Discovery of Linux servers with MACs and ciphers enabled for SSH connections

chodavarapu · ‎11-21-2017

Linux Engineering Team want to enable MACs and ciphers for all SSH connections to all Linux servers. We tried discovering one of the test servers with MACs and ciphers enabled. The discovery failed on SSH authentication. Please suggest on how we overcome this issue.

tim_broberg · ‎11-21-2017

First, make sure you're using sncssh rather than j2ssh. The menu of algorithms is pretty limited with j2ssh.

That should resolve the issue, but, if not, can you please login to the test machine and run ssh -vv to identify what algorithms you need to connect and post here like this:

[tbroberg@sheepserve ~]$ ssh -vv localhost 2>&1 | grep kexinit

debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se

debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit: first_kex_follows 0

debug2: kex_parse_kexinit: reserved 0

debug2: kex_parse_kexinit: ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1

debug2: kex_parse_kexinit: ssh-rsa,ssh-dss

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se

debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,zlib@openssh.com

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit: first_kex_follows 0

debug2: kex_parse_kexinit: reserved 0

tbroberg@localhost's password:

[tbroberg@sheepserve ~]$

chodavarapu · ‎11-21-2017

Please find below the email from our Linux architect to my Operations lead. Hope this will provide some information.

Each Linux server runs an SSH service that accepts connections from various other hosts. There are several parameters that we can tune to force strong encryption. One is requiring strong Message Authentication Codes (MACs) on the Linux host. It seems Service Now requires the weak and broken SHA1 MAC. The standard is to use something stronger (SHA2)

hmac-sha2-512-etm

hmac-sha2-256-etm

umac-128-etm

hmac-sha2-512Each

hmac-sha2-256

umac-128

Thanks,

Please find above the SHA2 MACs that might be used henceforth. Please suggest what changes are to be made to discovery. We are using Istanbul version.

tim_broberg · ‎11-21-2017

Well, you're in luck then. As listed below, hmac-sha2-256, hmac-sha2-512 are supported in sncssh.

tim_broberg · ‎11-21-2017

Here are the algorithms currently supported by sncssh:

Key Exchange Algorithms: diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha256, diffie-hellman-group1-sha1

Signature Algorithms: ssh-dss, ssh-rsa

Client-to-Server Cipher Algorithms: aes128-ctr, aes192-ctr, aes256-ctr, 3des-ctr, aes128-cbc, aes192-cbc, aes256-cbc, 3des-cbc, none

Client-to-Server MAC Algorithms: hmac-sha1, hmac-sha1-96, hmac-sha2-256, hmac-sha2-512, hmac-md5, hmac-md5-96

Client-to-Server Compression Algorithms: none