[Bug 2070326] Re: Unable to Disable ChaCha20-Poly1305 Encryption to Mitigate Terrapin SSH Attack
Sergio Durigan Junior
2070326 at bugs.launchpad.net
Wed Jun 26 16:24:55 UTC 2024
Hello,
"ssh -Q cipher" will output the ciphers supported by your SSH *client*,
not the server. What you did by creating the file
/etc/ssh/sshd_config.d/anti-terrapin-attack.conf is to disable the
cipher on the *server*, and that should have worked fine. You can
confirm that the server does not support the cipher anymore by issuing
the following command:
# sshd -T | grep -i ciphers
I am going to mark this bug as Invalid because I could confirm that
disabling the cipher works fine here. If you still experience any
issues, feel free to reopen it.
Thanks.
** Changed in: openssh (Ubuntu)
Status: New => Invalid
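As an added illustration (not part of this bug thread, and not code from Ubuntu's openssh package), the POSIX shell script below makes the distinction in the reply concrete and also covers the reporter's steps: "ssh -Q cipher" lists what the client binary was built with, so the check that matters is the server's effective configuration from "sshd -T". The script parses constructed "sshd -T" output to see whether chacha20-poly1305@openssh.com is still offered by the server, and it emulates the "Ciphers -name" removal syntax used in the drop-in file against a constructed default cipher list. The sample outputs, the default cipher order and the function names are assumptions; removal is done by exact name only, which is a simplification of sshd's pattern matching.

```shell
#!/bin/sh
# Added example (not from the bug report or Ubuntu): checks the *server's*
# effective cipher list from "sshd -T" output and emulates the "-" prefix of
# the sshd_config Ciphers keyword. All sample data below is constructed.

# Constructed "sshd -T" output on a host still running the default cipher set
# (assumption: this order of defaults).
SSHD_T_DEFAULT='ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com'

# Constructed "sshd -T" output after a drop-in file containing
# "Ciphers -chacha20-poly1305@openssh.com" is loaded and sshd restarted.
SSHD_T_HARDENED='ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com'

# Constructed default list used by apply_cipher_spec (assumption).
DEFAULT_CIPHERS='chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com'

# server_offers_cipher "<sshd -T output>" "<cipher name>"
# Returns 0 when the "ciphers" line of the effective server config contains
# the cipher as a whole list entry, 1 otherwise. Substring matches such as
# "grep chacha" would also hit unrelated names, so entries are compared exactly.
server_offers_cipher() {
    _out=$1
    _cipher=$2
    printf '%s\n' "$_out" | awk -v want="$_cipher" '
        $1 == "ciphers" {
            n = split($2, list, ",")
            for (i = 1; i <= n; i++) if (list[i] == want) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# apply_cipher_spec "<default list>" "<Ciphers value>"
# Prints the resulting list. A value starting with "-" removes the named
# ciphers from the default set (exact names only here; sshd also accepts
# wildcards). A value without a prefix replaces the default set entirely,
# which is why "Ciphers aes256-ctr" alone would drop every other cipher.
apply_cipher_spec() {
    _default=$1
    _spec=$2
    case $_spec in
        -*)
            printf '%s\n' "$_default" | awk -v drop="${_spec#-}" '
                BEGIN { n = split(drop, d, ","); for (i = 1; i <= n; i++) rm[d[i]] = 1 }
                {
                    m = split($0, c, ","); out = ""
                    for (i = 1; i <= m; i++)
                        if (!(c[i] in rm)) out = out (out == "" ? "" : ",") c[i]
                    print out
                }' ;;
        *)
            printf '%s\n' "$_spec" ;;
    esac
}

# Demonstration: the same check a practitioner would run as root with
# "sshd -T | grep -i ciphers", here against the constructed samples.
for sample in "$SSHD_T_DEFAULT" "$SSHD_T_HARDENED"; do
    if server_offers_cipher "$sample" chacha20-poly1305@openssh.com; then
        echo "server still offers chacha20-poly1305@openssh.com"
    else
        echo "server no longer offers chacha20-poly1305@openssh.com"
    fi
done
echo "effective list after drop-in: $(apply_cipher_spec "$DEFAULT_CIPHERS" -chacha20-poly1305@openssh.com)"
```

On a real host, replace the constructed strings with the output of "sshd -T" run as root (the reply's prompt shows it as a root command); "sshd -T" resolves the main config together with the sshd_config.d drop-ins, so it reflects exactly what the server will negotiate, whereas "ssh -Q cipher" never changes in response to configuration.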
https://bugs.launchpad.net/bugs/2070326
Title:
Unable to Disable ChaCha20-Poly1305 Encryption to Mitigate Terrapin
SSH Attack
Status in openssh package in Ubuntu:
Invalid
Bug description:
I've tried the following commands to disable the below cipher, but it is
still showing up. Am I missing something here?
echo 'Ciphers -chacha20-poly1305@openssh.com' > /etc/ssh/sshd_config.d/anti-terrapin-attack.conf
echo 'Ciphers -chacha20-poly1305@openssh.com' > /etc/ssh/ssh_config.d/anti-terrapin-attack.conf
systemctl restart sshd
The user Rajandran has reported attempting to disable the ChaCha20-Poly1305 encryption cipher to mitigate the Terrapin SSH attack using the following commands:
echo 'Ciphers -<email address hidden>' > /etc/ssh/sshd_config.d/anti-terrapin-attack.conf
echo 'Ciphers -<email address hidden>' > /etc/ssh/ssh_config.d/anti-terrapin-attack.conf
systemctl restart sshd
However, despite these steps, the cipher is still appearing as available.
Steps to Reproduce:
Edit /etc/ssh/sshd_config.d/anti-terrapin-attack.conf to include Ciphers -<email address hidden>.
Edit /etc/ssh/ssh_config.d/anti-terrapin-attack.conf similarly.
Restart the SSH daemon using systemctl restart sshd.
Check the available ciphers using ssh -Q cipher.
Expected Behavior:
The ChaCha20-Poly1305 cipher should be disabled and not listed among the available ciphers after making the above configuration changes and restarting SSH.
Actual Behavior:
Despite the configuration changes and SSH daemon restart, the ChaCha20-Poly1305 cipher continues to appear in the list of available ciphers.
Additional Information:
Operating System: [Insert OS version]
SSH Version: [Insert SSH version]
Output of ssh -Q cipher before and after attempted configuration changes.
Any relevant logs or error messages from /var/log/auth.log or SSH logs.
Resolution Attempted:
Editing sshd_config and ssh_config files as described.
Restarting SSH daemon.
Impact:
The continued availability of the ChaCha20-Poly1305 cipher leaves the system vulnerable to the Terrapin SSH attack, impacting security.
Next Steps:
Investigate if there are additional configuration changes required or if a different approach is needed to effectively disable the cipher.
Consult SSH documentation or community forums for insights or similar reported issues.