# FreeBSD 9.0 RELEASE + sshd



## xy16644 (Jun 10, 2012)

I've just completed upgrading my system from 8.2 to 9.0 RELEASE. After the upgrade was complete I rebuilt all my ports.

One strange thing happened with SSH. After the upgrade it wasn't running and trying to start it with:

`# /etc/rc.d/sshd start`

gave the error:


```
/etc/rc.d/sshd: Command not found.
```

After a bit of research I added this to /etc/rc.conf:

```
openssh_enable="YES"
```

I also commented out the following in /etc/rc.conf:

```
#sshd_enable="YES"
#sshd_program="/usr/local/sbin/sshd"
```

After rebooting I could SSH into my server again. Did I do the correct thing here? I still can't stop/start/restart SSH with:

`# /etc/rc.d/sshd start`


----------



## kpa (Jun 10, 2012)

Any reason why you're using sshd(8) from ports when there's one already in the base OS? The /etc/rc.d/sshd file can not be used to start the one in ports, the correct file is probably /usr/local/etc/rc.d/openssh. The service(8) utility knows automatically which one to use:

`# service openssh start`


----------



## xy16644 (Jun 10, 2012)

Good question! When I built this server...it was running FreeBSD 7.2 and at the time I followed the instructions in the book "Building a Server with FreeBSD 7 A Modular Approach" and the way to install/configure an OpenSSH server was done from ports.

Is there anything I should do to correct this now that I have upgraded to 9.0? I had commented out the old SSH lines in my /etc/rc.conf. Is this enough?


----------



## kpa (Jun 10, 2012)

You need to copy the key files from /usr/local/etc/ssh (I think that's the correct path) to /etc/ssh and verify the settings in /etc/ssh/sshd_config that no references to /usr/local/etc/ssh remain. Then it's just `sshd_enable="YES"` in /etc/rc.conf and `# service sshd start` should start the sshd correctly.

If you have the system sources of 9.0 installed you can just copy the default configuration files from /usr/src/crypto/openssh/ssh/ssh(d)_config to /etc/ssh so you can redo the configuration from clean state.


----------



## xy16644 (Jun 10, 2012)

Thanks for your reply! Looks like all my config files are already in /etc/ssh. There's no reference to /usr/local/etc/ssh in /etc/ssh/sshd_config.

If I edit /etc/rc.conf and comment out `openssh_enable="YES"` but enable (or uncomment) `#sshd_enable="YES"` then I get the following error when I run:

`# service sshd start`


```
sshd does not exist in /etc/rc.d or the local startup
directories (/usr/local/etc/rc.d)
```

So just to clarify, which is the correct built in SSH version I should be using?

Currently the OpenSSH version is running and working fine now but I am unsure after what you have mentioned.

Thanks!


----------



## kpa (Jun 10, 2012)

I think you're missing parts of /etc/rc.d (was the openssh installed with some option that replaced the base sshd?), again if you have the system sources copy /usr/src/etc/rc.d/sshd to /etc/rc.d/ and try again.


----------



## xy16644 (Jun 10, 2012)

I have now copied /usr/src/etc/rc.d/sshd to /etc/rc.d/ and re-enabled `sshd_enable="YES"` in /etc/rc.conf but now I get this when I try to start the sshd service:

```
/etc/rc.d/sshd: WARNING: /usr/bin/ssh-keygen does not exist.
/etc/rc.d/sshd: WARNING: failed precmd routine for sshd
```

Seem to have gotten a bit further!


----------



## kpa (Jun 10, 2012)

I don't guarantee this will work so make some kind of backup of your existing ssh related files before trying it.

```
# cd /usr/src/secure/usr.bin/ssh-keygen
# make clean
# make depend
# make
# make install
```

Oh and it probably doesn't hurt to do the same in /usr/src/secure/usr.sbin/sshd to make sure the sshd binary is in sync with 9.0-RELEASE.


----------



## xy16644 (Jun 10, 2012)

kpa said:

> I don't guarantee this will work so make some kind of backup of your existing ssh related files  before trying it.
> 
> `# cd /usr/src/secure/usr.bin/ssh-keygen`
> `# make clean`
> ...



Don't think this did much.

`# make clean` had the following output:

```
rm -f ssh-keygen ssh-keygen.o roaming_dummy.o ssh-keygen.1.gz ssh-keygen.1.cat.gz
```

`# make depend` had the following output:

```
make: don't know how to make ssh-keygen.c. Stop
```

`# make` had the following output:

```
Warning: Object directory not changed from original /usr/src/secure/usr.bin/ssh-keygen
make: don't know how to make ssh-keygen.c. Stop
```

`# make install` had the following output:

```
install -s -o root -g wheel -m 555   ssh-keygen /usr/bin
install: ssh-keygen: No such file or directory
*** Error code 71

Stop in /usr/src/secure/usr.bin/ssh-keygen.
```

Not the right thing to do?


----------



## kpa (Jun 10, 2012)

Hmm, I guess that works for me because I have done a `make buildworld` and the necessary files are in place at /usr/obj. You don't have to do that, you can fetch the base distribution of FreeBSD 9.0 from the ftp site and extract the needed files from that.

`# cd /tmp`

Substitute i386 with amd64 if your system is amd64.

`# fetch ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/i386/9.0-RELEASE/base.txz`

`# tar -x -z -v -C / -f base.txz usr/sbin/sshd usr/bin/ssh-keygen usr/bin/ssh-add usr/bin/ssh-keyscan usr/bin/scp usr/bin/sftp usr/bin/ssh-agent`

Careful with that, you want to extract only the listed files, nothing else. Double check what you're typing.


----------



## xy16644 (Jun 10, 2012)

That's strange, I upgraded from source and did `make buildworld`.

I've downloaded the base.txz file to my /tmp folder.

The next bit looks scary hah! Is it basically extracting those files in the command from the base.txz file and putting them in the correct folders off the root?

Just want to make sure I don't mess it up!


----------



## kpa (Jun 10, 2012)

It will extract the files directly to correct locations. Just make sure you don't fat finger anything, extracting for example /etc by accident would overwrite your master.passwd file with an initial version of the file and you would lose all user accounts.

If you're unsure you can leave the -C / option out and tar(1) will extract the files as /tmp/usr/sbin/sshd etc. and you can copy those manually to correct locations.


----------
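
Added example, not part of the thread: one way to make the "extract only the listed files" step above harder to fat-finger is to check every requested member against an allowlist and unpack into a staging directory for review before anything is copied onto /. The function names, the staging layout and the small uncompressed sample archive standing in for base.txz are assumptions constructed for the demonstration; the allowlist is the file list given in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). ALLOW is the thread's file list plus
# the library mentioned later in it; everything else is refused.
ALLOW="usr/sbin/sshd usr/bin/ssh-keygen usr/bin/ssh-add usr/bin/ssh-keyscan
usr/bin/scp usr/bin/sftp usr/bin/ssh-agent usr/lib/libssh.so.5"

is_allowed() {
    for a in $ALLOW; do
        if [ "$a" = "$1" ]; then return 0; fi
    done
    return 1
}

# stage_extract ARCHIVE STAGEDIR MEMBER...
# Validates all members first, then extracts into STAGEDIR (never onto /).
stage_extract() {
    archive=$1; stage=$2; shift 2
    # tar with no member list unpacks the whole archive, so insist on one.
    [ "$#" -gt 0 ] || { echo "no members given" >&2; return 1; }
    for m in "$@"; do
        if ! is_allowed "$m"; then
            echo "refusing member not on allowlist: $m" >&2
            return 1
        fi
    done
    mkdir -p "$stage" || return 1
    tar -x -C "$stage" -f "$archive" "$@" || return 1
    # List exactly what landed so it can be reviewed before copying into place.
    (cd "$stage" && find . -type f | sort)
}

# Constructed sample archive standing in for base.txz (placeholder contents).
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/src/usr/sbin" "$d/src/usr/bin" "$d/src/etc"
    echo sshd > "$d/src/usr/sbin/sshd"
    echo keygen > "$d/src/usr/bin/ssh-keygen"
    echo accounts > "$d/src/etc/master.passwd"
    tar -c -f "$d/base.tar" -C "$d/src" usr etc
    echo "$d"
}

work=$(make_sample)
stage_extract "$work/base.tar" "$work/stage" usr/sbin/sshd usr/bin/ssh-keygen
# A slip such as a stray "etc" argument is rejected before tar runs at all.
stage_extract "$work/base.tar" "$work/stage" usr/sbin/sshd etc || echo "typo caught"
```
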



## xy16644 (Jun 10, 2012)

kpa said:

> It will extract the files directly to correct locations. Just make sure you don't fat finger anything, extracting  for example /etc by accident would overwrite your master.passwd file with an initial version of the file and you would lose all user accounts.
> 
> If you're unsure you can leave the -C / option out and tar(1) will extract the files as /tmp/usr/sbin/sshd etc. and you copy those manually to correct locations.



Right, did all that and this is the outcome:

```
service sshd start

You already have an RSA host key in /etc/ssh/ssh_host_key
Skipping protocol version 1 RSA Key Generation
You already have a DSA host key in /etc/ssh/ssh_host_dsa_key
Skipping protocol version 2 DSA Key Generation
You already have an RSA host key in /etc/ssh/ssh_host_rsa_key
Skipping protocol version 2 RSA Key Generation
Generating public/private ecdsa key pair.
key_generate: unknown type 5
/etc/rc.d/sshd: WARNING: failed precmd routine for sshd
```

Still no luck...hasn't been a good day for SSH!


----------



## kpa (Jun 10, 2012)

I think you need to extract /usr/lib/libssh.so.5 from base.txz as well using the same method.

Also move away any old copies of those binaries and libraries you find in /usr/local/bin, /usr/local/sbin and /usr/local/lib.


----------



## xy16644 (Jun 10, 2012)

I can see libssh.so.5 is already in /usr/lib/libssh.so.5. Should I go ahead and overwrite it?


----------



## kpa (Jun 10, 2012)

It shouldn't break anything.


----------



## xy16644 (Jun 10, 2012)

Woohoo, it worked! Once that file was copied across and I stopped the OpenSSH service...I could successfully start the sshd service!

Thank you very much!

I was wondering, could I need to do something similar to this to get my SASL problem working:

http://forums.freebsd.org/showthread.php?t=32393

I see that's moaning about a library file too called:
/usr/local/lib/sasl2/libgs2.so.2


----------



## kpa (Jun 10, 2012)

That sounds like a different problem to me, maybe a mismatch with GSSAPI (that's KERBEROS I think) options between some ports?


----------



## xy16644 (Jun 10, 2012)

Well that's the thing, I am stumped with the problem at hand. I can't rebuild the port (think it moans about krb5?). How does one handle a mismatch? Rebuild krb5? Baffled.

PS: Rebuilding /usr/ports/security/krb5 did nothing to help.


----------

