SSH ciphers

Rick Mann
Tera Expert

We have some Linux servers that only allow aes128-ctr,aes192-ctr,aes256-ctr

 

  When we run discovery against these servers, we see the "SSH authentication error".   Is there a way to configure a midserver/discovery to only use these ciphers?

 

Thanks

 

Rick

4 REPLIES 4

tim_broberg
ServiceNow Employee
ServiceNow Employee

Support for aes128-ctr is added in Calgary Patch 3 / Dublin.



      - Tim.


Running Fuji, we have Linux servers that also only allow Ciphers aes128-ctr,aes192-ctr,aes256-ctr and HMACs hmac-sha2-256,hmac-sha2-512. When running discovery, we get the following error in the UNIX Classify probe:




Could not agree on client-to-server MAC algorithm


Client: [hmac-sha1-96, hmac-sha1, hmac-md5, hmac-md5-96]


Server: []:



From the error message it appears the probe only support the less secure HMAC algorithms. Is there any way the probe can be modified to use the more secure HMAC algorithms?



Thanks,


Martin


The listed algorithms are plenty secure for hmac purposes.



If you use a weak hash algorithm on a certificate, the attacker has all the time in the world to saw on the thing and forge documents with your signature, making the algorithm inappropriate.



In ssh, an attacker has to change live network traffic and fool us into thinking it's genuine, so he has to forge a hash before the connection times out. Oh, and they have to crack the encryption at the same time. You and I will be safely retired and/or dead before anybody can crack hmac-md5 in real time. http://events.iaik.tugraz.at/HashWorkshop07/slides/ekr_Indigestion.pdf,   RFC 2104 - HMAC: Keyed-Hashing for Message Authentication



Be that as it may, support for hmac-sha2-256 and hmac-sha2-512 is added for sncssh in Fuji Patch 9.


      - Tim.


Community Alums
Not applicable

Hi,

 

Is there a way to configure MID Server to use a Specific Chiper ?