sshd fails after update to 1.1.4.29 from Openrepo sshd
I just updated to 1.1.4.29, which overall seems to have gone ok. I did encounter a strange side effect, though: after the update, I was no longer able to use ssh to connect to the Jolla. When I then tried to restart sshd from a terminal, I got an error message in the log:
May 10 00:03:25 Jolla systemd[1]: Started OpenSSH server daemon.
May 10 00:03:25 Jolla sshd[2731]: /etc/ssh/sshd_config line 110: Bad yes/no argument: sandbox
May 10 00:03:25 Jolla systemd[1]: sshd.service: main process exited, code=exited, status=255/n/a
May 10 00:03:25 Jolla systemd[1]: Unit sshd.service entered failed state.
May 10 00:03:26 Jolla systemd[1]: sshd.service holdoff time over, scheduling restart.
May 10 00:03:26 Jolla systemd[1]: sshd.service start request repeated too quickly, refusing to start.
May 10 00:03:26 Jolla systemd[1]: Unit sshd.service entered failed state.
I proceeded to modify /etc/ssh/sshd_config and changed the line
UsePrivilegeSeparation sandbox
to
UsePrivilegeSeparation yes
After that change, sshd started normally and I could use ssh again to connect to the Jolla. I just don't have any idea why this occurred - as far as I remember I was running stock sshd before the update.
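
The log line above names the config file, the line number and the rejected value. The script below is an added example, not part of the original post, that extracts those fields from journal text and looks up the directive on that line. The function names, the path prefix argument and the 110-line sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: pull sshd config parse errors out of journal text and
# name the directive each one points at.

# Constructed sample input: journal lines as quoted in the post.
sample_journal() {
cat <<'EOF'
May 10 00:03:25 Jolla systemd[1]: Started OpenSSH server daemon.
May 10 00:03:25 Jolla sshd[2731]: /etc/ssh/sshd_config line 110: Bad yes/no argument: sandbox
May 10 00:03:25 Jolla systemd[1]: sshd.service: main process exited, code=exited, status=255/n/a
EOF
}

# Constructed config tree: 109 filler lines, then the directive on line 110.
make_sample_root() {
    sample_dir=$(mktemp -d)
    mkdir -p "$sample_dir/etc/ssh"
    n=1
    while [ "$n" -le 109 ]; do echo "# filler $n"; n=$((n + 1)); done \
        > "$sample_dir/etc/ssh/sshd_config"
    echo "UsePrivilegeSeparation sandbox" >> "$sample_dir/etc/ssh/sshd_config"
    echo "$sample_dir"
}

# stdin: journal text. stdout: file:line:value per "Bad yes/no argument" error.
parse_sshd_errors() {
    sed -n 's|^.* sshd\[[0-9]*]: \(/[^ ]*\) line \([0-9][0-9]*\): Bad yes/no argument: \(.*\)$|\1:\2:\3|p'
}

# stdin: journal text. $1: optional prefix for the config path (for offline copies).
report_bad_directives() {
    prefix=${1:-}
    parse_sshd_errors | while IFS=: read -r file line value; do
        directive=$(sed -n "${line}p" "$prefix$file" 2>/dev/null | awk '{print $1}')
        echo "$file:$line: sshd rejected '$value' for ${directive:-?}"
    done
}

demo_root=$(make_sample_root)
sample_journal | report_bad_directives "$demo_root"
rm -rf "$demo_root"
```

On a live system, running `sshd -t` before restarting the service reports the same parse error while the running daemon keeps serving connections.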

I'm on OpenSSH_6.8p1 with OpenSSL 1.0.2a and have no issues whatsoever even with UsePrivilegeSeparation set to 'sandbox'
J4ZZ ( 2015-05-10 22:13:40 +0300 )

@J4ZZ Please be aware that OpenSSL 1.0.2 is not ABI compatible with 1.0.1 and at some point you might end up with lots of problems with it.
tigeli ( 2015-05-10 23:07:16 +0300 )

Are you sure?
First line in the release news says
"The OpenSSL project has released its second feature release of the OpenSSL 1.0 series, version 1.0.2 which is ABI compatible with the 1.0.0 and 1.0.1 series."
It says "is"
J4ZZ ( 2015-05-10 23:56:09 +0300 )

@J4ZZ It's not 100% compatible. ;) See:
http://upstream-tracker.org/compat_reports/openssl/1.0.1m_to_1.0.2/abi_compat_report.html
Anyway I'm more worried about issues like:
https://github.com/excon/excon/issues/467
which then causes things like: https://github.com/excon/excon/pull/490/files
tigeli ( 2015-05-11 01:23:04 +0300 )

I don't trust that upstream tracker ;) So far, ruby (2.1,1) didn't give me issues (used it to install metasploit, which is using many ruby modules). I assume different builds can cause different issues. Most likely to my best guess, ruby in those were not compiled against 1.0.2. Will keep an eye on this, and for sure update when needed, if needed.
Nieldk ( 2015-05-11 11:44:09 +0300 )