How to upgrade SSH version on FreeNAS?

Status
Not open for further replies.
Joined
Jun 12, 2014
Messages
5
Hi everyone,

New user here... I've been searching around trying to find out how to upgrade sshd for security reasons without much help. In general it seems like installing packages is much more difficult on FreeBSD than Ubuntu/Mint/Debian/RedHat/SUSE/etc. and I'm kind of wondering why that is the case. The repos by default aren't working and to me that really seems off. These give the errors seen in #2 below.

Anyway, I tried:
1. Downloading the package directly from OpenSSH and extracting, configuring, make, and make install and it didn't end up changing the ssh -v
2. Adding pkg+ to the repo in /usr/local/etc/pkg.conf and running pkg update and then pkg upgrade, which only gives me => problems pkg: PACKAGESITE in pkg.conf is deprecated. Please create a repository configuration file
3. pkg_add -r openssh-portable installs but also does not update ssh -v
All I want to do is update packages, how on earth does everyone do it?
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Well, are you trying to do this in a jail or in FreeNAS itself? If it's part of FreeNAS itself you don't upgrade it. You get the version that FreeNAS comes with, and you install the upgrade for FreeNAS when it comes out (or compile FreeNAS yourself with the appropriate version).

If you are trying to do this inside the jail the jail is nothing more than a standard FreeBSD install and is beyond the scope of this forum. ;)
 
Joined
Jun 12, 2014
Messages
5
Thanks for the swift response. I'm trying to do this directly to the FreeNAS system for remote administration and so, as you can imagine, security is a concern. Especially with recently released vulnerabilities in this space... OpenSSH_6.2p2, OpenSSL 0.9.8y 5 Feb 2013 is far too old. Does everybody here just assume the risk of having an out-of-date SSH/SSL? I can't see a significant portion of those here going out and compiling their own OS when they want a newer package. I also can't be the only person here concerned about running vulnerable versions.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
You are correct. But, there's a few catches.

1. If you aren't running FreeNAS behind a firewall you've already failed security 101 as the manual says that the system has not been tested to be in a stand-alone open-to-the-world configuration. We've had very heated fights over this and other file server appliances make the same recommendation.
2. If you aren't behind a firewall your OpenSSL is the absolute least of your concerns. It's trivial to engage in a distributed attack to crack your passwords and what-not.
3. The version numbers aren't exactly correct as the ports tree FreeNAS is compiled with shows a particular version number, but that version number doesn't necessarily reflect reality. Had a discussion about this over a year ago and the general feeling is that as an appliance based OS the version numbers don't matter too much as long as the FreeNAS developers stay on top of things. If you can actually provide a proof-of-concept attack that should be patched but isn't then we have a problem. But if you are going by version numbers alone you are going to be proven wrong more often than right (assuming you get any of them right). iX has a developer that has some FreeBSD security certification (sorry, don't remember which) and he handles all security issues.

If you have a proof-of-concept attack that successfully attacks any part of FreeNAS you should definitely file a ticket. If you have concerns you are welcome to jump in IRC and talk to _jkh_ as he is the CTO and is typically in IRC between 9pm and midnight CST. I'm sure he'd be happy to discuss any concerns you have with you.
 
Joined
Jun 12, 2014
Messages
5
I understand your point. But let's forget the version numbers for now and get to facts. Last night I scanned the inbox FreeNAS 9.2.1.5 which revealed a high threat vulnerability: NVT: OpenSSL CCS Man in the Middle Security Bypass Vulnerability; CVE-2014-0224. This has been fixed in 0.9.8za and above. See here: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224

It would be nice if we had a method of upgrading to this at the system level without having to wait or recompile the ISO. I for one don't want to be sitting on this or any other that comes out between now and 9.2.1.6 release. Hopefully someone here is seasoned in grabbing the newest packages into a FreeNAS installation!

Thanks!
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
I agree, and that will change in the future. But, this is an appliance based OS, and as such there are limitations with what it provides. Just like that home router you have, you are limited to what is offered and provided.

Like I said, if this is such a problem feel free to compile it yourself. There are benefits to having the knowledge to do things yourself. You can also choose to upgrade to the latest beta.

If this isn't to your satisfaction then my only advice is to seek out an alternative OS to use that isn't an appliance-based OS.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
> @austin comstock, FreeNAS 9.3, i.e. the next version after 9.2.1.6, is planned to allow upgrade of modules.

Not quite. It allows for patches to be issued without having to upgrade the whole OS.
 
Joined
Jun 12, 2014
Messages
5
Glad to see they're planning on including it in 9.2.1.6 at the very least. Can anybody confirm if it's in the nightly/beta?
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Updated my Mini 2 nights ago...

Code:
[root@mini] ~# openssl version -a
OpenSSL 0.9.8za-freebsd 5 Jun 2014
built on: date not available
platform: FreeBSD-amd64
options:  bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,16,int) blowfish(idx)
compiler: cc
OPENSSLDIR: "/etc/ssl"
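An added example (not from the thread or from FreeNAS) that turns the version check discussed above into a script: it classifies an `openssl version` string as before or after the CVE-2014-0224 fix, covering the 0.9.8za fix point the thread names and, going beyond the thread, the 1.0.0m and 1.0.1h fix points from the OpenSSL advisory of 5 June 2014. The sample strings are constructed; on a real host you would pass "$(openssl version)".

```shell
#!/bin/sh
# Added example, not from the thread: classify an `openssl version` string by
# whether it predates the CVE-2014-0224 (CCS injection) fix. The thread covers
# only the 0.9.8 branch (fixed in 0.9.8za); the 1.0.0m and 1.0.1h fix points
# below come from the OpenSSL advisory of 5 June 2014.
# Caveat raised in the thread: vendor builds may carry backported fixes, so a
# version string is only a triage hint; a scanner or handshake test is the
# confirming check.

# Prints "fixed", "vulnerable" or "unknown" for one version string.
ccs_status() {
    # Keep "0.9.8za" from "OpenSSL 0.9.8za-freebsd 5 Jun 2014".
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    if [ -z "$ver" ]; then echo unknown; return 0; fi
    branch=${ver%%[a-z]*}      # numeric part, e.g. 0.9.8
    suffix=${ver#"$branch"}    # letter part, e.g. za (may be empty)
    case $branch in
        0.9.8) want=za ;;
        1.0.0) want=m ;;
        1.0.1) want=h ;;
        *) echo unknown; return 0 ;;   # branch not covered by this advisory
    esac
    # OpenSSL letter suffixes sort lexically (y < z < za < zb), so the larger
    # of the two strings under C-locale sort is the newer release.
    newer=$(printf '%s\n%s\n' "$suffix" "$want" | LC_ALL=C sort | tail -n 1)
    if [ "$newer" = "$suffix" ]; then echo fixed; else echo vulnerable; fi
}

# Constructed sample strings: the two builds mentioned in the thread plus a
# few other branches. On a live host use: ccs_status "$(openssl version)"
for line in \
    'OpenSSL 0.9.8y 5 Feb 2013' \
    'OpenSSL 0.9.8za-freebsd 5 Jun 2014' \
    'OpenSSL 1.0.1g 7 Apr 2014' \
    'OpenSSL 1.0.1h 5 Jun 2014' \
    'OpenSSL 1.0.2-beta1 24 Feb 2014'
do
    printf '%-40s %s\n' "$line" "$(ccs_status "$line")"
done
```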
 
Joined
Jun 12, 2014
Messages
5
I also confirmed last night the latest nightly 9.2.1.6 build contains OpenSSL 0.9.8za. Issued a rescan and the high vulnerability went away! :)

For future encounters, does anybody have a guide on hand for compiling a FreeNAS installation iso/txz with one or more newer packages such as openssh? Does this work for just fresh installations or can it be used to upgrade through the GUI, etc.? I briefly looked around last night before bed and couldn't find much.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
There's a semi-useful guide on GitHub.
 