[Bug 2070326] Re: Unable to Disable ChaCha20-Poly1305 Encryption to Mitigate Terrapin SSH Attack

Sam King 2070326 at bugs.launchpad.net
Tue Jun 25 04:50:21 UTC 2024


It sounds like you're encountering difficulties in disabling the
ChaCha20-Poly1305 encryption cipher to mitigate the Terrapin SSH attack.
Your approach to modify the SSH configuration files and restart the SSH
daemon seems correct. Here are a few additional steps and considerations
based on your report:

Steps to Reproduce:

Edit /etc/ssh/sshd_config.d/anti-terrapin-attack.conf to include Ciphers -<email address hidden>.
Edit /etc/ssh/ssh_config.d/anti-terrapin-attack.conf similarly.
Restart the SSH daemon using systemctl restart sshd.
Check the available ciphers using ssh -Q cipher.
Expected Behavior:
The ChaCha20-Poly1305 cipher should be disabled and should not appear in the list of available ciphers after the configuration changes and SSH daemon restart.

Actual Behavior:
Despite making the changes and restarting SSH, the ChaCha20-Poly1305 cipher continues to be listed among the available ciphers.

Additional Information:

Could you please provide the operating system version and SSH version you are using?
It would also be helpful to see the output of ssh -Q cipher before and after making the configuration changes.
Any relevant logs or error messages from /var/log/auth.log or SSH logs might provide clues.
Resolution Attempted:
You've already tried editing the SSH configuration files and restarting the SSH daemon, which is the correct approach.

Impact:
The persistence of the ChaCha20-Poly1305 cipher poses a security risk, leaving the system vulnerable to the Terrapin SSH attack.

Next Steps:

Investigate if there are additional steps or configuration parameters needed to effectively disable the cipher.
Consider consulting SSH documentation or community forums for insights into similar issues reported by others.
If you have any updates or further details, please share them. We're here to help troubleshoot and find a resolution.

Best regards,

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2070326

Title:
  Unable to Disable ChaCha20-Poly1305 Encryption to Mitigate Terrapin
  SSH Attack

Status in openssh package in Ubuntu:
  New

Bug description:
  I've tried the following commands to disable the below cipher but it
  is still showing up. Am I missing something here?

  echo 'Ciphers -chacha20-poly1305@openssh.com' > /etc/ssh/sshd_config.d/anti-terrapin-attack.conf
  echo 'Ciphers -chacha20-poly1305@openssh.com' > /etc/ssh/ssh_config.d/anti-terrapin-attack.conf

  systemctl restart sshd
  The user Rajandran has reported attempting to disable the ChaCha20-Poly1305 encryption cipher to mitigate the Terrapin SSH attack using the following commands:

  echo 'Ciphers -<email address hidden>' > /etc/ssh/sshd_config.d/anti-terrapin-attack.conf
  echo 'Ciphers -<email address hidden>' > /etc/ssh/ssh_config.d/anti-terrapin-attack.conf
  systemctl restart sshd
  However, despite these steps, the cipher is still appearing as available.

  Steps to Reproduce:

  Edit /etc/ssh/sshd_config.d/anti-terrapin-attack.conf to include Ciphers -<email address hidden>.
  Edit /etc/ssh/ssh_config.d/anti-terrapin-attack.conf similarly.
  Restart the SSH daemon using systemctl restart sshd.
  Check the available ciphers using ssh -Q cipher.
  Expected Behavior:
  The ChaCha20-Poly1305 cipher should be disabled and not listed among the available ciphers after making the above configuration changes and restarting SSH.

  Actual Behavior:
  Despite the configuration changes and SSH daemon restart, the ChaCha20-Poly1305 cipher continues to appear in the list of available ciphers.

  Additional Information:

  Operating System: [Insert OS version]
  SSH Version: [Insert SSH version]
  Output of ssh -Q cipher before and after attempted configuration changes.
  Any relevant logs or error messages from /var/log/auth.log or SSH logs.
  Resolution Attempted:

  Editing sshd_config and ssh_config files as described.
  Restarting SSH daemon.
  Impact:
  The continued availability of the ChaCha20-Poly1305 cipher leaves the system vulnerable to the Terrapin SSH attack, impacting security.

  Next Steps:

  Investigate if there are additional configuration changes required or if a different approach is needed to effectively disable the cipher.
  Consult SSH documentation or community forums for insights or similar reported issues.
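The report above verifies the change with ssh -Q cipher, which prints every cipher the OpenSSH binary was compiled with, not the set the configuration actually enables; the effective lists come from sshd -T (server) and ssh -G host (client). The following is an added example, not from the bug report or the openssh package, that checks a config dump for a given cipher; the two dumps are constructed sample output, and the helper name cipher_enabled is ours.

```shell
#!/bin/sh
# Added example: test whether a cipher is still enabled in the *effective*
# OpenSSH configuration. `sshd -T` and `ssh -G host` both print a line like
#   ciphers aes128-ctr,aes192-ctr,...
# whereas `ssh -Q cipher` lists compiled-in algorithms regardless of config.
#
# cipher_enabled DUMP CIPHER -> exit 0 if CIPHER appears in the "ciphers" line
cipher_enabled() {
    dump="$1"
    cipher="$2"
    # pull the comma-separated value of the lowercase "ciphers" keyword
    list=$(printf '%s\n' "$dump" | awk '$1 == "ciphers" { print $2 }')
    # exact, fixed-string match of one list element
    printf '%s\n' "$list" | tr ',' '\n' | grep -qxF -- "$cipher"
}

# Constructed sample dumps standing in for `sshd -T` output before and after
# a drop-in containing "Ciphers -chacha20-poly1305@openssh.com".
BEFORE='port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com'
AFTER='port 22
ciphers aes128-ctr,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com'

# Live use on the host (sshd -T needs root):
#   cipher_enabled "$(sudo sshd -T)" chacha20-poly1305@openssh.com
#   cipher_enabled "$(ssh -G somehost)" chacha20-poly1305@openssh.com
```

If the live check still reports the cipher after the drop-in, the drop-in is not being read (wrong directory, or an earlier Ciphers line taking precedence), which ssh -Q cipher could never reveal.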
