Thursday, May 31, 2018

OPENSSH 7.1 (7.1.102.1100) -- issues


1. Adding ciphers with the “+” sign

After adding the line below to sshd_config:

Ciphers  + blowfish-cbc,arcfour256,arcfour128

#ssh -vv test123

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctrchacha20-poly1305@openssh.com,,blowfish-cbc,arcfour256,arcfour128
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctrchacha20-poly1305@openssh.com,,blowfish-cbc,arcfour256,arcfour128

      The issue seems to be the double comma, which prevents the added ciphers from being used (the two identical debug2 lines are the client-to-server and server-to-client cipher proposals). Note that upstream OpenSSH documents the append form with the plus sign attached directly to the first name (Ciphers +blowfish-cbc,arcfour256,arcfour128); the directive above has a space after the plus, which is not the documented form.

2. Unsupported ciphers appearing in the OpenSSH package itself

List of ciphers supported by the OpenSSH 7.1 package, as reported by ssh -Q cipher:

$ ssh -Q cipher
3des-cbc
blowfish-cbc
cast128-cbc
arcfour
arcfour128
arcfour256
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr


As per the sshd_config man page, the default cipher list is:

chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes256-gcm@openssh.com



Connectivity result before applying the Ciphers directive:

$ ssh -vv test123
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctrchacha20-poly1305@openssh.com,
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctrchacha20-poly1305@openssh.com,

(These two lines show the list of ciphers supported by default by OpenSSH 7.1.)

This indicates that the default cipher list OpenSSH 7.1 actually uses differs from the one in the sshd_config man page: the “aes256-gcm@openssh.com” cipher does not appear in the default list offered during the connectivity test, and the ssh -Q cipher output above, which lists what the binary was built with, does not include it either.



The cipher list below was added, following various site references.

Ciphers blowfish-cbc,aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com


Working Configuration

But when we tried the directive below, after removing the GCM ciphers, it worked.

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes256-cbc,3des-cbc


Common errors:

error 1) Unable to negotiate with x.x.x.x.: no matching cipher found. Their offer: aes128-cbc,blowfish-cbc,3des-cbc lost connection

solution) Add the line below to the sshd_config file:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes256-cbc,3des-cbc,blowfish-cbc

Stop and start the sshd service.

error 2) Sometimes passwordless authentication, or the key negotiation in general, is attempted using only DSA keys and then fails. Why?
ans) In OpenSSH 7, DSA keys are disabled by default, so any key negotiation or connection that relies only on DSA keys will fail. In this scenario, first validate connectivity with ssh -vv <server-name> and check which key types it accepts, to confirm the exact issue.

Add the lines below to sshd_config to allow DSA keys (the attached “+” appends ssh-dss to the default list instead of replacing it). Re-enabling ssh-dss is a compatibility measure; the preferred fix is to replace the DSA keys with RSA, ECDSA or Ed25519 keys.

HostKeyAlgorithms +ssh-dss

PubkeyAcceptedKeyTypes +ssh-dss

Stop and start the sshd service.

Test the connectivity.
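An added example, not part of the original post, to make the checks in the cipher sections and the ssh-dss section above repeatable: a small Python lint for the list-valued sshd_config directives discussed here (Ciphers, HostKeyAlgorithms, PubkeyAcceptedKeyTypes). It flags the syntax slips seen on this page (a space after the “+”, a double comma, two names run together, a “.” typed for a “,”), names that the local build's ssh -Q cipher output does not list (such as the GCM cipher above), and legacy algorithms such as the CBC ciphers, arcfour and ssh-dss that the workarounds above enable. The ssh -Q cipher output and the sshd_config fragment are constructed samples embedded in the script (the cipher list mirrors the one quoted above); the LEGACY set is my own classification, and MANPAGE_DEFAULTS is the default list quoted from the man page in this post.

```python
"""Lint list-valued sshd_config directives against what the local binary
actually supports. Added example; the samples below are constructed."""
import re

# Constructed sample of `ssh -Q cipher` output: it mirrors the list quoted in
# the post (no GCM or chacha20 entries) rather than querying a real binary.
SAMPLE_Q_CIPHER = """\
3des-cbc
blowfish-cbc
cast128-cbc
arcfour
arcfour128
arcfour256
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
"""

# Constructed sshd_config fragment reproducing the mistakes discussed above.
SAMPLE_CONFIG = """\
# space after '+', so the value is not in the documented '+name,name' form
Ciphers + blowfish-cbc,arcfour256,arcfour128
# GCM cipher that this build's `ssh -Q cipher` does not list
Ciphers aes128-ctr,aes256-gcm@openssh.com
# '.' typed instead of ',' between two names
Ciphers aes256-cbc,3des-cbc.blowfish-cbc
# two names run together and a double comma, as in the debug2 output above
Ciphers aes256-ctrchacha20-poly1305@openssh.com,,blowfish-cbc
# '+' correctly attached; ssh-dss is legacy but syntactically fine
HostKeyAlgorithms +ssh-dss
"""

# Algorithm names are lower-case alphanumerics and '-', optionally '@domain'.
NAME_RE = re.compile(r"^[a-z0-9-]+(@[a-z0-9.-]+)?$")

# Default cipher list as quoted from the sshd_config man page in the post; used
# only to recognise two names that were run together without a comma.
MANPAGE_DEFAULTS = {"chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr",
                    "aes256-ctr", "aes256-gcm@openssh.com"}

# My own classification: algorithms a reviewer should flag even when the build
# supports them (CBC modes, RC4/arcfour, 3DES, Blowfish, DSA host/user keys).
LEGACY = {"3des-cbc", "blowfish-cbc", "cast128-cbc", "arcfour", "arcfour128",
          "arcfour256", "aes128-cbc", "aes192-cbc", "aes256-cbc", "ssh-dss"}

LIST_DIRECTIVES = {"ciphers", "hostkeyalgorithms", "pubkeyacceptedkeytypes"}


def parse_q_output(text):
    """Turn `ssh -Q <what>` output (one name per line) into a set of names."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def check_algo_list(value, supported):
    """Return the problems found in one directive value ([] means clean).

    `supported` is the set from `ssh -Q`, or None when no such list is at hand
    (then only the syntax and legacy checks run).
    """
    problems = []
    if value.startswith("+"):
        value = value[1:]
        if value[:1] != value[:1].strip():
            problems.append("whitespace after '+' (expected '+name,name')")
            value = value.strip()
    for tok in value.split(","):
        if tok == "":
            problems.append("empty entry (double or trailing comma)")
        elif not NAME_RE.match(tok):
            problems.append(f"malformed name '{tok}'")
        elif supported is not None and tok not in supported:
            # Tell a genuinely unknown name from two known names missing a comma.
            known = supported | MANPAGE_DEFAULTS
            pairs = [(a, tok[len(a):]) for a in sorted(known)
                     if tok.startswith(a) and tok[len(a):] in known]
            if pairs:
                a, b = pairs[0]
                problems.append(f"'{tok}' looks like '{a}' and '{b}' missing a comma")
            else:
                problems.append(f"'{tok}' not supported by this build")
        elif tok in LEGACY:
            problems.append(f"'{tok}' is a legacy algorithm")
    return problems


def lint_config(config_text, supported_by_directive):
    """Return (line_no, directive, problem) tuples for an sshd_config text.

    `supported_by_directive` maps a lower-cased directive name to its `ssh -Q`
    set; directives without an entry get the syntax and legacy checks only.
    """
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].lower() not in LIST_DIRECTIVES:
            continue
        supported = supported_by_directive.get(parts[0].lower())
        for problem in check_algo_list(parts[1], supported):
            findings.append((no, parts[0], problem))
    return findings


if __name__ == "__main__":
    q_lists = {"ciphers": parse_q_output(SAMPLE_Q_CIPHER)}
    for no, directive, problem in lint_config(SAMPLE_CONFIG, q_lists):
        print(f"line {no}: {directive}: {problem}")
```

To use it on a live system, replace SAMPLE_Q_CIPHER with the real ssh -Q cipher output, add the ssh -Q key output under the hostkeyalgorithms and pubkeyacceptedkeytypes entries, and feed it the real sshd_config. Any finding on a directive you intend to keep (for example the ssh-dss append above) then becomes a documented exception rather than an accident, and the syntax findings catch the kind of mistake that otherwise only shows up as a double comma in ssh -vv output or as sshd refusing to start.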
