[Bug 2070326] Re: Unable to Disable ChaCha20-Poly1305 Encryption to Mitigate Terrapin SSH Attack
Rajandran
2070326 at bugs.launchpad.net
Tue Jun 25 05:28:26 UTC 2024
** Attachment added: "auth.log"
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2070326/+attachment/5792161/+files/auth.log
https://bugs.launchpad.net/bugs/2070326
Title:
Unable to Disable ChaCha20-Poly1305 Encryption to Mitigate Terrapin
SSH Attack
Status in openssh package in Ubuntu:
New
Bug description:
I've tried the following commands to disable the below cipher but it
is still showing up. Am I missing something here?
echo 'Ciphers -chacha20-poly1305@openssh.com' > /etc/ssh/sshd_config.d/anti-terrapin-attack.conf
echo 'Ciphers -chacha20-poly1305@openssh.com' > /etc/ssh/ssh_config.d/anti-terrapin-attack.conf
systemctl restart sshd
The user Rajandran has reported attempting to disable the ChaCha20-Poly1305 encryption cipher to mitigate the Terrapin SSH attack using the following commands:
echo 'Ciphers -<email address hidden>' > /etc/ssh/sshd_config.d/anti-terrapin-attack.conf
echo 'Ciphers -<email address hidden>' > /etc/ssh/ssh_config.d/anti-terrapin-attack.conf
systemctl restart sshd
However, despite these steps, the cipher is still appearing as available.
Steps to Reproduce:
Edit /etc/ssh/sshd_config.d/anti-terrapin-attack.conf to include Ciphers -<email address hidden>.
Edit /etc/ssh/ssh_config.d/anti-terrapin-attack.conf similarly.
Restart the SSH daemon using systemctl restart sshd.
Check the available ciphers using ssh -Q cipher.
Expected Behavior:
The ChaCha20-Poly1305 cipher should be disabled and not listed among the available ciphers after making the above configuration changes and restarting SSH.
Actual Behavior:
Despite the configuration changes and SSH daemon restart, the ChaCha20-Poly1305 cipher continues to appear in the list of available ciphers.
Additional Information:
Operating System: [Insert OS version]
SSH Version: [Insert SSH version]
Output of ssh -Q cipher before and after attempted configuration changes.
Any relevant logs or error messages from /var/log/auth.log or SSH logs.
Resolution Attempted:
Editing sshd_config and ssh_config files as described.
Restarting SSH daemon.
Impact:
The continued availability of the ChaCha20-Poly1305 cipher leaves the system vulnerable to the Terrapin SSH attack, impacting security.
Next Steps:
Investigate if there are additional configuration changes required or if a different approach is needed to effectively disable the cipher.
Consult SSH documentation or community forums for insights or similar reported issues.
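An added check, not part of the original bug report: `ssh -Q cipher` lists the ciphers the binary supports regardless of configuration, so the effect of the drop-in files has to be read from the effective configuration printed by `sshd -T` (server) or `ssh -G <host>` (client). The function names and the sample dumps below are constructed for illustration.

```shell
#!/bin/sh
# Cipher the bug report is trying to disable.
TARGET='chacha20-poly1305@openssh.com'

# cipher_enabled CONFIG_DUMP CIPHER
# CONFIG_DUMP is the text printed by `sshd -T` or `ssh -G <host>`.
# Returns 0 if CIPHER is in the effective "ciphers" line, 1 if it is not,
# 2 if the dump contains no "ciphers" line at all.
cipher_enabled() {
    line=$(printf '%s\n' "$1" | awk 'tolower($1) == "ciphers" { print $2; exit }')
    [ -n "$line" ] || return 2
    # Wrap in commas so only a whole list entry matches, never a substring.
    case ",$line," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# report CONFIG_DUMP LABEL: print a one-line verdict for TARGET.
report() {
    cipher_enabled "$1" "$TARGET" && rc=0 || rc=$?
    case $rc in
        0) echo "$2: $TARGET is still offered" ;;
        1) echo "$2: $TARGET is not offered" ;;
        *) echo "$2: no ciphers line found" ;;
    esac
}

# Constructed samples shaped like `sshd -T` output (not taken from the bug).
SAMPLE_DEFAULT='port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr,aes128-gcm@openssh.com
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-256'
SAMPLE_HARDENED='port 22
ciphers aes128-ctr,aes256-ctr,aes128-gcm@openssh.com
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-256'

report "$SAMPLE_DEFAULT"  "before drop-in (constructed)"
report "$SAMPLE_HARDENED" "after drop-in (constructed)"
# On a real host, as root:  report "$(sshd -T)" "live sshd"
# For the client side:      report "$(ssh -G localhost)" "live ssh client"
```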