After OpenSSH has been patched from vulnerable version 5 to the latest secure version 7.1p, we have encountered some connection issues with some of the clients.
Error:
# tail -f /var/log/messages
...
fatal: Unable to negotiate with 213.61.200.74: no matching cipher found.
Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,arcfour [preauth]
Root Cause:
Based on the version 7.1 release note, many ciphers have been disabled due to security issues:
OpenSSH 7.1 release note:
* Several ciphers will be disabled by default: blowfish-cbc,
cast128-cbc, all arcfour variants and the rijndael-cbc aliases
for AES.
Solution:
Need to add legacy ciphers to sshd_config in order to support the ssh client:
# vim /etc/ssh/sshd_config
...
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,arcfour
Error:
After adding the ciphers and restarting daemon, same client encounter different error:
# tail -f /var/log/messages
...
fatal: Unable to negotiate with 213.61.200.74: no matching key exchange method found. Their offer:
diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1 [preauth]
Root Cause:
Based on the version 7.0 release note, some of the key exchange methods have been disabled
OpenSSH 7.0 release note:
* Support for the 1024-bit diffie-hellman-group1-sha1 key exchange
is disabled by default at run-time. It may be re-enabled using
the instructions at http://www.openssh.com/legacy.html
* ssh(1), sshd(8): extend Ciphers, MACs, KexAlgorithms,
HostKeyAlgorithms, PubkeyAcceptedKeyTypes and HostbasedKeyTypes
options to allow appending to the default set of algorithms
instead of replacing it. Options may now be prefixed with a '+'
to append to the default, e.g. "HostKeyAlgorithms=+ssh-dss".
Solution:
To add the legacy MAC and key exchange algorithms back:
# vim /etc/ssh/sshd_config
...
MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
Well written .Keep updating Devops Online Course
ReplyDelete