Sshd won't start after first reboot. Firstly it works for me… but then...
-
sshd won't start after the first reboot. Firstly it works for me… but then... I add it to and then remove it from "service watchdog", and then sshd won't come up, even through the services applet. So I removed it from watchdog (cleared the whole watchdog list). But I still can't start it again, even if I enable/disable it a few times through the web interface. :'( I've sent a few crashes to the devs, here is the last one:
Crash report begins. Anonymous machine information:
amd64
10.1-RC3
FreeBSD 10.1-RC3 #38 3ed8b80(releng/10.1)-dirty: Fri Oct 24 12:25:53 CDT 2014 root@pf22-amd64-snap:/usr/obj.amd64/usr/pfSensesrc/src/sys/pfSense_SMP.10
Crash report details:
PHP Errors:
[25-Oct-2014 08:44:55 Europe/Moscow] PHP Parse error: syntax error, unexpected '}' in /etc/sshd on line 130
[25-Oct-2014 08:45:16 Europe/Moscow] PHP Fatal error: Cannot redeclare byte_convert() (previously declared in /usr/local/pkg/phpservice.inc:52) in /usr/local/pkg/backup.inc on line 43
[25-Oct-2014 08:48:12 Europe/Moscow] PHP Parse error: syntax error, unexpected '}' in /etc/sshd on line 130
[25-Oct-2014 08:48:37 Europe/Moscow] PHP Parse error: syntax error, unexpected '}' in /etc/sshd on line 130
[25-Oct-2014 08:56:04 Europe/Moscow] PHP Parse error: syntax error, unexpected '}' in /etc/sshd on line 130
Hope you can find what it is ;D I am going to sleep now. Still, I tried most of the packages and they mostly work out for me, but any of squid :o… nvm, it is BETA, so even so I am glad to send a few crash reports. Could you implement some automatic crash sending thing in pfSense 2.2 or the next version? Because I think automatic sending is way better than manual and probably much more reliable.
-
/etc/sshd master version in GitHub does not look like it has any mis-matched {} pairs, and no } at line 130.
What is actually in your /etc/sshd?
(Diagnostics->Edit file)
-
I did not edit any files, I just added some services to the installed package called "service watchdog" and then deleted all services from the watchdog relaunch list, so it is clear right now. Maybe some of my packages can also interfere with my configs, but since I rebooted my system the first time ssh worked as intended for me. Maybe I just need to reset my box after the 2.1.5 -> 2.2 RC-3 update to fix this behaviour? Just waiting for some advice ;D Anyway, this is a home box so no worries about it, I can switch my screen to the box at any time through my D-Link KVM switch and access all options locally. So if you have any ideas I will gladly listen to your tips, but I am not a professional programmer and I look at this code like a dumb cow :D
/etc/sshd
[code]
#!/usr/local/bin/php -f
<?php
/*
	sshd - Modified to work on disk based system
	Copyright 2004 Scott K Ullrich

	Original Copyright (C) 2004 Fred Mol <fredmol@xs4all.nl>.
	All rights reserved.

	Redistribution and use in source and binary forms, with or without
	modification, are permitted provided that the following conditions are met:

	1. Redistributions of source code must retain the above copyright notice,
	   this list of conditions and the following disclaimer.

	2. Redistributions in binary form must reproduce the above copyright
	   notice, this list of conditions and the following disclaimer in the
	   documentation and/or other materials provided with the distribution.

	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
	POSSIBILITY OF SUCH DAMAGE.
*/
require_once("globals.inc");
require_once("config.inc");
require_once("functions.inc");
require_once("shaper.inc");

if (!isset($config['system']['enablesshd'])) {
	return;
}

/* are we already running? if not, do conf_mount_rw(), otherwise it should already be rw */
if (!is_subsystem_dirty('sshdkeys')) {
	conf_mount_rw();
}

$keys = array(
	'ssh_host_key',
	'ssh_host_key.pub',
	'ssh_host_dsa_key',
	'ssh_host_dsa_key.pub',
	'ssh_host_rsa_key',
	'ssh_host_rsa_key.pub',
	'ssh_host_ecdsa_key',
	'ssh_host_ecdsa_key.pub',
	'ssh_host_ed25519_key',
	'ssh_host_ed25519_key.pub'
);

/* restore ssh data for nanobsd platform */
if($g['platform'] == "nanobsd" and file_exists("/conf/sshd/ssh_host_key") and !file_exists("/etc/ssh/ssh_host_key.pub")) {
	echo "Restoring SSH from /conf/sshd/";
	exec("/bin/cp -p /conf/sshd/* /etc/ssh/");

	/* make sure host private key permissions aren't too open so sshd won't complain */
	foreach($keys as $f2c) {
		if(file_exists("/etc/ssh/{$f2c}"))
			chmod("/etc/ssh/{$f2c}", 0600);
	}
}

/* if any of these files are 0 bytes then they are corrupted.
 * remove them
 */
foreach($keys as $f2c) {
	if (file_exists("/etc/ssh/{$f2c}") && filesize("/etc/ssh/{$f2c}") == 0) {
		unlink_if_exists('/etc/ssh/ssh_host*');
		break;
	}
}

if (!is_dir("/var/empty")) {
	/* make ssh home directory */
	mkdir("/var/empty", 0555);
}

if(!file_exists("/var/log/lastlog")) {
	/* Login related files. */
	@touch("/var/log/lastlog");
}

$sshConfigDir = "/etc/ssh";

if (is_array($config['system']['ssh']) && !empty($config['system']['ssh']['port']))
	$sshport = $config['system']['ssh']['port'];
else
	$sshport = 22;

/* Include default configuration for pfSense */
$sshconf = "# This file is automatically generated at startup\n";
$sshconf .= "Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc\n";
$sshconf .= "PermitRootLogin yes\n";
$sshconf .= "Compression yes\n";
$sshconf .= "ClientAliveInterval 30\n";
$sshconf .= "UseDNS no\n";
$sshconf .= "X11Forwarding no\n";
if (isset($config['system']['ssh']['sshdkeyonly'])) {
	$sshconf .= "# Login via Key only\n";
	$sshconf .= "PasswordAuthentication no\n";
	$sshconf .= "ChallengeResponseAuthentication no\n";
	$sshconf .= "PubkeyAuthentication yes\n";
} else {
	$sshconf .= "# Login via Key and Password\n";
	$sshconf .= "PasswordAuthentication yes\n";
	$sshconf .= "ChallengeResponseAuthentication yes\n";
	$sshconf .= "PubkeyAuthentication yes\n";
}
$sshconf .= "# override default of no subsystems\n";
$sshconf .= "Subsystem sftp /usr/libexec/sftp-server\n";
/* Only allow protocol 2, because we say so */
$sshconf .= "Protocol 2\n";
/* Run the server on another port if we have one defined */
$sshconf .= "Port $sshport\n";
if(file_exists("/etc/ssh/sshd_extra")){$sshconf.=file_get_contents("/etc/ssh/sshd_extra");}
/* Hide FreeBSD version */
$sshconf .= "VersionAddendum \n";

/* Apply package SSHDCond settings if config file exists */
	$szExtra = fread($fdExtra, 1048576); // Read up to 1MB from extra file
	$sshconf .= $szExtra;
	fclose($fdExtra);
}

/* Write the new sshd config file */
@file_put_contents("/etc/ssh/sshd_config", $sshconf);

/* mop up from a badly implemented ssh keys -> cf backup */
if($config['ssh']['dsa_key'] <> "") {
	unset($config['ssh']['dsa_key']);
	unset($config['ssh']['ecdsa_key']);
	unset($config['ssh']['ed25519_key']);
	unset($config['ssh']['rsa_key']);
	unset($config['ssh']['rsa1_key']);
	unset($config['ssh']['dsa']);
	unset($config['ssh']['rsa']);
	unset($config['ssh']['rsa1']);
	unset($config['ssh']['ak']);
	write_config("Clearing SSH keys from config.xml");
}

/* are we already running? if so exit */
if(is_subsystem_dirty('sshdkeys')) {
	unset($keys);
	return;
}

// Check for all needed key files. If any are missing, the keys need to be regenerated.
$generate_keys = false;
foreach ($keys as $f2c) {
	if (!file_exists("/etc/ssh/{$f2c}")) {
		$generate_keys = true;
		break;
	}
}

if ($generate_keys) {
	/* remove previous keys and regen later */
	file_notice("SSH", "{$g['product_name']} has started creating your SSH keys. SSH Startup will be delayed. Please note that reloading the filter rules and changes will be delayed until this operation is completed.", "SSH KeyGen", "");
	unlink_if_exists('/etc/ssh/ssh_host_*');
	mark_subsystem_dirty('sshdkeys');
	echo " Generating Keys:\n";
	$_gb = exec("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t rsa1 -N '' -f $sshConfigDir/ssh_host_key");
	$_gb = exec("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t rsa -N '' -f $sshConfigDir/ssh_host_rsa_key");
	$_gb = exec("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t dsa -N '' -f $sshConfigDir/ssh_host_dsa_key");
	$_gb = exec("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t ecdsa -N '' -f $sshConfigDir/ssh_host_ecdsa_key");
	$_gb = exec("/usr/bin/nice -n20 /usr/bin/ssh-keygen -t ed25519 -N '' -f $sshConfigDir/ssh_host_ed25519_key");
	clear_subsystem_dirty('sshdkeys');
	file_notice("SSH", "{$g['product_name']} has completed creating your SSH keys. SSH is now started.", "SSH Startup", "");
}

/* kill existing sshd process, server only, not the childs */
$sshd_pid = exec("ps ax | egrep '/usr/sbin/[s]shd' | awk '{print $1}'");
if($sshd_pid <> "") {
	echo "stopping ssh process $sshd_pid \n";
	@posix_kill($sshd_pid, SIGTERM);
}

/* Launch new server process */
$status = mwexec("/usr/sbin/sshd");
if($status <> 0) {
	file_notice("sshd_startup", "SSHD failed to start.", "SSHD Daemon", "");
	echo "error!\n";
} else {
	echo "done.\n";
}

// NanoBSD
if($g['platform'] == "nanobsd") {
	if(!is_dir("/conf/sshd"))
		mkdir("/conf/sshd", 0750);
	$_gb = exec("/bin/cp -p /etc/ssh/ssh_host* /conf/sshd");
}
conf_mount_ro();
unset($keys);

?>
[/code]
/usr/local/pkg/phpservice.inc
[code]
<?php
/* $Id$ */
/*
/* ========================================================================== */
/*
	phpservice.inc
	Copyright (C) 2008 Mark J Crane
	All rights reserved.
*/
/* ========================================================================== */
/*
	Redistribution and use in source and binary forms, with or without
	modification, are permitted provided that the following conditions are met:

	1. Redistributions of source code must retain the above copyright notice,
	   this list of conditions and the following disclaimer.

	2. Redistributions in binary form must reproduce the above copyright
	   notice, this list of conditions and the following disclaimer in the
	   documentation and/or other materials provided with the distribution.

	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
	POSSIBILITY OF SUCH DAMAGE.
*/

if (!function_exists("pkg_is_service_running")) {
	function pkg_is_service_running($servicename)
	{
		exec("/bin/ps ax | awk '{ print $5 }'", $psout);
		array_shift($psout);
		foreach($psout as $line) {
			$ps[] = trim(array_pop(explode(' ', array_pop(explode('/', $line)))));
		}
		if(is_service_running($servicename, $ps) or is_process_running($servicename) ) {
			return true;
		}
		else {
			return false;
		}
	}
}

if (!function_exists("byte_convert")) {
	function byte_convert( $bytes ) {
		if ($bytes<=0)
			return '0 Byte';

		$convention=1000; //[1000->10^x|1024->2^x]
		$s=array('B', 'kB', 'MB', 'GB', 'TB', 'PB', 'EB', 'ZB');
		$e=floor(log($bytes,$convention));
		return round($bytes/pow($convention,$e),2).' '.$s[$e];
	}
}

function phpservice_sync_package_php()
{
	global $config;
	if($config['installedpackages']['phpservice']['config'] != "") {
		conf_mount_rw();
		config_unlock();

		$tmp = "<?php\n";
		$tmp .= "\n";
		$tmp .= "// Set time limit to indefinite execution\n";
		$tmp .= "set_time_limit (0);\n";
		$tmp .= "\n";
		$tmp .= "//run this program as long as the pid file exists\n";
		$tmp .= "\$filename = '/tmp/phpmonitor.pid';\n";
		$tmp .= "\$fp = fopen(\$filename, 'w');\n";
		$tmp .= "fwrite(\$fp, \"If this file is deleted then phpmonitor will stop.\");\n";
		$tmp .= "fclose(\$fp);\n";
		$tmp .= "unset(\$filename);\n";
		$tmp .= "\n";
		$tmp .= "//require_once(\"config.inc\");\n";
		$tmp .= "//global \$config;\n";
		$tmp .= "//\$syslogaddress = \$config['syslog']['remoteserver'];\n";
		$tmp .= "\$syslogaddress = \"127.0.0.1\";\n";
		$tmp .= "\$syslogport = 514;\n";
		$tmp .= "echo \"syslog server: \".\$syslogaddress.\"\\n\";\n";
		$tmp .= "\n";
		$tmp .= "\n";
		$tmp .= "\n";
		$tmp .= "function send_to_syslog(\$syslogaddress, \$syslogport, \$syslogmsg) {\n";
		$tmp .= "\n";
		$tmp .= " \$fp = fsockopen(\"udp://\".\$syslogaddress, \$syslogport, \$errno, \$errstr);\n";
		$tmp .= " if (!\$fp) {\n";
		$tmp .= " //echo \"ERROR: \$errno - \$errstr \\n\";\n";
		$tmp .= " } else {\n";
		$tmp .= " fwrite(\$fp, \$syslogmsg);\n";
		$tmp .= " fclose(\$fp);\n";
		$tmp .= " }\n";
		$tmp .= "\n";
		$tmp .= "}\n";
		$tmp .= "\n";
		$tmp .= "\n";
		$tmp .= "//\$msg = \"1.begin loop. \".date('r').\"\\n\";\n";
		$tmp .= "//\$fp = fopen('/tmp/phpmonitor.txt', 'a');\n";
		$tmp .= "//fwrite(\$fp, \$msg.\"\\n\");\n";
		$tmp .= "//fclose(\$fp);\n";
		$tmp .= "\n";
		$tmp .= "\$x = 0;\n";
		$tmp .= "while(\$x == 0) {\n";
		$tmp .= "\n";
		$tmp .= "\n";
		$tmp .= " if(!file_exists('/tmp/phpmonitor.pid')) {\n";
		$tmp .= " //if the file does not exist then close the program.\n";
		$tmp .= " echo \"program closing\\n\";\n";
		$tmp .= " return;\n";
		$tmp .= " }\n";
		$tmp .= "\n";
		$tmp .= "\n";
		$tmp .= "\n";

		foreach($config['installedpackages']['phpservice']['config'] as $rowhelper) {
			if ($rowhelper['enabled'] != "false") {
				$tmp_php = base64_decode($rowhelper['php']);
				if (strlen($tmp_php) > 0) {
					$tmp .= "// name: ".$rowhelper['name']." \n";
					$tmp .= "// description: ".$rowhelper['description']." \n\n";
					$tmp .= base64_decode($rowhelper['php']);
					$tmp .= "\n";
				}
			}
		}

		$tmp .= "\n";
		$tmp .= "\n";
		$tmp .= " //usleep(100000); //micro seconds //2 seconds 2000000\n";
		$tmp .= " sleep(1); //in seconds\n";
		$tmp .= " //if (\$x > 60){ exit; } //exit after 60 seconds for testing\n";
		$tmp .= "} //emd while\n";
		$tmp .= "\n";
		$tmp .= "\n";
		$tmp .= "?>";

		$fout = fopen("/usr/local/pkg/phpservice.php","w");
		fwrite($fout, $tmp);
		unset($tmp);
		fclose($fout);

		conf_mount_ro();
	}
}

function phpservice_sync_package()
{
	global $config;
	phpservice_sync_package_php();
}

function phpservice_install_command()
{
	global $config;
	conf_mount_rw();
	config_lock();

	if (!is_dir('/usr/local/www/packages/')) {
		exec("mkdir /usr/local/www/packages/");
	}

	if (!is_dir('/usr/local/www/packages/phpservice/')) {
		exec("mkdir /usr/local/www/packages/phpservice/");
	}

	//rename PHP files from .tmp to .php
	exec("cp /tmp/phpservice_php.tmp /usr/local/www/packages/phpservice/phpservice_php.php");
	unlink_if_exists("/tmp/phpservice_php.tmp");

	exec("cp /tmp/phpservice_php_edit.tmp /usr/local/www/packages/phpservice/phpservice_php_edit.php");
	unlink_if_exists("/tmp/phpservice_php_edit.tmp");

	//write_config();

	write_rcfile(array(
		"file" => "phpservice.sh",
		"start" => "/usr/local/bin/php /usr/local/pkg/phpservice.php >> /var/log/phpservice.log &",
		"stop" => "rm /tmp/phpmonitor.pid"
		)
	);

	phpservice_sync_package();

	//$handle = popen("/usr/local/etc/rc.d/phpservice.sh start", "r");
	//pclose($handle);

	//if (pkg_is_service_running('phpservice')) {
		//documentation purposes
	//}

	conf_mount_ro();
	config_unlock();
}

function phpservice_deinstall_command()
{
	conf_mount_rw();
	config_lock();
	$handle = popen("/usr/local/etc/rc.d/phpservice.sh stop", "r");
	unlink_if_exists("/usr/local/pkg/phpservice.xml");
	unlink_if_exists("/usr/local/pkg/phpservice.inc");
	unlink_if_exists("/usr/local/www/phpservice.inc");
	unlink_if_exists("/usr/local/etc/rc.d/phpservice.sh");
	conf_mount_ro();
	config_unlock();
}

?>
[/code]
[img]https://i.imgur.com/klfPmOl.png[/img]
[img]https://i.imgur.com/94EiFYI.png[/img]
[img]https://i.imgur.com/MFznTby.png[/img]
[img]https://i.imgur.com/7mezIwd.png[/img]
[img]https://i.imgur.com/gDZE4vD.png[/img]
-
Your /etc/sshd file is a little different to the official distribution.
Line 123 has been added:
if(file_exists("/etc/ssh/sshd_extra")){$sshconf.=file_get_contents("/etc/ssh/sshd_extra");}
And lines 128 and 129 are missing:
if (file_exists("/etc/sshd_extra")) {
    $fdExtra = fopen("/etc/sshd_extra", 'r');
Those missing lines cause a missing opening "{" and thus the error about an unexpected "}" further down.
What happened to cause this file to be edited?
Anyway, you can fix it up again by:
a) Go to https://raw.githubusercontent.com/pfsense/pfsense/master/etc/sshd to see the text of the file on GitHub. Select and copy the text.
b) On the WebGUI of pfSense, Diagnostics->Edit, bring up /etc/sshd, select all the text, paste the good text from GitHub, save.
Or upgrade to the next snapshot, that should overwrite everything, including /etc/sshd, with the correct code.
-
Well, it is edited by some package interfering with ssh, I don't remember exactly what the name of it is. To be honest, yesterday I installed way too many packages to try them out, and then some of them made a mess of my configuration. Even resetting to factory defaults doesn't help, so I tried to copy/paste the conf file from GitHub ;D Thank you for your answers, I appreciate your help :D
Yapp! It's running perfectly now.
-
It would be good to find out what package is doing the editing - because it is going to screw up with different versions of /etc/sshd.
If you have a package suspect in mind, mention it.
Edit, add: the suspect was not hard to find - the sshdcond package has code that edits /etc/sshd
https://github.com/pfsense/pfsense-packages/blob/master/config/sshdcond/sshdcond.inc
The master version of /etc/sshd was modified by:
https://github.com/pfsense/pfsense/commit/5a89049022022e98f745ccb1eba51b7f438f6fe7
In particular, it did:- if(file_exists("/etc/sshd_extra")) - { + if (file_exists("/etc/sshd_extra")) {
That put the "{" on the same line as the "if" and made a big difference to the result of the editing done by sshdcond.
Bug reported: https://redmine.pfsense.org/issues/3959
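
The failure described in this thread (a text edit to /etc/sshd that leaves a "}" without its "{") can be caught before the edited file replaces the original. The following is an added example, not code from pfSense or the sshdcond package: the helper names `first_brace_error()` and `install_if_valid()` are hypothetical, the two snippets are constructed from the fragments quoted above, and PHP 7.1 or later is assumed.

```php
<?php
// Added example (constructed); not code from pfSense or the sshdcond package.
/**
 * Returns 0 if braces balance, the line of the first "}" without a matching
 * "{", or -1 if blocks are still open at end of file. Uses PHP's own lexer,
 * so braces inside comments and plain strings are not counted.
 */
function first_brace_error(string $php): int
{
    $depth = 0;
    $line = 1;
    foreach (token_get_all($php) as $tok) {
        if (is_array($tok)) {
            [$id, $text, $line] = $tok;
            // "{$var}" / "${var}" in strings open a brace closed by a plain "}"
            if ($id === T_CURLY_OPEN || $id === T_DOLLAR_OPEN_CURLY_BRACES) {
                $depth++;
            }
            $line += substr_count($text, "\n");
        } elseif ($tok === '{') {
            $depth++;
        } elseif ($tok === '}' && --$depth < 0) {
            return $line;
        }
    }
    return $depth === 0 ? 0 : -1;
}

/** Hypothetical helper: replace $target only if the patched text still lints. */
function install_if_valid(string $target, string $patched): bool
{
    if (first_brace_error($patched) !== 0) {
        return false;
    }
    $tmp = tempnam(dirname($target), 'sshd');
    file_put_contents($tmp, $patched);
    exec(escapeshellarg(PHP_BINARY) . ' -l ' . escapeshellarg($tmp), $out, $rc);
    if ($rc !== 0) {            // php -l exits non-zero on a parse error
        unlink($tmp);
        return false;
    }
    chmod($tmp, fileperms($target) & 0777);
    return rename($tmp, $target);   // same directory, so the swap is atomic
}

// Constructed from the fragments quoted in the thread.
$upstream = <<<'EOT'
<?php
$p = "/etc/ssh/{$f2c}";
if (file_exists("/etc/sshd_extra")) {
    $fdExtra = fopen("/etc/sshd_extra", 'r');
    $szExtra = fread($fdExtra, 1048576);
    $sshconf .= $szExtra;
    fclose($fdExtra);
}
EOT;

// Same block after the edit: the "if (...) {" and fopen() lines are gone.
$edited = str_replace(
    "if (file_exists(\"/etc/sshd_extra\")) {\n    \$fdExtra = fopen(\"/etc/sshd_extra\", 'r');\n",
    '',
    $upstream
);
var_dump(first_brace_error($upstream), first_brace_error($edited));
```

The lexer pass rejects the edited text without touching the filesystem; `install_if_valid()` adds the `php -l` check and swaps the file in only when both pass, so a bad edit leaves the working /etc/sshd in place.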
-
It would be good to find out what package is doing the editing - because it is going to screw up with different versions of /etc/sshd.
If you have a package suspect in mind, mention it.
Edit, add: the suspect was not hard to find - the sshdcond package has code that edits /etc/sshd
https://github.com/pfsense/pfsense-packages/blob/master/config/sshdcond/sshdcond.inc
The master version of /etc/sshd was modified by:
https://github.com/pfsense/pfsense/commit/5a89049022022e98f745ccb1eba51b7f438f6fe7
In particular, it did:- if(file_exists("/etc/sshd_extra")) - { + if (file_exists("/etc/sshd_extra")) {
That put the "{" on the same line as the "if" and made a big difference to the result of the editing done by sshdcond.
Bug reported: https://redmine.pfsense.org/issues/3959
Thanks for doing it for me, I am looking into this code now, trying to understand what's wrong with it ::), seems you are right here, this package almost ruined my life yesterday ;D
Yepp now I see this piece of code:
121 115 /* Apply package SSHDCond settings if config file exists */ 122 - if(file_exists("/etc/sshd_extra")) 123 - { 116 + if (file_exists("/etc/sshd_extra")) { 124 117 $fdExtra = fopen("/etc/sshd_extra", 'r'); 125 118 $szExtra = fread($fdExtra, 1048576); // Read up to 1MB from extra file 126 119 $sshconf .= $szExtra; @@ -128,9 +121,7 @@ 128 121 }
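Review bot: on the context lines directly under the changed `if`, the handle from `$fdExtra = fopen("/etc/sshd_extra", 'r');` is passed to `fread($fdExtra, 1048576)` without being checked. A passing `file_exists()` does not guarantee that the open succeeds (unreadable file, or the file removed in between), so a failed open still falls through to the read and to `$sshconf .= $szExtra;`. Suggest testing `$fdExtra !== false` before reading, and noting in the comment that an extra file larger than 1 MB is appended truncated rather than rejected. Since this hunk only moves the brace, it is also worth stating in the commit message that the block's line layout changed, because anything that edits this block by matching its text depends on that layout.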
Thank you for reporting the bug for me. I just installed this package to see if it extends/enhances the functionality in some way, as written in the package info: "Allows to define SSH overrides for users,groups,hosts and addresses using Match in a convenient way. This package acts as an access list frontend for ssh connections", but it seems digging in alpha/beta packages is not for me to deal with. I'll try to stay out of it and use mostly released or stable packages next time :P Also, half of the packages I tried to install yesterday reported a missing digital signature message, so that has to be fixed some time later when 2.2 is prepared for release. My other thought is to add some functionality to the package installation process: some marks showing that the package you want to install does not meet system requirements or can break something in the main distribution when installed :-X or some option to hide all unstable testing packages using filtering with parameters like "platform & status", which could potentially improve performance when showing the list of packages, even though they can now be sorted by categories. Tabs are a good idea, but they are not enough here in the package manager to filter the PBI packages that you need/want to install on your system. Hope we see some changes in that direction in the future.
-
Renato committed some fixes for this today. The bug https://redmine.pfsense.org/issues/3959 is now in Feedback. Since I don't actually use this package, it is a bit hard for me to really verify that it works OK now.
If anyone is using sshdcond I suggest you update to latest snap and latest package version and then report back on the Redmine bug to say if it now works OK.
-
I am having same issue.. was loving the updates in 2.2 cause ssh would run till I rebooted or lost power. But now since no more updates as I am on 1/16 RC 64 bit and that is last I see till 2.2 release I will have to wait till 2.2 release to have ssh back and only till I reboot again ?
-
I am having same issue..
You're not having the same issue. This thread was about a long-ago fixed issue with SSH host key generation in some circumstances. There are no known issues along these lines since, and any that do exist wouldn't be relevant to this thread. Please start a new thread with specifics of what you're seeing, as it's definitely completely unrelated to this thread.