OpenSSH client access issues after patching to version 7
After OpenSSH was patched from the vulnerable version 5 to the latest secure version 7.1p, some clients could no longer connect to the server.
Error:
# tail -f /var/log/messages
...
fatal: Unable to negotiate with 213.61.200.74: no matching cipher found.
Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,arcfour [preauth]
Root Cause:
According to the version 7.1 release note, several ciphers are now disabled by default because of security issues:
OpenSSH 7.1 release note:
* Several ciphers will be disabled by default: blowfish-cbc,
cast128-cbc, all arcfour variants and the rijndael-cbc aliases
for AES.
Solution:
The legacy ciphers the client offers need to be added to sshd_config so that this client can still connect:
# vim /etc/ssh/sshd_config
...
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
Error:
After adding the ciphers and restarting the daemon, the same client fails with a different error:
# tail -f /var/log/messages
...
fatal: Unable to negotiate with 213.61.200.74: no matching key exchange method found. Their offer:
diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1 [preauth]
Root Cause:
According to the version 7.0 release note, some key exchange methods are now disabled by default:
OpenSSH 7.0 release note:
* Support for the 1024-bit diffie-hellman-group1-sha1 key exchange
is disabled by default at run-time. It may be re-enabled using
the instructions at http://www.openssh.com/legacy.html
* ssh(1), sshd(8): extend Ciphers, MACs, KexAlgorithms,
HostKeyAlgorithms, PubkeyAcceptedKeyTypes and HostbasedKeyTypes
options to allow appending to the default set of algorithms
instead of replacing it. Options may now be prefixed with a '+'
to append to the default, e.g. "HostKeyAlgorithms=+ssh-dss".
Solution:
To add the legacy MAC and key exchange algorithms back (the '+' prefix from the 7.0 release note appends to the default set instead of replacing it):
# vim /etc/ssh/sshd_config
...
MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
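The two "Unable to negotiate" messages above can be reproduced offline, which makes it possible to check a candidate Ciphers or KexAlgorithms line against a client's offer before restarting sshd. The following POSIX shell script is an added example written for this post; it is not part of the original article or of OpenSSH. It resolves a configuration value the way OpenSSH 7.0 and later do (a leading '+' appends to the defaults, anything else replaces them) and then applies the SSH transport rule from RFC 4253: the first algorithm in the client's list that the server also lists is the one chosen. The default lists, the log lines and the client address 192.0.2.10 are constructed for the example; on a real host the built-in lists come from ssh -Q cipher and ssh -Q kex, and the effective server configuration from sshd -T.

```shell
#!/bin/sh
# Added example: offline check of SSH algorithm negotiation against sshd_config values.
# The default lists below are CONSTRUCTED for this example (assumed to resemble an OpenSSH 7.x
# build); on a real host compare them with: ssh -Q cipher ; ssh -Q kex ; sshd -T
DEFAULT_CIPHERS="aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com"
DEFAULT_KEX="curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1"

# Constructed log lines in the same shape as the ones in this post (192.0.2.10 is a
# documentation address, not a real client).
LOG_CIPHER="fatal: Unable to negotiate with 192.0.2.10: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,arcfour [preauth]"
LOG_KEX="fatal: Unable to negotiate with 192.0.2.10: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1 [preauth]"

# offer_from_log LINE : print the comma-separated list the client offered ("Their offer: ...")
offer_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: *\([^ ]*\).*/\1/p'
}

# effective_list DEFAULTS VALUE : resolve a Ciphers/MACs/KexAlgorithms value as OpenSSH 7.0+ does.
# A leading '+' appends VALUE to DEFAULTS, an empty VALUE keeps DEFAULTS, anything else replaces them.
effective_list() {
    case "$2" in
        "")  printf '%s\n' "$1" ;;
        +*)  printf '%s,%s\n' "$1" "${2#+}" ;;
        *)   printf '%s\n' "$2" ;;
    esac
}

# negotiate SERVER_LIST CLIENT_OFFER : the SSH transport (RFC 4253) selects the first algorithm in
# the client's list that the server also lists. Prints it and returns 0; returns 1 when nothing
# matches, which is the condition sshd logs as "no matching ... found".
negotiate() {
    server=",$1,"
    old_ifs=$IFS
    IFS=,
    for alg in $2; do
        case "$server" in
            *",$alg,"*) IFS=$old_ifs; printf '%s\n' "$alg"; return 0 ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# report KIND DEFAULTS CONFIG_VALUE LOGLINE : show what the client in LOGLINE would get
report() {
    offer=$(offer_from_log "$4")
    if chosen=$(negotiate "$(effective_list "$2" "$3")" "$offer"); then
        printf '%-6s %-40s -> %s\n' "$1" "${3:-<default>}" "$chosen"
    else
        printf '%-6s %-40s -> no match (client offered: %s)\n' "$1" "${3:-<default>}" "$offer"
    fi
}

# Stock defaults: both clients are rejected, matching the two log messages in this post.
report cipher "$DEFAULT_CIPHERS" "" "$LOG_CIPHER"
report kex    "$DEFAULT_KEX"     "" "$LOG_KEX"
# Appending only what the legacy client needs keeps every default and adds the minimum.
report cipher "$DEFAULT_CIPHERS" "+aes128-cbc" "$LOG_CIPHER"
# group-exchange-sha1 alone satisfies this client; the 1024-bit group1-sha1 can stay disabled.
report kex    "$DEFAULT_KEX"     "+diffie-hellman-group-exchange-sha1" "$LOG_KEX"
# A value without '+' replaces the default set: this server would now speak only aes128-cbc.
report cipher "$DEFAULT_CIPHERS" "aes128-cbc" "$LOG_CIPHER"
```

Run it with sh; it touches neither sshd nor its configuration. The last three reports show why the '+' form quoted from the 7.0 release note is the safer way to write the Ciphers and MACs lines above as well: a value without '+' silently drops every default algorithm that is not re-listed, while the '+' form adds only the algorithm the old client actually needs and can be removed again once that client is updated.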
Well written. Keep updating Devops Online Course
I think that we have to be competent and experienced enough in this field in order to freely perform such an action. Anyway, thank you for the description.