The Wiert Corner – irregular stream of stuff

Before upgrading Tumbleweed this week, you need to review your openssh config.

This is not mentioned in Review of the week 2018/03 – Dominique a.k.a. DimStar (Dim*), but very important.

So be sure to read these before upgrading:

• [WayBack] OpenSSH 7.5 has just been released… Future deprecation notice … Potentially-incompatible changes
• [WayBack] OpenSSH 7.6 has just been released… Potentially-incompatible changes

If you forget to review /etc/ssh/sshd_config, you get this in journalctl if you have specified your own MACs for instance when hardening according to [WayBack including rimemd160] Secure Secure Shell:

-- Subject: Unit sshd.service has finished start-up
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit sshd.service has finished starting up.
--
-- The start-up result is done.
Jan 20 21:02:43 revue sshd[3679]: /etc/ssh/sshd_config line 126: Deprecated option UsePrivilegeSeparation
Jan 20 21:02:43 revue sshd[3679]: /etc/ssh/sshd_config line 157: Bad SSH2 mac spec 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-
Jan 20 21:02:43 revue systemd[1]: sshd.service: Main process exited, code=exited, status=255/n/a
Jan 20 21:02:43 revue systemd[1]: sshd.service: Unit entered failed state.
Jan 20 21:02:43 revue systemd[1]: sshd.service: Failed with result 'exit-code'.
Jan 20 21:02:43 revue systemd[1]: sshd.service: Service hold-off time over, scheduling restart.
Jan 20 21:02:43 revue systemd[1]: Stopped OpenSSH Daemon.
-- Subject: Unit sshd.service has finished shutting down
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit sshd.service has finished shutting down.

This gets you a more complete error message:

# `which sshd`
/etc/ssh/sshd_config line 126: Deprecated option UsePrivilegeSeparation
/etc/ssh/sshd_config line 157: Bad SSH2 mac spec 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com'.

You can basically comment out or remove the UsePrivilegeSeparation  line, as the 7.5 release notes tell this:

This release deprecates the sshd_config UsePrivilegeSeparation
   option, thereby making privilege separation mandatory. Privilege
   separation has been on by default for almost 15 years and
   sandboxing has been on by default for almost the last five.

Then change your MAC line and remove both these entries:

• hmac-ripemd160-etm@openssh.com
• hmac-ripemd160

You can verify the supported mac by running # ssh -Q mac which on my system returns this:

hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
umac-64@openssh.com
umac-128@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com

I’ve asked DimStar to emphasis the above changes in response to [WayBack] Dominique / DimStar on Twitter: Week 2018/3 had a lot of good things for @openSUSE #Tumbleweed users, crammed into 4 snapshots. The weekly review is out!.

These posts helped me a lot to figure out the above:

• [WayBack] SSH meldet „Bad SSH2 Mac spec“ « think eMeidi
• [WayBack] File openssh.changes of Package openssh – openSUSE Build Service

–jeroen