Displaying 20 results from an estimated 69 matches for "kexalgorithms".
2020 Jun 19
9
[Bug 3184] New: Unable to add deprecated KexAlgorithms back for host via config file
https://bugzilla.mindrot.org/show_bug.cgi?id=3184
Bug ID: 3184
Summary: Unable to add deprecated KexAlgorithms back for host
via config file
Product: Portable OpenSSH
Version: 8.2p1
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mi...
2014 Jun 06
1
Patch: Ciphers, MACs and KexAlgorithms on Match
Hi all,
this is a patch to make Ciphers, MACs and KexAlgorithms available in
Match blocks. Now I can reach a -current machine with some Android
terminal app without changing the default ciphers for all clients:
Match Address 192.168.1.2
Ciphers aes128-cbc
MACs hmac-sha1
KexAlgorithms diffie-hellman-group-exchange-sha1
Index: servconf.c
=================...
2024 Jan 25
2
enable strong KexAlgorithms, Ciphers and MACs in /etc/ssh/sshd_config file on RHEL 8.x Linux OS
...8.7
(Ootpa). The details are as follows.
# rpm -qa | grep openssh
openssh-8.0p1-16.el8.x86_64
openssh-askpass-8.0p1-16.el8.x86_64
openssh-server-8.0p1-16.el8.x86_64
openssh-clients-8.0p1-16.el8.x86_64
# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.7 (Ootpa)
#
How do I enable strong KexAlgorithms, Ciphers and MACs in
/etc/ssh/sshd_config file as per the above ssh server version. For example
as per below setting.
KexAlgorithms
ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,
aes1...
2024 Jun 13
1
[Bug 3701] New: KexAlgorithms documentation is unclear as to default vs. supported distinction
https://bugzilla.mindrot.org/show_bug.cgi?id=3701
Bug ID: 3701
Summary: KexAlgorithms documentation is unclear as to default
vs. supported distinction
Product: Portable OpenSSH
Version: 9.7p1
Hardware: All
OS: All
Status: NEW
Severity: minor
Priority: P5
Component: Documentat...
2015 Jan 07
4
[Bug 2333] New: forbid old Ciphers, KexAlgorithms and MACs by default
https://bugzilla.mindrot.org/show_bug.cgi?id=2333
Bug ID: 2333
Summary: forbid old Ciphers, KexAlgorithms and MACs by default
Product: Portable OpenSSH
Version: 6.6p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: Miscellaneous
Assignee: unassigned-bugs at mindrot.org...
2017 Jan 29
3
[Bug 2671] New: make possible to remove default ciphers/kexalgorithms/mac algorithms
https://bugzilla.mindrot.org/show_bug.cgi?id=2671
Bug ID: 2671
Summary: make possible to remove default
ciphers/kexalgorithms/mac algorithms
Product: Portable OpenSSH
Version: 7.4p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Repo...
2015 Sep 11
3
sshd key exchange security
...Anyway it appears that most ssh servers, when using DHE key exchange,
use the 1024-bit Oakley Group 2 and there is suspicion the NSA has done
the pre-computations needed to passively decrypt any tls communication
using DHE with that particular prime group.
They recommend setting the following:
KexAlgorithms curve25519-sha256@libssh.org
I don't even see that directive in my sshd config to set it, I suppose
it may be one that is manually added when needed but I want to verify it
actually means something in CentOS 7 ssh.
Also I'm a little worried that maybe curve25519 is one of the curves...
2015 May 23
2
Weak DH primes and openssh
> Can this be addressed in ssh_config/sshd_config with the KexAlgorithms setting?
weakdh.org/sysadmin.html recommends adding:
KexAlgorithms curve25519-sha256@libssh.org
But this thread makes it sound as if it's not necessary. Can anyone
confirm? Personally I'm on openssh-6.7.
- Grant
> You will be aware of https://weakdh.org/ by now, I presume; th...
2024 Jan 27
1
enable strong KexAlgorithms, Ciphers and MACs in /etc/ssh/sshd_config file on RHEL 8.x Linux OS
BTW based on your output it looks like the DEFAULT policy is just fine,
If you really want to turn etm HMAC and chacha20 off, you should follow the RHEL security alert
https://access.redhat.com/security/cve/cve-2023-48795
cipher@SSH = -CHACHA20-POLY1305
ssh_etm = 0
by putting these lines into `/etc/crypto-policies/policies/modules/CVE-2023-48795.pmod`, applying the resulting subpolicy
2016 Nov 08
2
one host only: ssh_dispatch_run_fatal
...>> different wording.
>
> I set up the same versions (server:OpenSSH_6.6p1, OpenSSL 1.0.1s 1
> Mar 2016, client: OpenSSH_7.3p1, OpenSSL 1.0.1s 1 Mar 2016) on Linux
> to try to reproduce it but failed.
>
> ./ssh -p 2022 -vvv -o ciphers=chacha20-poly1305@openssh.com -o
> kexalgorithms=diffie-hellman-group-exchange-sha256 localhost
> [...]
> debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
> debug1: kex: host key algorithm: ssh-ed25519
> debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC:
> <implicit> compression: none
>...
