Unable to Disable ChaCha20-Poly1305 Encryption to Mitigate Terrapin SSH Attack

Bug #2070326 reported by Sam King
Affects: openssh (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: none

Bug Description

I've tried the following commands to disable the cipher below, but it is still showing up. Am I missing something here?

echo 'Ciphers -<email address hidden>' > /etc/ssh/sshd_config.d/anti-terrapin-attack.conf
echo 'Ciphers -<email address hidden>' > /etc/ssh/ssh_config.d/anti-terrapin-attack.conf

systemctl restart sshd
The user Rajandran has reported attempting to disable the ChaCha20-Poly1305 encryption cipher to mitigate the Terrapin SSH attack using the following commands:

echo 'Ciphers -<email address hidden>' > /etc/ssh/sshd_config.d/anti-terrapin-attack.conf
echo 'Ciphers -<email address hidden>' > /etc/ssh/ssh_config.d/anti-terrapin-attack.conf
systemctl restart sshd
However, despite these steps, the cipher is still appearing as available.

Steps to Reproduce:

1. Edit /etc/ssh/sshd_config.d/anti-terrapin-attack.conf to include Ciphers -<email address hidden>.
2. Edit /etc/ssh/ssh_config.d/anti-terrapin-attack.conf similarly.
3. Restart the SSH daemon using systemctl restart sshd.
4. Check the available ciphers using ssh -Q cipher.

Expected Behavior:
The ChaCha20-Poly1305 cipher should be disabled and not listed among the available ciphers after making the above configuration changes and restarting SSH.

Actual Behavior:
Despite the configuration changes and SSH daemon restart, the ChaCha20-Poly1305 cipher continues to appear in the list of available ciphers.

Additional Information:

1. Operating System: [Insert OS version]
2. SSH Version: [Insert SSH version]
3. Output of ssh -Q cipher before and after attempted configuration changes.
4. Any relevant logs or error messages from /var/log/auth.log or SSH logs.

Resolution Attempted:

1. Editing sshd_config and ssh_config files as described.
2. Restarting SSH daemon.

Impact:
The continued availability of the ChaCha20-Poly1305 cipher leaves the system vulnerable to the Terrapin SSH attack, impacting security.

Next Steps:

1. Investigate if there are additional configuration changes required or if a different approach is needed to effectively disable the cipher.
2. Consult SSH documentation or community forums for insights or similar reported issues.

Revision history for this message
Sam King (sam0090) wrote :

It sounds like you're encountering difficulties in disabling the ChaCha20-Poly1305 encryption cipher to mitigate the Terrapin SSH attack. Your approach to modify the SSH configuration files and restart the SSH daemon seems correct. Here are a few additional steps and considerations based on your report:

Steps to Reproduce:

1. Edit /etc/ssh/sshd_config.d/anti-terrapin-attack.conf to include Ciphers -<email address hidden>.
2. Edit /etc/ssh/ssh_config.d/anti-terrapin-attack.conf similarly.
3. Restart the SSH daemon using systemctl restart sshd.
4. Check the available ciphers using ssh -Q cipher.

Expected Behavior:
The ChaCha20-Poly1305 cipher should be disabled and should not appear in the list of available ciphers after the configuration changes and SSH daemon restart.

Actual Behavior:
Despite making the changes and restarting SSH, the ChaCha20-Poly1305 cipher continues to be listed among the available ciphers.

Additional Information:

1. Could you please provide the operating system version and SSH version you are using?
2. It would also be helpful to see the output of ssh -Q cipher before and after making the configuration changes.
3. Any relevant logs or error messages from /var/log/auth.log or SSH logs might provide clues.

Resolution Attempted:
You've already tried editing the SSH configuration files and restarting the SSH daemon, which is the correct approach.

Impact:
The persistence of the ChaCha20-Poly1305 cipher poses a security risk, leaving the system vulnerable to the Terrapin SSH attack.

Next Steps:

1. Investigate if there are additional steps or configuration parameters needed to effectively disable the cipher.
2. Consider consulting SSH documentation or community forums for insights into similar issues reported by others.
If you have any updates or further details, please share them. We're here to help troubleshoot and find a resolution.

Best regards,

Revision history for this message
Rajandran (nrajandr) wrote :

Hi Sam

This is the OS version: Ubuntu 20.04.6 LTS.

And for the step to include an email address in Ciphers -<email address hidden>, what email address should be added here?

root@warc-npa-005:/var/log# ssh -Q cipher
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
<email address hidden>
aes128-ctr
aes192-ctr
aes256-ctr
<email address hidden>
<email address hidden>
<email address hidden>

Revision history for this message
Rajandran (nrajandr) wrote :

/etc/ssh/ssh_config.d# ssh -V
OpenSSH_8.2p1 Ubuntu-4ubuntu0.11, OpenSSL 1.1.1f 31 Mar 2020

Revision history for this message
Rajandran (nrajandr) wrote :

Hi Sam,

Would you be able to advise what the next step is?

Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

Hello,

"ssh -Q cipher" will output the ciphers supported by your SSH *client*, not the server. What you did by creating the file /etc/ssh/sshd_config.d/anti-terrapin-attack.conf is to disable the cipher on the *server*, and that should have worked fine. You can confirm that the server does not support the cipher anymore by issuing the following command:

# sshd -T | grep -i ciphers

I am going to mark this bug as Invalid because I could confirm that disabling the cipher works fine here. If you still experience any issues, feel free to reopen it.

Thanks.

Changed in openssh (Ubuntu):
status: New → Invalid
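The point of the last comment, and of the reporter's original steps, is that `ssh -Q cipher` lists every cipher the client binary was built with and ignores configuration entirely, so it can never show the effect of a `Ciphers -...` line; the effective server list comes from `sshd -T`. The script below is an added example, not part of the bug report or of Ubuntu's openssh package: it reads `sshd -T`-style output and checks whether a named cipher is still offered. It assumes the cipher hidden as `<email address hidden>` on this page is `chacha20-poly1305@openssh.com`, OpenSSH's identifier for ChaCha20-Poly1305, and uses constructed before/after samples of the `ciphers` line (the "before" list is the OpenSSH 8.2 default) so it runs without a live daemon.

```shell
#!/bin/sh
# Added example (not from the bug report): check the *server's* effective
# cipher list, as printed by `sshd -T`, for a given cipher. `ssh -Q cipher`
# only enumerates what the client binary supports and never reflects config.
#
# Assumption: the cipher hidden as "<email address hidden>" in the report is
# chacha20-poly1305@openssh.com (OpenSSH's name for ChaCha20-Poly1305).

# cipher_offered CIPHER  -- reads `sshd -T` style output on stdin.
# Returns 0 if the "ciphers" line lists CIPHER, 1 otherwise.
cipher_offered() {
    cipher="$1"
    # sshd -T prints lowercase keywords, e.g. "ciphers a,b,c";
    # keep only that value and split it on commas, one cipher per line.
    sed -n 's/^ciphers //p' | tr ',' '\n' | grep -qxF "$cipher"
}

# Constructed samples of `sshd -T | grep -i ciphers`:
# BEFORE = OpenSSH 8.2 default list; AFTER = same host once
# "Ciphers -chacha20-poly1305@openssh.com" is in effect.
BEFORE='ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com'
AFTER='ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com'

# verdict LABEL TEXT  -- prints one line saying whether the sample still
# offers the ChaCha20-Poly1305 cipher; echoes "offered" or "not offered".
verdict() {
    if printf '%s\n' "$2" | cipher_offered chacha20-poly1305@openssh.com; then
        echo "$1: chacha20-poly1305@openssh.com is still offered by the server"
        return 0
    else
        echo "$1: chacha20-poly1305@openssh.com is not offered by the server"
        return 1
    fi
}

verdict before "$BEFORE" || true
verdict after  "$AFTER"  || true

# On a real host (sshd -T needs root, because it loads the host keys):
#   sshd -T | cipher_offered chacha20-poly1305@openssh.com && echo 'still offered'
```

Two things to keep in mind when using this against a live system: `sshd -T` only reflects a drop-in under `/etc/ssh/sshd_config.d/` if the main `sshd_config` has an `Include` line for that directory, and because sshd uses the first value it obtains for each keyword, that `Include` has to come before any other `Ciphers` line in the main file. For the client side, `ssh -G some-host | grep ciphers` prints the cipher list ssh would actually negotiate after reading `ssh_config` and its drop-ins, which is the client-side counterpart of `sshd -T`.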