FreeBSD 9.2 : Upgrade and SSH improvements

FreeBSD 9.2 was released a few days ago. This post explains the steps required to upgrade a FreeBSD 9.1 host from source, and how to take advantage of a new OpenSSH feature shipped in this release.

Upgrade
I’m assuming the host is already running on FreeBSD 9.1. First, check the current mirror used by SVN :

# cd /usr/src && svn info

Move the previously used src and obj directories out of the way :

# mv /usr/src /usr/src.9_1
# mv /usr/obj /usr/obj.9_1

Then, fetch the source from the releng/9.2 branch (in my case, from the UK mirror) :

# svn co https://svn0.eu.freebsd.org/base/releng/9.2 /usr/src

Start to compile the world the usual way :

# cd /usr/src && make -j<NUMBER_OF_CPU> buildworld

Unfortunately, GCC failed to build part of an LLVM library on my host :

/usr/src/lib/clang/libllvminstcombine/../../../contrib/llvm/lib/Transforms/InstCombine/InstCombineAndOrXor.cpp:1665: internal compiler error: in memory_address_length, at config/i386/i386.c:13897

No matter what kind of error the good old GCC 4.2 generates, I decided to switch to clang/llvm, which will be the default compiler on FreeBSD 10 anyway. This is done via /etc/src.conf :

CC=clang
CXX=clang++
CPP=clang-cpp
CPUTYPE?=native

Then I cleaned and rebuilt world. And guess what ? It worked.
After that, follow the usual procedure to build and install a new version [1]. Don’t forget to add the auditdistd user when mergemaster asks for it, and to clean up with make delete-old and make delete-old-libs.

New features

In FreeBSD 9.2, ZFS now includes LZ4 compression, available after a pool upgrade via :

# zpool upgrade

Remember : an upgraded pool can no longer be imported by previous versions of FreeBSD, and this operation cannot be reverted. Another useful ZFS change in this release is the display of ARC cache usage in top.

FreeBSD 9.2 also includes the long awaited OpenSSH 6.2 instead of 5.8 [2]. This version introduces the AuthenticationMethods option [3], which is required to use an SSH keypair in combination with Google Authenticator [4] (this was not possible before, because one successful method out of all the enabled methods was enough for a valid authentication, so either the key or the code alone would log you in).
So, if you want to use an SSH keypair along with Google Authenticator, first install the port :

# portmaster security/pam_google_authenticator

Then generate a configuration file with the desired user account :

$ google-authenticator

And enable PAM in /etc/ssh/sshd_config :

ChallengeResponseAuthentication yes
UsePAM yes

As well as the authentication requirement for both public key and validation code (first require the public key) :

AuthenticationMethods publickey,keyboard-interactive

And enable the Google Authenticator module for PAM in /etc/pam.d/sshd (it replaces the password authentication for SSH, as a public key is already required by OpenSSH) :

auth            required        /usr/local/lib/pam_google_authenticator.so
#auth           required        pam_unix.so             no_warn try_first_pass
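To check that a host really enforces key plus one-time code, here is an added audit script (not part of the original post) that reads an sshd_config the way sshd does : keywords are case-insensitive, the first value found for a keyword wins, and anything after a Match block is conditional and ignored. The sample configurations inside it are constructed for the example.

```python
import re

# Every alternative method list must contain both of these, otherwise one factor is enough.
REQUIRED_METHODS = {"publickey", "keyboard-interactive"}

SAMPLE_GOOD = """\
# constructed sample: the setup described in the post
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
"""

SAMPLE_WEAK = """\
# constructed sample: PAM enabled but no AuthenticationMethods line,
# so a key alone or a code alone is accepted
ChallengeResponseAuthentication yes
UsePAM yes
"""

def parse_sshd_config(text):
    """Return {keyword: first value} for the global section (before any Match)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break  # remaining lines only apply conditionally
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings

def audit_mfa(text):
    """Return a list of findings; an empty list means key and code are both enforced."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("usepam", "no").lower() != "yes":
        findings.append("UsePAM must be yes for pam_google_authenticator to run")
    if cfg.get("challengeresponseauthentication", "yes").lower() != "yes":
        findings.append("ChallengeResponseAuthentication must be yes for keyboard-interactive")
    methods = cfg.get("authenticationmethods", "")
    if not methods:
        findings.append("AuthenticationMethods missing: any single method would suffice")
        return findings
    for alt in methods.split():  # whitespace separates alternative lists, comma chains them
        chain = [m.split(":", 1)[0] for m in alt.split(",")]  # drop ':pam' style suffixes
        missing = REQUIRED_METHODS - set(chain)
        if missing:
            findings.append(f"method list '{alt}' does not require {sorted(missing)}")
        elif chain[0] != "publickey":
            findings.append(f"method list '{alt}' does not ask for the public key first")
    return findings
```

Run audit_mfa() on the contents of /etc/ssh/sshd_config after editing; an alternative such as a trailing bare publickey list is reported because it would let the key alone succeed.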


[1] : http://www.freebsd.org/doc/handbook/makeworld.html
[2] : http://www.freebsd.org/releases/9.2R/relnotes.html
[3] : http://lwn.net/Articles/544640/
[4] : http://code.google.com/p/google-authenticator/issues/detail?id=40