Koozali.org formerly Contribs.org

[INFO] Default ssh *client* ciphers in SME 9.2

Offline mmccarn

  • *
  • 2,546
[INFO] Default ssh *client* ciphers in SME 9.2
« on: August 26, 2018, 05:07:17 PM »
When trying to connect *from* my SME server *to* CentOS 7 (openssh v7.4), Ubuntu 16.04 (openssh v7.2), or a Ubiquiti Edgerouter (openssh 6.6), I get this error:
Code: [Select]
no matching cipher found: client arcfour256,blowfish-cbc,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour server chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

I can connect if I add "-c aes256-ctr" on the command line, like this:
Code: [Select]
# ssh -c aes256-ctr username@ubuntu-16.04-server-ip

# ssh -c aes256-ctr root@centos7-ip

# ssh -c aes256-ctr admin@ubiquiti-edgerouter-ip

I've submitted an NFR in bugzilla asking to have the default ssh client cipher list updated to include aes256-ctr:
Bug 10621

For now I've updated my own defaults using a custom template:
Code: [Select]
mkdir -p /etc/e-smith/templates-custom/etc/ssh/ssh_config
sed s/\ arcfour256/\ aes256-ctr,arcfour256/ /etc/e-smith/templates/etc/ssh/ssh_config/30Ciphers > /etc/e-smith/templates-custom/etc/ssh/ssh_config/30Ciphers
expand-template /etc/ssh/ssh_config

When done:
Quote from: /etc/ssh/ssh_config
#------------------------------------------------------------
#          !!DO NOT MODIFY THIS FILE!!
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at http://www.contribs.org/development/
#
# Copyright (C) 1999-2006 Mitel Networks Corporation
#------------------------------------------------------------
Host *
Port 22
Protocol 2
Cipher blowfish
Ciphers aes256-ctr,arcfour256,blowfish-cbc,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour
GSSAPIAuthentication yes
#ForwardX11 no
# If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes.
ForwardX11Trusted yes
# Send locale-related environment variables
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL

Offline ReetP

  • *
  • 2,676
Re: [INFO] Default ssh *client* ciphers in SME 9.2
« Reply #1 on: August 26, 2018, 07:34:44 PM »
Interesting as I have found this myself quite a lot recently.

I too have custom templates.

I can patch it but not sure what ciphers should really be in the list.

I'll try and find out via the bug.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Re: [INFO] Default ssh *client* ciphers in SME 9.2
« Reply #2 on: November 08, 2020, 10:00:18 PM »
This post helped me communicating to Fedora 33
Thanks
.:DB:.

Offline ReetP

  • *
  • 2,676
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation