Bug #26613

SSH

Added by Stranded Camel almost 3 years ago. Updated almost 3 years ago.

Status: Closed: Not To Be Fixed
Priority: No priority
Assignee: Alexander Motin
Category: OS
Target version:
Seen in:
Severity: New
Reason for Closing:
Reason for Blocked:
Needs QA: Yes
Needs Doc: Yes
Needs Merging: Yes
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Description

I've just run the ssh-audit tool from [1] on my FreeNAS 11 U4 box, and the results are abysmal (see below for results). In short, all the items marked `warn`, `fail` or `remove` make FreeNAS's SSH more vulnerable than it needs to be. The hardening guide at [2] provides solutions that fix virtually all the vulnerabilities found by the audit on Linux, and I assume that its FreeBSD section will do the same for FreeNAS.

However, this is something that the FreeNAS devs will have to implement, as few of the hardening measures survive reboot. And in any case, I would imagine that the devs would want FreeNAS to be as hardened as possible out of the box, as it reflects on the whole platform, both FOSS and commercial.

[1] https://github.com/arthepsy/ssh-audit
[2] https://www.sshaudit.com/hardening_guides.html

RESULTS OF AUDIT:

  # general
    (gen) banner: SSH-2.0-OpenSSH_7.4-hpn14v5 FreeBSD-openssh-portable-7.4.p1,1
    (gen) software: OpenSSH 7.4 (hpn14v5) running on FreeBSD
    (gen) compatibility: OpenSSH 7.3+ (some functionality from 6.6), Dropbear SSH 2016.73+
    (gen) compression: disabled
  # key exchange algorithms
    (kex) curve25519-sha256 -- [warn] unknown algorithm
    (kex) -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62
    (kex) ecdh-sha2-nistp256 -- [fail] using weak elliptic curves
    `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
    (kex) ecdh-sha2-nistp384 -- [fail] using weak elliptic curves
    `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
    (kex) ecdh-sha2-nistp521 -- [fail] using weak elliptic curves
    `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
    (kex) diffie-hellman-group-exchange-sha256 -- [warn] using custom size modulus (possibly weak)
    `- [info] available since OpenSSH 4.4
    (kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
    (kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3
    (kex) diffie-hellman-group14-sha256 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
    (kex) diffie-hellman-group14-sha1 -- [warn] using weak hashing algorithm
    `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53
  # host-key algorithms
    (key) ssh-rsa -- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
    (key) rsa-sha2-512 -- [info] available since OpenSSH 7.2
    (key) rsa-sha2-256 -- [info] available since OpenSSH 7.2
    (key) ecdsa-sha2-nistp256 -- [fail] using weak elliptic curves
    `- [warn] using weak random number generator could reveal the key
    `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
    (key) ssh-ed25519 -- [info] available since OpenSSH 6.5
  # encryption algorithms (ciphers)
    (enc) -- [info] available since OpenSSH 6.5
    `- [info] default cipher since OpenSSH 6.9.
    (enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
    (enc) aes192-ctr -- [info] available since OpenSSH 3.7
    (enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
    (enc) -- [info] available since OpenSSH 6.2
    (enc) -- [info] available since OpenSSH 6.2
    (enc) aes128-cbc -- [fail] removed (in server) since OpenSSH 6.7, unsafe algorithm
    `- [warn] using weak cipher mode
    `- [info] available since OpenSSH 2.3.0, Dropbear SSH 0.28
    (enc) none -- [fail] no encryption/integrity
    `- [info] available since OpenSSH 1.2.2, Dropbear SSH 2013.56
  # message authentication code algorithms
    (mac) -- [warn] using small 64-bit tag size
    `- [info] available since OpenSSH 6.2
    (mac) -- [info] available since OpenSSH 6.2
    (mac) -- [info] available since OpenSSH 6.2
    (mac) -- [info] available since OpenSSH 6.2
    (mac) -- [warn] using weak hashing algorithm
    `- [info] available since OpenSSH 6.2
    (mac) -- [warn] using encrypt-and-MAC mode
    `- [warn] using small 64-bit tag size
    `- [info] available since OpenSSH 4.7
    (mac) -- [warn] using encrypt-and-MAC mode
    `- [info] available since OpenSSH 6.2
    (mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode
    `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
    (mac) hmac-sha2-512 -- [warn] using encrypt-and-MAC mode
    `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
    (mac) hmac-sha1 -- [warn] using encrypt-and-MAC mode
    `- [warn] using weak hashing algorithm
    `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
  # algorithm recommendations (for OpenSSH 7.4)
    (rec) diffie-hellman-group14-sha1 - kex algorithm to remove
    (rec) diffie-hellman-group-exchange-sha256 - kex algorithm to remove
    (rec) ecdh-sha2-nistp256 - kex algorithm to remove
    (rec) ecdh-sha2-nistp384 - kex algorithm to remove
    (rec) ecdh-sha2-nistp521 - kex algorithm to remove
    (rec) ecdsa-sha2-nistp256 - key algorithm to remove
    (rec) none - enc algorithm to remove
    (rec) aes128-cbc - enc algorithm to remove
    (rec) hmac-sha1 - mac algorithm to remove
    (rec) hmac-sha2-256 - mac algorithm to remove
    (rec) hmac-sha2-512 - mac algorithm to remove
    (rec) - mac algorithm to remove
    (rec) - mac algorithm to remove
    (rec) - mac algorithm to remove
    (rec) - mac algorithm to remove

Related issues

Related to FreeNAS - Bug #20044: SFTP backup from CUCM 10.5.2.12900-14 fails with FreeNAS-9.10.2 (a476f16) | Resolved | 2017-01-05

History

#1 Updated by Stranded Camel almost 3 years ago

  • File debug-freenas-20171111233134.txz added

#2 Updated by Dru Lavigne almost 3 years ago

  • Assignee changed from Release Council to William Grzybowski

#3 Updated by William Grzybowski almost 3 years ago

  • Assignee changed from William Grzybowski to Alexander Motin

Alexander, is there anything actually actionable here?

#4 Updated by Alexander Motin almost 3 years ago

  • Related to Bug #20044: SFTP backup from CUCM 10.5.2.12900-14 fails with FreeNAS-9.10.2 (a476f16) added

#5 Updated by Alexander Motin almost 3 years ago

  • Status changed from Unscreened to Closed: Not To Be Fixed
  • Target version set to N/A
  • Seen in changed from Unspecified to 11.0-U4

I'd say it is a case of "If it ain’t broke, don’t fix it". The fact that some ciphers are supported does not mean they will be used by the client. If the client is modern, it will choose the best cipher automatically; otherwise a weak cipher may be better than failure. For example, the aes128-cbc cipher, about which the test complained, was enabled for compatibility reasons on user request.

I doubt about "few of the hardening measures survive reboot". If you like, you should be able to set any arbitrary SSH options via the SSH service advanced settings.

#6 Updated by Dru Lavigne almost 3 years ago

  • File deleted (debug-freenas-20171111233134.txz)

#7 Updated by Dru Lavigne almost 3 years ago

  • Private changed from Yes to No

#8 Updated by Stranded Camel almost 3 years ago

Alexander Motin wrote:

> I'd say it is a case of "If it ain’t broke, don’t fix it".

With all due respect, that is the kind of philosophy that gets servers pwned.

> The fact that some ciphers are supported does not mean they will be used by the client. If the client is modern, it will choose the best cipher automatically...

And if the client is malicious, it will choose to attack the weakest cipher supported by the server.

> I doubt about "few of the hardening measures survive reboot". If you like, you should be able to set any arbitrary SSH options via the SSH service advanced settings.

How exactly can you generate stronger keys via FreeNAS's SSH service advanced settings?

How can you remove known weak keys in FreeNAS?

How can you disable deprecated or vulnerable key exchange and MAC algorithms through advanced settings?

I believe the answer in FreeNAS is that as a user, you can't. Certainly not through the anemic web interface. Please feel free to correct me, of course!

I have no doubt you guys are busy, but security should be the #1 priority of any server or NAS system. I use your free version, so I can't complain. But if I were an enterprise customer, iX Systems would now be on my vendor blacklist.

#9 Updated by Alexander Motin almost 3 years ago

Stranded Camel wrote:

> Alexander Motin wrote:
>
> > I'd say it is a case of "If it ain’t broke, don’t fix it".
>
> With all due respect, that is the kind of philosophy that gets servers pwned.

Everything has reasonable limits. The default OpenSSH configuration is managed by its developers and community, whose opinion in this area I trust more than some tool from GitHub. A weak cipher does not necessarily mean a security breach. It still may need gigabytes of intercepted traffic and weeks/months of CPU time to be cracked. We are not talking about some RC4 or DES here. I consider the potential risks of having a somehow flawed custom configuration higher than the risk of having the default one, unless the opposite is proven.

> > The fact that some ciphers are supported does not mean they will be used by the client. If the client is modern, it will choose the best cipher automatically...
>
> And if the client is malicious, it will choose to attack the weakest cipher supported by the server.

If we are talking about the client, it already has server access and does not need to be malicious. Indeed, there can be a risk that somebody will use an ancient SSH client not supporting any decent algorithms, making use of less secure ones, making his traffic more vulnerable, but should we reject it completely? Some people who say so can explicitly disable the respective ciphers.

> > I doubt about "few of the hardening measures survive reboot". If you like, you should be able to set any arbitrary SSH options via the SSH service advanced settings.
>
> How exactly can you generate stronger keys via FreeNAS's SSH service advanced settings?
>
> How can you remove known weak keys in FreeNAS?

You can generate any keys you like in the regular FreeBSD ways; just run `service ix_sshd_save_keys start` after that to store them in the configuration database.

> How can you disable deprecated or vulnerable key exchange and MAC algorithms through advanced settings?

There is an "Extra options" field, where you can specify any sshd option you like, including Ciphers, MACs, KexAlgorithms and others.
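
As an added example (not code from the ticket or from FreeNAS), this Python script turns the audit's `(rec) ... to remove` lines into `KexAlgorithms`/`Ciphers`/`MACs` lines of the kind comment #9 says can be entered in the "Extra options" field. The sample input is constructed from lines in the report above; `extra_options` is a hypothetical name, and entries whose algorithm name is missing from the report are counted rather than guessed.

```python
import re

# Constructed sample: audit lines from the report; nameless entries kept as-is.
SAMPLE = """\
    (kex) curve25519-sha256 -- [warn] unknown algorithm
    (kex) ecdh-sha2-nistp256 -- [fail] using weak elliptic curves
    `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
    (enc) -- [info] available since OpenSSH 6.5
    (enc) aes256-ctr -- [info] available since OpenSSH 3.7
    (enc) aes128-cbc -- [fail] removed (in server) since OpenSSH 6.7
    (mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode
    (rec) ecdh-sha2-nistp256 - kex algorithm to remove
    (rec) aes128-cbc - enc algorithm to remove
    (rec) hmac-sha2-256 - mac algorithm to remove
    (rec) - mac algorithm to remove
"""

# Audit category -> sshd_config keyword.
DIRECTIVE = {"kex": "KexAlgorithms", "key": "HostKeyAlgorithms",
             "enc": "Ciphers", "mac": "MACs"}
OFFERED = re.compile(r"\((kex|key|enc|mac)\)\s+(?:(\S+)\s+)?--\s")
REMOVE = re.compile(r"\(rec\)\s+(?:(\S+)\s+)?-\s+(kex|key|enc|mac) algorithm to remove")

def extra_options(audit_text):
    """Return (sshd_config lines, count of entries skipped for lack of a name)."""
    offered = {k: {} for k in DIRECTIVE}   # dicts keep order and de-duplicate
    remove = {k: set() for k in DIRECTIVE}
    unnamed = 0
    for line in map(str.strip, audit_text.splitlines()):
        if m := OFFERED.match(line):
            kind, name = m.groups()
        elif m := REMOVE.match(line):
            name, kind = m.groups()
        else:
            continue  # headings and "`- [info]" continuation lines
        if name is None:
            unnamed += 1  # name absent in the input: never guess it
        elif m.re is OFFERED:
            offered[kind].setdefault(name)
        else:
            remove[kind].add(name)
    lines = []
    for kind, keyword in DIRECTIVE.items():
        keep = [a for a in offered[kind] if a not in remove[kind]]
        if remove[kind] and keep:  # never emit an empty algorithm list
            lines.append(f"{keyword} {','.join(keep)}")
    return lines, unnamed

print(*extra_options(SAMPLE)[0], sep="\n")
```

An explicit list replaces the server's default set for that keyword, so any algorithm counted as unnamed is left out of the generated line and has to be added back by hand if it is wanted. The effective lists can be checked afterwards with `sshd -T`.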
