Error while upgrading from 1.2.X to 1.3.X when multiple comma-separated ciphers are defined.
Steps to reproduce:
1 - On a fresh install of VyOS 1.2.8:
service ssh ciphers aes128-ctr,aes192-ctr,aes256-ctr
2 - Add 1.3.0 system image and reboot
3 - After reboot, see error in last lines:
[ 20.769494] vyos-router[691]: Mounting VyOS Config...done.
[ 26.181257] vyos-router[691]: Starting VyOS router: migrate rl-system firewall configure failed!
[ 27.076590] vyos-config[708]: Configuration error
Welcome to VyOS - vyos ttyS0
vyos login: vyos
Password:
4 - Verify there's no ssh config loaded:
vyos@vyos:~$ show config comm | grep ssh
vyos@vyos:~$
5 - Load config from config.boot file, verify ssh entries, and try to commit:
vyos@vyos# load /config/config.boot
Loading configuration from '/config/config.boot'
Load complete. Use 'commit' to make changes effective.
[edit]
vyos@vyos# compare
[edit service]
+ssh {
+    ciphers aes128-ctr,aes192-ctr,aes256-ctr
+    port 22
+}
[edit]
vyos@vyos# commit
[ service ssh ciphers aes128-ctr,aes192-ctr,aes256-ctr ]
[ service ssh ciphers aes128-ctr,aes192-ctr,aes256-ctr ]
Invalid value
[[service ssh]] failed
Commit failed
On VyOS 1.3.0, SSH ciphers must be defined in separate entries, not in a single comma-separated one. For this example:
set service ssh ciphers aes128-ctr
set service ssh ciphers aes192-ctr
set service ssh ciphers aes256-ctr
This error is critical when administering the router remotely, because after the upgrade SSH is not loaded at all!
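
A pre-upgrade check for the condition described above, added here as an example (it is not part of the original report and is not VyOS's own migration code): it scans a config.boot for a comma-separated `service ssh ciphers` value and prints the per-cipher `set` commands that the report shows 1.3.0 accepts. It assumes config.boot uses the brace-delimited layout visible in the `compare` output; the function names and the sample config are constructed for illustration.

```python
import sys

# Constructed sample of a 1.2.x config.boot fragment (not from a real router).
SAMPLE_CONFIG = """\
service {
    ssh {
        ciphers aes128-ctr,aes192-ctr,aes256-ctr
        port 22
    }
}
system {
    host-name vyos
}
"""

def find_leaf_values(config_text, path, leaf):
    """Return every value of `leaf` found directly under the node `path`."""
    stack, values = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.endswith("{"):          # entering a node, e.g. "ssh {"
            stack.append(line[:-1].strip())
        elif line == "}":               # leaving the current node
            if stack:
                stack.pop()
        elif stack == path:             # a leaf line inside the target node
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0] == leaf:
                values.append(parts[1].strip('"'))
    return values

def split_cipher_commands(config_text):
    """Return one 'set' command per cipher if a comma-joined value is present."""
    values = find_leaf_values(config_text, ["service", "ssh"], "ciphers")
    if not any("," in v for v in values):
        return []                       # nothing that would trip the upgrade
    ciphers = []
    for value in values:
        for name in (c.strip() for c in value.split(",")):
            if name and name not in ciphers:
                ciphers.append(name)
    return [f"set service ssh ciphers {c}" for c in ciphers]

if __name__ == "__main__":
    # Pass a config.boot path as the first argument, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    commands = split_cipher_commands(text)
    if commands:
        print("Comma-separated SSH ciphers found; 1.3.0 expects:")
        print("\n".join(commands))
    else:
        print("No comma-separated SSH cipher entry found.")
```

Running it against a saved copy of config.boot before adding the 1.3.0 image shows whether SSH will be missing after the reboot, so console access can be arranged in advance.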