Security advisory: OpenSSH CVE-2024-6387 “regreSSHion” – update your servers ASAP

Right, sorry, I only read the last status message.

Here’s some nix-fu for checking whether you have the backported patch:

nix derivation show $(which ssh) | jq -r '.[].inputSrcs[]' | grep CVE-2024
5 Likes

I believe you need $(readlink -f $(which ssh)), otherwise it’ll be looking at the derivation that produced your /run/current-system/sw/bin, rather than the OpenSSH one. (So don’t panic if this seems to indicate you’re still vulnerable.)

8 Likes

Can we determine if a nixos machine is patched with a tool like vulnix?

Yes, vulnix -R $(readlink -f $(which ssh)) will show you if there is an active advisory on it or not. Under the hood, it does something similar to what the nix derivation show/jq/grep proposed a few posts ago does.

3 Likes

It’s worth noting that all these snippets rely on the contents of $PATH, which may or may not match up with whatever is running in the systemd service, especially if user channels or other heavier customization is involved. It’ll work most of the time, of course, but it might not, which is a bit scary. I can’t think of a simple, foolproof and generic check either, though.

Maybe we could make this easier upstream? What do other distros do? “Sadly” this CVE takes too long to exploit to write a simple distro-independent vulnerability checker for it.

3 Likes

Would vulnix -S help with that? Not sure if we can filter to only get openssh result? Otherwise, I guess it would take a while to scan everything.

Not 100% foolproof and generic, but I was doing this to see which sshd are running at the moment:

for p in $(pidof sshd); do readlink /proc/$p/exe; done | sort | uniq -c

Note in particular that switching the systemd service won’t immediately replace all of them. Thankfully, as for servers you’re probably doing the update over ssh.

1 Like

This would have been appreciated, as none of the snippets in this thread works for me (error: '/nix/store/ik1hrivpiw5lkmarlzmpk8armfgpxwcf-openssh-9.7p1' does not have a known deriver).

A quick systemctl status sshd check would be ideal, but it doesn’t scale with either CVEs or time: the name tweak must be removed some time (when the patch doesn’t have to be applied in nixpkgs?)

I take it vulnix -R $(readlink -f $(which ssh)) doesn’t work for you either? I’m not sure what circumstances would cause this.

vulnix fails with the same error, yes.

Thanks. I’m curious if you know any details of your setup that might be unusual – Nix settings, Nixpkgs pins, substituters, overlays, …?

The most likely reason for this to occur is that the machine configuration is built on another machine and then pushed to it.

There is no derivation to show and scan because the derivation exists only on the machine having built the config.

5 Likes
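Putting the pieces of this thread together (the /proc/$p/exe lookup so $PATH does not matter, the nix derivation show grep, and the “does not have a known deriver” failure on hosts whose config was built elsewhere), here is an added example script that is not from any poster in the thread. It assumes, as the earlier grep does, that the backported patch shows up in inputSrcs under a name containing “CVE-2024”.

```shell
#!/bin/sh
# Added example, not from the thread: resolve the binary of every running sshd
# via /proc (independent of $PATH), ask nix for its derivation, and report per
# binary whether a CVE-2024 patch is among its inputs. The "CVE-2024" name
# pattern in inputSrcs is an assumption taken from the grep earlier in the thread.

# classify_derivation_output EXIT_STATUS OUTPUT
# Pure logic with no nix call, so it can be exercised offline.
# Prints one of: patched | unpatched | unknown-deriver | error
classify_derivation_output() {
    status=$1
    out=$2
    if [ "$status" -ne 0 ]; then
        case $out in
            *"does not have a known deriver"*)
                # The config was built on another machine and only the outputs
                # were copied here, so there is no .drv to inspect on this host.
                echo unknown-deriver ;;
            *) echo error ;;
        esac
        return 0
    fi
    if printf '%s\n' "$out" | grep -q 'CVE-2024'; then
        echo patched
    else
        echo unpatched
    fi
}

# One resolved store path per distinct sshd process image. Several paths here
# means an older sshd (e.g. a pre-switch listener or its sessions) is still running.
running_sshd_binaries() {
    for p in $(pidof sshd); do
        readlink -f "/proc/$p/exe"
    done | sort -u
}

scan_running_sshd() {
    for bin in $(running_sshd_binaries); do
        out=$(nix derivation show "$bin" 2>&1)
        status=$?
        printf '%s\t%s\n' "$(classify_derivation_output "$status" "$out")" "$bin"
    done
}

# Run the live scan only when explicitly asked: sh check-sshd.sh scan
if [ "${1-}" = scan ]; then
    scan_running_sshd
fi
```

An unknown-deriver line is not a verdict either way; on such a host you have to check on the machine that built the configuration.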

I did just refactor my whole infra into proper flake modules on 24.05, substituters and overlays included. I’ll put an MWE on the agenda and file an issue if I find anything.

It is indeed on a remote server.

Hello, I apologise if I am asking a potentially stupid question. I’m on the stable 24.05 channel, I upgraded everything and the vulnix command above shows a pleasant green message, so I infer there’s a patch applied on my system.

However, I run this and I see the old version.
sshd --version
unknown option -- -
OpenSSH_9.7p1, OpenSSL 3.0.14 4 Jun 2024

Similarly, on the NixOS Search page I see openssh still has Version: 9.7p1.

My question is: how do you guys get to see 9.8 without being on unstable? Thank you!

We patched 9.6p1 and 9.7p1 with a fix, so everything here is as expected.

3 Likes

Thanks @emily for your work on ensuring NixOS users received prompt OpenSSH updates during this! :+1:

2 Likes