Unable to Disable ChaCha20-Poly1305 Encryption to Mitigate Terrapin SSH Attack
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openssh (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
I've tried the following commands to disable the cipher below, but it is still showing up. Am I missing something here?
echo 'Ciphers -<email address hidden>' > /etc/ssh/
echo 'Ciphers -<email address hidden>' > /etc/ssh/
systemctl restart sshd
The user Rajandran has reported attempting to disable the ChaCha20-Poly1305 encryption cipher to mitigate the Terrapin SSH attack using the following commands:
echo 'Ciphers -<email address hidden>' > /etc/ssh/
echo 'Ciphers -<email address hidden>' > /etc/ssh/
systemctl restart sshd
However, despite these steps, the cipher is still appearing as available.
Steps to Reproduce:
Edit /etc/ssh/
Edit /etc/ssh/
Restart the SSH daemon using systemctl restart sshd.
Check the available ciphers using ssh -Q cipher.
Expected Behavior:
The ChaCha20-Poly1305 cipher should be disabled and not listed among the available ciphers after making the above configuration changes and restarting SSH.
Actual Behavior:
Despite the configuration changes and SSH daemon restart, the ChaCha20-Poly1305 cipher continues to appear in the list of available ciphers.
Additional Information:
Operating System: [Insert OS version]
SSH Version: [Insert SSH version]
Output of ssh -Q cipher before and after attempted configuration changes.
Any relevant logs or error messages from /var/log/auth.log or SSH logs.
Resolution Attempted:
Editing sshd_config and ssh_config files as described.
Restarting SSH daemon.
Impact:
The continued availability of the ChaCha20-Poly1305 cipher leaves the system vulnerable to the Terrapin SSH attack, impacting security.
Next Steps:
Investigate if there are additional configuration changes required or if a different approach is needed to effectively disable the cipher.
Consult SSH documentation or community forums for insights or similar reported issues.
It sounds like you're encountering difficulties in disabling the ChaCha20-Poly1305 encryption cipher to mitigate the Terrapin SSH attack. Your approach to modify the SSH configuration files and restart the SSH daemon seems correct. Here are a few additional steps and considerations based on your report:
Steps to Reproduce:
Edit /etc/ssh/sshd_config.d/anti-terrapin-attack.conf to include Ciphers -<email address hidden>.
Edit /etc/ssh/ssh_config.d/anti-terrapin-attack.conf similarly.
Restart the SSH daemon using systemctl restart sshd.
Check the available ciphers using ssh -Q cipher.
Expected Behavior:
The ChaCha20-Poly1305 cipher should be disabled and should not appear in the list of available ciphers after the configuration changes and SSH daemon restart.
Actual Behavior:
Despite making the changes and restarting SSH, the ChaCha20-Poly1305 cipher continues to be listed among the available ciphers.
Additional Information:
Could you please provide the operating system version and SSH version you are using?
It would also be helpful to see the output of ssh -Q cipher before and after making the configuration changes.
Any relevant logs or error messages from /var/log/auth.log or SSH logs might provide clues.
Resolution Attempted:
You've already tried editing the SSH configuration files and restarting the SSH daemon, which is the correct approach.
Impact:
The persistence of the ChaCha20-Poly1305 cipher poses a security risk, leaving the system vulnerable to the Terrapin SSH attack.
Next Steps:
Investigate if there are additional steps or configuration parameters needed to effectively disable the cipher.
Consider consulting SSH documentation or community forums for insights into similar issues reported by others.
If you have any updates or further details, please share them. We're here to help troubleshoot and find a resolution.
Best regards,
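Added example, not part of the bug report or the reply above: `ssh -Q cipher` enumerates every cipher compiled into the OpenSSH binary regardless of configuration, so it will keep listing chacha20-poly1305@openssh.com no matter what the drop-in file says; the server's effective list is what `sshd -T` prints. The script below models the `Ciphers` directive semantics from sshd_config(5) (`-` removes by wildcard pattern, `+` appends, `^` prepends, a bare list replaces) so you can see what a `Ciphers -chacha20-poly1305@openssh.com` line actually does. The default and supported lists are constructed sample data (assumed to mirror OpenSSH 9.x; confirm on the real host), and `effective_ciphers` / `chacha_enabled` are names chosen for this example.

```python
from fnmatch import fnmatchcase

# Constructed sample lists (assumption: mirrors OpenSSH 9.x defaults; confirm with `sshd -T`).
DEFAULT_CIPHERS = [
    "chacha20-poly1305@openssh.com",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
]
# What `ssh -Q cipher` prints: every cipher compiled into the binary, configured or not.
SUPPORTED_CIPHERS = DEFAULT_CIPHERS + ["3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"]


def _matches(name, patterns):
    """True if name matches any comma-separated wildcard pattern (OpenSSH '-' syntax)."""
    return any(fnmatchcase(name, p) for p in patterns.split(","))


def effective_ciphers(spec, defaults=DEFAULT_CIPHERS):
    """Apply sshd_config Ciphers semantics to a default list.

    '-patterns' removes matching entries, '+list' appends missing ones,
    '^list' moves them to the front, and a bare list replaces the defaults.
    """
    spec = spec.strip()
    if spec.startswith("-"):
        return [c for c in defaults if not _matches(c, spec[1:])]
    if spec.startswith("+"):
        return list(defaults) + [c for c in spec[1:].split(",") if c not in defaults]
    if spec.startswith("^"):
        head = spec[1:].split(",")
        return head + [c for c in defaults if c not in head]
    return spec.split(",")


def chacha_enabled(spec, defaults=DEFAULT_CIPHERS):
    """Does ChaCha20-Poly1305 survive the given Ciphers directive?"""
    return any(c.startswith("chacha20") for c in effective_ciphers(spec, defaults))


if __name__ == "__main__":
    directive = "-chacha20-poly1305@openssh.com"   # the line from the drop-in config
    # The reporter's check: the binary still *supports* the cipher, so this stays True.
    print("listed by ssh -Q cipher:", "chacha20-poly1305@openssh.com" in SUPPORTED_CIPHERS)
    # The meaningful check: the server's effective list no longer offers it.
    print("effective Ciphers:", ",".join(effective_ciphers(directive)))
    print("chacha20 offered:", chacha_enabled(directive))
```

On the host itself, `sudo sshd -T | grep -i '^ciphers'` shows the effective server list, and the drop-in only applies if /etc/ssh/sshd_config still contains Ubuntu's default `Include /etc/ssh/sshd_config.d/*.conf` line.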