Page MenuHomeVyOS Platform
Create Task
Maniphest T8098

ssh: defining cipher rijndael-cbc@lysator.liu.se will break SSH daemon
Closed, ResolvedPublicFEATURE REQUEST
Actions

Description

Defining SSH cipher rijndael-cbc@lysator.liu.se as

set service ssh ciphers rijndael-cbc@lysator.liu.se

will break the daemon (found here https://github.com/vyos/vyos-1x/pull/4896#pullrequestreview-3571265564 by @natali-rs1985)

Dec 13 20:08:27 systemd[1]: Starting OpenBSD Secure Shell server...
Dec 13 20:08:27 ip[5411]: /run/sshd/sshd_config line 53: Bad SSH2 cipher spec 'rijndael-cbc@lysator.liu.se'.
Dec 13 20:08:27 systemd[1]: ssh@default.service: Main process exited, code=exited, status=255/EXCEPTION
Dec 13 20:08:27 systemd[1]: ssh@default.service: Failed with result 'exit-code'.
Dec 13 20:08:27 systemd[1]: Failed to start OpenBSD Secure Shell server.
Dec 13 20:08:38 systemd[1]: ssh@default.service: Scheduled restart job, restart counter is at 10.
Dec 13 20:08:38 systemd[1]: Stopped OpenBSD Secure Shell server.

According to https://bbs.archlinux.org/viewtopic.php?id=188613 rijndael-cbc@lysator.liu.se was removed in OpenSSH 6.7 https://www.openssh.org/txt/release-6.7

sshd(8): The default set of ciphers and MACs has been altered to remove unsafe algorithms. In particular, CBC ciphers and arcfour* are disabled by default.

The currently supported cipher list in Debian Bookworm (VyOS 1.4 and VyOS 1.5) is:

vyos@vyos:~$ ssh -Q cipher
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

Details

Version
1.4.3
Is it a breaking change?
Config syntax change (migratable)
Issue type
Feature (new functionality)

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedFEATURE REQUESTc-poT8090 sshd: add support for config test mode
 ResolvedFEATURE REQUESTc-poT8098 ssh: defining cipher rijndael-cbc@lysator.liu.se will break SSH daemon

Event Timeline

c-po created this task.Sat, Dec 13, 7:09 PM
c-po changed the task status from Open to In progress.
c-po claimed this task.
c-po triaged this task as High priority.
c-po added a project: VyOS 1.4 Sagitta (1.4.4).
c-po changed Version from - to 1.4.3.
c-po updated the task description. (Show Details)Sat, Dec 13, 7:19 PM
c-po updated the task description. (Show Details)
c-po updated the task description. (Show Details)Sat, Dec 13, 7:24 PM
c-po added a subscriber: natali-rs1985.
c-po added a comment.Mon, Dec 15, 4:33 PM

https://github.com/vyos/vyos-1x/pull/4896

c-po mentioned this in rVYOSONEXef13a6319a21: ssh: T8098: rename "ciphers" CLI node to "cipher".Mon, Dec 15, 7:33 PM
c-po mentioned this in rVYOSONEX812eea9a3a20: ssh: T8098: remove support for deprecated "rijndael-cbc@lysator.liu.se" cipher.
Restricted Repository Identity mentioned this in rVYOSONEX31ce591f9bd3: Merge pull request #4896 from c-po/ssh-config-test.Mon, Dec 15, 7:33 PM
dmbaturin subscribed.Tue, Dec 16, 5:08 PM

https://www.lysator.liu.se/rijndael/

We could migrate it to aes256-cbc it seems.

dmbaturin removed a project: VyOS 1.4 Sagitta (1.4.4).Tue, Dec 16, 5:12 PM
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Config syntax change (migratable).
c-po moved this task from Need Triage to Completed on the VyOS Rolling board.Wed, Dec 17, 8:02 PM
c-po mentioned this in rVYOSONEX74b9f249cf1f: ssh: T8098: migrate "rijndael-cbc@lysator.liu.se" to "aes256-cbc" cipher.Thu, Dec 18, 3:23 PM
Restricted Repository Identity mentioned this in rVYOSONEXd1d4554a44fc: Merge pull request #4903 from c-po/ssh-migrate-aes256-cbc.Thu, Dec 18, 3:23 PM
c-po closed this task as Resolved.Mon, Dec 22, 8:07 PM