2024-11-06  0:14   ` Joshua M. Clulow via illumos-developer
  2024-11-06 21:38     ` Peter Tribble
  1 sibling, 1 reply; 8+ messages in thread
From: Joshua M. Clulow via illumos-developer @ 2024-11-06  0:14 UTC (permalink / raw)
  To: illumos-developer

On Tue, 5 Nov 2024 at 12:27, Till Wegmüller <toasterson@gmail.com> wrote:
> This file gets delivered in a working state by the package but as soon
> as you edit it, it will never be touched again by the package system. We
> can only destroy everyones edits by removing preserve=true attribute
> from the file or have this situation happen,

FWIW, there are at least two other options:

  - only deliver new software that is compatible with the existing
    configuration file (patch software as needed)

  - deliver an SMF service that "upgrades" the configuration, where
    it is mechanically possible to do so, prior to starting the service

Ultimately this is an OpenIndiana-specific issue, though, as we no
longer deliver SSH in illumos itself.  Other distributions are
presumably making different decisions with respect to backwards
compatibility and upgrades, etc.


Cheers.

-- 
Joshua M. Clulow
http://blog.sysmgr.org

------------------------------------------
illumos: illumos-developer
Permalink: https://illumos.topicbox.com/groups/developer/Tb0111d8c22b37938-M293e5a1741d182c425a36bfc
Delivery options: https://illumos.topicbox.com/groups/developer/subscription

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [developer] Sshd fails on OS upgrade
  2024-11-06  0:14   ` Joshua M. Clulow via illumos-developer
@ 2024-11-06 21:38     ` Peter Tribble
  0 siblings, 0 replies; 8+ messages in thread
From: Peter Tribble @ 2024-11-06 21:38 UTC (permalink / raw)
  To: illumos-developer

[-- Attachment #1: Type: text/plain, Size: 1912 bytes --]

On Wed, Nov 6, 2024 at 12:15 AM Joshua M. Clulow via illumos-developer <
developer@lists.illumos.org> wrote:

> On Tue, 5 Nov 2024 at 12:27, Till Wegmüller <toasterson@gmail.com> wrote:
> > This file gets delivered in a working state by the package but as soon
> > as you edit it, it will never be touched again by the package system. We
> > can only destroy everyones edits by removing preserve=true attribute
> > from the file or have this situation happen,
>
> FWIW, there are at least two other options:
>
>   - only deliver new software that is compatible with the existing
>     configuration file (patch software as needed)
>
>   - deliver an SMF service that "upgrades" the configuration, where
>     it is mechanically possible to do so, prior to starting the service
>
> Ultimately this is an OpenIndiana-specific issue, though, as we no
> longer deliver SSH in illumos itself.  Other distributions are
> presumably making different decisions with respect to backwards
> compatibility and upgrades, etc.
>

As those of us who lived through it will remember, the transition from
SunSSH
to OpenSSH in OmniOS was fun. I remember having to push out a specially
fixed
sshd_conf that worked (and satisfied our requirements) with the old and new
ssh,
and then we had to do it again.

https://omnios.org/info/sunssh.html

In Tribblix, I've traditionally unconditionally overwritten sshd_conf on
update, but
recently switched over to retaining a modified version. Time will tell
whether that
causes more problems than it solves.

-- 
-Peter Tribble
http://www.petertribble.co.uk/ - http://ptribble.blogspot.com/

------------------------------------------
illumos: illumos-developer
Permalink: https://illumos.topicbox.com/groups/developer/Tb0111d8c22b37938-M0693e3de48b55c9690f812e0
Delivery options: https://illumos.topicbox.com/groups/developer/subscription

[-- Attachment #2: Type: text/html, Size: 3268 bytes --]

^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2024-11-06 21:40 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-11-05 19:30 [developer] Sshd fails on OS upgrade Gary Mills
2024-11-05 20:05 ` Marcel Telka
2024-11-05 21:34   ` Gary Mills
2024-11-05 21:40     ` Marcel Telka
2024-11-05 20:27 ` Till Wegmüller
2024-11-05 21:49   ` Gary Mills
2024-11-06  0:14   ` Joshua M. Clulow via illumos-developer
2024-11-06 21:38     ` Peter Tribble

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).