11 to 12 update resulted in 'weak ciphers' enabled in Services > SSH
Activity
Please file a new ticket if you can reproduce fresh installs having it enabled.
@William Gryzbowski : assuming @Simon Marquardt is correct that fresh installs also have 'weak ciphers' enabled, shouldn't this ticket be reopened?!
This default setting is also present on fresh installs. (I noticed it on one installed as U3 and also checked a fresh install.)
I really think this should not be default, not only because of the “safe by default” principle, but especially as SSH is a service people trust enough to make it available on the internet. For fresh installs there are no setups to be broken.
I am not sure what exactly the risks are, but NoneEnabled doesn't even seem to be an option available in stock OpenSSH but added by the HPN-SSH patch set.
Also the UI wording is horrible, see this Community Thread. I wasn't sure whether the setting would enable or disable weak ciphers, because I didn't expect enabled to be the default.
Maybe this should be handled as a security bug and a CVE be issued, so people become aware of this setting?
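As an added check (not code from the ticket or from TrueNAS), a small Python audit of an sshd_config for the two things this comment is about: the HPN-SSH-only NoneEnabled keyword and legacy cipher/MAC names in the Ciphers and MACs lists. The weak-algorithm lists and the sample config are assumptions constructed for the example.

```python
import re

# Constructed sshd_config fragment (not from the ticket) that reproduces the
# state described above: NoneEnabled switched on and legacy algorithms listed.
SAMPLE_SSHD_CONFIG = """\
# constructed example
Port 22
NoneEnabled yes
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc
MACs hmac-sha2-512,hmac-sha1
"""

# Assumed audit baseline: algorithm names to flag. Adjust to your own policy.
WEAK_CIPHERS = {"arcfour", "arcfour128", "arcfour256", "3des-cbc", "blowfish-cbc",
                "cast128-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96", "hmac-ripemd160"}


def parse_sshd_config(text):
    """Map lowercase keyword -> value. As in sshd itself, the first occurrence wins."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"(\S+)[\s=]+(.*)", line)
        if m:
            cfg.setdefault(m.group(1).lower(), m.group(2).strip())
    return cfg


def audit(text):
    """Return a list of findings for the given sshd_config text; empty means clean."""
    cfg = parse_sshd_config(text)
    findings = []
    # NoneEnabled exists only in HPN-SSH builds; 'yes' permits the 'none' cipher.
    if cfg.get("noneenabled", "no").lower() == "yes":
        findings.append("NoneEnabled yes (HPN-SSH 'none' cipher permitted)")
    for key, weak in (("ciphers", WEAK_CIPHERS), ("macs", WEAK_MACS)):
        if key in cfg:
            # strip the optional +/-/^ list-modifier prefix before comparing names
            for alg in cfg[key].split(","):
                name = alg.strip().lower().lstrip("+-^")
                if name in weak:
                    findings.append(f"{key}: weak algorithm {name}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SSHD_CONFIG):
        print(finding)
```

On a live host the same audit can be run against the effective configuration printed by `sshd -T` rather than the file.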
How about popping up a post-upgrade warning message then? Unless one combs through every setting, it's very hard to know that your system is set up insecurely.
That was required so upgrades would not break setups.
After updating from FreeNAS 11.3-U5 to TrueNAS 12.0-U2.1 and reviewing various settings, I noticed that in Services > SSH, buried behind the advanced option, both 'weak cipher' options were enabled.
That seems like a poor default. I think it would be better to default to something secure, and let users consciously reduce their security if necessary.