Issues with OpenSsh: updates/patching & maintenance

Last Modified: 2020-10-20
We are having an internal brainstorm on which free (it has to be free) SFTP software
to run on our Win2019 server:
OpenSSH (which is now supported by MS) or the SolarWinds free SFTP server.

Q1:
https://redmondmag.com/articles/2018/12/11/microsoft-now-supports-openssh-in-windows-server-2019.aspx
As OpenSSH is now supported by MS, will OpenSSH patching/updates be supported by WSUS?

Q2:
Is MS rolling out OpenSSH patches, or do we have to get them from the OpenSSH open source site?
Will OpenSSH updates/patches be published together with the Windows monthly update
notifications?

Q3:
The SolarWinds free SFTP server doesn't support key exchange, only credential authentication.

Our Wintel colleague felt that SolarWinds is 'set & forget' software, seldom requiring patching
or updating, while OpenSSH, being open source, tends to have more vulnerabilities & thus
more frequent patching.  The other concern is that this SFTP server will be quite crucial to our
operations, & each time we update/patch it we'll need to verify that services are not affected.

IT Security felt that the ability to support key exchange is crucial, as relying on credential
authentication alone (as in the free SolarWinds) is weaker.

IT Security also felt that with MS support, patching can be facilitated by WSUS, while
SolarWinds patching is not supported by WSUS & patch tracking/deployment
for SolarWinds will be manual: is this correct?

Q4:
Does anyone have a comparison of how frequent SolarWinds SFTP updates/patches
are compared to OpenSSH's updates/patches?

Q5:
Does anyone have experience with issues after updating/patching OpenSSH?
I guess the testing is only a matter of doing an SFTP transfer (or even just
an SSH login to OpenSSH)?   An ex-colleague just shared that the
OpenSSH he obtained from the open source site (not from MS), which has
been in use for the last 3.5 years, does not have an audit trail/logs to investigate
when a transfer fails: is this still missing in MS-supported OpenSSH?

Q6:
Between an SFTP server that's static (hardly needs updates, so the requirement to test after
a patch is lower) vs. an SFTP server that supports key exchange with regular WSUS
patches, which of the two viewpoints/SFTP servers should we opt for?

Q7:
We're placing this SFTP server in the DMZ for internal servers to SFTP to it, while
this server in the DMZ will act as an SFTP client to SFTP out to one of our vendor's
clouds (via the Internet).  Our Wintel colleague argues that, being open source,
it's more vulnerable to attacks (as the source code is publicly available), while
in mitigation IT Security felt that it does not have a public IP (as it acts
as an SFTP client), so the risk of attack via the Internet is lower even though it sits
in the DMZ.  What are your views on the arguments here?
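Q5 asks what "testing" after a patch actually consists of. The script below is an added example written for this thread (not code from the thread, from Microsoft, or from the OpenSSH project) showing what a post-patch smoke test of the in-box Win32-OpenSSH server looks like: record the installed component state and version, confirm sshd is up and listening, then round-trip a random file over SFTP in batch mode and compare SHA-256 hashes. The host name, test account, key path and remote directory are hypothetical placeholders; run it elevated on the server, because Get-WindowsCapability needs administrator rights.

```powershell
# Post-patch smoke test for the in-box Win32-OpenSSH server on Windows Server 2019.
# Added example for this thread, not code from the thread or from Microsoft.
# Hypothetical values (replace with your own): host name, test account, its key
# and the remote directory the account may write to.
param(
    [string]$SftpHost  = 'sftp-dmz.example.internal',
    [string]$SftpUser  = 'sftp-smoketest',
    [string]$KeyPath   = "$env:USERPROFILE\.ssh\sftp-smoketest",
    [string]$RemoteDir = 'upload'
)
$ossh   = Join-Path $env:SystemRoot 'System32\OpenSSH'
$report = [ordered]@{}

# 1. Record what is installed now, so the post-patch run can be compared with
#    the pre-patch one. ssh -V prints its version on stderr, hence 2>&1.
$cap = Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH.Server*'
$report.CapabilityState = $cap.State
$report.Version         = (& "$ossh\ssh.exe" -V 2>&1 | Out-String).Trim()

# 2. Service running and port reachable?
$report.ServiceStatus = (Get-Service -Name sshd).Status
$report.PortOpen      = (Test-NetConnection -ComputerName $SftpHost -Port 22 `
                         -WarningAction SilentlyContinue).TcpTestSucceeded

# 3. Round-trip a random 64 KiB file. BatchMode aborts on the first failing
#    command and sftp exits non-zero, so a half-working server cannot pass.
$local = New-TemporaryFile
$bytes = New-Object byte[] 65536
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
[IO.File]::WriteAllBytes($local.FullName, $bytes)
$back   = "$($local.FullName).back"
$remote = "$RemoteDir/smoketest-$PID.bin"

$batch = New-TemporaryFile
@"
put "$($local.FullName)" $remote
get $remote "$back"
rm $remote
bye
"@ | Set-Content -Path $batch.FullName -Encoding ascii

& "$ossh\sftp.exe" -o BatchMode=yes -o StrictHostKeyChecking=yes `
    -i $KeyPath -b $batch.FullName "$SftpUser@$SftpHost" | Out-Null
$report.SftpExitCode = $LASTEXITCODE
$report.HashMatch = ($LASTEXITCODE -eq 0) -and (Test-Path $back) -and
    ((Get-FileHash $local.FullName -Algorithm SHA256).Hash -eq
     (Get-FileHash $back -Algorithm SHA256).Hash)

Remove-Item $local.FullName, $batch.FullName, $back -ErrorAction SilentlyContinue
[pscustomobject]$report
if (-not $report.HashMatch) { exit 1 }
```

Run it once before the patch and once after, and diff the two reports: a changed Version with HashMatch still True is the result you want. StrictHostKeyChecking=yes also catches a host key that was silently regenerated during the update, which an interactive "just log in" test would wave through with a prompt.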

David Favor (Fractional CTO)
Commented:
Tip: When running Linux software.

Using an actual Linux Distro, that's been around for decades, will always work better than any Microsoft code.

For example, take Ubuntu Focal.

1) This code is LTS (long term service) so updates for 5+ years.

2) Code is free.

3) Code is rock solid.

4) To use ssh/sshd, you install a single ssh package.

5) To use sftp, you install a single package. MySecureShell being the most sane of all SFTP packages I've used on Linux since the 90s.

If you use a Linux Distro like Ubuntu, then everything will work as expected.

If you use WSUS, likely you'll always have to invest additional time... asking questions like those above, rarely having clear answers, then also Microsoft could change its policy about updates anytime or just retire the entire WSUS project.

Using WSUS for Linux is like publishing conservative political videos on YouTube: nothing will work as expected + everything (all rules) can change, rendering your choice a huge problem hole to dig out of... over a very long/expensive timeline.

Tip: If you have unlimited time/budget/will/expertise, use WSUS.

If you have any constraints, use a Linux Distro. Either Ubuntu Focal or CentOS 8.

Author

Commented:
>tried and true PuTTY suite
Is there an SFTP server for PuTTY?  I just know it has ssh, sftp and scp clients.

>sftp bridges are generally a bad idea.
>it is actually more secure in many ways to let your internal hosts connect to the vendor's server directly
We spoke to Oracle's security consultant: if we have a site-to-site VPN/tunnel between Oracle & us where
the tunnel ends in our firewall, yes, we SFTP to Oracle directly & do away with this proxy/staging SFTP in our
DMZ.  However, we are not prepared to have a site-to-site tunnel with Oracle, & at Oracle's end they
have an SFTP proxy too (as they don't want us to SFTP directly to their server).  Permitting two layers of
firewalls to allow SFTP out to Oracle via the Internet is not aligned with the concept of 'network segmentation'
unless we have a point-to-point link with Oracle.

Thanks. My view about patches/support is that, open source or not, it really depends
on the number & quality of people working on it: in its heyday, Sun Microsystems put a lot of
resources into developing Solaris patches, & now that Solaris is sunset (at one time Oracle
made it OpenSolaris, but not many looked at it), the number of CVEs in each quarter's Solaris
patches is now very small.  I worked on OpenVMS: despite its being made open source in its
last ten years or so, there's little interest in it.

I'm not sure if my view below makes sense:
OpenSSH is adopted in many Linuxes & UNIXes, so it can be found in F5 BIG-IP, some
firewalls & Apple's products that are derived from FreeBSD, & maybe older Cisco IOS
as well:  I would say it really depends on how much effort/resource each vendor
puts into further developing/supporting their patches.

Next question: if a vulnerability in the open source OpenSSH is found, will all
vendors (F5, MS, Red Hat) necessarily create patches for it, or will some & some won't?
I think MS, being a big player, would not lag far behind.

I recall when Linux 'Shellshock' was discovered, Red Hat was among the first to
release a patch, & F5 (who derive BIG-IP from CentOS/RHEL) only came out with a
patch a month or two later, while a small PABX vendor whose PABX OS is based
on CentOS would ignore it.

CERTIFIED EXPERT

Commented:
PuTTY is client only.  If you need an OpenSSH server, you really should use Unix/Linux or use Cygwin's OpenSSH until WSL is more mature in another year or 2.  You're basically running their public Beta right now.

I've used OpenSolaris, and you really only use that for Intel boxes, if you're one of the dinosaurs that only uses Solaris or you just need additional boxes in your mostly Sun environment to keep them more compatible.  I also recall that it existed before Oracle bought them.  I've used OpenSolaris sources to recompile and extend their stupid POSIX tools, such as expanding last to display more than just 8 characters in usernames and other stupid limitations of old school POSIX commands.

Oracle killed Solaris.  I've been advocating a move away from it ever since Oracle purchased it and put everything behind their paywall just to get patches.  Anyone not seeing that Oracle was going to screw that up had their blinders on.
CERTIFIED EXPERT

Commented:
I would go for a frugal Linux distro or a BSD variant, maybe OpenBSD if security is indeed important.

And NOT a domain machine, or actually anything using any external auth mechanism of the like.

It should have no internet access except SFTP to the required location and maybe online repositories, and only expose a trivial service to the internal LAN and a monitoring URL.
noci (Software Engineer)
Commented:
When the OpenBSD crew creates a new OpenSSH, it is often distributed by other distros in a matter of days (might depend on the patches needed to port to Linux), not even weeks.

For comparison, there are a few Operating Systems with a better track record than OpenVMS or OpenBSD..... (check the CVE database).
They have FEWER issues in years than Microsoft has in a single version of Windows in an average week.

Solaris had a sunset date; since IBM bought Red Hat, Oracle discovered they also have some OS called Solaris and announced new versions.
(Oracle was also attempting to buy Red Hat...).  How useful is any Oracle claim really?  Oracle has a path behind it littered with gravestones of companies/products they bought and left out to die.
They bought Sun for only one reason: Java.  All the other stuff was really to be dumped (even the hardware etc.... the problem: they also bought the maintenance & support contracts when they bought Sun).

CERTIFIED EXPERT

Commented:
Quite off topic, sorry, but I do regret Sun hardware, Sleepycat's Berkeley DB and many others... Fortunately MariaDB, ZFS and VirtualBox are alive and well... They can keep Java, Sun application servers... Solaris would be a sort of grey zone, but we can hope OpenSolaris, Nexenta and the likes keep it alive. There is little technological point, though, nowadays.
noci (Software Engineer)
Commented:
Also off topic: Sun has (had) a few mainframe-class high-security SPARC-based systems (used primarily in banking) that only had support from Solaris; until those die it needs some support.

On topic: if you need security, go for OpenBSD.

Author

Commented:
Last 2 questions:
Is there any site/link that indicates how many updates of MS OpenSSH
on Win2019 there have been since its release, & since it is an
"on-demand component" of the Windows OS, is OpenSSH's patch
bundled as part of the Windows OS patch or is it a separate patch by itself?

Found on wikiversity.org the release dates of the public OpenSSH (not MS),
so are they indicative of the dates/frequency of updates/patches for MS OpenSSH?
  • OpenSSH 8.4. Security updates for FIDO keys; Sep 2020
  • OpenSSH 8.3. Bug fixes, not security updates; May 2020
  • OpenSSH 8.2. deprecates RSA/SHA1, add FIDO/U2F Support, Feb 2020
  • OpenSSH 8.1, protection for private keys at rest in RAM against Spectre, Meltdowns; released Oct 2019
  • OpenSSH 8.0  mitigation for scp's CVE-2019-6111 & client-side checking; released in Apr 2019.
  • OpenSSH 7.9, bug fixes & new features, not security updates; released in Oct 2018 <= Win2019 started with this?
  • OpenSSH 7.8, Bug fixes & new features, not security updates; released in August 2018.
  • OpenSSH 7.7, released in February 2018. ...
  • OpenSSH 7.6, released in October 2017. ...
  • OpenSSH 7.5, released in March 2017.

There's a suggestion in https://github.com/PowerShell/Win32-OpenSSH/issues/1317
  that recommends not to keep rev'ing up the release of OpenSSH in Windows:


noci (Software Engineer)
Commented:
You can set up ssh so that an account is scponly (no shell access; one still needs to disable tunnelling etc.).
CERTIFIED EXPERT

Commented:
Agreed, but that is done in the sshd config.

I guess you concur there is no point in running a privileged daemon with shell capabilities compared to a simple server running as a dedicated user in a chroot or other container and featuring drop-only file access.

... which is why using SFTP all over the place for "secure" file transfers is very bad as a generic practice.
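The two comments above (an sftp-only account with tunnelling disabled, done in the sshd config) and Q3/Q5 of the question (key-only authentication, a log trail for failed transfers) all come down to the same sshd_config edits. The script below is an added example for this thread, not code from the thread, from Microsoft or from the OpenSSH project. It assumes the in-box Win32-OpenSSH with its config at the default %ProgramData%\ssh\sshd_config and sshd.exe under System32\OpenSSH; the local group name sftp_users and the chroot path C:\sftp are hypothetical. It also handles the one gotcha that breaks naive appends: the default Windows sshd_config already ends with a Match block, and anything appended after a Match line belongs to that block (SyslogFacility is not even legal there), so global keywords are inserted before the first Match and the new Match block goes last.

```powershell
# Harden the in-box Win32-OpenSSH sshd_config for a key-only, sftp-only DMZ host.
# Added example; assumed: default config location, a local group 'sftp_users'
# for transfer accounts and a chroot tree at C:\sftp (both hypothetical). Run elevated.
$cfg = Join-Path $env:ProgramData 'ssh\sshd_config'
Copy-Item -Path $cfg -Destination "$cfg.bak-$(Get-Date -Format yyyyMMddHHmmss)"

# Global directives: keys only, no password or keyboard-interactive logins, and
# file logging (Win32-OpenSSH writes %ProgramData%\ssh\logs\sshd.log when
# SyslogFacility is LOCAL0; otherwise it logs to ETW only).
$global = @(
    '# --- added: keys only, no passwords, log to %ProgramData%\ssh\logs\sshd.log ---'
    'PubkeyAuthentication yes'
    'PasswordAuthentication no'
    'ChallengeResponseAuthentication no'
    'SyslogFacility LOCAL0'
    'LogLevel VERBOSE'
)
# Per-group restrictions: sftp only, no shell/PTY, no forwarding of any kind.
$matchBlock = @(
    ''
    '# --- added: transfer accounts get sftp only, confined to C:\sftp ---'
    'Match Group sftp_users'
    '    ChrootDirectory C:\sftp'
    '    ForceCommand internal-sftp'
    '    AllowTcpForwarding no'
    '    AllowAgentForwarding no'
    '    X11Forwarding no'
    '    PermitTunnel no'
    '    PermitTTY no'
)

$lines = @(Get-Content -Path $cfg)
# Global keywords must precede the first Match line; everything after a Match
# line is scoped to that block, and SyslogFacility is not valid inside one.
$first = ($lines | Select-String -Pattern '^\s*Match\b' | Select-Object -First 1).LineNumber
if ($first) {
    $head = if ($first -gt 1) { $lines[0..($first - 2)] } else { @() }
    $tail = $lines[($first - 1)..($lines.Count - 1)]
    $new  = $head + $global + $tail + $matchBlock
} else {
    $new  = $lines + $global + $matchBlock
}
# ASCII, no BOM: Windows PowerShell's utf8 encoding writes a BOM that sshd
# reports as a "Bad configuration option" on the first line.
Set-Content -Path $cfg -Value $new -Encoding ascii

# Validate before restarting; sshd -t exits non-zero on a broken config.
$sshd = Join-Path $env:SystemRoot 'System32\OpenSSH\sshd.exe'
& $sshd -t -f $cfg
if ($LASTEXITCODE -ne 0) { throw "sshd_config failed validation; restore the .bak copy" }
Restart-Service -Name sshd
```

Keep C:\sftp itself writable only by Administrators and give sftp_users write access to a subdirectory such as C:\sftp\upload (that is the discipline OpenSSH enforces for ChrootDirectory on Unix; treat it as an assumption on Windows and verify with the file ACLs). With LogLevel VERBOSE the resulting sshd.log records each key fingerprint that authenticated and each sftp open/close, which is the audit trail Q5 was asking about.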
CERTIFIED EXPERT

Commented:
I would advocate against scp for the same reasons as SFTP, and additionally scp requires an actual shell.

A secure setup could be a write-only TFTP, HTTP POSTs, ... whatever can run with write-only privs chrooted and is lightweight. Even a trivial netcat or socat can do.

The real question is how to handle dups, confirmations, incomplete file submissions... and the like.

Author

Commented:
We could enable the Windows firewall on that SFTP server to permit SFTP from the
designated internal servers, permitting only supporting ports (eg: NTP, WSUS,
AV updates, CyberArk/PAM access) to this SFTP server.
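The firewall policy sketched in the comment above (and the earlier "no internet access except sftp to the required location" advice) as a concrete, re-runnable Windows Firewall rule set. This is an added example for this thread, not code from the thread or from any vendor; every address below is a hypothetical placeholder from the documentation ranges, and the port choices (WSUS 8530/8531, AV over 443) are assumptions to adjust to your environment. Default-deny in both directions is what makes Q7's "no public IP, so lower risk" argument hold: the host can reach only the vendor endpoint, and only the listed internal hosts can reach it.

```powershell
# Windows Firewall rule set for the DMZ SFTP host: block everything by default,
# then allow only what the thread lists. Added example; all addresses are
# hypothetical and must be replaced with real ones. Run elevated, from the
# console (the default-deny below will cut an RDP/SSH session not listed here).
$Prefix      = 'SFTP-DMZ'
$InternalSrc = @('10.10.5.21', '10.10.5.22')  # internal servers allowed to sftp in (assumed)
$PamHost     = '10.10.9.10'                   # CyberArk/PAM jump host (assumed)
$VendorSftp  = '203.0.113.10'                 # vendor cloud SFTP endpoint (assumed)
$WsusServer  = '10.10.9.20'                   # WSUS, HTTP 8530 / HTTPS 8531 (assumed)
$AvServer    = '10.10.9.30'                   # AV update server over 443 (assumed)
$NtpServer   = '10.10.9.5'                    # internal NTP (assumed)
$DnsServer   = '10.10.9.6'                    # internal DNS (assumed)

# Re-runnable: drop only our own earlier rules, leave the built-in ones alone.
Get-NetFirewallRule -DisplayName "$Prefix *" -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Default deny in both directions on every profile (outbound included, so the
# host cannot reach Windows Update, the vendor's other hosts or anything else).
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block

function Add-DmzRule {
    param([string]$Name, [string]$Dir, [string]$Proto, [string[]]$Remote, [string[]]$Port)
    $p = @{ DisplayName = "$Prefix $Name"; Direction = $Dir; Protocol = $Proto
            RemoteAddress = $Remote; Action = 'Allow'; Profile = 'Any' }
    # Inbound rules pin the local port we serve; outbound rules pin the remote port we call.
    if ($Dir -eq 'Inbound') { $p.LocalPort = $Port } else { $p.RemotePort = $Port }
    New-NetFirewallRule @p | Out-Null
}

# Inbound: SSH/SFTP from the named internal servers, SSH and RDP from the PAM host only.
Add-DmzRule 'SSH in from app servers' Inbound TCP $InternalSrc 22
Add-DmzRule 'SSH in from PAM'         Inbound TCP $PamHost     22
Add-DmzRule 'RDP in from PAM'         Inbound TCP $PamHost     3389

# Outbound: the vendor SFTP endpoint plus the support services, nothing else.
Add-DmzRule 'SFTP out to vendor' Outbound TCP $VendorSftp 22
Add-DmzRule 'WSUS'               Outbound TCP $WsusServer 8530, 8531
Add-DmzRule 'AV updates'         Outbound TCP $AvServer   443
Add-DmzRule 'NTP'                Outbound UDP $NtpServer  123
Add-DmzRule 'DNS'                Outbound UDP $DnsServer  53

Get-NetFirewallRule -DisplayName "$Prefix *" |
    Format-Table DisplayName, Direction, Enabled -AutoSize
```

After applying, check the negative case as well as the positive one: Test-NetConnection to the vendor endpoint on 22 should succeed, while the same test to any other Internet address (or to the vendor on 443) should fail. If the host is not domain-joined, as suggested earlier in the thread, no Kerberos/LDAP/SMB rules are needed at all, which is exactly why that advice shrinks the rule set.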
CERTIFIED EXPERT

Commented:
That would help. But a dedicated LAN, a non-Windows host, and a different protocol would help much more.

Compared to opening just the target IPs over SSH directly from the backend machines, this produces more exposure, so there is little point to even bother setting such a machine up.