Fix sshd config generation
If the user does not specify «Extra options:» in the SSH service configuration, he gets:
Protocol 2
UseDNS no
ChallengeResponseAuthentication no
ClientAliveCountMax 3
ClientAliveInterval 15
NoneEnabled yes
VersionAddendum none
...
But if he adds something as simple as
in there, he gets:
Protocol 2
UseDNS no
ChallengeResponseAuthentication no
ClientAliveCountMax 3
ClientAliveInterval 15
NoneEnabled yes
Ciphers +aes128-cbc
...
VersionAddendum none is gone, but
This occurs because of code duplication in https://github.com/freenas/freenas/blob/master/src/freenas/etc/ix.rc.d/ix-sshd#L40. It can lead to various errors during fixes. E.g. commit https://github.com/freenas/freenas/commit/d0eab1441ac79deba5406ddb91b3faa9f7389382 changes only branch 1, while commit https://github.com/freenas/freenas/commit/d092075f96 changes only branch 2. For a service as important as sshd this may someday lead to a vulnerability.
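The divergence described above comes from two code paths each carrying their own copy of the base sshd options. The following is an added example (not the ix-sshd script itself) of the pattern that removes the problem: the base options live in exactly one function, and the user's extra options are only ever appended after them, so the "no extras" and "with extras" outputs can no longer drift apart. The base option list is taken from the output quoted in the report; that it matches the full ix-sshd base set is an assumption. `check_base_present` is a hypothetical helper a packager could run to verify that a generated config still carries every base line.

```shell
#!/bin/sh
# Added example: generate sshd_config from a single base block plus optional
# extra options, so no option can be present in one code path and missing
# from the other. This is not the ix-sshd script.

# Emit the base options that every generated config must contain.
# (Assumption: this list mirrors the report's output; the real ix-sshd
# base set may differ.)
sshd_base_options() {
    cat <<'EOF'
Protocol 2
UseDNS no
ChallengeResponseAuthentication no
ClientAliveCountMax 3
ClientAliveInterval 15
NoneEnabled yes
VersionAddendum none
EOF
}

# gen_sshd_config [EXTRA_OPTIONS]
# Prints the base block once, then the user's extra options (if any).
# Because the base block is emitted unconditionally, adding extras can only
# add lines, never drop one such as "VersionAddendum none".
gen_sshd_config() {
    sshd_base_options
    if [ -n "${1:-}" ]; then
        printf '%s\n' "$1"
    fi
}

# check_base_present CONFIG_TEXT
# Returns 0 if every base option line appears verbatim in CONFIG_TEXT,
# 1 otherwise. Useful as a regression check after editing the generator.
check_base_present() {
    _cfg="$1"
    sshd_base_options | while IFS= read -r line; do
        printf '%s\n' "$_cfg" | grep -qxF -- "$line" || return 1
    done
}
```

Running `gen_sshd_config "Ciphers +aes128-cbc"` yields the seven base lines followed by the Ciphers line, and `check_base_present "$(gen_sshd_config "Ciphers +aes128-cbc")"` succeeds; feeding it a config missing `VersionAddendum none` makes it fail, which is exactly the condition the report describes.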
#1 Updated by William Grzybowski almost 2 years ago
- Status changed from 15 to Unscreened
This was definitely an overlook during some rewrite of that script a long while ago.
Please go ahead and fix the inconsistency, adding VersionAddendum and Ciphers +aes128-cbc to both cases. I don't think adding aes128-cbc is a big deal, since it just allows that cipher to be used if the client really wants to. We even allow no cipher at all, because of replication without encryption, for speed.