#1 2017-10-13 16:13:00

TeknoBilly
Member
Registered: 2016-04-30
Posts: 3

OpenSSH 7.6 from 7.5. sshd fails. hmac-ripemd160 deprecated

After pacman update and reboot, sshd failed to load.   

sshd Log Messages in JournalCtl
Oct 13 07:29:31 sd110 sshd[20847]: /etc/ssh/sshd_config line 127: Bad SSH2 mac spec 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,hmac-sha1-96'.
Oct 13 07:29:31 sd110 systemd[1]: sshd.service: Main process exited, code=exited, status=255/n/a
Oct 13 07:29:31 sd110 systemd[1]: sshd.service: Failed with result 'exit-code'.

Release notes for OpenSSH 7.6: https://www.openssh.com/txt/release-7.6
* ssh(1)/sshd(8): remove support for the hmac-ripemd160 MAC.

Edited /etc/ssh/sshd_config
Removed "hmac-ripemd160," from the MACs configuration line

Service starts normally after.

Ideally this would be done before rebooting when updating OpenSSH.

Cheers

PS I should add that the MACs configuration line is not in /etc/ssh/sshd_config by default. So this only applies if you have a custom sshd configuration. We have it added to ours to attempt the more secure methods before the less.

Last edited by TeknoBilly (2017-10-13 17:10:14)
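
Added example, not part of the post above and not OpenSSH's own tooling: a check to run after the package upgrade and before restarting sshd or rebooting, which compares the MACs line in a custom sshd_config against the MACs the installed build supports. The names unsupported_macs and demo are hypothetical, and the supported list in demo is constructed from the MACs in the log above.

```shell
#!/bin/sh
# Added example (not from the thread): list MACs named in an sshd_config
# that are missing from the installed OpenSSH's supported set.

# unsupported_macs CONFIG SUPPORTED   (hypothetical helper name)
#   CONFIG     path to an sshd_config
#   SUPPORTED  file with one MAC name per line, e.g. from `ssh -Q mac`
# Prints every MAC on the first MACs line that SUPPORTED does not contain.
# Assumptions: Include files and Match blocks are not followed, and a list
# that starts with '-' (removal patterns) is skipped.
unsupported_macs() {
    config=$1
    supported=$2
    awk 'tolower($1) == "macs" { $1 = ""; print; exit }' "$config" |
        tr -d ' \t' |          # drop whitespace around the list
        grep -v '^-' |         # skip removal-pattern lists
        sed 's/^[+^]//' |      # strip an append/prepend modifier
        tr ',' '\n' |
        while IFS= read -r mac; do
            [ -n "$mac" ] || continue
            grep -qxF -- "$mac" "$supported" || printf '%s\n' "$mac"
        done
}

# Demo on constructed files: the MACs value is the one from the log above,
# the supported list is a constructed stand-in for `ssh -Q mac` output.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample config' 'Port 22' \
        'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,hmac-sha1-96' \
        > "$tmp/sshd_config"
    printf '%s\n' hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com \
        umac-128-etm@openssh.com hmac-sha2-512 hmac-sha2-256 hmac-sha1-96 \
        > "$tmp/supported"
    unsupported_macs "$tmp/sshd_config" "$tmp/supported"
    rm -rf "$tmp"
}
demo

# Real use, after the upgrade and before restarting sshd:
#   ssh -Q mac > /tmp/macs.supported
#   unsupported_macs /etc/ssh/sshd_config /tmp/macs.supported
#   sshd -t    # sshd's own config test; exits non-zero on a bad MAC spec
```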

#2 2017-10-13 20:16:24

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,597

Re: OpenSSH 7.6 from 7.5. sshd fails. hmac-ripemd160 deprecated

This is to be expected as you pointed out.  Since you modified your sshd_config to implicitly define these, you had the issue.  Users who use the package provided config will not have this issue.  In any case, the wiki is a better place for this info, not a random bbs post.


CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs

#3 2017-10-13 20:38:55

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: OpenSSH 7.6 from 7.5. sshd fails. hmac-ripemd160 deprecated

I would say that this is a bug in openssh - it should just *warn* about the unavailable MAC, rather than fail to start. SSH is too important.

#4 2017-10-21 01:14:59

MountainX
Member
Registered: 2016-02-08
Posts: 371

Re: OpenSSH 7.6 from 7.5. sshd fails. hmac-ripemd160 deprecated

TeknoBilly wrote:

After pacman update and reboot, sshd failed to load.   

Edited /etc/ssh/sshd_config
Removed "hmac-ripemd160," from the MACs configuration line

Service starts normally after.

Thanks. Saved me a lot of time!

#5 2017-10-25 15:34:23

ratcheer
Member
Registered: 2011-10-09
Posts: 912

Re: OpenSSH 7.6 from 7.5. sshd fails. hmac-ripemd160 deprecated

I only stumbled across the problem yesterday. When I investigated the sshd_config, I discovered that there was a sshd_config.pacnew file from earlier this month. Swapping it in also corrects the problem.

However, now that I know exactly which MAC to remove, I may swap my old one back in. I'm pretty sure I had some of my own customizations to the default for security purposes.

Tim
