Page MenuHomeVyOS Platform

Make the list of SSH server ciphers configurable
In progress, NormalPublicBUG

Description

Hi All

I've just started to upgrade by couple of routers running 1.3.4 and have found an issue with 1.4rc1.

For security reasons for one of my instances I've disabled SSH password authentication and only user certificates. However, in 1.4rc1, despite the config accepting the certificate, it seems the algorithm isn't enabled with sshd.

Here are the lines of my config:

set system login user chris authentication public-keys chris@router key 'blah blah'
set system login user chris authentication public-keys chris@router type 'ssh-rsa'
set service ssh disable-password-authentication

but I get the following error in the log when I try to connect:

sshd[7380]: userauth_pubkey: signature algorithm ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]

It seems there's been a change in sshd which disabled some old algorithms by default, so luckily the error message is self explanatory and if I add the following line to /run/ssh/sshd_conf, all works again (I also re-enabled password authentication before the upgrade just in case so I could log in):

PubkeyAcceptedAlgorithms +ssh-rsa

..so as part of 1.4 it might be a good idea to consider adding the above in the config upgrades, or add the option in the CLI (I couldn't seem to find it) and add if found in the existing config.

Thanks

Chris..

Details

Difficulty level
Unknown (require assessment)
Version
1.4rc1
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Improvement (missing useful functionality)

Event Timeline

well i was checking this issue and i guess we had to concider

1.the problem here is that the users with this problem are using a old key signed with ssh-rsa-1 that is not concidered safe anymore we want that users with weak keys can login?
2.In case we want to support deprecated algorithms how we going to doit .. silently or setting on the ssh thing like "set service ssh support-unsecure-ciphers" to make aware the users that is not safe anymore?

syncer renamed this task from SSH certificate issue with 1.4rc1 to Add option to allow unsecure ciphers in SSH.May 19 2024, 1:26 PM
syncer lowered the priority of this task from High to Normal.
HollyGurza changed the task status from Open to In progress.Wed, Jun 26, 8:24 AM
HollyGurza moved this task from Need Triage to In Progress on the VyOS 1.4 Sagitta (1.4.0-GA) board.
dmbaturin renamed this task from Add option to allow unsecure ciphers in SSH to Make the list of SSH server ciphers configurable.Wed, Jul 3, 1:33 PM
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
dmbaturin changed Issue type from Unspecified (please specify) to Improvement (missing useful functionality).