After pacman update and reboot, sshd failed to load.
sshd Log Messages in JournalCtl
Oct 13 07:29:31 sd110 sshd[20847]: /etc/ssh/sshd_config line 127: Bad SSH2 mac spec 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,hmac-sha1-96'.
Oct 13 07:29:31 sd110 systemd[1]: sshd.service: Main process exited, code=exited, status=255/n/a
Oct 13 07:29:31 sd110 systemd[1]: sshd.service: Failed with result 'exit-code'.
Release notes for OpenSSH 7.6: https://www.openssh.com/txt/release-7.6
* ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC.
Edited /etc/ssh/sshd_config
Removed "hmac-ripemd160," from the MACs configuration line
Service starts normally after.
Ideally this would be done before rebooting when updating OpenSSH.
Cheers
PS I should add that the MACs configuration line is not in /etc/ssh/sshd_config by default. So this only applies if you have a custom sshd configuration. We have it added to ours to attempt the more secure methods before the less.
Last edited by TeknoBilly (2017-10-13 17:10:14)
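One way to run the check before restarting or rebooting, as an added example that is not part of the original thread: it compares the MACs line in sshd_config against the MACs the installed OpenSSH reports, then runs sshd's own config test. The function names are hypothetical, and the script assumes a single plain comma-separated MACs line (no +/- prefixes, no Include files); `ssh -Q mac` and `sshd -t` are standard OpenSSH options.

```shell
#!/bin/sh
# Added example: list MACs named in an sshd_config that the installed OpenSSH
# no longer supports. Assumes a plain comma-separated "MACs" line.

# unsupported_macs CONFIG SUPPORTED_FILE
# Prints each configured MAC that is absent from SUPPORTED_FILE (one per line).
unsupported_macs() {
    awk 'tolower($1) == "macs" { for (i = 2; i <= NF; i++) print $i }' "$1" |
        tr ',' '\n' |
        while read -r mac; do
            [ -n "$mac" ] || continue
            grep -qxF -- "$mac" "$2" || printf '%s\n' "$mac"
        done
}

# precheck_sshd [CONFIG]: run after upgrading openssh, before restart or reboot.
# Returns non-zero if a MAC is unsupported or if "sshd -t" rejects the config.
precheck_sshd() {
    cfg=${1:-/etc/ssh/sshd_config}
    supported=$(mktemp) || return 2
    ssh -Q mac > "$supported"           # MACs built into the installed OpenSSH
    bad=$(unsupported_macs "$cfg" "$supported")
    rm -f "$supported"
    for mac in $bad; do
        printf '%s: unsupported MAC %s\n' "$cfg" "$mac" >&2
    done
    [ -z "$bad" ] && sshd -t -f "$cfg"  # -t: parse config and keys, then exit
}

# Constructed demo: the MACs line from the log above, checked against a
# constructed "supported" list that lacks hmac-ripemd160.
demo_constructed() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' '#MACs hmac-md5' \
        'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,hmac-sha1-96' \
        > "$dir/sshd_config"
    printf '%s\n' hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com \
        umac-128-etm@openssh.com hmac-sha2-512 hmac-sha2-256 hmac-sha1-96 \
        > "$dir/supported"
    unsupported_macs "$dir/sshd_config" "$dir/supported"
    rm -rf "$dir"
}

demo_constructed    # prints: hmac-ripemd160
```

On a real host, call `precheck_sshd` as root after the package upgrade; `sshd -t` needs to read the host keys.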
This is to be expected as you pointed out. Since you modified your sshd_config to implicitly define these, you had the issue. Users who use the package provided config will not have this issue. In any case, the wiki is a better place for this info, not a random bbs post.
I would say that this is a bug in openssh - it should just *warn* about the unavailable MAC, rather than fail to start. SSH is too important.
After pacman update and reboot, sshd failed to load.
Edited /etc/ssh/sshd_config
Removed "hmac-ripemd160," from the MACs configuration line
Service starts normally after.
Thanks. Saved me a lot of time!
I only stumbled across the problem yesterday. When I investigated the sshd_config, I discovered that there was an sshd_config.pacnew file from earlier this month. Swapping it in also corrects the problem.
However, now that I know exactly which MAC to remove, I may swap my old one back in. I'm pretty sure I had some of my own customizations to the default for security purposes.
Tim