SSH ciphers
01-16-2014 07:36 AM
We have some Linux servers that only allow aes128-ctr,aes192-ctr,aes256-ctr.
When we run discovery against these servers, we see the "SSH authentication error". Is there a way to configure a midserver/discovery to only use these ciphers?
Thanks
Rick
Labels: Discovery, Service Mapping
02-21-2014 12:54 AM
Support for aes128-ctr is added in Calgary Patch 3 / Dublin.
- Tim.
11-18-2015 01:13 PM
Running Fuji, we have Linux servers that also only allow Ciphers aes128-ctr,aes192-ctr,aes256-ctr and HMACs hmac-sha2-256,hmac-sha2-512. When running discovery, we get the following error in the UNIX Classify probe:
Could not agree on client-to-server MAC algorithm
Client: [hmac-sha1-96, hmac-sha1, hmac-md5, hmac-md5-96]
Server: []:
From the error message it appears the probe only supports the less secure HMAC algorithms. Is there any way the probe can be modified to use the more secure HMAC algorithms?
Thanks,
Martin
11-18-2015 04:28 PM
The listed algorithms are plenty secure for hmac purposes.
If you use a weak hash algorithm on a certificate, the attacker has all the time in the world to saw on the thing and forge documents with your signature, making the algorithm inappropriate.
In ssh, an attacker has to change live network traffic and fool us into thinking it's genuine, so he has to forge a hash before the connection times out. Oh, and they have to crack the encryption at the same time. You and I will be safely retired and/or dead before anybody can crack hmac-md5 in real time. http://events.iaik.tugraz.at/HashWorkshop07/slides/ekr_Indigestion.pdf, RFC 2104 - HMAC: Keyed-Hashing for Message Authentication
Be that as it may, support for hmac-sha2-256 and hmac-sha2-512 is added for sncssh in Fuji Patch 9.
- Tim.
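
Added example (not part of the thread and not ServiceNow code): SSH picks, per RFC 4253 section 7.1, the first algorithm on the client's list that the server also offers, so the "Could not agree" error above can be reproduced offline by comparing a server's `Ciphers`/`MACs` lines with the client's offer. The client cipher list and the order of the post-patch MAC list are assumptions; the sshd_config text is a constructed sample using the values quoted in the thread.

```python
"""RFC 4253 section 7.1 algorithm selection, applied to the MAC mismatch in this thread."""

# Constructed sample: the server settings quoted in the thread, as sshd_config lines.
SERVER_CONFIG = """
# hardened server (constructed sample)
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha2-256,hmac-sha2-512
"""

# Client MAC list exactly as printed in the UNIX Classify probe error.
OLD_MACS = ["hmac-sha1-96", "hmac-sha1", "hmac-md5", "hmac-md5-96"]
# Assumptions: the client offers aes128-ctr; the patched client lists SHA-2 MACs first.
CLIENT_BEFORE = {"ciphers": ["aes128-ctr"], "macs": OLD_MACS}
CLIENT_AFTER = {"ciphers": ["aes128-ctr"],
                "macs": ["hmac-sha2-256", "hmac-sha2-512"] + OLD_MACS}


def parse_sshd_config(text):
    """Return {'ciphers': [...], 'macs': [...]} for the directives present in text."""
    found = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) < 2:
            continue  # blank line, comment, or keyword without a value
        key, value = parts[0].lower(), parts[1].strip()
        if key not in ("ciphers", "macs") or key in found:
            continue  # sshd uses the first value it reads for a keyword
        if value[0] in "+-^":
            # Relative lists modify the build's defaults, which this sketch does not know.
            raise ValueError(f"{parts[0]}: +/-/^ list needs the server's default set")
        found[key] = [alg.strip() for alg in value.split(",") if alg.strip()]
    return found


def negotiate(client, server):
    """First algorithm on the client's list that the server also offers, else None."""
    return next((alg for alg in client if alg in server), None)


def check(client_offer, server_offer):
    """Agreed algorithm per category; None means the handshake fails there.
    Categories the config does not set are skipped (server defaults apply)."""
    return {kind: negotiate(algs, server_offer[kind])
            for kind, algs in client_offer.items() if kind in server_offer}


if __name__ == "__main__":
    server = parse_sshd_config(SERVER_CONFIG)
    print("before patch:", check(CLIENT_BEFORE, server))
    print("after patch: ", check(CLIENT_AFTER, server))
```

A `None` in the result marks the category where key exchange would abort, which is the cipher or MAC list to change on one side or the other.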

03-27-2022 03:34 AM
Hi,
Is there a way to configure MID Server to use a specific cipher?