search for: kexalgorithm

Displaying 20 results from an estimated 69 matches for "kexalgorithm".

Did you mean: kexalgorithms
2020 Jun 19
9
[Bug 3184] New: Unable to add deprecated KexAlgorithms back for host via config file
https://bugzilla.mindrot.org/show_bug.cgi?id=3184 Bug ID: 3184 Summary: Unable to add deprecated KexAlgorithms back for host via config file Product: Portable OpenSSH Version: 8.2p1 Hardware: All OS: All Status: NEW Severity: major Priority: P5 Component: ssh Assignee: unassigned-bugs at m...
2014 Jun 06
1
Patch: Ciphers, MACs and KexAlgorithms on Match
Hi all, this is a patch to make Ciphers, MACs and KexAlgorithms available in Match blocks. Now I can reach a -current machine with some Android terminal app without changing the default ciphers for all clients: Match Address 192.168.1.2 Ciphers aes128-cbc MACs hmac-sha1 KexAlgorithms diffie-hellman-group-exchange-sha1 Index: servconf.c ================...
2024 Jan 25
2
enable strong KexAlgorithms, Ciphers and MACs in /etc/ssh/sshd_config file on RHEL 8.x Linux OS
...8.7 (Ootpa). The details are as follows. # rpm -qa | grep openssh openssh-8.0p1-16.el8.x86_64 openssh-askpass-8.0p1-16.el8.x86_64 openssh-server-8.0p1-16.el8.x86_64 openssh-clients-8.0p1-16.el8.x86_64 # cat /etc/redhat-release Red Hat Enterprise Linux release 8.7 (Ootpa) # How do I enable strong KexAlgorithms, Ciphers and MACs in /etc/ssh/sshd_config file as per the above ssh server version. For example as per below setting. KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 Ciphers chacha20-poly1305 at openssh.com,aes256-gcm at openssh.com, aes...
2024 Jun 13
1
[Bug 3701] New: KexAlgorithms documentation is unclear as to default vs. supported distinction
https://bugzilla.mindrot.org/show_bug.cgi?id=3701 Bug ID: 3701 Summary: KexAlgorithms documentation is unclear as to default vs. supported distinction Product: Portable OpenSSH Version: 9.7p1 Hardware: All OS: All Status: NEW Severity: minor Priority: P5 Component: Documenta...
2015 Jan 07
4
[Bug 2333] New: forbid old Ciphers, KexAlgorithms and MACs by default
https://bugzilla.mindrot.org/show_bug.cgi?id=2333 Bug ID: 2333 Summary: forbid old Ciphers, KexAlgorithms and MACs by default Product: Portable OpenSSH Version: 6.6p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: Miscellaneous Assignee: unassigned-bugs at mindrot.org...
2017 Jan 29
3
[Bug 2671] New: make possible to remove default ciphers/kexalgorithms/mac algorithms
https://bugzilla.mindrot.org/show_bug.cgi?id=2671 Bug ID: 2671 Summary: make possible to remove default ciphers/kexalgorithms/mac algorithms Product: Portable OpenSSH Version: 7.4p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: sshd Assignee: unassigned-bugs at mindrot.org Rep...
2015 Sep 11
3
sshd key exchange security
...Anyway it appears that most ssh servers, when using DHE key exchange, use the 1024-bit Oakley Group 2 and there is suspicion the NSA has done the pre-computations needed to passively decrypt any tls communication using DHE with that particular prime group. They recommend setting the following: KexAlgorithms curve25519-sha256 at libssh.org I don't even see that directive in my sshd config to set it, I suppose it may be one that is manually added when needed but I want to verify it actually means something in CentOS 7 ssh. Also I'm a little worried that maybe curve25519 is one of the curves...
2015 May 23
2
Weak DH primes and openssh
> Can this be addressed in ssh_config/sshd_config with the KexAlgorithms setting? weakdh.org/sysadmin.html recommends adding: KexAlgorithms curve25519-sha256 at libssh.org But this thread makes it sound as if it's not necessary. Can anyone confirm? Personally I'm on openssh-6.7. - Grant > You will be aware of https://weakdh.org/ by now, I presume; t...
2024 Jan 27
1
enable strong KexAlgorithms, Ciphers and MACs in /etc/ssh/sshd_config file on RHEL 8.x Linux OS
BTW based on your output it looks like the DEFAULT policy is just fine, If you really want to turn etm HMAC and chacha20 off, you should follow the RHEL security alert https://access.redhat.com/security/cve/cve-2023-48795 cipher at SSH = -CHACHA20-POLY1305 ssh_etm = 0 by putting these lines into `/etc/crypto-policies/policies/modules/CVE-2023-48795.pmod`, applying the resulting subpolicy
2016 Nov 08
2
one host only: ssh_dispatch_run_fatal
...t;> different wording. > > I set up the same versions (server:OpenSSH_6.6p1, OpenSSL 1.0.1s 1 > Mar 2016, client: OpenSSH_7.3p1, OpenSSL 1.0.1s 1 Mar 2016) on Linux > to try to reproduce it but failed. > > ./ssh -p 2022 -vvv -o ciphers=chacha20-poly1305 at openssh.com -o > kexalgorithms=diffie-hellman-group-exchange-sha256 localhost > [...] > debug1: kex: algorithm: diffie-hellman-group-exchange-sha256 > debug1: kex: host key algorithm: ssh-ed25519 > debug1: kex: server->client cipher: chacha20-poly1305 at openssh.com MAC: > <implicit> compression: none &g...
