ICE

TCP/IP Products => TCP-PRO => Topic started by: Bob on March 01, 2017, 02:43:21 pm

Title: sshd configuration for use with TelnetPro
Post by: Bob on March 01, 2017, 02:43:21 pm
With newer versions of sshd (for example version 6.7 included with debian 8 (jessie)) you need to modify the sshd_config file so sshd supports the ciphers and key exchange methods in TelnetPro.

To do this, add the following to the end of your sshd_config script and restart sshd.

Code:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour

KexAlgorithms diffie-hellman-group1-sha1

Title: Re: sshd configuration for use with TelnetPro
Post by: mikedenzler on March 10, 2017, 08:24:32 am
Bob,

We have recently applied a security update to our HPUX and RHEL databases to use OpenSSH 7.3. The update disables support for SHA-1. The update is causing all ssh connections from ICETCP Pro to be disallowed. My UNIX admins have made the suggested change below, but that does not work. Is there any plan to update the ICETCP Pro product to support SHA-2? If not is it possible to have JRiver recompile a version of ICETCP Pro for use that will support SHA-2?

Title: Re: sshd configuration for use with TelnetPro
Post by: Bob on March 14, 2017, 03:51:41 pm
Quote from: mikedenzler on March 10, 2017, 08:24:32 am
Bob,

We have recently applied a security update to our HPUX and RHEL databases to use OpenSSH 7.3. The update disables support for SHA-1. The update is causing all ssh connections from ICETCP Pro to be disallowed. My UNIX admins have made the suggested change below, but that does not work. Is there any plan to update the ICETCP Pro product to support SHA-2? If not is it possible to have JRiver recompile a version of ICETCP Pro for use that will support SHA-2?

I did some debugging on this after getting an OpenSSH 7 system running.
The problem connecting isn't directly related to SHA-2, I have it working now with some changes to the Pro code and the settings from the message above.

Title: Re: sshd configuration for use with TelnetPro
Post by: Bob on August 15, 2017, 03:22:50 pm
After playing with this a bit more I've found the minimum necessary additions to the sshd_config for allowing TelnetPro to log in on systems that have disabled sha1 by default. The minimum requirement is to have diffie-hellman-group1-sha1 like this:

Code:
KexAlgorithms diffie-hellman-group1-sha1

Though you will likely have more like this:
Code:
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256

And for Ciphers, aes192-cbc needs to be added to the default list. On my machine this results in the following line for Ciphers:

Code:
Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes192-cbc

You can find out what your current ssh server's defaults are by using nmap on a machine that has it (search for Ciphers in the output):

Code:
nmap --script ssh2-enum-algos -sV -p 22 localhost

This would work if you have nmap on the server that's running ssh, and ssh uses port 22 and listens on localhost. Change it to work with your specific setup.

Note that this doesn't seem to work for sshd 7.3. That would require a change in TelnetPro.

Edit: updated the KexAlgorithms line.
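An added check, not from this thread and not JRiver's code: the settings in the first post and in the later post re-enable algorithms that OpenSSH had dropped from its defaults (diffie-hellman-group1-sha1, the CBC ciphers, arcfour, 3des), and sshd uses the first occurrence of a keyword, so a Ciphers or KexAlgorithms line appended at the end of sshd_config is silently ignored if the file already has one earlier. The script below reads an sshd_config (or the effective configuration printed by "sshd -T", which needs root and valid host keys) and reports which legacy algorithms are actually in effect and whether a keyword is duplicated. Which algorithms count as legacy is this example's own choice, and the sample config it audits is constructed from the first post's two lines.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config (or the output of
# "sshd -T") for legacy algorithms, so the exposure created by re-enabling
# them is recorded rather than silently accepted. sshd honours the FIRST
# uncommented occurrence of a keyword, and this script reads the same way.

# What counts as legacy here is this example's own choice: 1024-bit
# diffie-hellman-group1-sha1, every CBC-mode cipher, RC4 (arcfour) and 3DES.
LEGACY_PATTERN='^diffie-hellman-group1-sha1$|-cbc$|^arcfour|^3des'

# effective_value FILE KEYWORD
# Prints the value of the first uncommented KEYWORD line (case-insensitive,
# so "sshd -T" output with lower-cased keywords works too). A line such as
# "#Ciphers ..." is skipped because its first field is "#Ciphers".
effective_value() {
    awk -v kw="$2" 'tolower($1) == tolower(kw) { print $2; exit }' "$1"
}

# keyword_count FILE KEYWORD
# Number of uncommented KEYWORD lines; more than one means a later
# (typically appended) line is being ignored by sshd.
keyword_count() {
    awk -v kw="$2" 'tolower($1) == tolower(kw) { n++ } END { print n + 0 }' "$1"
}

# legacy_algos FILE KEYWORD
# Prints, one per line, each algorithm in the effective list that matches
# LEGACY_PATTERN. Prints nothing (and succeeds) when there are none.
legacy_algos() {
    effective_value "$1" "$2" | tr ',' '\n' | grep -E "$LEGACY_PATTERN" || :
}

# count_legacy FILE KEYWORD
# Number of legacy algorithms in the effective list for KEYWORD.
count_legacy() {
    legacy_algos "$1" "$2" | awk 'END { print NR }'
}

# audit_config FILE
# Prints a short report; returns 1 if any legacy algorithm is in effect
# for Ciphers or KexAlgorithms, 0 otherwise.
audit_config() {
    file=$1
    status=0
    for kw in Ciphers KexAlgorithms; do
        n=$(keyword_count "$file" "$kw")
        if [ "$n" -gt 1 ]; then
            echo "WARN: $kw appears $n times; only the first line takes effect"
        fi
        echo "$kw (effective): $(effective_value "$file" "$kw")"
        for algo in $(legacy_algos "$file" "$kw"); do
            echo "  LEGACY: $algo"
            status=1
        done
    done
    return $status
}

# write_sample_config FILE
# Constructed sample: the Ciphers and KexAlgorithms lines from the first post
# in this thread, plus a commented-out line and an unrelated keyword.
write_sample_config() {
    cat > "$1" <<'EOF'
# Constructed sshd_config fragment for the example
Port 22
#Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour
KexAlgorithms diffie-hellman-group1-sha1
EOF
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config
#    or: sshd -T > effective.conf && sh audit_sshd.sh effective.conf
# With no argument the constructed sample above is audited instead.
if [ -n "$1" ]; then
    audit_config "$1"
else
    sample=$(mktemp)
    write_sample_config "$sample"
    audit_config "$sample" || :
    rm -f "$sample"
fi
```

Against the sample the report flags nine legacy ciphers and the group1 key exchange; a file whose first Ciphers line is already the OpenSSH default would show the appended line as ignored, which is the case where "I added the line and it still doesn't connect" usually comes from.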