Fssh_sshbuf_dup_string - on 2.4.2 to 2.4.4 p1 routine upgrade

dirkx · Dec 13, 2018, 1:34 PM

After a rather routine upgrade from 2.4.2 to 2.4.4p1 I am getting a

Dec 13 11:00:36 router php-fpm[339]: /sshd: The command '/usr/sbin/sshd' returned exit code '1', the output was '/usr/sbin/sshd: Undefined symbol "Fssh_sshbuf_dup_string"'

Does that ring a bell with any one ?

Or alternatively - is there any way to do a 'tripwire' style check of the integrity of all files ?

Thanks !

Dw.

jimp · Dec 13, 2018, 7:27 PM

Sounds like somehow it's using the wrong/unexpected version of a library file.

There are a couple ways to check the integrity of files on the install.

For packaged items:

$ pkg check -s |& egrep -v '(Checking all packages|local/man|local/share/doc|local/info|local/share/aclocal)'

For files included in the base package:

$ /usr/sbin/mtree -e -f /usr/local/share/pfSense/base.mtree -p /

That will print a lot of normal things that have changed like config files, however, so it's not as clear which things are good vs bad.

dirkx · Dec 13, 2018, 7:46 PM

Thanks - that mtree(8) command did the trick -- shows that what I thought was a routine update must have aborted half way through. As a fair number of files has the sha256 of the previous version.

I ended up fetching a fresh image and mounting it to confirm.

So I guess the question is now - how does one 'force' an update - even if the system thinks its update was success-full (the updater shows a happy:

2.4.4-RELEASE-p1 (amd64) 
built on Mon Nov 26 11:40:26 EST 2018 
FreeBSD 11.2-RELEASE-p4 

The system is on the latest version.
Version information updated at Thu Dec 13 18:45:19 UTC 2018

i.e. repeat the process - hopefully without it silently aborting somewhere.

jimp · Dec 13, 2018, 7:48 PM

pkg upgrade -yf would forcefully reinstall everything on top of itself. Then you should reboot it manually after.

dirkx · Dec 13, 2018, 8:02 PM

Would that command include updating the base OS - as it seems the files in /usr/sbin and /usr/lib to be the ones that are affected (as opposed to /usr/local files under ports/pkg) ?

jimp · Dec 13, 2018, 8:28 PM

Yes, it would reinstall those as well since they are a part of the pfSense-base package.

dirkx · Dec 13, 2018, 8:33 PM

Thanks ! Seems to have done the trick quite nicely.

All that is left are a few 10's of mtree deltas on lockdown flags on things like passwd: flags ("schg" is not "schg,uarch").

Thanks a lot !