2024 Jan 25
1
enable strong KexAlgorithms, Ciphers and MACs in /etc/ssh/sshd_config file on RHEL 8.x Linux OS
...a | grep openssh > openssh-8.0p1-16.el8.x86_64 > openssh-askpass-8.0p1-16.el8.x86_64 > openssh-server-8.0p1-16.el8.x86_64 > openssh-clients-8.0p1-16.el8.x86_64 > > # cat /etc/redhat-release > Red Hat Enterprise Linux release 8.7 (Ootpa) > # > > How do I enable strong KexAlgorithms, Ciphers and MACs in > /etc/ssh/sshd_config file as per the above ssh server version. For > example > as per below setting. > > KexAlgorithms > ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie- > hellman-group-exchange-sha256 > Ciphers chacha20-poly1305 at o...
2018 Nov 23
2
Debian Stretch 9.6: openssh-server and old dropbear client don't work togheter
...wer is to run a newer client. > > If there's no way to do that, least worst is probably to connect to > a jump host on the LAN (locked-down as much as possible), running > modern OpenSSH sshd but with weak kex/ciphers enabled, in this > case you could use something like > > KexAlgorithms +diffie-hellman-group1-sha1 > Ciphers +aes128-cbc > > This is still not recommended, but at least you could keep the weak > crypto off the internet this way. Thanks Stuart I have tried to use the right KexAlgorithm and Ciphers, but dropbear client fail always myhostname sshd[3905]:...
2016 Oct 19
2
SSH Weak Ciphers
...gt; concerned about then I am left with Ciphers >> aes128-ctr,aes192-ctr,aes256-ctr for both /etc/ssh/sshd_config and >> /etc/ssh/ssh_config. > > If you're going to go down this road, you should probably look at key exchanges and HMACs as well. On CentOS 7, I use: > > KexAlgorithms curve25519-sha256 at libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 > Ciphers chacha20-poly1305 at openssh.com,aes256-gcm at openssh.com,aes128-gcm at openssh.com,aes256-ctr,aes192-ctr,aes128-ctr > MACs hmac-sha2-512-etm at openssh.co...
2014 Mar 07
12
[Bug 2209] New: Problem logging into Cisco devices under 6.5p1 (kexgexc.c)
https://bugzilla.mindrot.org/show_bug.cgi?id=2209 Bug ID: 2209 Summary: Problem logging into Cisco devices under 6.5p1 (kexgexc.c) Product: Portable OpenSSH Version: 6.5p1 Hardware: amd64 OS: FreeBSD Status: NEW Severity: normal Priority: P5 Component: ssh
2013 May 07
2
SSH key exchange algorithm negotiation payload growth
...Am I correct in reading RFC 4253 sections 6.2 - 6.5 and section 7.1 as saying that implementations must be prepared to accept an arbitrary number of algorithms of each type during initial key exchange? When I was troubleshooting this issue I tried playing around with different combinations of -o KexAlgorithms and -o HostKeyAlgorithms at the command line. Are there other configuration paramters for the other name-lists during algorithm negotiation, e.g. encryption_algorithms_client_to_server, compression_algorithms_server_to_client, etc? Thanks in advance! Best, Kent
2015 Sep 20
4
OpenSSH Always Hangs When Connecting to Remote
On 09/20/2015 03:25 AM, Darren Tucker wrote: > I suspect a path mtu problem. The key exchange packet is one of the > first large ones in an SSH connection so it tends to show up such problems. > > Seehttp://www.snailbook.com/faq/mtu-mismatch.auto.html > <http://www.snailbook.com/faq/mtu-mismatch.auto.html> Has this been changed? SSH used to work fine on my old machine. My
2018 Nov 22
2
Debian Stretch 9.6: openssh-server and old dropbear client don't work togheter
Hi, I have compatibility issues with the latest version of openssh-server and an old dropbear client, the dopbear client stops at preauth ov 22 14:34:03 myhostname sshd[3905]: debug1: Client protocol version 2.0; client software version dropbear_0.46 Nov 22 14:34:03 myhostname sshd[3905]: debug1: no match: dropbear_0.46 Nov 22 14:34:03 myhostname sshd[3905]: debug1: Local version string
2020 Feb 06
3
Call for testing: OpenSSH 8.2
On 2020-02-06 at 13:28 +1100, Darren Tucker wrote: > Like this. > --- a/sshd_config.5 > +++ b/sshd_config.5 The ssh_config.5 also has a copy of this and presumably needs the same change, unless I've misunderstood. -Phil
2015 Sep 11
0
sshd key exchange security
Once upon a time, Alice Wonder <alice at domblogger.net> said: > They recommend setting the following: > > KexAlgorithms curve25519-sha256 at libssh.org > > I don't even see that directive in my sshd config to set it, I > suppose it may be one that is manually added when needed but I want > to verify it actually means something in CentOS 7 ssh. > > Also I'm a little worried that maybe cur...
2016 Oct 19
1
SSH Weak Ciphers
Once upon a time, Erik Laxdal <elaxdal at ece.uvic.ca> said: > The supported KexAlgorithms, Ciphers, and MACs are generally listed > in the sshd_config man page. So 'man sshd_config' then look for the > section of the item of interest. Note that the man page does not always match the actual compiled binary (the build process does not update the man page to match configur...