Configure sshd ciphers to use aes128-ctr

Nathan1980 (Dabbler, joined Aug 21, 2021, 12 messages)
I need to configure sshd to use AES128-ctr or chacha20.
But it keeps falling back to aes256.
I can force it from a test client at least to chacha20 by avoiding aes at all, but the client I'm forced to use has no such setting, so the server needs to do the trick, not the client.

I cannot find where the cipher list is configured, neither in /etc/ssh/sshd_config nor in /etc/local/ssh/sshd_config, which is created by the service GUI.

When I add in GUI -> Services -> SSH -> Advanced -> "Auxiliary Parameters" -> "Ciphers +aes128-ctr"
the ssh daemon no longer starts.
Same if I try to remove a cipher by adding the line "Ciphers -aes256-cbc".

Any tip on how to limit the ciphers to only the two named above?

Nathan1980 (Dabbler, joined Aug 21, 2021, 12 messages)
I'm one step closer. At least I know why SSH is not starting again after defining my Ciphers. It's blocked by the TrueNAS Python package:

[2021/08/22 08:01:44] (WARNING) middlewared.plugins.service_.services.base_freebsd.freebsd_service():134 - openssh onerestart failed with code 1: "Performing sanity check on openssh configuration.\n/usr/local/etc/ssh/sshd_config line 19: Directive 'Ciphers' is not allowed within a Match block\r\n"

And the config file is not inherited from /etc/ssh/sshd_config, so placing it there also changes nothing...
Why should TrueNAS block this setting? Mysterious...

Nathan1980 (Dabbler, joined Aug 21, 2021, 12 messages)
Modifying the script: /usr/local/lib/python3.9/site-packages/middlewared/etc_files/local/ssh/sshd_config
from: Ciphers +aes128-cbc
to: Ciphers aes128-ctr

works. But it's not the solution; this change will be overwritten by the next TrueNAS update.
So it is not a sshd problem or a problem with my configuration attempt.
The problem is that TrueNAS is actively filtering out this option.

Question remains: Why? And how to skip this filter without editing the truenas scripts?
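The sanity-check failure quoted in the second post happens because the auxiliary line is appended after a Match block, where sshd refuses global-only keywords such as Ciphers. As an added illustration (not from the thread and not TrueNAS's own code), the script below reproduces that check on a constructed sshd_config and shows the repair: hoist the directive above the first Match line. The keyword list is my own subset transcribed from sshd_config(5), and the sample file contents are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from TrueNAS: reproduce sshd's
# "not allowed within a Match block" sanity check on a generated sshd_config
# and show the repair (the directive must come before the first Match line).
# Global-only keywords (assumption: subset transcribed from sshd_config(5)).
GLOBAL_ONLY="ciphers macs kexalgorithms hostkey port listenaddress addressfamily"

# Constructed sample: a Ciphers line appended after a Match block, which is
# where an "Auxiliary Parameters" line ends up. Writes to the path in $1.
sample_config() {
    cat > "$1" <<'EOF'
# constructed sshd_config, not a real TrueNAS file
Port 22
PasswordAuthentication no
Match User backup
    ForceCommand /usr/local/bin/rsync-only
    PasswordAuthentication yes
Ciphers aes128-ctr,chacha20-poly1305@openssh.com
EOF
}

# Print each offending line in sshd's own wording; return 1 if any is found.
check_match_scope() {
    awk -v list="$GLOBAL_ONLY" '
        BEGIN { n = split(list, g, " "); for (i = 1; i <= n; i++) global[g[i]] = 1 }
        /^[ \t]*(#|$)/ { next }                          # comments and blank lines
        { key = tolower($1)                              # keywords are case-insensitive
          if (key == "match") { in_match = 1; next }     # all later lines are conditional
          if (in_match && (key in global)) {
              printf "%s line %d: Directive \047%s\047 is not allowed within a Match block\n", FILENAME, FNR, $1
              bad = 1 } }
        END { exit (bad ? 1 : 0) }' "$1"
}

# Emit the config with the offending lines hoisted to the top. sshd uses the
# first value it sees for a keyword, so the hoisted Ciphers line also overrides
# any later global Ciphers line (same effect as editing the template by hand).
hoist_global_directives() {
    awk -v list="$GLOBAL_ONLY" '
        BEGIN { n = split(list, g, " "); for (i = 1; i <= n; i++) global[g[i]] = 1 }
        { line[NR] = $0; key = tolower($1)
          if (key == "match") seen_match = 1
          if (seen_match && (key in global)) hoist[NR] = 1 }
        END { for (i = 1; i <= NR; i++) if (hoist[i]) print line[i]
              for (i = 1; i <= NR; i++) if (!hoist[i]) print line[i] }' "$1"
}
tmp=$(mktemp); sample_config "$tmp"
check_match_scope "$tmp" || echo "-> hoisting global-only directives above the Match block:"
hoist_global_directives "$tmp"
rm -f "$tmp"
```

On a live host, `sshd -t -f <file>` gives the authoritative verdict and `sshd -T | grep -i ciphers` shows the cipher list actually in effect after a restart.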