
sshd configuration for use with TelnetPro


Bob:
With newer versions of sshd (for example version 6.7 included with Debian 8 (jessie)) you need to modify the sshd_config file so sshd supports the ciphers and key exchange methods in TelnetPro.

To do this, add the following to the end of your sshd_config script and restart sshd:


--- Code: ---Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour

KexAlgorithms diffie-hellman-group1-sha1

--- End code ---

mikedenzler:
Bob,

We have recently applied a security update to our HPUX and RHEL databases to use OpenSSH 7.3. The update disables support for SHA-1. The update is causing all ssh connections from ICETCP Pro to be disallowed. My UNIX admins have made the suggested change below, but that does not work. Is there any plan to update the ICETCP Pro product to support SHA-2? If not, is it possible to have JRiver recompile a version of ICETCP Pro for use that will support SHA-2?

Bob:

--- Quote from: mikedenzler on March 10, 2017, 08:24:32 am ---Bob,

We have recently applied a security update to our HPUX and RHEL databases to use OpenSSH 7.3. The update disables support for SHA-1. The update is causing all ssh connections from ICETCP Pro to be disallowed. My UNIX admins have made the suggested change below, but that does not work. Is there any plan to update the ICETCP Pro product to support SHA-2? If not, is it possible to have JRiver recompile a version of ICETCP Pro for use that will support SHA-2?

--- End quote ---

I did some debugging on this after getting an OpenSSH 7 system running.
The problem connecting isn't directly related to SHA-2. I have it working now with some changes to the Pro code and the settings from the message above.

Bob:
After playing with this a bit more I've found the minimum necessary additions to the sshd_config for allowing TelnetPro to log in on systems that have disabled sha1 by default. The minimum requirement is to have diffie-hellman-group1-sha1, like this:


--- Code: ---KexAlgorithms diffie-hellman-group1-sha1

--- End code ---

Though you will likely have more like this:

--- Code: ---KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256
--- End code ---

and for Ciphers, aes192-cbc needs to be added to the default list. On my machine this results in the following line for Ciphers:


--- Code: ---Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes192-cbc

--- End code ---

You can find out what your current ssh server's defaults are by using nmap on a machine that has it (search for Ciphers in the output):

--- Code: ---nmap --script ssh2-enum-algos -sV -p 22 localhost
--- End code ---
This would work if you have nmap on the server that's running ssh, and ssh uses port 22 and listens on localhost. Change it to work with your specific setup.

Note that this doesn't seem to work for sshd 7.3. That would require a change in TelnetPro.

Edit: updated the KexAlgorithms line.
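
An added example, not part of the original thread or of TelnetPro: a check over sshd_config text that reports whether the two algorithms named in the post above are actually in effect, which legacy algorithms the same lines leave enabled for every other client, and which appended lines sshd ignores because the keyword was already set earlier in the file. The function names, the legacy patterns and the sample fragment are assumptions made for this example.

```python
import re

# Per the thread: what TelnetPro needs the server to offer.
REQUIRED = {"kexalgorithms": "diffie-hellman-group1-sha1", "ciphers": "aes192-cbc"}

# Assumption for this example: name patterns treated as legacy
# (RC4, 64-bit block ciphers, CBC modes, SHA-1 kex over the 1024-bit group 1).
LEGACY = re.compile(r"^(arcfour|3des-|blowfish-|cast128-)|-cbc$|group1-sha1$")


def effective_algorithms(config_text):
    """Return ({keyword: algorithms sshd would use}, [shadowed line numbers]).

    sshd keeps the first value it obtains for a keyword, so a line appended
    to the end of the file is ignored when the keyword is already set above.
    A leading '+' is stripped; the '-' and '^' list prefixes are not handled.
    """
    effective, ignored = {}, []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        fields = raw.strip().split(None, 1)
        if len(fields) != 2 or fields[0].lower() not in REQUIRED:
            continue                        # comments and unrelated keywords
        keyword = fields[0].lower()
        if keyword in effective:
            ignored.append(number)          # shadowed by an earlier line
            continue
        names = fields[1].lstrip("+").split(",")
        effective[keyword] = [n.strip() for n in names if n.strip()]
    return effective, ignored


def audit(config_text):
    """Report TelnetPro compatibility and the legacy algorithms left enabled."""
    effective, ignored = effective_algorithms(config_text)
    return {
        "compatible": all(REQUIRED[k] in effective.get(k, []) for k in REQUIRED),
        "legacy": sorted(n for names in effective.values()
                         for n in names if LEGACY.search(n)),
        "ignored_lines": ignored,
    }


# Constructed sample: an existing Ciphers line, then settings appended below it.
SAMPLE = """\
# constructed sshd_config fragment
Ciphers aes128-ctr,aes256-ctr
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256
Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-cbc
"""
```

Calling `audit(SAMPLE)` reports the fragment as not compatible, because the appended Ciphers line on line 4 is shadowed by the one on line 2.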
