[rancid] Request to remove hardcoded SSH 3des cipher

Mark Felder feld at FreeBSD.org
Tue Aug 16 20:47:23 UTC 2016


Hello,

RANCID broke on my FreeBSD test box running 11.0-PRERELEASE due to a
newer version of OpenSSH. The problem was due to a default SSH cipher
"3des" being hardcoded into the various RANCID modules. I fixed this in
FreeBSD ports/packages by patching RANCID to use the more specific
3des-cbc cipher instead, but this is still not ideal. SSH 2.0 can handle
auto-negotiation of ciphers so there's no reason to force connections to
be 3des by default. I believe this feature could be removed from RANCID
entirely. If needed you can control the ciphers on a per-device basis in
~/.ssh/config.

You should also keep in mind that modern versions of OpenSSH disable
SSHv1, CBC ciphers, and DSA keys. While this is unlikely to affect Linux
distros in the near future, it is still something that should be planned
for. I can't be sure if it's better for RANCID to stop supporting older
devices or to stop supporting newer versions of OpenSSH, but we've
nearly reached a crossroads where this decision needs to be made.


Thanks to all, RANCID has been an invaluable tool.

-- 
  Mark Felder
  ports-secteam member
  feld at FreeBSD.org
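For the per-device approach the message suggests, the following ~/.ssh/config fragment is an added illustration, not something from the post or from RANCID itself. The host name, the address (from the 192.0.2.0/24 documentation range) and the specific legacy algorithms are assumptions chosen to match the kind of device described; substitute whatever name RANCID's login scripts actually pass to ssh for your device.

```sshconfig
# Added example: pin legacy algorithms only for one old device.
# Host name, address and algorithm list are hypothetical.
# The "+name" form appends to OpenSSH's default list, so the
# stronger defaults are still proposed first and this block only
# re-enables what the device needs. The OpenSSH 7.x client
# dropped ssh-dss host keys and diffie-hellman-group1-sha1 from
# its defaults, and later releases dropped 3des-cbc as well.
Host legacy-rtr1
    HostName 192.0.2.10
    Ciphers +3des-cbc
    KexAlgorithms +diffie-hellman-group1-sha1
    HostKeyAlgorithms +ssh-dss
    # Only needed if you authenticate to the device with a DSA key.
    PubkeyAcceptedKeyTypes +ssh-dss

# Every other host keeps the client's built-in defaults.
# Keep this catch-all block last: ssh_config uses the first value
# obtained for each option, so a "Host *" placed above the block
# for legacy-rtr1 would override it.
Host *
    # no algorithm overrides
```

This keeps the weakened settings scoped to the one device that needs them instead of forcing 3DES on every connection RANCID makes, and it means nothing in RANCID has to change when OpenSSH removes another algorithm from its defaults: only the block for the affected device does.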
