Koozali.org: home of the SME Server

[INFO] Default ssh *client* ciphers in SME 9.2

Offline mmccarn

« on: August 26, 2018, 05:07:17 PM »
When trying to connect *from* my SME server *to* CentOS 7 (openssh v7.4), Ubuntu 16.04 (openssh v7.2), or a Ubiquiti Edgerouter (openssh 6.6), I get this error:
Code:
no matching cipher found: client arcfour256,blowfish-cbc,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour server chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

I can connect if I add "-c aes256-ctr" on the command line, like this:
Code:
# ssh -c aes256-ctr username@ubuntu-16.04-server-ip

# ssh -c aes256-ctr root@centos7-ip

# ssh -c aes256-ctr admin@ubiquiti-edgerouter-ip

I've submitted an NFR in bugzilla asking to have the default ssh client cipher list updated to include aes256-ctr:
Bug 10621

For now I've updated my own defaults using a custom template:
Code:
mkdir -p /etc/e-smith/templates-custom/etc/ssh/ssh_config
sed s/\ arcfour256/\ aes256-ctr,arcfour256/ /etc/e-smith/templates/etc/ssh/ssh_config/30Ciphers > /etc/e-smith/templates-custom/etc/ssh/ssh_config/30Ciphers
expand-template /etc/ssh/ssh_config

When done:
Quote from: /etc/ssh/ssh_config
#------------------------------------------------------------
#          !!DO NOT MODIFY THIS FILE!!
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at http://www.contribs.org/development/
#
# Copyright (C) 1999-2006 Mitel Networks Corporation
#------------------------------------------------------------
Host *
Port 22
Protocol 2
Cipher blowfish
Ciphers aes256-ctr,arcfour256,blowfish-cbc,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour
GSSAPIAuthentication yes
#ForwardX11 no
# If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes.
ForwardX11Trusted yes
# Send locale-related environment variables
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL
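The error message in the post already contains everything needed to see why the connection fails: OpenSSH picks the first cipher in the client's list that the server also offers, and the two lists above have no element in common (the server only offers CTR, GCM and chacha20 ciphers; every cipher the SME 9.2 client offers is RC4 or CBC). The script below is an added example, not code from the post or from SME Server: it computes that intersection from the two lists in the error, and applies the same "prepend aes256-ctr" change to a copy of a Ciphers template fragment, but anchored to the Ciphers directive and idempotent, so running it twice does not duplicate the cipher. The 30Ciphers fragment it writes to a temp directory is a constructed stand-in (the real template's contents are not shown on this page); the two cipher lists are copied from the error above.

```shell
#!/bin/sh
# Added example (not from the forum post or the SME Server templates).
# Checks an OpenSSH client cipher list against what a server offers, and
# patches a "Ciphers" line in a template copy idempotently.

# Copied from the "no matching cipher found" error in the post.
CLIENT_CIPHERS='arcfour256,blowfish-cbc,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour'
SERVER_CIPHERS='chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com'

# Print the ciphers both sides support, comma-separated, in client
# preference order (the order OpenSSH negotiates in: the first client
# cipher the server also lists wins). Empty output means the connection
# fails exactly like the error above.
cipher_intersection() {
    client=$1; server=$2; out=''
    for c in $(printf '%s' "$client" | tr ',' ' '); do
        case ",$server," in
            *",$c,"*) out="${out:+$out,}$c" ;;
        esac
    done
    printf '%s' "$out"
}

# Copy an ssh_config fragment to $dst with $cipher prepended to its
# "Ciphers" line, unless that line already contains it. Same effect as the
# sed in the post, but matched on the directive rather than on the first
# cipher name, and safe to re-run.
prepend_cipher() {
    src=$1; dst=$2; cipher=$3
    current=$(sed -n 's/^Ciphers //p' "$src")
    case ",$current," in
        *",$cipher,"*) cp "$src" "$dst" ;;
        *) sed "s/^Ciphers /Ciphers $cipher,/" "$src" > "$dst" ;;
    esac
}

# Reproduce the post's fix on a constructed stand-in for the 30Ciphers
# fragment, entirely inside a temp directory (nothing under /etc is touched).
demo() {
    tmp=$(mktemp -d)
    printf 'Ciphers %s\n' "$CLIENT_CIPHERS" > "$tmp/30Ciphers"   # constructed fragment
    prepend_cipher "$tmp/30Ciphers" "$tmp/30Ciphers.custom" aes256-ctr
    new_list=$(sed -n 's/^Ciphers //p' "$tmp/30Ciphers.custom")
    echo "common ciphers before: '$(cipher_intersection "$CLIENT_CIPHERS" "$SERVER_CIPHERS")'"
    echo "common ciphers after:  '$(cipher_intersection "$new_list" "$SERVER_CIPHERS")'"
    rm -rf "$tmp"
}

demo
```

Prepending a single cipher restores connectivity without changing what the client offers to older hosts, which is why the post puts aes256-ctr first rather than replacing the list; the intersection function makes it easy to test any candidate list against the server list in an error message before touching the template.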

Offline ReetP

Re: [INFO] Default ssh *client* ciphers in SME 9.2
« Reply #1 on: August 26, 2018, 07:34:44 PM »
Interesting, as I have found this myself quite a lot recently.

I too have custom templates.

I can patch it but not sure what ciphers should really be in the list.

I'll try and find out via the bug.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Brave Dave

Re: [INFO] Default ssh *client* ciphers in SME 9.2
« Reply #2 on: November 08, 2020, 10:00:18 PM »
This post helped me communicate with Fedora 33.
Thanks
.:DB:.
