search for: kexalgorithm

Displaying 20 results from an estimated 63 matches for "kexalgorithm".

2020 Jun 19
9
[Bug 3184] New: Unable to add deprecated KexAlgorithms back for host via config file
https://bugzilla.mindrot.org/show_bug.cgi?id=3184 Bug ID: 3184 Summary: Unable to add deprecated KexAlgorithms back for host via config file Product: Portable OpenSSH Version: 8.2p1 Hardware: All OS: All Status: NEW Severity: major Priority: P5 Component: ssh Assignee: unassigned-bugs at m...
2014 Jun 06
1
Patch: Ciphers, MACs and KexAlgorithms on Match
Hi all, this is a patch to make Ciphers, MACs and KexAlgorithms available in Match blocks. Now I can reach a -current machine with some Android terminal app without changing the default ciphers for all clients: Match Address 192.168.1.2 Ciphers aes128-cbc MACs hmac-sha1 KexAlgorithms diffie-hellman-group-exchange-sha1 Index: servconf.c ================...
2024 Jan 25
2
enable strong KexAlgorithms, Ciphers and MACs in /etc/ssh/sshd_config file on RHEL 8.x Linux OS
...8.7 (Ootpa). The details are as follows. # rpm -qa | grep openssh openssh-8.0p1-16.el8.x86_64 openssh-askpass-8.0p1-16.el8.x86_64 openssh-server-8.0p1-16.el8.x86_64 openssh-clients-8.0p1-16.el8.x86_64 # cat /etc/redhat-release Red Hat Enterprise Linux release 8.7 (Ootpa) # How do I enable strong KexAlgorithms, Ciphers and MACs in /etc/ssh/sshd_config file as per the above ssh server version. For example as per below setting. KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com, aes...
2015 Jan 07
4
[Bug 2333] New: forbid old Ciphers, KexAlgorithms and MACs by default
https://bugzilla.mindrot.org/show_bug.cgi?id=2333 Bug ID: 2333 Summary: forbid old Ciphers, KexAlgorithms and MACs by default Product: Portable OpenSSH Version: 6.6p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: Miscellaneous Assignee: unassigned-bugs at mindrot.org...
2017 Jan 29
3
[Bug 2671] New: make possible to remove default ciphers/kexalgorithms/mac algorithms
https://bugzilla.mindrot.org/show_bug.cgi?id=2671 Bug ID: 2671 Summary: make possible to remove default ciphers/kexalgorithms/mac algorithms Product: Portable OpenSSH Version: 7.4p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: sshd Assignee: unassigned-bugs at mindrot.org Rep...
2015 Sep 11
3
sshd key exchange security
...Anyway it appears that most ssh servers, when using DHE key exchange, use the 1024-bit Oakley Group 2 and there is suspicion the NSA has done the pre-computations needed to passively decrypt any tls communication using DHE with that particular prime group. They recommend setting the following: KexAlgorithms curve25519-sha256@libssh.org I don't even see that directive in my sshd config to set it, I suppose it may be one that is manually added when needed but I want to verify it actually means something in CentOS 7 ssh. Also I'm a little worried that maybe curve25519 is one of the curves...
2015 May 23
2
Weak DH primes and openssh
> Can this be addressed in ssh_config/sshd_config with the KexAlgorithms setting? weakdh.org/sysadmin.html recommends adding: KexAlgorithms curve25519-sha256@libssh.org But this thread makes it sound as if it's not necessary. Can anyone confirm? Personally I'm on openssh-6.7. - Grant > You will be aware of https://weakdh.org/ by now, I presume; t...
2024 Jan 27
1
enable strong KexAlgorithms, Ciphers and MACs in /etc/ssh/sshd_config file on RHEL 8.x Linux OS
BTW based on your output it looks like the DEFAULT policy is just fine. If you really want to turn etm HMAC and chacha20 off, you should follow the RHEL security alert https://access.redhat.com/security/cve/cve-2023-48795 cipher@SSH = -CHACHA20-POLY1305 ssh_etm = 0 by putting these lines into `/etc/crypto-policies/policies/modules/CVE-2023-48795.pmod`, applying the resulting subpolicy
2016 Nov 08
2
one host only: ssh_dispatch_run_fatal
...>> different wording. > > I set up the same versions (server:OpenSSH_6.6p1, OpenSSL 1.0.1s 1 > Mar 2016, client: OpenSSH_7.3p1, OpenSSL 1.0.1s 1 Mar 2016) on Linux > to try to reproduce it but failed. > > ./ssh -p 2022 -vvv -o ciphers=chacha20-poly1305@openssh.com -o > kexalgorithms=diffie-hellman-group-exchange-sha256 localhost > [...] > debug1: kex: algorithm: diffie-hellman-group-exchange-sha256 > debug1: kex: host key algorithm: ssh-ed25519 > debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: > <implicit> compression: none >...
