ICE

Author Topic: sshd configuration for use with TelnetPro  (Read 4765 times)

Bob

  • Administrator
  • Ice Artist
  • *****
  • Posts: 1607
sshd configuration for use with TelnetPro
« on: March 01, 2017, 02:43:21 pm »

With newer versions of sshd (for example, version 6.7 included with Debian 8 (jessie)) you need to modify the sshd_config file so sshd supports the ciphers and key exchange methods in TelnetPro.

To do this, add the following to the end of your sshd_config script and restart sshd.

Code: [Select]
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour

KexAlgorithms diffie-hellman-group1-sha1
Logged

mikedenzler

  • Newbie
  • *
  • Posts: 1
Re: sshd configuration for use with TelnetPro
« Reply #1 on: March 10, 2017, 08:24:32 am »

Bob,

We have recently applied a security update to our HPUX and RHEL databases to use OpenSSH 7.3. The update disables support for SHA-1. The update is causing all ssh connections from ICETCP Pro to be disallowed. My UNIX admins have made the suggested change below, but that does not work. Is there any plan to update the ICETCP Pro product to support SHA-2? If not, is it possible to have JRiver recompile a version of ICETCP Pro for use that will support SHA-2?

Logged

Bob

  • Administrator
  • Ice Artist
  • *****
  • Posts: 1607
Re: sshd configuration for use with TelnetPro
« Reply #2 on: March 14, 2017, 03:51:41 pm »

Quote from: mikedenzler on March 10, 2017, 08:24:32 am
> Bob,
>
> We have recently applied a security update to our HPUX and RHEL databases to use OpenSSH 7.3. The update disables support for SHA-1. The update is causing all ssh connections from ICETCP Pro to be disallowed. My UNIX admins have made the suggested change below, but that does not work. Is there any plan to update the ICETCP Pro product to support SHA-2? If not, is it possible to have JRiver recompile a version of ICETCP Pro for use that will support SHA-2?

I did some debugging on this after getting an OpenSSH 7 system running.
The problem connecting isn't directly related to SHA-2. I have it working now with some changes to the Pro code and the settings from the message above.
Logged

Bob

  • Administrator
  • Ice Artist
  • *****
  • Posts: 1607
Re: sshd configuration for use with TelnetPro
« Reply #3 on: August 15, 2017, 03:22:50 pm »

After playing with this a bit more, I've found the minimum necessary additions to the sshd_config for allowing TelnetPro to log in on systems that have disabled sha1 by default. The minimum requirement is to have diffie-hellman-group1-sha1, like this:

Code: [Select]
KexAlgorithms diffie-hellman-group1-sha1

Though you will likely have more like this:
Code: [Select]
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256

And for Ciphers, aes192-cbc needs to be added to the default list. On my machine this results in the following line for Ciphers:

Code: [Select]
Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes192-cbc

You can find out what your current ssh server's defaults are by using nmap on a machine that has it (search for Ciphers in the output):
Code: [Select]
nmap --script ssh2-enum-algos -sV -p 22 localhost

Would work if you have nmap on the server that's running ssh and ssh uses port 22 and listens on localhost. Change to work with your specific setup.

Note that this doesn't seem to work for sshd 7.3. That would require a change in TelnetPro.

Edit: updated the KexAlgorithms line.
« Last Edit: October 17, 2017, 12:02:11 pm by Bob »
Logged
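
Added example (not part of the thread and not JRiver's code): a small audit of the Ciphers and KexAlgorithms lines discussed above. It applies sshd's rule that the first value found for a keyword is the one used, so a line appended at the end of sshd_config has no effect if the keyword is already set earlier, and it flags a list that leaves only legacy algorithms on offer to every client. The LEGACY sets are this example's own policy and the sample config is constructed from lines quoted in the thread.

```python
# Added example: audit the Ciphers / KexAlgorithms lines of an sshd_config.
# LEGACY is this example's own policy list, not something OpenSSH exposes.
LEGACY = {
    "ciphers": {"arcfour", "arcfour128", "arcfour256", "3des-cbc",
                "blowfish-cbc", "cast128-cbc",
                "aes128-cbc", "aes192-cbc", "aes256-cbc"},
    "kexalgorithms": {"diffie-hellman-group1-sha1"},
}

def effective_lists(config_text):
    """Return {keyword: (prefix, [algorithms])}; the first value per keyword wins."""
    found = {}
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)   # drop comments, split keyword
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()  # keywords are case-insensitive
        if key in LEGACY and key not in found:
            # '+', '-' and '^' modify the default list instead of replacing it
            prefix = value[0] if value[0] in "+-^" else ""
            found[key] = (prefix, [a for a in value[len(prefix):].split(",") if a])
    return found

def audit(config_text):
    """Return (keyword, finding) tuples for the lines sshd would actually use."""
    findings = []
    for key, (prefix, algos) in effective_lists(config_text).items():
        if prefix == "-":
            continue  # removing algorithms from the defaults enables nothing
        legacy = [a for a in algos if a in LEGACY[key]]
        for name in legacy:
            findings.append((key, "legacy algorithm enabled: " + name))
        if not prefix and algos and len(legacy) == len(algos):
            findings.append((key, "list replaces defaults with legacy algorithms only"))
    return findings

# Constructed sample built from lines quoted in the thread.
SAMPLE = """\
Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes192-cbc
KexAlgorithms diffie-hellman-group1-sha1
KexAlgorithms curve25519-sha256   # ignored: an earlier KexAlgorithms line wins
"""

if __name__ == "__main__":
    for key, finding in audit(SAMPLE):
        print(key + ": " + finding)
```

Feeding it the output of `sshd -T` instead of the file audits the effective configuration, defaults included.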
 