2024 Jan 25
1
enable strong KexAlgorithms, Ciphers and MACs in /etc/ssh/sshd_config file on RHEL 8.x Linux OS
...a | grep openssh
> openssh-8.0p1-16.el8.x86_64
> openssh-askpass-8.0p1-16.el8.x86_64
> openssh-server-8.0p1-16.el8.x86_64
> openssh-clients-8.0p1-16.el8.x86_64
>
> # cat /etc/redhat-release
> Red Hat Enterprise Linux release 8.7 (Ootpa)
> #
>
> How do I enable strong KexAlgorithms, Ciphers and MACs in
> /etc/ssh/sshd_config file as per the above ssh server version. For
> example
> as per below setting.
>
> KexAlgorithms
> ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
> Ciphers chacha20-poly1305 at op...
2018 Nov 23
2
Debian Stretch 9.6: openssh-server and old dropbear client don't work together
...wer is to run a newer client.
>
> If there's no way to do that, least worst is probably to connect to
> a jump host on the LAN (locked-down as much as possible), running
> modern OpenSSH sshd but with weak kex/ciphers enabled, in this
> case you could use something like
>
> KexAlgorithms +diffie-hellman-group1-sha1
> Ciphers +aes128-cbc
>
> This is still not recommended, but at least you could keep the weak
> crypto off the internet this way.
Thanks Stuart
I have tried to use the right KexAlgorithm and Ciphers, but the dropbear
client always fails
myhostname sshd[3905]: d...
2016 Oct 19
2
SSH Weak Ciphers
...> concerned about then I am left with Ciphers
>> aes128-ctr,aes192-ctr,aes256-ctr for both /etc/ssh/sshd_config and
>> /etc/ssh/ssh_config.
>
> If you're going to go down this road, you should probably look at key exchanges and HMACs as well. On CentOS 7, I use:
>
> KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
> Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
> MACs hmac-sha2-512-etm@openssh.com...
2014 Mar 07
12
[Bug 2209] New: Problem logging into Cisco devices under 6.5p1 (kexgexc.c)
https://bugzilla.mindrot.org/show_bug.cgi?id=2209
Bug ID: 2209
Summary: Problem logging into Cisco devices under 6.5p1
(kexgexc.c)
Product: Portable OpenSSH
Version: 6.5p1
Hardware: amd64
OS: FreeBSD
Status: NEW
Severity: normal
Priority: P5
Component: ssh
2013 May 07
2
SSH key exchange algorithm negotiation payload growth
...Am I correct in reading RFC 4253 sections 6.2 - 6.5 and section 7.1 as saying that implementations must be prepared to accept an arbitrary number of algorithms of each type during initial key exchange?
When I was troubleshooting this issue I tried playing around with different combinations of -o KexAlgorithms and -o HostKeyAlgorithms at the command line. Are there other configuration parameters for the other name-lists during algorithm negotiation, e.g. encryption_algorithms_client_to_server, compression_algorithms_server_to_client, etc?
Thanks in advance!
Best,
Kent
2015 Sep 20
4
OpenSSH Always Hangs When Connecting to Remote
On 09/20/2015 03:25 AM, Darren Tucker wrote:
> I suspect a path mtu problem. The key exchange packet is one of the
> first large ones in an SSH connection so it tends to show up such problems.
>
> See http://www.snailbook.com/faq/mtu-mismatch.auto.html
> <http://www.snailbook.com/faq/mtu-mismatch.auto.html>
Has this been changed? SSH used to work fine on my old machine. My
2018 Nov 22
2
Debian Stretch 9.6: openssh-server and old dropbear client don't work together
Hi, I have compatibility issues with the latest version of
openssh-server and an old dropbear client, the dropbear client stops at
preauth
Nov 22 14:34:03 myhostname sshd[3905]: debug1: Client protocol version
2.0; client software version dropbear_0.46
Nov 22 14:34:03 myhostname sshd[3905]: debug1: no match: dropbear_0.46
Nov 22 14:34:03 myhostname sshd[3905]: debug1: Local version string
2020 Feb 06
3
Call for testing: OpenSSH 8.2
On 2020-02-06 at 13:28 +1100, Darren Tucker wrote:
> Like this.
> --- a/sshd_config.5
> +++ b/sshd_config.5
The ssh_config.5 also has a copy of this and presumably needs the same
change, unless I've misunderstood.
-Phil
2015 Sep 11
0
sshd key exchange security
Once upon a time, Alice Wonder <alice at domblogger.net> said:
> They recommend setting the following:
>
> KexAlgorithms curve25519-sha256@libssh.org
>
> I don't even see that directive in my sshd config to set it, I
> suppose it may be one that is manually added when needed but I want
> to verify it actually means something in CentOS 7 ssh.
>
> Also I'm a little worried that maybe curv...
2016 Oct 19
1
SSH Weak Ciphers
Once upon a time, Erik Laxdal <elaxdal at ece.uvic.ca> said:
> The supported KexAlgorithms, Ciphers, and MACs are generally listed
> in the sshd_config man page. So 'man sshd_config' then look for the
> section of the item of interest.
Note that the man page does not always match the actual compiled binary
(the build process does not update the man page to match configura...