2024 Jan 25
1
enable strong KexAlgorithms, Ciphers and MACs in /etc/ssh/sshd_config file on RHEL 8.x Linux OS
...a | grep openssh > openssh-8.0p1-16.el8.x86_64 > openssh-askpass-8.0p1-16.el8.x86_64 > openssh-server-8.0p1-16.el8.x86_64 > openssh-clients-8.0p1-16.el8.x86_64 > > # cat /etc/redhat-release > Red Hat Enterprise Linux release 8.7 (Ootpa) > # > > How do I enable strong KexAlgorithms, Ciphers and MACs in > /etc/ssh/sshd_config file as per the above ssh server version. For > example > as per below setting. > > KexAlgorithms > ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie- > hellman-group-exchange-sha256 > Ciphers chacha20-poly1305@o...
2018 Nov 23
2
Debian Stretch 9.6: openssh-server and old dropbear client don't work togheter
...wer is to run a newer client. > > If there's no way to do that, least worst is probably to connect to > a jump host on the LAN (locked-down as much as possible), running > modern OpenSSH sshd but with weak kex/ciphers enabled, in this > case you could use something like > > KexAlgorithms +diffie-hellman-group1-sha1 > Ciphers +aes128-cbc > > This is still not recommended, but at least you could keep the weak > crypto off the internet this way. Thanks Stuart I have tried to use the right KexAlgorithm and Ciphers, but the dropbear client always fails myhostname sshd[3905]:...
2016 Oct 19
2
SSH Weak Ciphers
...> concerned about then I am left with Ciphers >> aes128-ctr,aes192-ctr,aes256-ctr for both /etc/ssh/sshd_config and >> /etc/ssh/ssh_config. > > If you're going to go down this road, you should probably look at key exchanges and HMACs as well. On CentOS 7, I use: > > KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 > Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr > MACs hmac-sha2-512-etm@openssh.co...
2014 Mar 07
12
[Bug 2209] New: Problem logging into Cisco devices under 6.5p1 (kexgexc.c)
https://bugzilla.mindrot.org/show_bug.cgi?id=2209 Bug ID: 2209 Summary: Problem logging into Cisco devices under 6.5p1 (kexgexc.c) Product: Portable OpenSSH Version: 6.5p1 Hardware: amd64 OS: FreeBSD Status: NEW Severity: normal Priority: P5 Component: ssh
2013 May 07
2
SSH key exchange algorithm negotiation payload growth
...Am I correct in reading RFC 4253 sections 6.2 - 6.5 and section 7.1 as saying that implementations must be prepared to accept an arbitrary number of algorithms of each type during initial key exchange? When I was troubleshooting this issue I tried playing around with different combinations of -o KexAlgorithms and -o HostKeyAlgorithms at the command line. Are there other configuration parameters for the other name-lists during algorithm negotiation, e.g. encryption_algorithms_client_to_server, compression_algorithms_server_to_client, etc? Thanks in advance! Best, Kent
2015 Sep 20
4
OpenSSH Always Hangs When Connecting to Remote
On 09/20/2015 03:25 AM, Darren Tucker wrote: > I suspect a path mtu problem. The key exchange packet is one of the > first large ones in an SSH connection so it tends to show up such problems. > > See http://www.snailbook.com/faq/mtu-mismatch.auto.html > <http://www.snailbook.com/faq/mtu-mismatch.auto.html> Has this been changed? SSH used to work fine on my old machine. My
2018 Nov 22
2
Debian Stretch 9.6: openssh-server and old dropbear client don't work togheter
Hi, I have compatibility issues with the latest version of openssh-server and an old dropbear client, the dropbear client stops at preauth Nov 22 14:34:03 myhostname sshd[3905]: debug1: Client protocol version 2.0; client software version dropbear_0.46 Nov 22 14:34:03 myhostname sshd[3905]: debug1: no match: dropbear_0.46 Nov 22 14:34:03 myhostname sshd[3905]: debug1: Local version string
2020 Feb 06
3
Call for testing: OpenSSH 8.2
On 2020-02-06 at 13:28 +1100, Darren Tucker wrote: > Like this. > --- a/sshd_config.5 > +++ b/sshd_config.5 The ssh_config.5 also has a copy of this and presumably needs the same change, unless I've misunderstood. -Phil
2015 Sep 11
0
sshd key exchange security
Once upon a time, Alice Wonder <alice at domblogger.net> said: > They recommend setting the following: > > KexAlgorithms curve25519-sha256@libssh.org > > I don't even see that directive in my sshd config to set it, I > suppose it may be one that is manually added when needed but I want > to verify it actually means something in CentOS 7 ssh. > > Also I'm a little worried that maybe cur...
2016 Oct 19
1
SSH Weak Ciphers
Once upon a time, Erik Laxdal <elaxdal at ece.uvic.ca> said: > The supported KexAlgorithms, Ciphers, and MACs are generally listed > in the sshd_config man page. So 'man sshd_config' then look for the > section of the item of interest. Note that the man page does not always match the actual compiled binary (the build process does not update the man page to match configur...
2011 Aug 25
1
Add missing -o options in ssh(1) manual
....It ForwardAgent .It ForwardX11 +.It ForwardX11Timeout .It ForwardX11Trusted .It GatewayPorts .It GlobalKnownHostsFile @@ -438,6 +440,7 @@ For full details of the options listed b .It IdentityFile .It IdentitiesOnly .It IPQoS +.It KbdInteractiveAuthentication .It KbdInteractiveDevices .It KexAlgorithms .It LocalCommand