Context Navigation

← Previous Ticket
Next Ticket →

Opened on Jan 14, 2015 at 8:56:05 PM

Closed on Oct 29, 2015 at 1:11:04 PM

#8488 closed enhancement (fixed)

Support for key exchange algorithm diffie-hellman-group-exchange-sha256

Reported by:	zepi	Owned by:	dkocher
Priority:	normal	Milestone:	4.8
Component:	sftp	Version:	4.6.1
Severity:	normal	Keywords:	ssh, cipher, kex
Cc:	lbort@student.ethz.ch, andi@saerdnaer.de	Architecture:	Intel
Platform:	Mac OS X 10.10

Description (last modified by zepi)

After latest Snowden leaks it seems that default OpenSSH settings are no longer acceptable for secure communication. See: https://stribika.github.io/2015/01/04/secure-secure-shell.html

Having the following lines in sshd_config in server side prevents Cyberduck connecting with a error message:

Connection Failed

Unable to reach a settlement: [diffie-hellman-group14-sha1, diffie-hellman-group1-sha1] and [curve25519-sha256@libssh.org, diffie-hellman-group-exchange-sha256]. The connection attempt was rejected. The server may be down, or your network may not be properly configured

I get no entries to log drawer.

Sshd config on server side:

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

At least by the look of it, diffie-helman-group-exchange-sha256 and curve25519-sha256@libssh.org are enabled in these kex settings, so my guess is that the incompatibility is either due lack of appropriate ciphers or a bug in kex implementation.

I'm connecting to OpenSSH_6.6.1p1 Debian-4~bpo70+1, OpenSSL 1.0.1e 13

Change History (15)

comment:1 Changed on Jan 14, 2015 at 9:09:49 PM by dkocher

Can you verify that the connection also fails using the latest snapshot build available.

comment:2 Changed on Jan 15, 2015 at 8:42:29 AM by dkocher

Description modified (diff)

comment:3 Changed on Jan 15, 2015 at 9:11:40 AM by zepi

Description modified (diff)

I checked with the latest Version 4.7 (16463) and it fails with the same error message.

For example my OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011 that is integrated with OSX works without a hitch.

comment:4 Changed on Jan 15, 2015 at 9:46:37 AM by dkocher

Milestone set to 4.7
Status changed from new to assigned

comment:5 Changed on Jan 15, 2015 at 1:05:31 PM by dkocher

The negotiation fails because we find no matching key exchange algorithm. We currently support diffie-hellman-group14-sha1 and diffie-hellman-group1-sha1.

comment:6 Changed on Jan 15, 2015 at 1:18:33 PM by dkocher

Summary changed from Connection failed to hardened SSH-server to No support for key exchange algorithm diffie-hellman-group-exchange-sha256
Type changed from defect to enhancement

comment:7 Changed on Jan 15, 2015 at 7:01:35 PM by offenbach

my findings
Cyberduck does not provide HMAC and key-exchange algorithms yet, that are required to access SSH servers that have been configured following the mentioned blog entry.

longer description
My SSH server is hardened the same way. I checked with 4.7 and had no luck connecting. First error was "no matching mac found"

no matching mac found: client hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-sha2-256,hmac-sha2-512 server hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com [preauth]

I re-enabled "hmac-sha2-512" in sshd settings /etc/ssh/sshd_config:

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512

Now sshd complains about not being able to agree upon a key exchange method

debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 [preauth]
debug2: kex_parse_kexinit: ssh-rsa,ssh-ed25519 [preauth]
debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr [preauth]
debug2: kex_parse_kexinit: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512 [preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
debug2: kex_parse_kexinit: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256,ssh-rsa,ssh-dss [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,blowfish-cbc [preauth]
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-sha2-256,hmac-sha2-512 [preauth]
debug2: kex_parse_kexinit: zlib@openssh.com,zlib,none [preauth]
debug2: mac_setup: setup hmac-sha2-512 [preauth]
debug2: kex: client->server aes128-ctr hmac-sha2-512 zlib@openssh.com [preauth]
Unable to negotiate a key exchange method [preauth]

Cyberduck does not provide the hardened key exchange methods "curve25519-sha256@libssh.org" nor "diffie-hellman-group-exchange-sha256". So if you want to connect to your SSH server, you need to use a less secure key exchange method. Fortunately Cyberduck's error dialog reveals possible algorithms. I choose "diffie-hellman-group14-sha1". So tweak your SSH settings in case you need to access your server with Cyberduck:

KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

comment:8 Changed on Jan 27, 2015 at 10:14:44 AM by dkocher

Summary changed from No support for key exchange algorithm diffie-hellman-group-exchange-sha256 to Support for key exchange algorithm diffie-hellman-group-exchange-sha256