OpenSSH client access issues after patching to version 7

-
After OpenSSH has been patched from vulnerable version 5 to the latest secure version 7.1p, we have encountered some connection issues with some of the clients.

Error:
# tail -f /var/log/messages 
...
fatal: Unable to negotiate with 213.61.200.74: no matching cipher found. 
Their offer: aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,arcfour [preauth]

Root Cause:
Based on the version 7.1 release note, many ciphers have been disabled due to security issues:

OpenSSH 7.1 release note: 
 * Several ciphers will be disabled by default: blowfish-cbc,
   cast128-cbc, all arcfour variants and the rijndael-cbc aliases
   for AES.


Solution:
Need to add legacy ciphers to sshd_config in order to support the ssh client:

# vim /etc/ssh/sshd_config
...
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,arcfour


Error:
After adding the ciphers and restarting daemon, same client encounter different error:

# tail -f /var/log/messages 
...
fatal: Unable to negotiate with 213.61.200.74: no matching key exchange method found. Their offer: 
diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1 [preauth]

Root Cause:
Based on the version 7.0 release note, some of the key exchange methods have been disabled

OpenSSH 7.0 release note: 
 * Support for the 1024-bit diffie-hellman-group1-sha1 key exchange
   is disabled by default at run-time. It may be re-enabled using
   the instructions at http://www.openssh.com/legacy.html

 * ssh(1), sshd(8): extend Ciphers, MACs, KexAlgorithms,
   HostKeyAlgorithms, PubkeyAcceptedKeyTypes and HostbasedKeyTypes
   options to allow appending to the default set of algorithms
   instead of replacing it. Options may now be prefixed with a '+'
   to append to the default, e.g. "HostKeyAlgorithms=+ssh-dss".


Solution:
To add the legacy MAC and key exchange algorithms back:

# vim /etc/ssh/sshd_config
...
MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-sha1-96,hmac-md5-96

KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1





Comments

  1. radha25 October 2018 at 15:15

    Well written .Keep updating Devops Online Course

    ReplyDelete
  2. Call Us For Help here11 April 2020 at 22:18

    I think that we have to be competent and experienced enough in this field in order to freely perform such an action. Anyway, thank you for the description.

    ReplyDelete

Post a Comment

Popular posts from this blog

Rebuild your new Yum repository after changing the packages

-
If you have done any  changes  to your local  repository  packages, adding new ones or deleting some, you can just simply update your yum sqlite metadata database for your changes to take effect, rather than creating the whole repository again which takes time if you have  thousands  of packages in your repository.  Here is how we rebuild our yum repository. 1. After you are done with adding/removing packages to your local repo, then: # createrepo --update /path/to/repo_dir 2. On the  client  side, you need to clean up the cached yum meta data in order to see the changes after repo rebuild: # yum clean all 3. Now update the  client  yum cache  # yum update
Read more

Running Docker Wildfly/JBoss Application Server in Debug mode via Eclipse

-
I have recently built the whole Development Environment of Java Enterprise Edition (J2EE) project on multiple Docker containers. It has saved the hassle of setting up a dev env for new developers. All it takes to setup the environment is to clone our github repositories and run the Docker images. I will explain the setup in a future post. Build Wildfly Docker Image with Debugging Enabled So basically in order to run the Wildfly in debug mode, we need to add --debug  flag to the Wildfly standalone.sh  startup script. Also we need to expose port 8787  in our image as it's the default port for Wildfly JVM debug mode. 1. Create or change your Wildfly Dockerfile as follows: $ cat Dockerfile FROM jboss/wildfly: 10.0 . 0 .Final EXPOSE 8787 CMD [ "/opt/jboss/wildfly/bin/standalone.sh" , "-b" , "0.0.0.0" , "-bmanagement" , "0.0.0.0" , "--debug" ] 2. Build and tag the image: $ docker build -t wildfly-debug . 3.
Read more

Linux and AIX user non expiry and force password change at first login

-
In Linux, if you want to set the password for an account to never expire, here is the command: # chage -I -1 -m 0 -M 99999 -E -1 username  And to force a user to change his password upon first login: # chage -d0 username Current status of the account can be checked via chage command : # chage -l username  Last password change                                    : Jun 18, 2013 Password expires                                        : never Password inactive                                       : never Account expires                                         : never Minimum number of days between password change          : 0 Maximum number of days between password change          : 99999 Number of days of warning before password expires       : 7 For AIX, to set the password to non expiry and force the user to change his password upon first login: # chuser expires=0 maxage=0 username  To check the username status in AIX: # lsuser -f username
Read more