[security issue/feature request] Add "ctr" SSH algorithms

boen_robot · September 27, 2014, 7:28pm

RouterOS seems to support only “cbc” algorithms (e.g. aes256-cbc), and no “ctr” algorithms (e.g. aes256-ctr) when connecting via SSH.

There’s a vulnerability with such algorithms. See http://www.kb.cert.org/vuls/id/958563.

The standard library of Go doesn’t support “cbc” algorithms, most likely because of that (see this StackOverflow topic), but instead just “ctr” ones.

I’d like support for “ctr” algorithms, at least for security’s sake, if not for anything else (though I’ll admit this compatibility issue with a program written in Go was the reason I reached this point in the first place).

Ideally, there should also be an option to enable/disable certain algorithms for the sake of backwards compatibility with older SSH clients, perhaps with everything enabled by default when upgrading, for the sake of backwards compatibility.

boen_robot · October 23, 2014, 7:44pm

For the sake of anyone who might find this, and is interested in the outcome, here’s the answer from support (Ticket#2014102266000541):

Hello,

Thank you for suggestion, we do not have plans to implement ctr in near future, but maybe in v7 we will add this.

Regards,
Maris B.

(I’m not surprised; While there IS a security issue with CBC algorithms, it’s not as easy to exploit as heartbleed or poodlebleed to warrant immediate attention and fixing.)