Bug #25645
Fix sshd config generation
Description
If the user does not specify «Extra options:» in the SSH service configuration, he gets:

    Protocol 2
    UseDNS no
    ChallengeResponseAuthentication no
    ClientAliveCountMax 3
    ClientAliveInterval 15
    NoneEnabled yes
    VersionAddendum none
    ...
But if he adds something as simple as
# Comment
in there, he gets:
    Protocol 2
    UseDNS no
    ChallengeResponseAuthentication no
    ClientAliveCountMax 3
    ClientAliveInterval 15
    NoneEnabled yes
    Ciphers +aes128-cbc
    ...
Note that "VersionAddendum none" is gone, but "Ciphers +aes128-cbc" appeared.
This occurs because of code duplication in https://github.com/freenas/freenas/blob/master/src/freenas/etc/ix.rc.d/ix-sshd#L40. It can lead to various errors during fixes. E.g. commit https://github.com/freenas/freenas/commit/d0eab1441ac79deba5406ddb91b3faa9f7389382 changes only branch 1, while commit https://github.com/freenas/freenas/commit/d092075f96 changes only branch 2. For a service as important as sshd, this may someday lead to a vulnerability.
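An added example, not the FreeNAS ix-sshd script: a hypothetical generator in the two-branch shape the report describes (the directive lists are abbreviated to the ones quoted above, and the drift between the branches is reproduced deliberately), a single-path rewrite that emits the shared directives once and appends the extra options afterwards, and a drift check that prints every directive present in only one of the two outputs. Function names are mine.

```shell
#!/bin/sh
# Example code, not the FreeNAS ix-sshd script. The "extra" argument stands
# in for the GUI's "Extra options:" field.

# Buggy shape: two copies of the directive list that have drifted apart.
# Branch 1 carries "VersionAddendum none", branch 2 carries "Ciphers +aes128-cbc",
# exactly the inconsistency the report shows.
buggy_sshd_config() {
    extra=$1
    if [ -z "$extra" ]; then
        cat <<EOF
Protocol 2
UseDNS no
ChallengeResponseAuthentication no
ClientAliveCountMax 3
ClientAliveInterval 15
NoneEnabled yes
VersionAddendum none
EOF
    else
        cat <<EOF
Protocol 2
UseDNS no
ChallengeResponseAuthentication no
ClientAliveCountMax 3
ClientAliveInterval 15
NoneEnabled yes
Ciphers +aes128-cbc
EOF
        printf '%s\n' "$extra"
    fi
}

# Fixed shape: one directive list, so a later edit cannot touch only one
# branch. Extra options are appended last, which also means a user-supplied
# directive overrides nothing silently: sshd keeps the first value it sees.
fixed_sshd_config() {
    extra=$1
    cat <<EOF
Protocol 2
UseDNS no
ChallengeResponseAuthentication no
ClientAliveCountMax 3
ClientAliveInterval 15
NoneEnabled yes
VersionAddendum none
Ciphers +aes128-cbc
EOF
    [ -n "$extra" ] && printf '%s\n' "$extra"
    return 0
}

# Drift check: generate the config with and without extra options (using a
# comment line as the extra option, as in the report), drop comment lines,
# and print every directive that appears in only one of the two outputs.
drift() {
    gen=$1
    {
        "$gen" ""          | grep -v '^#'
        "$gen" "# Comment" | grep -v '^#'
    } | sort | uniq -u
}

# Returns 0 when both code paths emit the same directives, 1 otherwise,
# listing the drifted directives on stderr.
check_consistent() {
    missing=$(drift "$1")
    [ -z "$missing" ] && return 0
    printf 'directive present in only one code path:\n%s\n' "$missing" >&2
    return 1
}

# Usage: exit status tells you whether the generator is consistent.
check_consistent buggy_sshd_config || echo "buggy generator drifts"
check_consistent fixed_sshd_config && echo "fixed generator is consistent"
```

The check only compares the set of directives, not their order or values; it is meant as a regression test for the duplication bug, not as a full sshd_config validator (for that, run sshd -t against the generated file).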
Related issues
History
#1
Updated by William Grzybowski over 3 years ago
- Status changed from 15 to Unscreened
This was definitely an oversight during some rewrite of that script a long while ago.
Please go ahead and fix the inconsistency, adding VersionAddendum and Ciphers +aes128-cbc to both cases. I don't think adding aes128-cbc is a big deal, since it just allows that cipher to be used if the client really wants to. We even allow no cipher at all, because of replication without encryption, for speed.
#2
Updated by Vladimir Vinogradenko over 3 years ago
- Status changed from Unscreened to Needs Developer Review
#3
Updated by William Grzybowski over 3 years ago
- Status changed from Needs Developer Review to Reviewed by Developer
#4
Updated by Dru Lavigne over 3 years ago
Vladimir or William: what is the target version?
#5
Updated by Vladimir Vinogradenko over 3 years ago
- Status changed from Reviewed by Developer to Ready For Release
#6
Updated by William Grzybowski over 3 years ago
- Target version changed from N/A to 11.1
- Seen in changed from N/A to 11.0-U2
#7
Updated by William Grzybowski over 3 years ago
- Priority changed from No priority to Nice to have
#8
Updated by Dru Lavigne over 3 years ago
- Subject changed from Inconsistent sshd config generation to Fix sshd config generation
#9
Updated by William Grzybowski over 3 years ago
- Related to Bug #20044: SFTP backup from CUCM 10.5.2.12900-14 fails with FreeNAS-9.10.2 (a476f16) added
#10
Updated by Dru Lavigne over 3 years ago
- Target version changed from 11.1 to 11.1-BETA1
#11
Updated by Dru Lavigne about 3 years ago
- Status changed from Ready For Release to Resolved
#12
Updated by Nick Wolff about 3 years ago
- QA Status Test Passes FreeNAS added
- QA Status deleted (Not Tested)
#13
Updated by Joe Maloney about 3 years ago
- Needs QA changed from Yes to No