Project

General

Profile

Bug #25645

Fix sshd config generation

Added by Vladimir Vinogradenko over 3 years ago. Updated about 3 years ago.

Status:
Resolved
Priority:
Nice to have
Assignee:
Vladimir Vinogradenko
Category:
Middleware
Target version:
11.1-BETA1
Seen in:
11.0-U2
Severity:
New
Reason for Closing:
Reason for Blocked:
Needs QA:
No
Needs Doc:
Yes
Needs Merging:
Yes
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:
ChangeLog Required:
No

Description

If user does not specify «Extra options:» in SSH service configuration, he gets:

Protocol 2
UseDNS no
ChallengeResponseAuthentication no
ClientAliveCountMax 3
ClientAliveInterval 15
NoneEnabled yes
VersionAddendum none
...

But if he adds something as simple as
# Comment

in there, he gets:
Protocol 2
UseDNS no
ChallengeResponseAuthentication no
ClientAliveCountMax 3
ClientAliveInterval 15
NoneEnabled yes
Ciphers +aes128-cbc
...

Note that VersionAddendum none is gone, but Ciphers +aes128-cbc appeared.

This occurs because of code duplication in https://github.com/freenas/freenas/blob/master/src/freenas/etc/ix.rc.d/ix-sshd#L40. It can lead to various errors during fixes. E.g. commit https://github.com/freenas/freenas/commit/d0eab1441ac79deba5406ddb91b3faa9f7389382 changes only branch 1 while commit https://github.com/freenas/freenas/commit/d092075f96 changes only branch 2. For service as important as sshd this may someday lead to vulnerability.

Related issues

Related to FreeNAS - Bug #20044: SFTP backup from CUCM 10.5.2.12900-14 fails with FreeNAS-9.10.2 (a476f16)Resolved2017-01-05

History

#1 Updated by William Grzybowski over 3 years ago

  • Status changed from 15 to Unscreened

This was definitely an overlook during some rewrite of that script a long while ago.

Please ago ahead and fix the inconsistency adding VersionAddendum and Ciphers +aes128-cbc to both cases. I dont think adding aes128-cbc is a big deal, since it just allows that cipher be used if the client really wants to. We even allow No cipher at all, because of replication without encryption, for speed.

#2 Updated by Vladimir Vinogradenko over 3 years ago

  • Status changed from Unscreened to Needs Developer Review

#3 Updated by William Grzybowski over 3 years ago

  • Status changed from Needs Developer Review to Reviewed by Developer

#4 Updated by Dru Lavigne over 3 years ago

Vladimir or William: what is the target version?

#5 Updated by Vladimir Vinogradenko over 3 years ago

  • Status changed from Reviewed by Developer to Ready For Release

#6 Updated by William Grzybowski over 3 years ago

  • Target version changed from N/A to 11.1
  • Seen in changed from N/A to 11.0-U2

#7 Updated by William Grzybowski over 3 years ago

  • Priority changed from No priority to Nice to have

#8 Updated by Dru Lavigne over 3 years ago

  • Subject changed from Inconsistent sshd config generation to Fix sshd config generation

#9 Updated by William Grzybowski over 3 years ago

  • Related to Bug #20044: SFTP backup from CUCM 10.5.2.12900-14 fails with FreeNAS-9.10.2 (a476f16) added

#10 Updated by Dru Lavigne over 3 years ago

  • Target version changed from 11.1 to 11.1-BETA1

#11 Updated by Dru Lavigne about 3 years ago

  • Status changed from Ready For Release to Resolved

#12 Updated by Nick Wolff about 3 years ago

  • QA Status Test Passes FreeNAS added
  • QA Status deleted (Not Tested)

#13 Updated by Joe Maloney about 3 years ago

  • Needs QA changed from Yes to No

Also available in: Atom PDF