Page MenuHomePhabricator

vyatta-cfg-system -> SSH: Failure to correctly alter Ciphers and MACs
Closed, ResolvedPublicBUG

Description

When changing the Ciphers or MACs parameters in set service ssh <option>, an existing line within sshd_config would not be altered but a new line appended instead, resulting in multiple Ciphers / MACs lines existing in sshd_config.

To fix this, and at the same time, adapt SSH config options to the new capabilities of OpenSSH 6.7, I propose the attached patch to the vyatta-cfg-system package. SSH service configuration will then look as follows:

vyos@vyos# set service ssh 
Possible completions:
   allow-root   Enable root login over ssh
   ciphers      Allowed ciphers
   disable-host-validation
                Don't validate the remote host name with DNS
   disable-password-authentication
                Don't allow unknown user to login with password
   key-exchange Allowed key exchange algorithms
+  listen-address
                Local addresses SSH service should listen on
   loglevel     Log Level
   macs         Allowed message authentication algorithms
   port         Port for SSH service

      
[edit]
vyos@vyos#

Patch

vyatta-cfg-system

Edited:

  • I failed to use the correcty syntax for git diff in order to include new files into the patch set. This was fixed with this edit.
  • For quick evaluation, I attached a vyatta-cfg-system deb package you may install on the fly.

Details

Difficulty level
Unknown (require assessment)
Version
vyatta-cfg-system 0.20.44+vyos2+current7 (VyOS 1.2.x)
Why the issue appeared?
Will be filled on close
alainlamar updated the task description. (Show Details)Dec 31 2017, 1:56 PM
alainlamar updated the task description. (Show Details)Dec 31 2017, 2:04 PM
c-po added a subscriber: c-po.EditedDec 31 2017, 2:29 PM

@alainlamar thanks for the contribution.

If you're interested can help you setup a Github fork so you can just send in a Pull Request that can be automatically merged?

Maybe we can have a similar manual like https://wiki.vyos.net/wiki/Submit_a_patch for working with pull requests.

c-po added a comment.Dec 31 2017, 2:37 PM

Dissecting your patch .. I come up with those commits: https://github.com/c-po/vyatta-cfg-system/commits/t507-sshd

Could you please verify this?

alainlamar added a comment.EditedDec 31 2017, 3:16 PM

Hi,

thanks for the advice! My Git skills suck, but I'll try to catch up quickly. I cloned your repo, checked out branch z507-sshd and did a git diff c5e11462769bea9769335944f0f8a8f5411d027e > t507_c-po.patch which is the last commit prior to T507 commits. Then I ran diff on that patch file and the one I created before. No difference, which means, your commits are nicely done!

Thanks for your support!
Al

c-po moved this task from Need Triage to Finished on the VyOS 1.2.x board.Dec 31 2017, 3:23 PM
syncer closed this task as Resolved.Jan 14 2018, 5:42 PM
syncer claimed this task.