Hi smartos-discuss,
I've played a bit with SmartOS and found out that I can't really use SunSSH to connect to recent OpenBSD (5.7), because the ciphers don't really overlap.

[root@70-71-bc-8b-6f-b1 ~]# ssh 192.168.4.1
no common kex alg: client 'diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1', server 'curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1'

So I grabbed OpenSSH 6.9 via pkgin and have some observations:

1. The sshd method's -c option does not really generate keys if sshd uses the default paths (i.e. HostKey is hashed out; it doesn't tell a thing about whether the key is enabled or disabled). If the keys are enabled, it generates only dsa and rsa keys (it ignores ecdsa and ed25519).

2. svcadm restart openssh kills all sessions. I have no idea why; Alpine Linux and OpenBSD use HUP to restart the daemon and sessions do stay alive. It seems that this is because of privsep not being used/compiled ... I have manually compiled OpenSSH 7.0 with LibreSSL and privsep support, and sending HUP to the master process reloads the config file (I've added a banner) and keeps sessions open.

Is there a description of the pkgsrc package build process somewhere? I'm not exactly sure where to fix the openssh package and how to send the fix in ...

Are there any plans to switch from SunSSH to OpenSSH in the base zone image and in the hypervisor?

Thank you,
Jan

### proof that privsep is not working, in all cases only one remote SSH user logged in ###

### SMARTOS zone 15.2
janus@ssh15:/$ ps -ef | grep ssh
    root 10894  9790   0 22:17:42 ?           0:00 /opt/local/sbin/sshd
    root 10902 10894   0 22:18:08 ?           0:00 /opt/local/sbin/sshd -R
    root 10278  9818   0 21:41:12 console     0:00 /usr/lib/saf/ttymon -g -d /dev/console -l console -m ldterm,ttcompat -h -p ssh1
   janus 10921 10903   0 22:18:34 pts/2       0:00 grep ssh

### SMARTOS zone 14.x LTS
janus@sshtest:/$ ps -ef | grep ssh
    root 10980  6793   0 22:35:44 ?           0:00 /opt/local/sbin/sshd -R
    root  6793  3304   0 21:29:09 ?           0:00 /opt/local/sbin/sshd
    root  6769  3462   0 21:29:08 console     0:00 /usr/lib/saf/ttymon -g -d /dev/console -l console -m ldterm,ttcompat -h -p ssht
   janus 11006 10981   0 22:36:14 pts/1       0:00 grep ssh

# SMARTOS zone 14.x LTS, openssh 7.0 + libressl compiled by hand
janus@base:/$ ps -ef | grep ssh
    root 11046 11043   0 22:37:34 ?           0:00 /opt/sbin/sshd -R
   janus 11055 11049   0 22:37:39 pts/1       0:00 grep ssh
   janus 11048 11046   0 22:37:36 ?           0:00 /opt/sbin/sshd -R
   ^^^^^^^^^^ WORKS FINE
    root 11043  3409   0 22:37:22 ?           0:00 /opt/sbin/sshd

### SSH METHOD START - diff against SmartOS 15.2 - to generate keys ###
--- /root/sshd.orig Thu Aug 13 21:45:35 2015 +++ /opt/local/lib/svc/method/sshd Thu Aug 13 22:31:46 2015 @@ -9,8 +9,10 @@ KEYGEN="/opt/local/bin/ssh-keygen -q" PIDFILE=/var/run/sshd.pid -# Checks to see if RSA, and DSA host keys are available +# Checks to see if RSA1, RSA, DSA, ECDSA and ED25519 host keys are available # if any of these keys are not present, the respective keys are created. +# Match for hashed out keys too, this means only default path. +# Does not tell if keys are enabled/disabled. create_key() { keypath=$1 @@ -17,12 +19,9 @@ keytype=$2 if [ ! -f $keypath ]; then - grep "^HostKey $keypath" $SSHDIR/sshd_config > /dev/null 2>&1 - if [ $? -eq 0 ]; then echo Creating new $keytype public/private host key pair $KEYGEN -f $keypath -t $keytype -N '' return $? - fi fi return 0
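Review bot: the comment added in the @@ -9,8 +9,10 @@ hunk, "Match for hashed out keys too, this means only default path", describes behaviour the patch does not implement: the next hunk deletes the HostKey grep outright rather than extending it to commented-out lines, so create_key no longer matches anything in sshd_config. Reword the comment to say that keys are created unconditionally for whatever path is passed in (the existing "Does not tell if keys are enabled/disabled" line is the accurate half), and move the "RSA1, RSA, DSA, ECDSA and ED25519" type list to the -c caller, since create_key takes its type as $2 and has no list of its own.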
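Review bot: in the @@ -17,12 +19,9 @@ hunk, removing `grep "^HostKey $keypath" $SSHDIR/sshd_config` and the `if [ $? -eq 0 ]` around it makes create_key write a key for every path it is handed, including types an administrator has deliberately left out of sshd_config. The original test only misfired because the shipped config carries its HostKey lines commented out, so the smaller fix is to keep the test and accept both forms: `grep -E "^#?HostKey $keypath" $SSHDIR/sshd_config > /dev/null 2>&1`. If the unconditional behaviour is really wanted, the echo, `$KEYGEN -f $keypath -t $keytype -N ''` and `return $?` lines that sat inside the removed inner if should be dedented one level so they read as the body of `if [ ! -f $keypath ]`.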
@@ -36,10 +35,13 @@ # arguments.. case $1 in - # sysidconfig/sys-unconfig arguments (-c and -u) '-c') + # copycat OpenBSD behavior - generate all keys by default + create_key $SSHDIR/ssh_host_key rsa1 create_key $SSHDIR/ssh_host_rsa_key rsa create_key $SSHDIR/ssh_host_dsa_key dsa + create_key $SSHDIR/ssh_host_ecdsa_key ecdsa + create_key $SSHDIR/ssh_host_ed25519_key ed25519 ;; '-u')
### METHOD DIFF END ###

-- 
Be the change you want to see in the world.
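Review bot: the new `create_key $SSHDIR/ssh_host_key rsa1` line in the @@ -36,10 +35,13 @@ hunk generates a protocol-1 host key, which is a step backwards rather than parity with OpenBSD: OpenSSH 7.0, the version this message says was built by hand, disables protocol 1 at compile time by default, so `ssh-keygen -t rsa1` fails there with an unknown key type, and on the pkgsrc 6.9 build the key is only ever loaded if `Protocol 1` is switched on in sshd_config. Drop the rsa1 line, or replace the five create_key calls with a single `$KEYGEN -A`, which creates every host key type the installed ssh-keygen supports, skips the ones that already exist, and takes an empty passphrase; it writes to ssh-keygen's compiled-in config directory, so check that this matches $SSHDIR. The dsa line deserves the same look, since 7.0 also disables ssh-dss host keys at run time by default.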
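The three ps listings in Jan's message were read by eye to decide whether privilege separation is in effect: with privsep, a logged-in session shows an unprivileged `sshd -R` child (owned by the login user, or by the sshd user before authentication) whose parent is an sshd process, while without privsep every sshd process is root. The following shell function applies that same test mechanically to `ps -ef` output. It is an added example, not code from Jan's message or from the pkgsrc or SmartOS sshd packages; the sample listings are copied from the message, and the function name, the eight-column `ps -ef` layout and the `/sshd` binary name are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or the pkgsrc package):
# classify sshd processes in `ps -ef` output to tell whether privilege
# separation is in effect. With privsep, each connection has an
# unprivileged `sshd -R` child (the "sshd" user before authentication,
# the login user after it) under a root `sshd -R` monitor. Without
# privsep all sshd processes run as root, and a restart of the master
# has no monitor/child split that could keep existing sessions alive.

# Constructed sample input: the three `ps -ef | grep ssh` listings
# quoted in the message, one login session in each case.
ZONE_15_2='root 10894 9790 0 22:17:42 ? 0:00 /opt/local/sbin/sshd
root 10902 10894 0 22:18:08 ? 0:00 /opt/local/sbin/sshd -R
root 10278 9818 0 21:41:12 console 0:00 /usr/lib/saf/ttymon -g -d /dev/console -l console -m ldterm,ttcompat -h -p ssh1
janus 10921 10903 0 22:18:34 pts/2 0:00 grep ssh'

ZONE_14_LTS='root 10980 6793 0 22:35:44 ? 0:00 /opt/local/sbin/sshd -R
root 6793 3304 0 21:29:09 ? 0:00 /opt/local/sbin/sshd
root 6769 3462 0 21:29:08 console 0:00 /usr/lib/saf/ttymon -g -d /dev/console -l console -m ldterm,ttcompat -h -p ssht
janus 11006 10981 0 22:36:14 pts/1 0:00 grep ssh'

HAND_BUILT_7_0='root 11046 11043 0 22:37:34 ? 0:00 /opt/sbin/sshd -R
janus 11055 11049 0 22:37:39 pts/1 0:00 grep ssh
janus 11048 11046 0 22:37:36 ? 0:00 /opt/sbin/sshd -R
root 11043 3409 0 22:37:22 ? 0:00 /opt/sbin/sshd'

# privsep_status PS_EF_OUTPUT
# Prints one word: "privsep" when some sshd process runs as a non-root
# user and its parent is another sshd process, "no-privsep" when sshd
# processes exist but all of them run as root, "no-sshd" when none were
# found. Exit status is 0 only for "privsep".
privsep_status() {
    printf '%s\n' "$1" | awk '
        # ps -ef columns (assumed): UID PID PPID C STIME TTY TIME CMD [ARGS...]
        # Match only the sshd binary itself, not "grep ssh" or ttymon.
        $8 ~ /\/sshd$/ { is_sshd[$2] = 1; uid[$2] = $1; ppid[$2] = $3; n++ }
        END {
            if (n == 0) { print "no-sshd"; exit 1 }
            for (p in is_sshd)
                if (uid[p] != "root" && (ppid[p] in is_sshd)) {
                    print "privsep"; exit 0
                }
            print "no-privsep"; exit 1
        }'
}

# Same test against the running system; needs at least one open SSH
# session so that a post-authentication child exists to be found.
privsep_status_live() {
    privsep_status "$(ps -ef)"
}

for sample in ZONE_15_2 ZONE_14_LTS HAND_BUILT_7_0; do
    eval "listing=\$$sample"
    printf '%-15s %s\n' "$sample" "$(privsep_status "$listing")"
done
```

On a live box, run `privsep_status_live` from an existing SSH session after sending HUP to the master (the method script's PIDFILE, /var/run/sshd.pid, holds its PID); "privsep" is the state in which the reload keeps sessions open. The awk program uses `in` and associative arrays, so on SmartOS use nawk or /usr/xpg4/bin/awk if /usr/bin/awk is the old awk.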
