[rancid] Request to remove hardcoded SSH 3des cipher
Lee
ler762 at gmail.com
Tue Aug 16 21:52:57 UTC 2016
On 8/16/16, Mark Felder <feld at freebsd.org> wrote:
> Hello,
>
> RANCID broke on my FreeBSD test box running 11.0-PRERELEASE due to a
> newer version of OpenSSH. The problem was due to a default SSH cipher
> "3des" being hardcoded into the various RANCID modules. I fixed this in
> FreeBSD ports/packages by patching RANCID to use the more specific
> 3des-cbc cipher instead, but this is still not ideal.
Right - because now the FreeBSD ports version of rancid is different
from everybody else's version of rancid. I'd suggest that changing the
add cyphertype * {3des}
line in cloginrc.sample would have been a better change.
> SSH 2.0 can handle
> auto-negotiation of ciphers so there's no reason to force connections to
> be 3des by default. I believe this feature could be removed from RANCID
> entirely. If needed you can control the ciphers on a per-device basis in
> ~/.ssh/config.
or in ~/.cloginrc
> You should also keep in mind that modern versions of OpenSSH disable
> SSHv1, CBC ciphers, and DSA keys. While this is unlikely to affect Linux
> distros in the near future, it is still something that should be planned
> for. I can't be sure if it's better for RANCID to stop supporting older
> devices or to stop supporting newer versions of OpenSSH, but we've
> nearly reached a crossroads where this decision needs to be made.
I disagree. Change the
add cyphertype * {3des}
line in ~/.cloginrc and add
KexAlgorithms +diffie-hellman-group1-sha1
in ~/.ssh/config and rancid works just fine. Without having to drop
support for anything.
Regards,
Lee
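The per-device approach Lee describes, as an added shell example that is not part of this thread or of RANCID itself: it scopes the legacy cipher and key exchange to a single host in ~/.ssh/config and ~/.cloginrc instead of every host, and first checks that the local OpenSSH client still offers them (using `ssh -Q cipher` / `ssh -Q kex`, with constructed sample output as a fallback so it runs offline). The host name `legacy-router`, the address 192.0.2.1 and the sample algorithm lists are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the rancid-discuss thread or the RANCID project):
# re-enable 3des-cbc and diffie-hellman-group1-sha1 for one legacy device
# only, and check that the local OpenSSH client still supports them before
# relying on the "+" additions.  "legacy-router" and 192.0.2.1 are
# placeholder names.

# Constructed sample of `ssh -Q cipher` and `ssh -Q kex` output (one
# algorithm per line), used when the real command is unavailable.
SAMPLE_CIPHERS="3des-cbc
aes128-ctr
aes256-gcm@openssh.com"
SAMPLE_KEX="diffie-hellman-group1-sha1
curve25519-sha256"

# has_algo LIST NAME: succeed if NAME appears as a whole line in LIST.
has_algo() {
    printf '%s\n' "$1" | grep -qxF -- "$2"
}

# check_client CIPHERS KEX: succeed only when the client offers both the
# legacy cipher and the legacy key exchange the device needs.
check_client() {
    has_algo "$1" 3des-cbc && has_algo "$2" diffie-hellman-group1-sha1
}

# render_ssh_config HOST ADDR: a ~/.ssh/config block limited to HOST.  The
# leading "+" appends to the client's default list instead of replacing
# it, so other hosts keep the modern defaults.
render_ssh_config() {
    printf 'Host %s\n' "$1"
    printf '    HostName %s\n' "$2"
    printf '    Ciphers +3des-cbc\n'
    printf '    KexAlgorithms +diffie-hellman-group1-sha1\n'
}

# render_cloginrc HOST: the per-device ~/.cloginrc line that takes the
# place of the sample file's global "add cyphertype * {3des}".
render_cloginrc() {
    printf 'add cyphertype %s {3des-cbc}\n' "$1"
}

main() {
    ciphers=$(ssh -Q cipher 2>/dev/null || printf '%s' "$SAMPLE_CIPHERS")
    kex=$(ssh -Q kex 2>/dev/null || printf '%s' "$SAMPLE_KEX")
    if check_client "$ciphers" "$kex"; then
        render_ssh_config legacy-router 192.0.2.1
        render_cloginrc legacy-router
    else
        echo "client no longer offers 3des-cbc or diffie-hellman-group1-sha1" >&2
        return 1
    fi
}

main "$@"
```

Paste the printed `Host` block into ~/.ssh/config and the `add cyphertype` line into ~/.cloginrc for that one device; a client that has dropped either algorithm reports it on stderr rather than producing a config that silently fails at login.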