Does pfSense have an old, outdated SSHD version, and how do I update it?
-
Hello community, I have macOS Sequoia 15.7.1 with MacPorts. I don't use Apple's SSHD/SSH; I'm using the MacPorts version of OpenSSH. The version I actually use is openssh @10.2p1_0.
Now, when I connect to my pfSense, I get this warning:
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
[2.8.1-RELEASE] Is there a way to fix that, or to update sshd on pfSense?
Thanks for reading and for your help!
-
The short answer is no. But it will be in the next release: https://github.com/pfsense/FreeBSD-src/commit/8e28d84935f2f0ee081d44f9803f3052b960e50b
However, you should be able to tell the client to connect to it anyway.
-
@stephenw10 OK, thanks for the info. It's no issue for me, as I only allow connecting to my pfSense via SSH from the LAN side; I was just curious and wondered about the warning! Thank you
-
This message is truly bizarre to me, as pfSense should have sntrup761x25519-sha512 already . . .
-
@zcrayfish It happened after I updated my MacPorts stuff; I also saw that OpenSSH was updated last week, and since then I get this message. But it's not worrying me, as I only connect from the LAN side via SSH to my pfSense. As stephenw10 said, it will be updated with the next release. Cheers. By the way, I also have an Ubuntu server which I often connect to via SSH, and there the message doesn't appear (I always keep it up to date).
-
@zcrayfish It appears to, but the script that generates sshd_config at boot does not include either PQ algorithm.
-
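The post above says the binary supports the PQ key exchange but the boot-time generator writes a KexAlgorithms list that leaves it out. The script below is an added example for this thread, not code from pfSense, Netgate or any poster: it audits an sshd_config text for a post-quantum hybrid KEX, filters the candidate names against what the server's own OpenSSH build reports via `ssh -Q kex` (so a name the build does not know, which would stop sshd from starting, is never written), and emits a corrected KexAlgorithms line. The sshd_config and `ssh -Q kex` output embedded here are constructed samples, not captured from pfSense; the algorithm names are the ones OpenSSH ships (sntrup761x25519-sha512@openssh.com since 9.0, mlkem768x25519-sha256 since 10.0).

```shell
#!/bin/sh
# Added example for this thread; not code from pfSense/Netgate or from any poster.
# Audits an sshd_config text for a post-quantum (hybrid) KEX and produces a
# corrected KexAlgorithms line limited to hybrids the server's own OpenSSH build
# reports via `ssh -Q kex`. The config and -Q output below are constructed samples.

# Hybrid PQ KEX names OpenSSH ships, preferred first (mlkem768x25519-sha256 is
# OpenSSH 10.0+; sntrup761x25519-sha512@openssh.com goes back to 9.0).
PQ_KEX='mlkem768x25519-sha256 sntrup761x25519-sha512 sntrup761x25519-sha512@openssh.com'

# Constructed sample: a generated sshd_config whose explicit list omits every PQ hybrid.
SAMPLE_CONFIG='Port 22
Protocol 2
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com'

# Constructed sample: what `ssh -Q kex` prints on an OpenSSH 9.x-era build (no ML-KEM).
SAMPLE_SSH_Q_KEX='diffie-hellman-group14-sha256
diffie-hellman-group-exchange-sha256
curve25519-sha256
curve25519-sha256@libssh.org
sntrup761x25519-sha512@openssh.com'

# Print the value of the first KexAlgorithms directive (sshd uses the first one
# it sees; Match blocks are ignored here). Empty output = compiled-in default.
kex_list() {
    printf '%s\n' "$1" | awk 'tolower($1) == "kexalgorithms" { print $2; exit }'
}

# Return 0 if the config's KEX list offers a PQ hybrid, 1 if an explicit list
# omits them all, 2 if no directive is present (server default applies).
has_pq_kex() {
    list=$(kex_list "$1")
    [ -n "$list" ] || return 2
    case "$list" in -*) return 1 ;; esac   # "-..." removes algorithms, never offers
    list=${list#[+^]}                      # "+"/"^" append/prepend to the default set
    for alg in $(printf '%s' "$list" | tr ',' ' '); do
        for pq in $PQ_KEX; do
            [ "$alg" = "$pq" ] && return 0
        done
    done
    return 1
}

# Filter PQ_KEX down to what the target build supports ($1 = `ssh -Q kex` output),
# as a comma-separated list. An unknown name makes sshd refuse to start.
supported_pq_kex() {
    out=''
    for pq in $PQ_KEX; do
        if printf '%s\n' "$1" | grep -qxF "$pq"; then
            out="${out:+$out,}$pq"
        fi
    done
    printf '%s\n' "$out"
}

# Rewrite the config ($1) so the first KexAlgorithms line starts with the
# hybrids in $2; if there is no directive, add one using "^" so the hybrids
# are placed ahead of the server's default list instead of replacing it.
add_pq_kex() {
    printf '%s\n' "$1" | awk -v pq="$2" '
        tolower($1) == "kexalgorithms" && !done { $2 = pq "," $2; done = 1 }
        { print }
        END { if (!done) print "KexAlgorithms ^" pq }'
}

# Stand-alone demo on the constructed samples.
if has_pq_kex "$SAMPLE_CONFIG"; then
    echo "PQ KEX already offered"
else
    pq=$(supported_pq_kex "$SAMPLE_SSH_Q_KEX")
    [ -n "$pq" ] || { echo "this build supports no PQ KEX; upgrade OpenSSH"; exit 1; }
    echo "No PQ KEX offered; this build supports: $pq"
    add_pq_kex "$SAMPLE_CONFIG" "$pq" | grep -i '^KexAlgorithms'
fi
```

To use this against a real firewall, feed it the live sshd_config and the output of `ssh -Q kex` from the same box, and validate the result with `sshd -t` before restarting. Because pfSense regenerates sshd_config at boot (as the post above notes), a hand edit of the file does not survive a reboot; the change has to go into the generator, which is why the thread uses the System Patches package. On the client side, OpenSSH 10.1 and newer can silence the warning with `WarnWeakCrypto no` in ssh_config, but that only hides the notice; the session still uses a classical key exchange.
-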
Mmm, looks like it should be added, I agree. Let's see.....
Edit: a feature request is already open: https://redmine.pfsense.org/issues/16423
-
Seems to work fine. Here's a patch if you want to test it: 1252.diff
-
@stephenw10 Thank you for your effort! Excuse my silly question: do I have to execute your mentioned patch 1252.diff in the shell of pfSense? I downloaded it already... but I'm not sure what to do with it... or if a file needs to be patched...?
-
Install the System Patches package and then add it as a new patch.
https://docs.netgate.com/pfsense/en/latest/development/system-patches.html
-
@stephenw10 The patch works. I did it like you said and restarted sshd, and now, when I log in via SSH, the message:
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
doesn't appear anymore! Wonderful, I wish I could give a thumbs up... but I'm not allowed to... Big thanks again!
-
Nice! Thanks for testing.