[rancid] Request to remove hardcoded SSH 3des cipher

Lee ler762 at gmail.com
Tue Aug 16 21:52:57 UTC 2016

On 8/16/16, Mark Felder <feld at freebsd.org> wrote:
> Hello,
> RANCID broke on my FreeBSD test box running 11.0-PRERELEASE due to a
> newer version of OpenSSH. The problem was due to a default SSH cipher
> "3des" being hardcoded into the various RANCID modules. I fixed this in
> FreeBSD ports/packages by patching RANCID to use the more specific
> 3des-cbc cipher instead, but this is still not ideal.

Right - because now the FreeBSD ports version of rancid is different
from everybody else's version of rancid.  I'd suggest that changing
add cyphertype  *  {3des}
line in cloginrc.sample would have been a better change.

> SSH 2.0 can handle
> auto-negotiation of ciphers so there's no reason to force connections to
> be 3des by default. I believe this feature could be removed from RANCID
> entirely. If needed you can control the ciphers on a per-device basis in
> ~/.ssh/config.

or in ~/.cloginrc

> You should also keep in mind that modern versions of OpenSSH disable
> SSHv1, CBC ciphers, and DSA keys. While this is unlikely to affect Linux
> distros in the near future, it is still something that should be planned
> for. I can't be sure if it's better for RANCID to stop supporting older
> devices or to stop supporting newer versions of OpenSSH, but we've
> nearly reached a crossroads where this decision needs to be made.

I disagree.  Change the
  add cyphertype *		{3des}
line in ~/.cloginrc and add
  KexAlgorithms +diffie-hellman-group1-sha1
in ~/.ssh/config and rancid works just fine.  Without having to drop
support for anything.


More information about the Rancid-discuss mailing list