
vyatta-cfg-system -> SSH: Failure to correctly alter Ciphers and MACs
Closed, Resolved | Public | BUG


When changing the Ciphers or MACs parameters in set service ssh <option>, an existing line within sshd_config would not be altered but a new line appended instead, resulting in multiple Ciphers / MACs lines existing in sshd_config.

To fix this, and at the same time, adapt SSH config options to the new capabilities of OpenSSH 6.7, I propose the attached patch to the vyatta-cfg-system package. SSH service configuration will then look as follows:

vyos@vyos# set service ssh 
Possible completions:
   allow-root   Enable root login over ssh
   ciphers      Allowed ciphers
                Don't validate the remote host name with DNS
                Don't allow unknown user to login with password
   key-exchange Allowed key exchange algorithms
+  listen-address
                Local addresses SSH service should listen on
   loglevel     Log Level
   macs         Allowed message authentication algorithms
   port         Port for SSH service





  • I failed to use the correct syntax for git diff in order to include new files into the patch set. This was fixed with this edit.
  • For quick evaluation, I attached a vyatta-cfg-system deb package you may install on the fly.
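
An added example, not part of the attached patch or of vyatta-cfg-system: sshd uses the first value it obtains for a keyword, so a Ciphers or MACs line appended after an existing one is silently ignored. The sketch below audits a config for such repeats and rewrites a directive in place; the sample config and the names `audit` and `set_directive` are constructed for illustration.

```python
import re

# Constructed sample: an old Ciphers line plus the one the bug appended.
SAMPLE = """\
Port 22
Ciphers aes128-cbc,3des-cbc
MACs hmac-sha1
Ciphers chacha20-poly1305@openssh.com
"""
TRACKED = ("ciphers", "macs", "kexalgorithms")
_LINE = re.compile(r"^\s*(\w+)[\s=]+(.*?)\s*$")  # comments/blank lines never match


def parse_global(text):
    """Yield (line_no, keyword_lower, value) up to the first Match block."""
    for no, line in enumerate(text.splitlines(), 1):
        m = _LINE.match(line)
        if not m:
            continue
        if m.group(1).lower() == "match":
            return
        yield no, m.group(1).lower(), m.group(2)


def audit(text, tracked=TRACKED):
    """Return {keyword: (value sshd uses, [line numbers of ignored repeats])}."""
    seen = {}
    for no, key, value in parse_global(text):
        if key in seen:
            seen[key][1].append(no)    # sshd keeps the first value it obtained
        elif key in tracked:
            seen[key] = (value, [])
    return seen


def set_directive(text, keyword, value):
    """Leave exactly one global `keyword` line, at its first position."""
    out, at, in_match = [], None, False
    for line in text.splitlines():
        m = _LINE.match(line)
        key = m.group(1).lower() if m else None
        in_match = in_match or key == "match"
        hit = key == keyword.lower() and not in_match
        if at is None and (hit or in_match):
            at = len(out)              # first occurrence, else just before Match
        if not hit:
            out.append(line)
    out.insert(len(out) if at is None else at, f"{keyword} {value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(audit(SAMPLE))
    print(set_directive(SAMPLE, "Ciphers", "chacha20-poly1305@openssh.com"))
```

On the sample, the audit reports the old CBC list as the effective Ciphers value and flags line 4 as ignored, which is the state the appended-line bug leaves behind.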


Difficulty level
Unknown (require assessment)
vyatta-cfg-system 0.20.44+vyos2+current7 (VyOS 1.2.x)
Why the issue appeared?
Will be filled on close

Event Timeline

alainlamar updated the task description. Dec 31 2017, 1:56 PM
alainlamar updated the task description. Dec 31 2017, 2:04 PM
c-po added a subscriber: c-po. Edited Dec 31 2017, 2:29 PM

@alainlamar thanks for the contribution.

If you're interested, I can help you set up a GitHub fork so you can just send in a Pull Request that can be automatically merged?

Maybe we can have a similar manual like for working with pull requests.

c-po added a comment. Dec 31 2017, 2:37 PM

Dissecting your patch .. I come up with those commits:

Could you please verify this?

alainlamar added a comment. Edited Dec 31 2017, 3:16 PM


Thanks for the advice! My Git skills suck, but I'll try to catch up quickly. I cloned your repo, checked out branch z507-sshd and did a git diff c5e11462769bea9769335944f0f8a8f5411d027e > t507_c-po.patch which is the last commit prior to T507 commits. Then I ran diff on that patch file and the one I created before. No difference, which means your commits are nicely done!

Thanks for your support!

c-po moved this task from Need Triage to Finished on the VyOS 1.2 Crux board. Dec 31 2017, 3:23 PM
syncer closed this task as Resolved. Jan 14 2018, 5:42 PM
syncer claimed this task.