Todo #8245

closed

use delayed compression for sshd

Added by Art Manion about 6 years ago. Updated about 6 years ago.

Status: Resolved
Priority: Low
Assignee: -
Category: Operating System
Target version:
Start date: 12/29/2017
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:

Description

FreeBSD default sshd config is "compression delayed". [1] This defends against vulnerabilities like CVE-2016-10012 [2]. This also came up in a PCI compliance scan FWIW. I'm not aware of any reason not to use "compression delayed".

My pfSense and sshd version info:
2.4.2-RELEASE-p1 (amd64)
built on Tue Dec 12 13:14:55 CST 2017
FreeBSD 11.1-RELEASE-p6

OpenSSH_7.2p2, OpenSSL 1.0.2m-freebsd 2 Nov 2017

Simple patch:

[2.4.2-RELEASE][foo@bar]/root: diff u /etc/sshd.0 /etc/sshd
--
/etc/sshd.0 2017-12-29 18:19:10.642116000 0500
++ /etc/sshd 2017-12-29 18:20:31.265030000 -0500
@ -81,7 +81,7 @
foreach ($keys as $key) {
$sshconf .= "HostKey {$sshConfigDir}/ssh_host_{$key['suffix']}key\n";
}
$sshconf .= "Compression yes\n";
$sshconf .= "Compression delayed\n";
$sshconf .= "ClientAliveInterval 30\n";
$sshconf .= "PermitRootLogin yes\n";
if (isset($config['system']['ssh']['sshdkeyonly'])) {
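Review bot: the `-`/`+` markers on the two changed lines (and the dash in `diff -u`, the `---`/`+++` file headers and the `@@` hunk delimiters) have been lost in the paste, so the hunk as shown will not apply with patch(1); the `-81,7 +81,7` header describes a one-line replacement, so `$sshconf .= "Compression yes\n";` is the removed line and `$sshconf .= "Compression delayed\n";` the added one, and the post should be corrected to show that. The change itself is consistent with the OpenSSH 7.2p2 build listed above and the cited sshd_config(5): `delayed` postpones compression until the user has authenticated, which is what the description relies on against CVE-2016-10012. Since the description also notes that `delayed` is already the FreeBSD default, keeping the line explicit in the generated config is still the right call, so the intent is recorded in the file rather than left to the daemon's built-in default.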

[1] https://www.freebsd.org/cgi/man.cgi?sshd_config(5)
[2] https://nvd.nist.gov/vuln/detail/CVE-2016-10012
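A defender-side check for the setting this issue changes, written here as an added example (it is not part of the pfSense code or of this tracker entry): it parses an sshd_config text the way sshd does for this keyword (case-insensitive name, first value wins, comments ignored, nothing inside a Match block) and reports `Compression yes`. The sample configs are constructed, and the check targets the 7.2-era server on this page; from OpenSSH 7.4 on, pre-authentication compression was removed and `delayed` became a synonym for `yes`.

```python
import re

# Keyword names are case-insensitive and may be separated from the value by
# whitespace or "=".  Per sshd_config(5), the first obtained value for a
# keyword is the one sshd uses, so later duplicates are ignored.
_DIRECTIVE = re.compile(r"^\s*compression\s*[=\s]\s*(\S+)", re.IGNORECASE)

def effective_compression(config_text):
    """Return the Compression value sshd would apply for this config text.

    Everything after the first Match line is skipped: Match blocks run to the
    next Match or end of file, and Compression is not a keyword sshd accepts
    inside one.  A missing directive falls back to the default the issue
    describes for this version, "delayed".
    """
    in_match = False
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if re.match(r"^match\b", stripped, re.IGNORECASE):
            in_match = True
            continue
        if in_match:
            continue
        found = _DIRECTIVE.match(stripped)
        if found:
            return found.group(1).lower()
    return "delayed"

def compression_findings(config_text):
    """Return a list of findings for the config; an empty list means it passes."""
    value = effective_compression(config_text)
    if value == "yes":
        return ["Compression yes enables compression before authentication; "
                "use 'delayed' or 'no' (see CVE-2016-10012)"]
    if value not in ("delayed", "no"):
        return ["Compression value %r is not one sshd accepts (yes/no/delayed)" % value]
    return []

# Constructed samples (not taken from the tracker): what the patched generator
# emits, and the pre-patch config it replaces.
PATCHED_CONFIG = """\
HostKey /etc/ssh/ssh_host_ed25519_key
Compression delayed
ClientAliveInterval 30
PermitRootLogin yes
"""
UNPATCHED_CONFIG = PATCHED_CONFIG.replace("Compression delayed", "Compression yes")

if __name__ == "__main__":
    for name, text in (("patched", PATCHED_CONFIG), ("unpatched", UNPATCHED_CONFIG)):
        print(name, effective_compression(text), compression_findings(text))
```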
