11 to 12 update resulted in 'weak ciphers' enabled in Services > SSH
Activity

William Gryzbowski December 13, 2021 at 12:21 PM
Please file a new ticket if you can reproduce fresh installs having it enabled.

Sean McBride December 10, 2021 at 9:51 PM
: assuming is correct that fresh installs also have 'weak ciphers' enabled, shouldn't this ticket be reopened?!

Simon Marquardt June 17, 2021 at 10:38 PM
This default setting is also present on fresh installs. (I noticed it on one installed as U3 and also checked a fresh install.)
I really think this should not be default, not only because of the “safe by default” principle, but especially as SSH is a service people trust enough to make it available on the internet. For fresh installs there are no setups to be broken.
I am not sure what exactly the risks are, but NoneEnabled doesn't even seem to be an option available in stock OpenSSH but added by the HPN-SSH patch set.
Also the UI wording is horrible, see this Community Thread. I wasn't sure whether the setting would enable or disable weak ciphers, because I didn't expect enabled to be the default.
Maybe this should be handled as a security bug and a CVE be issued, so people become aware of this setting?

Sean McBride May 7, 2021 at 4:11 PM
How about popping up a post-upgrade warning message then? Unless one combs through every setting, it's very hard to know that your system is set up insecurely.

William Gryzbowski May 7, 2021 at 2:22 PM
That was required so upgrades would not break setups.
After updating from FreeNAS 11.3-U5 to TrueNAS 12.0-U2.1 and reviewing various settings, I noticed that in Services > SSH, buried behind the advanced option, that both 'weak cipher' options were enabled.
That seems like a poor default. I think it would be better to default to something secure, and let users consciously reduce their security if necessary.
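As an added example (not part of this ticket or of TrueNAS's own code), a small Python audit that reads an sshd_config or `sshd -T` dump and flags `NoneEnabled yes` together with CBC/arcfour/3DES ciphers and MD5 or 96-bit MACs, so the post-upgrade state described above can be spotted without combing through the UI. The weak-algorithm patterns and both sample configs are my own assumptions, constructed to resemble the situation in the ticket rather than captured from a real system.

```python
import re

# Algorithm names commonly treated as weak (assumption: my own list, not TrueNAS's
# definition of "weak ciphers"): CBC-mode ciphers, RC4/arcfour, 3DES and the HPN 'none' cipher.
WEAK_CIPHER_RE = re.compile(r"(-cbc$|^arcfour|^3des|^none$)")
# MACs based on MD5 or using truncated 96-bit tags.
WEAK_MAC_RE = re.compile(r"(md5|-96$)")


def parse_sshd_config(text):
    """Parse sshd_config or `sshd -T` output into {keyword_lower: value}.
    As in sshd itself, the first occurrence of a keyword wins."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^(\S+)\s*=?\s*(.*)$", line)  # keyword, optional '=', value
        if m:
            cfg.setdefault(m.group(1).lower(), m.group(2).strip())
    return cfg


def _algorithms(value):
    """Split a Ciphers/MACs value; a leading '-' removes from the default set, so nothing to flag."""
    if value.startswith("-"):
        return []
    return [a.strip().lower() for a in value.lstrip("+^").split(",") if a.strip()]


def audit_sshd_config(text):
    """Return human-readable findings for risky settings; an empty list means nothing was flagged."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("noneenabled", "no").lower() == "yes":
        findings.append("NoneEnabled yes: HPN-SSH 'none' cipher can be negotiated (payload unencrypted)")
    findings += [f"weak cipher allowed: {a}" for a in _algorithms(cfg.get("ciphers", "")) if WEAK_CIPHER_RE.search(a)]
    findings += [f"weak MAC allowed: {a}" for a in _algorithms(cfg.get("macs", "")) if WEAK_MAC_RE.search(a)]
    return findings


# Constructed sample resembling the post-upgrade state the ticket describes (not a real capture).
UPGRADED_CONFIG = "Port 22\nNoneEnabled yes\n" \
    "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc\n" \
    "MACs hmac-sha2-256,hmac-sha1,hmac-md5\n"
# Constructed sample with the weak options disabled.
HARDENED_CONFIG = "Port 22\nNoneEnabled no\n" \
    "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr\n" \
    "MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com\n"

if __name__ == "__main__":
    for label, text in (("upgraded", UPGRADED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_sshd_config(text) or ["no findings"])
```

On a live host, feed it the output of `sshd -T` (the effective configuration) rather than the file, so defaults and include files are accounted for.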