
Make the list of SSH server ciphers configurable
Closed, Resolved · Public · BUG

Description

Hi All

I've just started to upgrade my couple of routers running 1.3.4 and have found an issue with 1.4rc1.

For security reasons, on one of my instances I've disabled SSH password authentication and use only user certificates. However, in 1.4rc1, despite the config accepting the certificate, it seems the algorithm isn't enabled with sshd.

Here are the lines of my config:

set system login user chris authentication public-keys chris@router key 'blah blah'
set system login user chris authentication public-keys chris@router type 'ssh-rsa'
set service ssh disable-password-authentication

but I get the following error in the log when I try to connect:

sshd[7380]: userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]

It seems there's been a change in sshd which disabled some old algorithms by default, so luckily the error message is self-explanatory, and if I add the following line to /run/ssh/sshd_conf, all works again (I also re-enabled password authentication before the upgrade just in case, so I could log in):

PubkeyAcceptedAlgorithms +ssh-rsa

...so as part of 1.4 it might be a good idea to consider adding the above in the config upgrades, or to add the option in the CLI (I couldn't seem to find it) and add it if found in the existing config.

Thanks

Chris..

Details

Difficulty level: Unknown (require assessment)
Version: 1.4rc1
Why the issue appeared? Will be filled on close
Is it a breaking change? Perfectly compatible
Issue type: Improvement (missing useful functionality)

Event Timeline

Well, I was checking this issue and I guess we had to consider:

1. The problem here is that the users with this problem are using an old key signed with ssh-rsa-1 that is not considered safe anymore. Do we want users with weak keys to be able to log in?
2. In case we want to support deprecated algorithms, how are we going to do it... silently, or with a setting on the SSH thing like "set service ssh support-unsecure-ciphers" to make the users aware that it is not safe anymore?
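Both questions above turn on whether the generated sshd config lets the SHA-1 ssh-rsa signature algorithm back in (the RSA key type itself still signs with rsa-sha2-256/512, so only clients that can sign only with SHA-1 are affected). As an added example, not VyOS or OpenSSH code, here is a Python check that computes the effective PubkeyAcceptedAlgorithms from sshd_config list syntax, flags SHA-1 signature algorithms in the result, and extracts the rejection message quoted in the report from a log; the default list is a shortened stand-in, and the sample config and log line are constructed.

```python
import re

# Shortened stand-in for the OpenSSH 8.8+ default PubkeyAcceptedAlgorithms
# (an assumption for this example; the real default list is longer). SHA-1
# "ssh-rsa" signatures are absent from it, which is what the report hits.
DEFAULT_PUBKEY_ALGOS = ["ssh-ed25519", "ecdsa-sha2-nistp256",
                        "rsa-sha2-512", "rsa-sha2-256"]
SHA1_SIGNATURE_ALGOS = {"ssh-rsa", "ssh-dss"}
# Keyword plus its legacy alias; Match blocks and wildcards are not handled.
_KEYWORD = re.compile(r"(?i)^PubkeyAccepted(?:Algorithms|KeyTypes)\s+(\S+)")
_REJECT = re.compile(r"sshd\[(\d+)\]: userauth_pubkey: signature algorithm "
                     r"(\S+) not in PubkeyAcceptedAlgorithms")

def effective_pubkey_algos(config_text, default=DEFAULT_PUBKEY_ALGOS):
    """sshd_config list syntax: plain list replaces the default, '+' appends,
    '-' removes, '^' prepends. As in sshd, the first occurrence wins."""
    algos = list(default)
    for raw in config_text.splitlines():
        m = _KEYWORD.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        value = m.group(1)
        items = (value[1:] if value[0] in "+-^" else value).split(",")
        if value.startswith("+"):
            algos += [a for a in items if a not in algos]
        elif value.startswith("-"):
            algos = [a for a in algos if a not in items]
        elif value.startswith("^"):
            algos = items + [a for a in algos if a not in items]
        else:
            algos = items
        break
    return algos

def weak_algos_enabled(config_text):
    """SHA-1 signature algorithms the effective config would accept."""
    return sorted(SHA1_SIGNATURE_ALGOS & set(effective_pubkey_algos(config_text)))

def legacy_signature_failures(log_text):
    """(pid, algorithm) pairs for the rejection message quoted in the report."""
    return [(int(pid), algo) for pid, algo in _REJECT.findall(log_text)]

# Constructed samples: a generated sshd config with the workaround applied,
# and a syslog line in the shape of the one from the report.
SAMPLE_CONFIG = "PasswordAuthentication no\nPubkeyAcceptedAlgorithms +ssh-rsa\n"
SAMPLE_LOG = ("May 19 13:26:00 router sshd[7380]: userauth_pubkey: signature "
              "algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]")
if __name__ == "__main__":
    print("weak algorithms enabled:", weak_algos_enabled(SAMPLE_CONFIG))
    print("legacy-client rejections:", legacy_signature_failures(SAMPLE_LOG))
```

Running it against the output of sshd -T (which prints the effective values) rather than the raw file avoids the Match-block and first-match corner cases.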

syncer renamed this task from SSH certificate issue with 1.4rc1 to Add option to allow unsecure ciphers in SSH. May 19 2024, 1:26 PM
syncer lowered the priority of this task from High to Normal.
HollyGurza changed the task status from Open to In progress. Jun 26 2024, 8:24 AM
HollyGurza moved this task from Need Triage to In Progress on the VyOS 1.4 Sagitta (1.4.0-GA) board.
dmbaturin renamed this task from Add option to allow unsecure ciphers in SSH to Make the list of SSH server ciphers configurable. Jul 3 2024, 1:33 PM
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
dmbaturin changed Issue type from Unspecified (please specify) to Improvement (missing useful functionality).
HollyGurza moved this task from Backlog to Finished on the VyOS 1.4 Sagitta (1.4.1) board.