d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Remove insecure ciphers from GCE sshd configuration

Browse Source 
They were added for unclear reasons in r277263.  The current OpenSSH
defaults (7.5+) are reasonable, and do not include the insecure rc4 cipher:

                   chacha20-poly1305@openssh.com,
                   aes128-ctr,aes192-ctr,aes256-ctr,
                   aes128-gcm@openssh.com,aes256-gcm@openssh.com,
                   aes128-cbc,aes192-cbc,aes256-cbc

I think I recall there being a reason for a specific list of ciphers on GCE
at the time, but I do not recall what it was, and cannot find any
current GCE documentation of such a list.

So, just revert the explicit configuration and use sane openssh defaults.

PR:		230092
Submitted by:	Gustavo Scalet <gustavo.scalet AT collabora.com>
MFC after:	3 days
Security:	yes
This commit is contained in:
Conrad Meyer 2018-07-28 19:35:49 +00:00
parent bbc5c8ee32
commit 858178a142
1 changed files with 0 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
release/tools/gce.conf
View File

@ -66,7 +66,6 @@ EOF
ChallengeResponseAuthentication no
X11Forwarding no
AcceptEnv LANG
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
AllowAgentForwarding no
ClientAliveInterval 420
EOF