Fssh_sshbuf_dup_string - on 2.4.2 to 2.4.4 p1 routine upgrade

  • After a rather routine upgrade from 2.4.2 to 2.4.4p1 I am getting a

    Dec 13 11:00:36 router php-fpm[339]: /sshd: The command '/usr/sbin/sshd' returned exit code '1', the output was '/usr/sbin/sshd: Undefined symbol "Fssh_sshbuf_dup_string"'

    Does that ring a bell with any one ?

    Or alternatively - is there any way to do a 'tripwire' style check of the integrity of all files ?

    Thanks !


  • Rebel Alliance Developer Netgate

    Sounds like somehow it's using the wrong/unexpected version of a library file.

    There are a couple ways to check the integrity of files on the install.

    For packaged items:

    $ pkg check -s |& egrep -v '(Checking all packages|local/man|local/share/doc|local/info|local/share/aclocal)'

    For files included in the base package:

    $ /usr/sbin/mtree -e -f /usr/local/share/pfSense/base.mtree -p /

    That will print a lot of normal things that have changed like config files, however, so it's not as clear which things are good vs bad.

  • Thanks - that mtree(8) command did the trick -- shows that what I thought was a routine update must have aborted half way through. As a fair number of files has the sha256 of the previous version.

    I ended up fetching a fresh image and mounting it to confirm.

    So I guess the question is now - how does one 'force' an update - even if the system thinks its update was success-full (the updater shows a happy:

    2.4.4-RELEASE-p1 (amd64) 
    built on Mon Nov 26 11:40:26 EST 2018 
    FreeBSD 11.2-RELEASE-p4 
    The system is on the latest version.
    Version information updated at Thu Dec 13 18:45:19 UTC 2018

    i.e. repeat the process - hopefully without it silently aborting somewhere.

  • Rebel Alliance Developer Netgate

    pkg upgrade -yf would forcefully reinstall everything on top of itself. Then you should reboot it manually after.

  • Would that command include updating the base OS - as it seems the files in /usr/sbin and /usr/lib to be the ones that are affected (as opposed to /usr/local files under ports/pkg) ?

  • Rebel Alliance Developer Netgate

    Yes, it would reinstall those as well since they are a part of the pfSense-base package.

  • Thanks ! Seems to have done the trick quite nicely.

    All that is left are a few 10's of mtree deltas on lockdown flags on things like passwd: flags ("schg" is not "schg,uarch").

    Thanks a lot !

Log in to reply