[rancid] Request to remove hardcoded SSH 3des cipher

heasley heas at shrubbery.net
Wed Aug 17 06:05:27 UTC 2016


Tue, Aug 16, 2016 at 05:52:57PM -0400, Lee:
> > You should also keep in mind that modern versions of OpenSSH disable
> > SSHv1, CBC ciphers, and DSA keys. While this is unlikely to affect Linux
> > distros in the near future, it is still something that should be planned
> > for. I can't be sure if it's better for RANCID to stop supporting older
> > devices or to stop supporting newer versions of OpenSSH, but we've
> > nearly reached a crossroads where this decision needs to be made.
> 
> I disagree.  Change the
>   add cyphertype *		{3des}
> line in ~/.cloginrc and add
>   KexAlgorithms +diffie-hellman-group1-sha1
> in ~/.ssh/config and rancid works just fine.  Without having to drop
> support for anything.

There was a time that 3des was the only thing that many devices supported,
but they seem to be the minority now.  Testing against the devices that I
can access, I've found that removing -c, which only allows v1 ciphers but
also affects v2 in openssh, seems to work more often than not.  And there
is the subtle but important nuance that -c can break v2 negotiation,
which implies to me that -c simply should not be used any longer and instead
favor the -o varieties, which allow greater customization in your cloginrc.

So, it seems time to transition, more obvious with some recent EFTs.  I'm
open to other approaches, but it still seems clear that change is necessary.
Try the alpha and give feedback.
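As an added example (not from this thread or from rancid itself), one way to follow the advice above without a global 3des setting: drop the `add cyphertype * {3des}` line from ~/.cloginrc and instead enable the legacy algorithms in ~/.ssh/config only for the devices that still need them, so every other device negotiates with OpenSSH's default lists. The hostnames are constructed placeholders.

```sshconfig
# ~/.ssh/config (added example; hostnames are constructed placeholders)
# Legacy key exchange and cipher are appended (the leading '+' keeps the
# defaults) only for the devices that still require them, replacing the
# global 3des cyphertype that clogin would otherwise pass via -c.
Host old-switch-1.example.net old-router-2.example.net
    KexAlgorithms +diffie-hellman-group1-sha1
    Ciphers +3des-cbc

# All other hosts: no override, so OpenSSH's current default algorithm
# lists are used and v2 negotiation is not constrained by -c.
```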