[rancid] Request to remove hardcoded SSH 3des cipher

heasley heas at shrubbery.net
Tue Aug 16 22:19:23 UTC 2016

Tue, Aug 16, 2016 at 03:47:23PM -0500, Mark Felder:
> Hello,
> RANCID broke on my FreeBSD test box running 11.0-PRERELEASE due to a
> newer version of OpenSSH. The problem was due to a default SSH cipher
> "3des" being hardcoded into the various RANCID modules. I fixed this in
> FreeBSD ports/packages by patching RANCID to use the more specific
> 3des-cbc cipher instead, but this is still not ideal. SSH 2.0 can handle
> auto-negotiation of ciphers so there's no reason to force connections to
> be 3des by default. I believe this feature could be removed from RANCID
> entirely. If needed you can control the ciphers on a per-device basis in
> ~/.ssh/config.
> You should also keep in mind that modern versions of OpenSSH disable
> SSHv1, CBC ciphers, and DSA keys. While this is unlikely to affect Linux
> distros in the near future, it is still something that should be planned
> for. I can't be sure if it's better for RANCID to stop supporting older
> devices or to stop supporting newer versions of OpenSSH, but we've
> nearly reached a crossroads where this decision needs to be made.

Please try ftp://ftp.shrubbery.net/pub/rancid/alpha/rancid-3.4.99.tar.gz
which will be 3.5 and should address this.

More information about the Rancid-discuss mailing list