Discovery of Linux servers with MACs and ciphers enabled for SSH connections

chodavarapu
Tera Contributor

Linux Engineering Team want to enable MACs and ciphers for all SSH connections to all Linux servers. We tried discovering one of the test servers with MACs and ciphers enabled. The discovery failed on SSH authentication. Please suggest on how we overcome this issue.


tim_broberg
ServiceNow Employee

First, make sure you're using sncssh rather than j2ssh. The menu of algorithms is pretty limited with j2ssh.



That should resolve the issue, but if not, can you please log in to the test machine and run ssh -vv to identify which algorithms you need to connect, and post the output here like this:



[tbroberg@sheepserve ~]$ ssh -vv localhost 2>&1 | grep kexinit
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
tbroberg@localhost's password:
[tbroberg@sheepserve ~]$


Please find below the email from our Linux architect to my Operations lead. Hope this will provide some information.



Each Linux server runs an SSH service that accepts connections from various other hosts. There are several parameters that we can tune to force strong encryption. One is requiring strong Message Authentication Codes (MACs) on the Linux host. It seems Service Now requires the weak and broken SHA1 MAC. The standard is to use something stronger (SHA2):

hmac-sha2-512-etm
hmac-sha2-256-etm
umac-128-etm
hmac-sha2-512
hmac-sha2-256
umac-128

Thanks,



Please find above the SHA2 MACs that might be used henceforth. Please suggest what changes are to be made to discovery. We are using Istanbul version.


Well, you're in luck then. As listed below, hmac-sha2-256, hmac-sha2-512 are supported in sncssh.


tim_broberg
ServiceNow Employee

Here are the algorithms currently supported by sncssh:

Key Exchange Algorithms: diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha256, diffie-hellman-group1-sha1
Signature Algorithms: ssh-dss, ssh-rsa
Client-to-Server Cipher Algorithms: aes128-ctr, aes192-ctr, aes256-ctr, 3des-ctr, aes128-cbc, aes192-cbc, aes256-cbc, 3des-cbc, none
Client-to-Server MAC Algorithms: hmac-sha1, hmac-sha1-96, hmac-sha2-256, hmac-sha2-512, hmac-md5, hmac-md5-96
Client-to-Server Compression Algorithms: none
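The workflow in this thread (run ssh -vv, read the kex_parse_kexinit proposals, compare them with what sncssh supports) can be checked mechanically before sshd_config is rolled out fleet-wide. The Python below is an added example for this thread, not ServiceNow or sncssh code. It assumes the sncssh algorithm list quoted above, applies the SSH negotiation rule from RFC 4253 section 7.1 (the chosen algorithm is the first entry in the client's list that also appears in the server's list), and parses a constructed ssh -vv capture whose server half carries the SHA2 MAC list from the architect's email, spelled out with the full OpenSSH names (hmac-sha2-512-etm@openssh.com, umac-128@openssh.com, and so on). It also shows the failure mode: a server that offers only the etm variants leaves the sncssh client with no MAC at all.

```python
"""Predict what a discovery client will negotiate against a hardened sshd.

Added example for this thread; not ServiceNow/sncssh code.
"""
import re

# Algorithms sncssh supports, as listed in this thread (assumed current for Istanbul).
SNCSSH = {
    "kex": ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha256", "diffie-hellman-group1-sha1"],
    "hostkey": ["ssh-dss", "ssh-rsa"],
    "cipher": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "3des-ctr", "aes128-cbc",
               "aes192-cbc", "aes256-cbc", "3des-cbc", "none"],
    "mac": ["hmac-sha1", "hmac-sha1-96", "hmac-sha2-256", "hmac-sha2-512",
            "hmac-md5", "hmac-md5-96"],
}

# Order of the name-lists inside SSH_MSG_KEXINIT (RFC 4253 section 7.1). ssh -vv prints
# one kex_parse_kexinit line per list: the client's proposal first, then the server's.
FIELDS = ["kex", "hostkey", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]


def parse_kexinit(debug_output):
    """Return (client_proposal, server_proposal) from `ssh -vv host 2>&1 | grep kexinit`."""
    lists = []
    for line in debug_output.splitlines():
        m = re.match(r"debug2: kex_parse_kexinit:\s*(.*)$", line.strip())
        if not m:
            continue
        body = m.group(1)
        if body.startswith("first_kex_follows") or body.startswith("reserved"):
            continue  # trailer fields, not name-lists
        lists.append([a for a in body.split(",") if a])
    if len(lists) != 2 * len(FIELDS):
        raise ValueError(f"expected {2 * len(FIELDS)} name-lists, got {len(lists)}")
    client = dict(zip(FIELDS, lists[:len(FIELDS)]))
    server = dict(zip(FIELDS, lists[len(FIELDS):]))
    return client, server


def negotiate(client_list, server_list):
    """RFC 4253 rule: first algorithm in the client's list the server also offers."""
    for alg in client_list:
        if alg in server_list:
            return alg
    return None  # nothing in common: the handshake fails here


def check_discovery(server, client=SNCSSH):
    """Simulate the discovery client's negotiation against a server proposal.

    Returns {field: chosen algorithm or None}; any None means discovery cannot connect.
    """
    return {
        "kex": negotiate(client["kex"], server["kex"]),
        "hostkey": negotiate(client["hostkey"], server["hostkey"]),
        "cipher": negotiate(client["cipher"], server["cipher_c2s"]),
        "mac": negotiate(client["mac"], server["mac_c2s"]),
    }


def common_macs(server_macs, client_macs=SNCSSH["mac"]):
    """Entries of the sshd MACs list the client can use, in the server's preference order.

    These are the entries that must stay in sshd_config for discovery to keep working.
    """
    return [m for m in server_macs if m in client_macs]


# Constructed ssh -vv capture (not a real host). The client half is a typical OpenSSH
# proposal; the server half reflects the SHA2-only MAC list from the architect's email.
SAMPLE = """\
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: kex_parse_kexinit: ssh-rsa
debug2: kex_parse_kexinit: aes256-ctr,aes192-ctr,aes128-ctr
debug2: kex_parse_kexinit: aes256-ctr,aes192-ctr,aes128-ctr
debug2: kex_parse_kexinit: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
debug2: kex_parse_kexinit: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
"""

if __name__ == "__main__":
    _, server = parse_kexinit(SAMPLE)
    result = check_discovery(server)
    print("negotiated:", result)
    print("sshd MACs usable by sncssh:", common_macs(server["mac_c2s"]))
    etm_only = [m for m in server["mac_c2s"] if m.endswith("-etm@openssh.com")]
    print("etm-only server -> MAC:", negotiate(SNCSSH["mac"], etm_only))
```

Run against a real capture by piping `ssh -vv host 2>&1 | grep kexinit` into parse_kexinit. Note that sncssh prefers hmac-sha2-256 over hmac-sha2-512 because of its list order, so that is what the constructed server above ends up with even though it lists hmac-sha2-512 first; the server's order only breaks ties the client's order has not already decided.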