Created attachment 195510 [details] patch Currently the following error was being raised by sshd on GCE image: /etc/ssh/sshd_config line 125: Bad SSH2 cipher spec 'aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc'. That happens on OpenSSL v7.6 and upwards (below the relevant part of "Potentially-incompatible changes" section on release notes[1]): ssh(1)/sshd(8): remove support for the arcfour, blowfish and CAST ciphers. Note: The FreeBSD 12 is using the OpenSSL v7.7 and the FreeBSD 11 is using OpenSSL v7.5. [1] https://www.openssh.com/txt/release-7.6
Severity: sshd server won't start with those bad ciphers on the list.
It's unclear to me why GCE has this explicit Cipher configuration anyway. The SSH default is much more sane: The default is: chacha20-poly1305@openssh.com, aes128-ctr,aes192-ctr,aes256-ctr, aes128-gcm@openssh.com,aes256-gcm@openssh.com, aes128-cbc,aes192-cbc,aes256-cbc
Ok -- it just dates to initial GCE support 3.5 years ago: r277263. Not sure why it was explicitly set then, either. I'd suggest just removing the explicit configuration line unless there is a good reason to have explicit configuration on GCE nowadays. I did some research and can't find any knowledgebase article about specific cipher requirements on GCE today.
(In reply to Conrad Meyer from comment #3) I agree. Comparing with the new Ubuntu 18.04 (which has OpenSSH_7.6p1), it doesn't explicitly configure any ciphers to be used. If that's the final solution, I can gladly change my patch.
Yes, I think that's the right change. If we do not hear from someone more familiar with GCE in the next day or so I think it would be a reasonable change to make. Thanks!
Created attachment 195511 [details] patch-v2: use default ciphers
A commit references this bug: Author: cem Date: Sat Jul 28 19:35:49 UTC 2018 New revision: 336836 URL: https://svnweb.freebsd.org/changeset/base/336836 Log: Remove insecure ciphers from GCE sshd configuration They were added for unclear reasons in r277263. The current OpenSSH defaults (7.5+) are reasonable, and do not include the insecure rc4 cipher: chacha20-poly1305@openssh.com, aes128-ctr,aes192-ctr,aes256-ctr, aes128-gcm@openssh.com,aes256-gcm@openssh.com, aes128-cbc,aes192-cbc,aes256-cbc I think I recall there being a reason for a specific list of ciphers on GCE at the time, but I do not recall what it was, and cannot find any current GCE documentation of such a list. So, just revert the explicit configuration and use sane openssh defaults. PR: 230092 Submitted by: Gustavo Scalet <gustavo.scalet AT collabora.com> MFC after: 3 days Security: yes Changes: head/release/tools/gce.conf
Addressed in CURRENT in r336836. I don't do stable branches, though, so if this should be addressed on 11 someone else should feel free to MFC it.
(In reply to Conrad Meyer from comment #8) On 11 it should not be a problem because it's using OpenSSL v7.5. This error will only occur on v7.6+. FreeBSD 12 uses OpenSSL v7.7
(In reply to gustavo.scalet from comment #9) rc4 is still a weak cipher even when OpenSSL doesn't warn about it :-).
Change is inside, shouldn't this be closed now?
(In reply to gustavo.scalet from comment #11) I'd keep it open if someone wants the rc4 ciphers removed on stable. But we can close since no one seems to be asking for that.