[rancid] Request to remove hardcoded SSH 3des cipher
Mark Felder
feld at FreeBSD.org
Wed Aug 24 13:46:16 UTC 2016
On Wed, Aug 17, 2016, at 09:11, heasley wrote:
> Wed, Aug 17, 2016 at 08:20:59AM -0500, Mark Felder:
> > On Tue, Aug 16, 2016, at 17:19, heasley wrote:
> > > Please try ftp://ftp.shrubbery.net/pub/rancid/alpha/rancid-3.4.99.tar.gz
> > > which will be 3.5 and should address this.
> >
> > Thank you! I will do some testing.
>
> thanks!
>
> > A bit of feedback at first glance: In the FAQ you mention changing the
> > ssh config:
> >
> > > Cipher 3des
> > > Ciphers 3des-cbc
> >
> > This should be
> >
> > > Cipher +3des
> > > Ciphers +3des-cbc
> >
> > You want the + so it's adding to those already enabled, not making it
> > the only one available and downgrading the security of all connections.
> > This way if a firmware upgrade for the device adds new SSH capabilities
> > the new connections will auto-negotiate better security.
>
> thanks!
And hot on the tails of this discussion, an attack on 3DES:
https://www.openssl.org/blog/blog/2016/08/24/sweet32/
3DES will no longer be compiled into OpenSSL by default in 1.1.0.
--
Mark Felder
ports-secteam member
feld at FreeBSD.org
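The replace-versus-append distinction above is easy to get wrong in a config file, and ssh_config's "first obtained value wins" rule adds a second trap: a host-specific block must appear before any catch-all Host * or its Ciphers line is never reached. The script below is an added example, not code from the RANCID project or from anyone in this thread. It models the documented semantics of the Ciphers directive (a bare list replaces the defaults; a "+" prefix appends; newer releases also accept "-" to remove and "^" to prepend) and the RFC 4253 rule that the first entry in the client's list the server also supports is chosen, then runs both configurations against a constructed inventory of three devices. DEFAULT_CIPHERS, the device names and the cipher lists they offer are all assumptions made for the example; on a real host check what the client actually offers with ssh -Q cipher and ssh -G <host>. Note also that the protocol-2 keyword is Ciphers; the singular Cipher only ever applied to SSH protocol 1.

```python
"""Model of how OpenSSH's Ciphers directive edits the client's cipher list.

Added example: not code from the RANCID project or the mailing-list thread.
It reproduces the documented behaviour so the difference between
"Ciphers 3des-cbc" and "Ciphers +3des-cbc" can be checked offline:

  Ciphers a,b     replace the default list with exactly a,b
  Ciphers +a,b    append a,b to the default list (what the post recommends)
  Ciphers -a,b    remove entries matching patterns a,b from the default list
  Ciphers ^a,b    move a,b to the head of the default list

Host patterns use fnmatch as a stand-in for ssh_config matching (no "!"
negation); DEFAULT_CIPHERS is a constructed stand-in for a client's built-in
order.  Compare against "ssh -Q cipher" and "ssh -G <host>" on a real system.
"""
import fnmatch

# Constructed stand-in for a client's built-in preference order (assumption).
DEFAULT_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
]


def apply_ciphers_directive(value, defaults=DEFAULT_CIPHERS):
    """Return the cipher list that results from a single Ciphers directive."""
    value = value.strip()
    prefixed = value[:1] in ("+", "-", "^")
    names = (value[1:] if prefixed else value).split(",")
    if value.startswith("+"):      # append, skipping names already present
        return list(defaults) + [n for n in names if n not in defaults]
    if value.startswith("-"):      # drop every default matching a pattern
        return [c for c in defaults
                if not any(fnmatch.fnmatchcase(c, p) for p in names)]
    if value.startswith("^"):      # prepend, then the remaining defaults
        return names + [c for c in defaults if c not in names]
    return names                   # no prefix: the default list is replaced


def effective_ciphers(config_text, hostname, defaults=DEFAULT_CIPHERS):
    """Cipher list the client offers to `hostname` under this ssh_config text.

    ssh_config keeps the first value obtained for each keyword, so a
    host-specific block must come before any catch-all "Host *".
    """
    chosen = None
    active = True          # lines before the first Host block apply everywhere
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition(" ")
        key, val = key.lower(), val.strip()
        if key == "host":
            active = any(fnmatch.fnmatchcase(hostname, p) for p in val.split())
        elif key == "ciphers" and active and chosen is None:
            chosen = val
    return apply_ciphers_directive(chosen, defaults) if chosen else list(defaults)


def negotiate(client_prefs, server_supports):
    """RFC 4253 section 7.1: the first entry in the client's list that the
    server also supports is chosen; None means the key exchange fails."""
    return next((c for c in client_prefs if c in server_supports), None)


# Constructed device inventory (assumption): what each SSH server offers.
DEVICES = {
    "old-switch1": ["3des-cbc"],                                  # 3DES only
    "core-router": ["aes256-ctr", "aes128-ctr",
                    "chacha20-poly1305@openssh.com", "3des-cbc"],  # still has 3DES
    "old-switch2": ["aes256-ctr", "aes128-ctr"],                  # upgraded, no 3DES
}

# The FAQ wording applied globally: every host is pinned to 3des-cbc.
WEAK_CONFIG = """
Ciphers 3des-cbc
"""

# The fix from the post, scoped to the hosts that need it, ahead of "Host *".
BETTER_CONFIG = """
Host old-switch*
    Ciphers +3des-cbc
Host *
    ServerAliveInterval 30
"""


def compare(config_text, devices=DEVICES):
    """Map each hostname to the cipher that would be negotiated (or None)."""
    return {host: negotiate(effective_ciphers(config_text, host), offered)
            for host, offered in devices.items()}


if __name__ == "__main__":
    for label, cfg in (("Ciphers 3des-cbc", WEAK_CONFIG),
                       ("Ciphers +3des-cbc", BETTER_CONFIG)):
        print(label)
        for host, cipher in compare(cfg).items():
            print(f"  {host:12} -> {cipher or 'NEGOTIATION FAILS'}")
```

Running it shows the two failure modes the post warns about: with the bare directive the modern router is downgraded to 3des-cbc and the upgraded switch cannot connect at all, whereas with "+3des-cbc" inside a Host block the legacy switch still gets 3DES, the router negotiates the client's first choice, and the upgraded switch picks up aes128-ctr without any config change.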