[rancid] Request to remove hardcoded SSH 3des cipher

Mark Felder feld at FreeBSD.org
Wed Aug 17 13:20:59 UTC 2016

On Tue, Aug 16, 2016, at 17:19, heasley wrote:
> Please try ftp://ftp.shrubbery.net/pub/rancid/alpha/rancid-3.4.99.tar.gz
> which will be 3.5 and should address this.

Thank you! I will do some testing.

A bit of feedback at first glance: In the FAQ you mention changing the
ssh config:

> Cipher 3des
> Ciphers 3des-cbc

This should be 

> Cipher +3des
> Ciphers +3des-cbc

You want the + so it's adding to those already enabled, not making it
the only one available and downgrading the security of all connections.
This way if a firmware upgrade for the device adds new SSH capabilities
the new connections will auto-negotiate better security.

  Mark Felder
  ports-secteam member
  feld at FreeBSD.org

More information about the Rancid-discuss mailing list