OSAS / ansible-role-openssh

OBSOLETE, moved here: https://gitlab.com/osci/ansible-role-openssh
MIT License

Unconditionally filters ciphers #17

Open duck-rh opened 5 years ago

duck-rh commented 5 years ago

While I think the new feature is useful, having ciphers locked up independently of OpenSSH version changes while you did not request such a feature to be enabled is IMHO a problem.

mscherer commented 5 years ago

Mhh, I do not understand. Nothing is blocked by default.

duck-rh commented 5 years ago

Generating a list of ciphers while filtering nothing (the default setting) is IMHO useless and means upgrading will never bring better ciphers unless this role is applied at the same time.

duck-rh commented 5 years ago

In fact upgrading just breaks the world:

Sep  9 07:33:28 Catton systemd[1]: Starting OpenBSD Secure Shell server...
Sep  9 07:33:28 Catton sshd[4663]: /etc/ssh/sshd_config line 125: Bad SSH2 cipher spec '3des-cbc,blowfish-cbc,cast128-cbc,arcfour,arcfour128,arcfour256,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com'.
Sep  9 07:33:28 Catton systemd[1]: ssh.service: Control process exited, code=exited, status=255/EXCEPTION

I'd like to be able to disable this feature. As I already said the distro must be fixed and this is gonna be a pain to maintain.

mscherer commented 5 years ago

So, what kind of upgrade was it?

mscherer commented 5 years ago

So, that's an upgrade from some Debian version to another Debian version, but so that means there is a bug. The code is not supposed to change anything unless there is a filtered cipher, and by default nothing is filtered. If this did result in filtering something (and so changing the configuration) while you didn't ask for it, that's not the behavior that was supposed to happen.

mscherer commented 5 years ago

It seems indeed that this was a bug. I guess this broke after the 2.8 upgrade, as it was fine when I tested.
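The failure in the thread is a pinned `Ciphers` line outliving the OpenSSH it was generated on: the spec in the log line contains names the upgraded sshd no longer knows, so sshd refuses to start. The block below is an added example, not code from ansible-role-openssh, that models the role's behaviour as the maintainer describes it (read the installed OpenSSH's cipher list, drop a configurable set, write the remainder) and adds the two checks a practitioner would want: write no `Ciphers` line at all when the block list is empty, and verify every pinned entry against the target host's `ssh -Q cipher` before sshd is restarted. The function names are assumptions; `PINNED_SPEC` is copied verbatim from the log line above, while the post-upgrade cipher list is a constructed sample reflecting OpenSSH 7.6's removal of the arcfour, blowfish and CAST ciphers, not a captured one.

```python
"""Cipher-list pinning check for sshd_config.

Added example (not code from the ansible-role-openssh project). It models the
role's described behaviour: read the installed OpenSSH's cipher list, remove a
configurable set, and write the remainder as a ``Ciphers`` line. Helper names
and the post-upgrade cipher list are assumptions.
"""
import subprocess
from typing import Iterable, List, Optional

# Cipher spec that sshd rejected in the issue's log line, copied verbatim.
PINNED_SPEC = (
    "3des-cbc,blowfish-cbc,cast128-cbc,arcfour,arcfour128,arcfour256,"
    "aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,"
    "aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,"
    "aes256-gcm@openssh.com,chacha20-poly1305@openssh.com"
)

# Constructed `ssh -Q cipher` output for the OpenSSH the list was generated
# on: the same names as PINNED_SPEC, one per line, as ssh -Q prints them.
OLD_QUERY_OUTPUT = PINNED_SPEC.replace(",", "\n") + "\n"

# Constructed `ssh -Q cipher` output after an upgrade past OpenSSH 7.6, which
# dropped the arcfour, blowfish and CAST ciphers (assumed sample, not captured).
NEW_QUERY_OUTPUT = "\n".join([
    "3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
    "rijndael-cbc@lysator.liu.se", "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "chacha20-poly1305@openssh.com",
]) + "\n"


def parse_cipher_query(output: str) -> List[str]:
    """Turn `ssh -Q cipher` output (one algorithm per line) into a list."""
    return [line.strip() for line in output.splitlines() if line.strip()]


def query_supported_ciphers() -> List[str]:
    """Ask the locally installed OpenSSH what it supports (runs `ssh -Q cipher`)."""
    out = subprocess.run(["ssh", "-Q", "cipher"], check=True,
                         capture_output=True, text=True).stdout
    return parse_cipher_query(out)


def build_cipher_spec(supported: Iterable[str],
                      blocked: Iterable[str]) -> Optional[str]:
    """Return the `Ciphers` value to write, or None when nothing is blocked.

    None is the behaviour the maintainer describes as intended: with an empty
    block list the role must not pin anything, so a later OpenSSH upgrade keeps
    its own defaults instead of a list frozen at generation time.
    """
    blocked = set(blocked)
    if not blocked:
        return None
    return ",".join(c for c in supported if c not in blocked)


def unsupported_in_spec(spec: str, supported: Iterable[str]) -> List[str]:
    """Entries of a Ciphers spec that the target sshd does not know.

    Any non-empty result means sshd will refuse to start with
    "Bad SSH2 cipher spec", exactly as in the issue's log.
    """
    known = set(supported)
    return [c for c in spec.split(",") if c not in known]


def spec_is_loadable(spec: Optional[str], supported: Iterable[str]) -> bool:
    """True when sshd would accept the spec (None means no Ciphers line)."""
    return spec is None or not unsupported_in_spec(spec, supported)


if __name__ == "__main__":
    old = parse_cipher_query(OLD_QUERY_OUTPUT)
    new = parse_cipher_query(NEW_QUERY_OUTPUT)
    # The frozen list from the old host is rejected by the upgraded sshd.
    print("rejected after upgrade:", unsupported_in_spec(PINNED_SPEC, new))
    # With nothing blocked, nothing should be written at all.
    print("default spec:", build_cipher_spec(old, []))
    # A list built on the old host must be re-checked against the new one.
    spec = build_cipher_spec(old, ["3des-cbc", "arcfour"])
    print("loadable on upgraded host:", spec_is_loadable(spec, new))
```

In a playbook the same guard fits naturally on the task that writes `sshd_config`: Ansible's `template` and `lineinfile` modules accept `validate: '/usr/sbin/sshd -t -f %s'`, which runs the config through sshd's own parser and fails the task before the handler restarts the service, so a stale cipher name is reported at deploy time rather than as a dead `ssh.service` after the next reboot.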