Koozali.org: home of the SME Server

SME 10 SFTP - SSH access

simone686
SME 10 SFTP - SSH access
« on: April 21, 2021, 09:51:38 PM »
Hello everyone.
I have been using SME for years. For various customers I build small NAS boxes as backup servers for Windows PCs.
I access SME from those PCs with SFTP, or using rsync with programs such as Acronis or BackupAssist.
Yesterday I wanted to try version 10, but with both programs I cannot get in. With PuTTY, on the other hand, I can log in without any problem.
From the BackupAssist error it seems that the systems cannot agree on how to exchange the authorization information. I also often use plain CentOS 7 and have never had problems.
Can anyone tell me what might have changed?
With versions 9, 8 and 7 I never had any problems.
Thanks


Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: SME 10 SFTP - SSH access
« Reply #1 on: April 21, 2021, 11:51:21 PM »
Hi,
sorry for the answer in English.
SME Server 10 limits access to only known secure ciphers and MAC algorithms, so this could be the issue you are encountering.

The best way to debug your specific issue is to
- first, read carefully the exact error reported by your client program (From the BackupAssist error it seems that the systems cannot agree on how to exchange the authorization information.)
- second, check your logs while trying to connect:
Code:
# tail -f /var/log/sshd/sshd.log
Also, here is the list of accepted ciphers and MACs:
Code:
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

For information, the CentOS 7 defaults are
Code:
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160@openssh.com

SME 9, 8 and 7 allowed ciphers and encoding algorithms that are known to be insecure in 2021, so if your program does not support one of the offered algorithms it might need to be updated.

simone686
Re: SME 10 SFTP - SSH access
« Reply #2 on: April 22, 2021, 03:08:37 PM »
Hi, and thanks for replying.
I have updated the program, but nothing; same error:
"Unable to negotiate with 192.168.1.239 port 57977: no matching MAC found. Their offer: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]"

As they are only backup servers, how can I add these to the sshd config?

They are always rewritten on service restart.

Thanks

Jean-Philippe Pialasse
Re: SME 10 SFTP - SSH access
« Reply #3 on: April 22, 2021, 06:00:41 PM »
In the algorithm names, -etm means "encrypt-then-mac", i.e. the message authentication code is calculated after encryption. It is recommended to use these algorithms because they are considered safer.
Also, MD5 MACs are unsafe: 32 bits.
SHA1 is unsafe too: 160 bits.
Secure nowadays is at least 256, but will soon be 512.

You should open a bug against your software to ask them to make this software secure again.


You might do the following as a TEMPORARY workaround. The reason is that by doing so you will allow this cipher to anyone able to connect, making their connection insecure and exposing the exchanged information, including the content of your backup.

Code:
mkdir -p  /etc/e-smith/templates-custom/etc/ssh/sshd_config/
printf "#temp workaround for  using Backup software with insecure options\nMACs=+hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com\n\n\n" > /etc/e-smith/templates-custom/etc/ssh/sshd_config/34MACsLocalAdd
expand-template /etc/ssh/sshd_config
systemctl restart sshd

For information, WinSCP allows the following MACs (https://winscp.net/eng/docs/ssh_algorithms):
Message authentication codes (MACs): hmac-md5, hmac-sha1, hmac-sha1-96, hmac-sha2-256, hmac-md5-etm@openssh.com, hmac-sha1-etm@openssh.com, hmac-sha1-96-etm@openssh.com, hmac-sha2-256-etm@openssh.com
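As an added example (not code from the thread or from the SME Server project), the script below automates the two things the replies in this thread do by hand: it parses the "Unable to negotiate ... no matching MAC found. Their offer: ..." lines from sshd.log as suggested in Reply #1, intersects the client's offer with the SME 10 MAC list quoted there (in server preference order, which is what sshd picks first), and, where there is no overlap, computes the single strongest MAC the client supports so that a workaround fragment like the one in Reply #3 adds only one weak algorithm rather than three. The log lines are constructed to look like the message quoted in Reply #2 (documentation IP addresses, an invented hostname and PIDs); the strength ranking is this example's own ordering, not something sshd computes; and the WinSCP list is the one quoted above.

```python
"""Added example: explain an SSH MAC negotiation failure against an SME 10
host and compute the smallest, strongest addition that would let it connect.
Constants reproduce lists quoted in the thread; log lines are constructed."""
import re

# SME Server 10 accepted MACs as listed in Reply #1 (order = server preference).
SME10_MACS = (
    "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,"
    "umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"
).split(",")

# MACs WinSCP supports, from the list quoted in Reply #3.
WINSCP_MACS = ["hmac-md5", "hmac-sha1", "hmac-sha1-96", "hmac-sha2-256",
               "hmac-md5-etm@openssh.com", "hmac-sha1-etm@openssh.com",
               "hmac-sha1-96-etm@openssh.com", "hmac-sha2-256-etm@openssh.com"]

# Constructed sample log lines; line 1 carries the offer quoted in Reply #2.
SAMPLE_LOG = """\
Apr 22 14:58:01 sme10 sshd[4242]: Unable to negotiate with 192.0.2.10 port 57977: no matching MAC found. Their offer: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
Apr 22 14:59:12 sme10 sshd[4251]: Accepted publickey for backup from 192.0.2.11 port 50123 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
Apr 22 15:01:44 sme10 sshd[4260]: Unable to negotiate with 192.0.2.12 port 40001: no matching cipher found. Their offer: aes128-cbc,3des-cbc [preauth]
"""

NEGOTIATE_RE = re.compile(
    r"Unable to negotiate with (?P<host>\S+) port (?P<port>\d+): "
    r"no matching (?P<kind>cipher|MAC|key exchange method|host key type) found\. "
    r"Their offer: (?P<offer>\S+)"
)


def parse_failures(log_text):
    """Return (host, kind, [offered algorithms]) for each negotiation failure."""
    found = []
    for line in log_text.splitlines():
        m = NEGOTIATE_RE.search(line)
        if m:
            found.append((m["host"], m["kind"], m["offer"].split(",")))
    return found


def mac_strength(name):
    """Coarse ranking used by this example (higher = stronger), based on the
    underlying hash, tag truncation (-96) and encrypt-then-MAC (-etm)."""
    base = name.split("@")[0]
    if "sha2-512" in base:
        score = 50
    elif "sha2-256" in base or "umac-128" in base:
        score = 40
    elif "sha1" in base or "ripemd160" in base or "umac-64" in base:
        score = 20
    elif "md5" in base:
        score = 10
    else:
        score = 0
    if base.endswith("-96"):
        score -= 5   # truncated authentication tag
    if "-etm" in base:
        score += 1   # prefer the encrypt-then-MAC variant of the same hash
    return score


def common_macs(server_macs, client_offer):
    """MACs both sides accept, in server preference order."""
    return [m for m in server_macs if m in client_offer]


def minimal_addition(server_macs, client_offer):
    """With no overlap, return the single strongest MAC from the client's offer
    (ties resolved by the client's own ordering); None if nothing is needed."""
    if common_macs(server_macs, client_offer):
        return None
    return max(client_offer, key=mac_strength)


def render_fragment(extra_macs):
    """Text of an e-smith custom template fragment that appends the given MACs
    to sshd's default set via OpenSSH's '+' prefix (same idea as Reply #3)."""
    return ("# temporary workaround: extra MACs for a legacy backup client\n"
            "MACs +" + ",".join(extra_macs) + "\n")


if __name__ == "__main__":
    for host, kind, offer in parse_failures(SAMPLE_LOG):
        if kind != "MAC":
            print(f"{host}: {kind} negotiation failed, offer={offer}")
            continue
        overlap = common_macs(SME10_MACS, offer)
        print(f"{host}: common MACs = {overlap or 'none'}")
        need = minimal_addition(SME10_MACS, offer)
        if need:
            print(f"  smallest addition: {need} (strength {mac_strength(need)})")
            print(render_fragment([need]), end="")
    print("WinSCP overlap:", common_macs(SME10_MACS, WINSCP_MACS))
```

Run against the constructed log, the script reports that the first client shares no MAC with the server and that hmac-sha1 is the least bad single addition, while WinSCP already has hmac-sha2-256-etm@openssh.com and hmac-sha2-256 in common and needs no workaround at all. sshd_config accepts both `MACs +...` and the `MACs=+...` form used in Reply #3, and sshd takes the first value it obtains for each keyword, so after expand-template it is worth confirming the fragment actually took effect with `sshd -T | grep -i '^macs'` and watching sshd.log for a successful login from the backup host.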