FreeBSD: SSH logins hang after install of openssh-portable
I needed to upgrade my OpenSSL installation on FreeBSD without having to recompile everything (make installworld), and found out that you can do so by installing the openssh-portable port. You must force it to replace the base OpenSSL install, so you pass in the proper options:
cd /usr/ports/security/openssh-portable
make -DOPENSSH_OVERWRITE_BASE install
This went great; however, I could no longer log in remotely. It would prompt me for a username and password, then just hang until it timed out.
This happens because newer versions of sshd have “UsePrivilegeSeparation” (privsep) set to YES by default, so sshd will always try to verify the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address.
Because sshd is chrooted to /usr/local/empty, it is unable to read /etc/resolv.conf and fails any DNS lookups. This is why we are hanging! To fix it, I found some people suggesting copying /etc/resolv.conf to /var/empty/etc/resolv.conf. I decided to try a symbolic link instead, but got the following error:
mkdir /var/empty/etc
mkdir: /var/empty/etc: Operation not permitted
This is probably caused by some flags or the schg bit on the dir, and I didn’t want to deal with it. Instead I decided to take the easy (even though probably unsafe) way out: disable privsep. Open up your /etc/ssh/sshd_config file and add the following:
UsePrivilegeSeparation no
Restart your sshd with /etc/rc.d/sshd restart and you should be good to go! I know it’s probably not a good idea to run with privsep off, but with it on, NOBODY could log into the server via ssh, including myself, and that’s no good. Hopefully OpenSSH and the FreeBSD ports people will find a way to make things work with privsep enabled in the near future.
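As an added example (not from the original post), here is the resolv.conf copy the post mentions as the alternative to turning privsep off, written to cope with the "Operation not permitted" error from the schg flag: the chroot directory and source file are parameters, and the FreeBSD-specific chflags handling is skipped where that command does not exist.

```shell
#!/bin/sh
# Stage /etc/resolv.conf inside the sshd privsep chroot so name lookups
# work there, instead of setting UsePrivilegeSeparation no.
# Assumes FreeBSD semantics: the chroot may carry the schg (system
# immutable) flag, which makes mkdir fail until it is cleared with chflags.
set -eu

# stage_resolv_conf CHROOT SRC
#   Creates CHROOT/etc and copies SRC to CHROOT/etc/resolv.conf.
#   If CHROOT has schg set, clear it for the copy and restore it afterwards.
stage_resolv_conf() {
    chroot_dir=$1
    src=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }

    had_schg=0
    if command -v chflags >/dev/null 2>&1; then
        # On FreeBSD, ls -lo prints the file flags column; look for schg.
        if ls -ldo "$chroot_dir" | grep -q schg; then
            had_schg=1
            chflags noschg "$chroot_dir"
        fi
    fi

    mkdir -p "$chroot_dir/etc"
    cp "$src" "$chroot_dir/etc/resolv.conf"
    chmod 644 "$chroot_dir/etc/resolv.conf"

    # Put the immutable flag back so the chroot stays as locked down as before.
    if [ "$had_schg" -eq 1 ]; then
        chflags schg "$chroot_dir"
    fi
}

# resolv_conf_staged CHROOT SRC
#   Returns 0 when CHROOT/etc/resolv.conf matches SRC byte for byte.
resolv_conf_staged() {
    cmp -s "$2" "$1/etc/resolv.conf"
}
```

Run it as root against the chroot the post points at (stage_resolv_conf /var/empty /etc/resolv.conf), then restart sshd with /etc/rc.d/sshd restart as described above.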