Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Need a way to disable SSH Cipher

    Scheduled Pinned Locked Moved General pfSense Questions
    10 Posts 4 Posters 3.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      jcouillardboreal-is.com
      last edited by

      As per requirement for our production site, CBC and RC4 mode for SSH must be denied.
      Every time I edit /etc/ssh/sshd_config it last only until a reboot or a reconfiguration of the SSHd daemon.
      Is there a way to make that change permanent ?

      Thanks

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        You might be able to include your config in the sshd_extra file that is loaded from /etc/ to do stuff to the config that survives reboot.  This is where you can banner cmd for example.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        1 Reply Last reply Reply Quote 0
        • J
          jcouillardboreal-is.com
          last edited by

          Hi Johnpoz,
          Thanks for the reply. But the file is not present, and if I create it and put "Ciphers aes128-ctr,aes256-ctr" in it while the sshd_config is back at it's regular state (with Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc as the first line). When I test for CBC or RC4 mode the are still present, so the override does not work.

          I'm using pfSense 2.3

          Thanks again

          1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by

            yeah you have to create it..  It is loaded after the config

            
                  /* Apply package SSHDCond settings if config file exists */
                    if (file_exists("/etc/sshd_extra")) {
                            $fdExtra = fopen("/etc/sshd_extra", 'r');
                            $szExtra = fread($fdExtra, 1048576); // Read up to 1MB from extra file
                            $sshconf .= $szExtra;
                            fclose($fdExtra);
                    }
            
            

            So yeah changing something that is done in the config might not work..  Pretty sure you would have to edit the /etc/sshd file

            it has the stuff that is put in the config

            /* Include default configuration for pfSense */
                    $sshconf = "# This file is automatically generated at startup\n";
                    $sshconf .= "Ciphers aes128-ctr,aes256-ctr,arcfour256,arcfour,aes128-cbc,aes256-cbc\n";

            But this would most likely get put back next time pfsense updates.

            Best solution to this stuff would be feature request for pfsense to be able to pick the ciphers from the gui.  But an edit of this file should do what you want until you update pfsense again and this file gets changed..

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            1 Reply Last reply Reply Quote 0
            • H
              heper
              last edited by

              yeah best create a PR against master or releng_2_3

              below could be stored in config & adjustable by GUI
              https://github.com/pfsense/pfsense/blob/master/src/etc/sshd#L102

              1 Reply Last reply Reply Quote 0
              • johnpozJ
                johnpoz LAYER 8 Global Moderator
                last edited by

                Curious are you allowing ssh from the public to pfsense?  Or is this internal access only?  Normally only ones that should be able to access pfsense admin be it gui or ssh should be locked to admin devices anyway.  Having to restrict specific ciphers that can be used seems a bit over the top..  But the ability to easy change this along with the ssl/tls algo used in the web gui sure are some nice bells and whistles ;)

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                1 Reply Last reply Reply Quote 0
                • J
                  jcouillardboreal-is.com
                  last edited by

                  The file was put under /etc/ssh which is incorrect. Once moved under /etc/ i've restarted SSHd and the line Ciphers get appended to the file, so it create a double definition of that parameter and the first one seem to be used. (i use the nmap script ssh2-enum-algos.nse to test it).

                  I'll go for that feature request. +1 for the inclusion of the same concept but for the webgui when on https is a good idea.

                  And for your question SSHd is allowed only for a specific subset of IPs and password logon are denied.

                  How can I ask for that feature ? Newbie here on the forum.

                  Thanks

                  1 Reply Last reply Reply Quote 0
                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator
                    last edited by

                    bounty section is where you normally ask for something ;)

                    You can edit the /etc/sshd file do have it do whatever ciphers want that would be quick fix until/if a way gets put into do it from the qui.

                    I just edited mine so I could use the new chacha20 ;)  kept meaning to do this, this thread got my fire started ;)

                    So you can see big bang zoom and there you go

                    debug1: kex: algorithm: curve25519-sha256@libssh.org
                    debug1: kex: host key algorithm: ecdsa-sha2-nistp256
                    debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit>compression: none
                    debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit>compression: none
                    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
                    debug1: Server host key: ecdsa-sha2-nistp256 SHA256:iLeLI4NVkAcglcXPyBw44OgCt4JmJdewn8cUhgEpfK0
                    debug1: Host 'pfsense.local.lan' is known and matches the ECDSA host key.

                    edit /etc/sshd

                    
                    $sshconf .= "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n";
                    $sshconf .= "KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\n";
                    $sshconf .= "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com\n";
                    
                    ```</implicit></implicit>

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    1 Reply Last reply Reply Quote 0
                    • J
                      jcouillardboreal-is.com
                      last edited by

                      Terrific, thanks a lot.

                      1 Reply Last reply Reply Quote 0
                      • C
                        CloudJourneyman
                        last edited by

                        +1 for this being a feature in the GUI for selecting SSH and WebUI Ciphers and SSL/TLS versions.

                        Did you end up requesting it in the bounty section couillard45682? If so, perhaps post the link in this thread so everyone can find it and give it a bump.

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.