From nobody@FreeBSD.org  Tue Jan  7 09:05:01 2014
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
	(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by hub.freebsd.org (Postfix) with ESMTPS id 376351D2
	for <freebsd-gnats-submit@FreeBSD.org>; Tue,  7 Jan 2014 09:05:01 +0000 (UTC)
Received: from oldred.freebsd.org (oldred.freebsd.org [IPv6:2001:1900:2254:206a::50:4])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.freebsd.org (Postfix) with ESMTPS id 23C3411A3
	for <freebsd-gnats-submit@FreeBSD.org>; Tue,  7 Jan 2014 09:05:01 +0000 (UTC)
Received: from oldred.freebsd.org ([127.0.1.6])
	by oldred.freebsd.org (8.14.5/8.14.7) with ESMTP id s07950hI069015
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 7 Jan 2014 09:05:00 GMT
	(envelope-from nobody@oldred.freebsd.org)
Received: (from nobody@localhost)
	by oldred.freebsd.org (8.14.5/8.14.5/Submit) id s07950tT069008;
	Tue, 7 Jan 2014 09:05:00 GMT
	(envelope-from nobody)
Message-Id: <201401070905.s07950tT069008@oldred.freebsd.org>
Date: Tue, 7 Jan 2014 09:05:00 GMT
From: David Cecchin <dcecchin@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: freebsd-update can modify sshd and lock you out of your system
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         185546
>Category:       bin
>Synopsis:       freebsd-update(8) can modify sshd and lock you out of your system
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    cperciva
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 07 09:10:00 UTC 2014
>Closed-Date:    
>Last-Modified:  Sun Apr 13 23:29:09 UTC 2014
>Originator:     David Cecchin
>Release:        9.1-RELEASE to 9.2-RELEASE
>Organization:
>Environment:
FreeBSD sanction.local 9.2-RELEASE FreeBSD 9.2-RELEASE #0 r255898: Thu Sep 26 22:50:31 UTC 2013     root@bake.isc.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
>Description:
I think this is a usability bug:

When upgrading a system, for example from FreeBSD 9.1 to 9.2, with these instructions: http://www.freebsd.org/releases/9.2R/installation.html, I was locked out of my FreeBSD system.

The freebsd-update process made some changes to my sshd configuration:

51 <<<<<<< current version
52 AuthorizedKeysFile .ssh/authorized_keys
53 =======
54
55 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
56 #AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
57
58 #AuthorizedPrincipalsFile none
59
60 #AuthorizedKeysCommand none
61 #AuthorizedKeysCommandUser nobody
62 >>>>>>> 9.2-RELEASE

Now of course the changes on lines 51, 53 and 62 were read in by sshd as invalid parameters and stopped sshd from starting on reboot.

This isn't an issue for things like ntp.conf which will just simply print a warning to syslog, but for critical services such as sshd, it will stop the service from starting.

If adding these markers is necessary, why don't you at the very least put a # in front of them?
>How-To-Repeat:

>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->cperciva 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sun Apr 13 23:27:34 UTC 2014 
Responsible-Changed-Why:  
Over to maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=185546 
>Unformatted:
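An added example, not part of the original report and not code from freebsd-update: a pre-reboot check that flags the unresolved merge markers described in the report and then lets `sshd -t` validate the file. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the report): catch unresolved merge markers in
# sshd_config before rebooting. Function names are hypothetical.

# Emit a constructed sample modelled on the excerpt in the report.
make_sample() {
    cat <<'EOF'
Port 22
<<<<<<< current version
AuthorizedKeysFile .ssh/authorized_keys
=======

#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
>>>>>>> 9.2-RELEASE
EOF
}

# Print "file:line:text" for each line that is a merge conflict marker.
find_conflict_markers() {
    awk '/^(<<<<<<< |=======[ \t]*$|>>>>>>> )/ {
        printf "%s:%d:%s\n", FILENAME, FNR, $0
    }' "$@"
}

# Return 0 only if the file has no markers and, where sshd is installed,
# "sshd -t" (test mode: parse the config, do not start the daemon) accepts it.
check_sshd_config() {
    cfg=$1
    hits=$(find_conflict_markers "$cfg")
    if [ -n "$hits" ]; then
        echo "unresolved merge markers in $cfg:" >&2
        echo "$hits" >&2
        return 1
    fi
    sshd_bin=$(command -v sshd 2>/dev/null) || return 0
    "$sshd_bin" -t -f "$cfg"
}

# With file arguments, check each one and exit non-zero on any failure.
if [ "$#" -gt 0 ]; then
    rc=0
    for f in "$@"; do check_sshd_config "$f" || rc=1; done
    exit "$rc"
fi
```

In the scenario reported here it would be run against /etc/ssh/sshd_config after the merge step and before the reboot.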
