
TrueNAS 13.0-U1 is Now Available

airflow

Explorer
Joined
May 29, 2014
Messages
98
I upgraded today from 12.0-U8.1 to 13.0-U1.1 and ran into the problem that I couldn't authenticate with SSH & PubKey-Auth on the system.

When I checked the log /var/log/auth.log, I see

Code:
userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Connection closed by authenticating user root 192.168.0.45 port 64467 [preauth]


In /etc/ssh/sshd_config, there's the line

Code:
#PubkeyAuthentication yes


Is this intentional? Why has PubKeyAuth been disabled by default now?
For everyone else running this, it can be fixed by manually configuring the following two lines under Services/SSH/Advanced Options/Auxiliary Parameters:
Code:
PubkeyAuthentication yes
PubkeyAcceptedAlgorithms ssh-rsa
 

ChrisRJ

Guru
Joined
Oct 23, 2020
Messages
1,072
TrueNAS 13.0 is significantly faster, more secure, and inherently more reliable. However, it isn't as mature.
I would be interested in the definitions of "mature" and "reliable" here.

So far my impression is that the transition from TrueNAS 12 to 13 is comparable to the one from FreeNAS 11 to TrueNAS 12. In other words: not great. I understand that there are things like commercial and market pressure. And I sympathize with iXsystems being a relatively small player. But that also means that to stay in the game you must play by your own rules and not those of IBM, Oracle, EMC, HP, etc. (where you can only lose). In other words, credibility and word-of-mouth are your super-powers. Plus the current changes in B2B buying patterns will help you.

Please take my concerns as just that. I have been a happy user of FreeNAS/TrueNAS for about 10 years and care a lot. So this is meant as purely positive criticism. Should it come across differently, this was not intended.
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
4,843
For everyone else running this, it can be fixed by manually configuring the following two lines under Services/SSH/Advanced Options/Auxiliary Parameters:
Code:
PubkeyAuthentication yes
PubkeyAcceptedAlgorithms ssh-rsa

This is only a temporary workaround, as ssh-rsa using SHA-1 has been essentially cracked. I changed to ed25519 keys so I could restore the default posture in 13 of deprecating ssh-rsa.
 

Ericloewe

Not-very-passive-but-aggressive
Moderator
Joined
Feb 15, 2014
Messages
18,111
ssh-rsa is RSA with SHA-1 hashing, which is now considered unsafe. However, RSA itself is fine when used with SHA256, which has been the default for a long time when generating RSA keys. The "new" algorithms are specified with something like rsa-sha2-256 and rsa-sha2-512.
For everyone else running this, it can be fixed by manually configuring the following two lines under Services/SSH/Advanced Options/Auxiliary Parameters:
Code:
PubkeyAuthentication yes
PubkeyAcceptedAlgorithms ssh-rsa
What client are you using?
 

airflow

Explorer
Joined
May 29, 2014
Messages
98
ssh-rsa is RSA with SHA-1 hashing, which is now considered unsafe. However, RSA itself is fine when used with SHA256, which has been the default for a long time when generating RSA keys. The "new" algorithms are specified with something like rsa-sha2-256 and rsa-sha2-512.

What client are you using?

I am using PuTTY in current release. Also, the key-pairs I'm using for authentication were recently created and are sha2 with 512 keylength. Your suggestion to define the allowed protocols better and restrict them to rsa-sha2-256 and rsa-sha2-512 is very good, I will do that.

But actually my point was not to discuss the quality of different algorithms, but to mention that PublicKeyAuthentication has been disabled by default in TrueNAS 13.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
5,208
but to mention that PublicKeyAuthentication has been disabled by default in TrueNAS 13.
It has not. Only the older weak algorithms were disabled.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
13,546

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
5,208
The line #PubkeyAuthentication yes was commented out. That is the case for all config statements that are set to the compiled-in defaults. To disable it you would need to remove the comment sign and change "yes" to "no".
 

morganL

Captain Morgan
Administrator
Moderator
iXsystems
Joined
Mar 10, 2018
Messages
1,683
I would be interested in the definitions of "mature" and "reliable" here.

So far my impression is that the transition from TrueNAS 12 to 13 is comparable to the one from FreeNAS 11 to TrueNAS 12. In other words: not great. I understand that there are things like commercial and market pressure. And I sympathize with iXsystems being a relatively small player. But that also means that to stay in the game you must play by your own rules and not those of IBM, Oracle, EMC, HP, etc. (where you can only lose). In other words, credibility and word-of-mouth are your super-powers. Plus the current changes in B2B buying patterns will help you.

Please take my concerns as just that. I have been a happy user of FreeNAS/TrueNAS for about 10 years and care a lot. So this is meant as purely positive criticism. Should it come across differently, this was not intended.

It's a good question and perhaps the language I use can be improved.

The actual words I used were "inherently more reliable" - it was my way of saying that the TrueNAS 13.0 has improvements (e.g in ZFS and SMB) which will increase the reliability of TrueNAS. Both security and reliability improvements have been included. For example, TN 13.0 reboots and re-imports ZFS pools much faster than TrueNAS 12.0. It also eliminates some SMB security vulnerabilities. So, given the same level of maturity/testing, TrueNAS 13.0 will be more reliable than TrueNAS 12.0.

"Maturity" is an orthogonal concept. It's about how much testing and bug resolution has been done. TrueNAS 12.0 has 8 updates, over 200,000 users and about 18 months of heavy use. It has well over 1 million system-months of operation. This release is very mature and we have very few new bug reports coming in. It has reached its maximum reliability state.

TrueNAS 13.0 is not as "mature".... it's about to get its second update (about 60 bug fixes). It has about 50,000 system-months of operation, so less than 5% of TN 12.0. We expect bug reports to keep coming in, but TrueNAS 13.0 is getting close to TrueNAS 12.0 reliability. Eventually, it will surpass TrueNAS 12.0.

There's a separate issue of upgrading from one major release to another. TrueNAS 11.3 to 12.0 to 13.0. As the new release matures, those upgrades do get easier with fewer issues. However, there are some issues where, due to security needs, we have had to change some defaults or disable some previously allowed configurations. These should be documented in the Release Notes and, with some planning, major issues can be avoided. We try hard to avoid making these changes.... but some have to be made.

To simplify the understanding of where we are in the release lifecycle, we've attempted a clearer positioning in a "software status page". As a revision of software matures, it becomes recommended for General and Conservative users. TN 13.0 is still recommended for early adopters. TrueNAS 12.0 is recommended for General and Conservative users. TN 13.0-U2 is expected to become recommended for "general", but only after several weeks of deployment.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
5,208
TrueNAS 12.0 is recommended for General and Conservative users.
The OS in TN 12 is EOL. I would not recommend running EOL software to anyone.
 

morganL

Captain Morgan
Administrator
Moderator
iXsystems
Joined
Mar 10, 2018
Messages
1,683
The OS in TN 12 is EOL. I would not recommend running EOL software to anyone.
The world isn't that black and white.

There is a good reason for Jails and Plug-in users to upgrade to TN13.0 - they would upgrade because they needed new software. TrueNAS 13.0 is relatively safe, but is not as mature as 12.0.

Typical storage users (iSCSI, NFS, SMB, S3) don't see any major differences when using TrueNAS 12.0. If there are any specific issues encountered, they can upgrade to TrueNAS 13.0 to resolve them.

When someone is building a new system, it's very reasonable to start with an early adopter release and do some testing before it goes into "production". However, if it's an existing "production" system, the decision to upgrade needs to be supported by evidence showing it is a safe process for their specific use-case.

Even if software is perfect, I think it takes about 2 months to verify that. The TrueNAS community provides this invaluable feedback.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
13,546

morganL

Captain Morgan
Administrator
Moderator
iXsystems
Joined
Mar 10, 2018
Messages
1,683
So that's surely why https://www.truenas.com/download-truenas-core/ says:
(why can't I upload images here?)

TrueNAS CORE 13.0-U1.1

Current Stable Version, Recommended for Production use.


This is the problem we are trying to fix... "production" is such a broad term.
An early adopter can use it in production, but an existing mission critical user should probably wait unless they have a specific problem they need fixing.

Going forward, we'll have less of this advice distributed and instead refer to a single "software status" page, which will be updated as often as every week.
 

airflow

Explorer
Joined
May 29, 2014
Messages
98
I have another problem since upgrading to TrueNAS Core 13.0-U1.1. Some ports in my jails are not building anymore. They fail with error messages pointing to a problem in connection with "dtrace".

After some searching and testing I could find a solution for them:
lang/perl5.32 (or any other version): There exists an option in the configuration dialogue of the port to disable DTRACE (default=enabled). After disabling the option the port builds. The solution can be set nicely by putting lang_perl5.32_UNSET=DTRACE into /etc/make.conf.

java/openjdk11 (or any other version): Here I could fix the problem only by manually editing the Makefile of the port and adding the option --disable-dtrace to CONFIGURE_ARGS. I wasn't able to add this nicely via make.conf or other scriptable means. Just setting CONFIGURE_ARGS+=--disable-dtrace in /etc/make.conf didn't work.

Are you aware of changed behaviour of TrueNAS v13 with regard to dtrace? Is this some kernel option which is not supported/compiled into the kernel anymore? Is it possible to enable this again? I'm far from finished with the migration of my jails, so there are likely to be more ports where I have to adapt the build process for v13.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
5,208
Why aren't you using packages inside your jails?
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
5,208
You need to switch to the "latest" branch instead of the "quarterly" one to get packages in sync with the latest port version.
Code:
mkdir -p /usr/local/etc/pkg/repos
echo 'FreeBSD: { url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest" }' > /usr/local/etc/pkg/repos/FreeBSD.conf
pkg update
pkg upgrade


Rust is currently at 1.62.1:
 

nabsltd

Dabbler
Joined
Jul 1, 2022
Messages
42
Code:
#PubkeyAuthentication yes


Is this intentional? Why has PubKeyAuth been disabled by default now?
It is not disabled.

The convention in config files for Linux is to place the compiled-in default value commented out, just as you see here. This basically allows the entire config file to be commented out, and also be self-documenting. Then, if you make a change, you must create a line that is not commented, so it makes it easy to find changes from the default.
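The two points made in the replies above can be checked mechanically: a commented `#PubkeyAuthentication yes` line only documents the compiled-in default and disables nothing, and `ssh-rsa` in `PubkeyAcceptedAlgorithms` is the RSA/SHA-1 signature algorithm whose SHA-2 replacements are `rsa-sha2-256` and `rsa-sha2-512`. The following Python script is an added example for this thread, not code from iXsystems, TrueNAS or any poster. It assumes the compiled-in default for `PubkeyAuthentication` is `yes` and that the stock algorithm list on 13.0 omits `ssh-rsa` (consistent with the log line in the first post); the three sample configurations are constructed, and `Match` blocks are not modelled.

```python
"""Audit an sshd_config text for the two issues discussed in this thread."""
import re

# Assumed compiled-in defaults (only the keyword the thread is about).
DEFAULTS = {"pubkeyauthentication": "yes"}

# ssh-rsa is RSA with SHA-1; rsa-sha2-256 / rsa-sha2-512 are the SHA-2 variants.
WEAK_PUBKEY_ALGS = {"ssh-rsa"}
PREFERRED_RSA_ALGS = "rsa-sha2-256,rsa-sha2-512"


def parse_sshd_config(text):
    """Split a config into active directives and commented-out hints.

    Returns (active, hints): both map lowercased keyword -> value.
    sshd honours the FIRST occurrence of a keyword, so later duplicates
    are ignored here as well. A leading '#' makes the whole line a
    comment; such lines are kept separately as documentation hints.
    """
    active, hints = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        is_comment = line.startswith("#")
        body = line.lstrip("#").strip()
        m = re.match(r"^(\S+)[\s=]+(.*)$", body)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        target = hints if is_comment else active
        target.setdefault(key, value)
    return active, hints


def effective_value(keyword, active):
    """Resolve a keyword to (value, source) the way sshd would see it."""
    key = keyword.lower()
    if key in active:
        return active[key], "set explicitly"
    if key in DEFAULTS:
        return DEFAULTS[key], "compiled-in default"
    return None, "unknown"


def accepts_ssh_rsa(active):
    """Does the config end up accepting the ssh-rsa (SHA-1) algorithm?

    Handles the '+' (append), '^' (prepend) and '-' (remove) prefixes of
    PubkeyAcceptedAlgorithms. Assumption: the stock list omits ssh-rsa,
    so an absent directive or a '-' list means it is not accepted.
    PubkeyAcceptedKeyTypes is the older spelling of the same keyword.
    """
    value = active.get("pubkeyacceptedalgorithms")
    if value is None:
        value = active.get("pubkeyacceptedkeytypes")
    if not value:
        return False
    mode, names = ("", value) if value[0] not in "+-^" else (value[0], value[1:])
    algs = {a.strip() for a in names.split(",") if a.strip()}
    if mode == "-":
        return False
    return bool(algs & WEAK_PUBKEY_ALGS)


def audit(text):
    """Return a report dict for the given sshd_config text."""
    active, hints = parse_sshd_config(text)
    value, source = effective_value("PubkeyAuthentication", active)
    findings = [f"PubkeyAuthentication = {value} ({source})"]
    if "pubkeyauthentication" in hints and "pubkeyauthentication" not in active:
        findings.append("note: '#PubkeyAuthentication ...' is a comment showing "
                        "the default; it does not disable anything")
    weak = accepts_ssh_rsa(active)
    if weak:
        findings.append("WARNING: ssh-rsa (RSA/SHA-1) is accepted; prefer "
                        f"PubkeyAcceptedAlgorithms {PREFERRED_RSA_ALGS} "
                        "or switch to ed25519 keys")
    return {"pubkey_auth": value, "pubkey_auth_source": source,
            "accepts_ssh_rsa": weak, "findings": findings}


# Constructed sample configurations (not copied from any real host).
STOCK_CONFIG = "# Authentication:\n#PubkeyAuthentication yes\n"
WORKAROUND_CONFIG = "PubkeyAuthentication yes\nPubkeyAcceptedAlgorithms ssh-rsa\n"
HARDENED_CONFIG = ("PubkeyAuthentication yes\n"
                   "PubkeyAcceptedAlgorithms rsa-sha2-256,rsa-sha2-512,ssh-ed25519\n")

if __name__ == "__main__":
    for name, cfg in (("stock", STOCK_CONFIG), ("workaround", WORKAROUND_CONFIG),
                      ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for line in audit(cfg)["findings"]:
            print("  " + line)
```

Run against the real file with `python3 audit.py < /etc/ssh/sshd_config` after swapping the sample strings for `sys.stdin.read()`; on a TrueNAS box the Auxiliary Parameters from the GUI end up in that file, so the "workaround" case above is what the thread's two-line fix produces, and the "hardened" case is the Ericloewe/Samuel Tai variant.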
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
5,208