After upgrading our Cisco ASAs from 9.4(3)11 to 9.4(3)12, Rancid could no longer log in. Running clogin by hand made the problem clear: an SSH cipher mismatch. Rancid’s clogin asked for 3DES (“Triple DES”) and nothing else, while the ASA offered only AES, so the two had no cipher in common and the connection was refused before authentication even started.
rancid@localhost:~$ clogin ciscoasa.mydomain.com
ciscoasa.mydomain.com
spawn ssh -c 3des -x -l rancid ciscoasa.mydomain.com
no matching cipher found: client 3des-cbc server aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr
By default, the ASA’s SSH server uses the “medium” cipher list (OpenSSH’s -c 3des is the legacy alias for 3des-cbc, which is the name that matters here). Sure enough, 3DES is no longer in that list:
ciscoasa/pri/act# show ssh ciphers
Available SSH Encryption and Integrity Algorithms
Encryption Algorithms:
low: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr
medium: aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr
fips: aes128-cbc aes256-cbc
high: aes256-cbc aes256-ctr
A quick and dirty work-around: configure the ASA to use the “low” cipher list (ssh cipher encryption low). However, since it’s time to start phasing out 3DES anyway (it is a DES-era design with a 64-bit block, and NIST has deprecated it), I instead wanted to tell Rancid to prefer AES and only use 3DES as a last resort. The first step was finding the possible cipher names, which were in the commented-out default in /etc/ssh/ssh_config (on newer OpenSSH releases that comment may be gone; ssh -Q cipher prints what the client actually supports):
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
I simplified this a bit and added this line to Rancid’s .cloginrc:
add cyphertype * aes128-ctr,aes128-cbc,3des-cbc
This preference matches most of my devices since AES-CTR is supported in IOS 15 and is preferred over AES-CBC and 3DES. Two caveats: an ASA set to the “high” list above offers only AES-256, so it would still fail to negotiate with this line and needs its own entry; and the CBC fallbacks are living on borrowed time too, as OpenSSH dropped CBC ciphers from its default client proposal in 6.7. Good enough for me.
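To see why the original clogin default failed and the new .cloginrc line works, here is an added example (not from the original post, and not Rancid’s code) that simulates SSH cipher negotiation as RFC 4253 §7.1 defines it: the chosen cipher is the first entry on the client’s list that the server also offers, so the client’s order decides. The server lists are the ASA’s own output from above, rewritten comma-separated to match the format ssh -c and .cloginrc use; the function name negotiate_cipher and the variable names are my own.

```sh
#!/bin/sh
# Added example, not part of the original post: simulate SSH cipher
# negotiation (RFC 4253 section 7.1). The first cipher in the CLIENT's
# preference list that also appears in the SERVER's list wins; the client's
# ordering decides, the server's does not.

# Constructed from the "show ssh ciphers" output above, comma-separated
# as ssh -c and the cloginrc cyphertype line expect.
ASA_LOW="3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr"
ASA_MEDIUM="aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr"
ASA_FIPS="aes128-cbc,aes256-cbc"
ASA_HIGH="aes256-cbc,aes256-ctr"

# What clogin sent before the fix (-c 3des is OpenSSH's alias for 3des-cbc)
# and the preference list added to .cloginrc.
OLD_CLOGIN="3des-cbc"
NEW_CLOGIN="aes128-ctr,aes128-cbc,3des-cbc"

# negotiate_cipher CLIENT_LIST SERVER_LIST
# Prints the selected cipher and returns 0; on no overlap prints the same
# diagnostic sshd/ssh give ("no matching cipher found ...") to stderr and
# returns 1, which is the failure clogin ran into.
negotiate_cipher() {
    client="$1"
    server="$2"
    # Walk the client list in order; the first cipher the server also
    # offers is the one the session will use.
    for c in $(printf '%s' "$client" | tr ',' ' '); do
        case ",$server," in
            *",$c,"*)
                printf '%s\n' "$c"
                return 0
                ;;
        esac
    done
    printf 'no matching cipher found: client %s server %s\n' "$client" "$server" >&2
    return 1
}

# check_profile LABEL CLIENT_LIST SERVER_LIST
# One line of report per ASA cipher profile, never aborts the script.
check_profile() {
    if chosen=$(negotiate_cipher "$2" "$3" 2>/dev/null); then
        printf '%-7s -> %s\n' "$1" "$chosen"
    else
        printf '%-7s -> NO MATCH (clogin would fail)\n' "$1"
    fi
}

printf 'Old clogin default (%s):\n' "$OLD_CLOGIN"
check_profile low    "$OLD_CLOGIN" "$ASA_LOW"
check_profile medium "$OLD_CLOGIN" "$ASA_MEDIUM"
printf '\nNew .cloginrc preference (%s):\n' "$NEW_CLOGIN"
check_profile low    "$NEW_CLOGIN" "$ASA_LOW"
check_profile medium "$NEW_CLOGIN" "$ASA_MEDIUM"
check_profile fips   "$NEW_CLOGIN" "$ASA_FIPS"
check_profile high   "$NEW_CLOGIN" "$ASA_HIGH"
```

Against the “medium” list the new preference picks aes128-ctr rather than aes128-cbc even though the ASA lists CBC first, which is the whole point of putting the CTR cipher at the front of the client list. Against a legacy device that only offers 3des-cbc the same line still falls back to 3DES, so nothing that worked before breaks. The “high” profile shows the gap: it offers only AES-256, so an ASA configured that way needs its own add cyphertype line (for that host pattern, placed before the * line, since cloginrc uses the first matching entry) listing aes256-ctr.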