#8488 closed enhancement (fixed)
Support for key exchange algorithm diffie-hellman-group-exchange-sha256
| Reported by: | zepi | Owned by: | dkocher |
|---|---|---|---|
| Priority: | normal | Milestone: | 4.8 |
| Component: | sftp | Version: | 4.6.1 |
| Severity: | normal | Keywords: | ssh, cipher, kex |
| Cc: | lbort@…, andi@… | Architecture: | Intel |
| Platform: | Mac OS X 10.10 | | |
Description (last modified by zepi)
After the latest Snowden leaks it seems that the default OpenSSH settings are no longer acceptable for secure communication. See: https://stribika.github.io/2015/01/04/secure-secure-shell.html
Having the following lines in sshd_config on the server side prevents Cyberduck from connecting, with an error message:
Connection Failed
Unable to reach a settlement: [diffie-hellman-group14-sha1, diffie-hellman-group1-sha1] and [curve25519-sha256@libssh.org, diffie-hellman-group-exchange-sha256]. The connection attempt was rejected. The server may be down, or your network may not be properly configured
I get no entries in the log drawer.
Sshd config on server side:
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
At least by the look of it, diffie-hellman-group-exchange-sha256 and curve25519-sha256@… are enabled in these kex settings, so my guess is that the incompatibility is either due to a lack of appropriate ciphers or a bug in the kex implementation.
I'm connecting to OpenSSH_6.6.1p1 Debian-4~bpo70+1, OpenSSL 1.0.1e 13
Change History (15)
comment:1 Changed on Jan 14, 2015 at 9:09:49 PM by dkocher
comment:2 Changed on Jan 15, 2015 at 8:42:29 AM by dkocher
- Description modified (diff)
comment:3 Changed on Jan 15, 2015 at 9:11:40 AM by zepi
- Description modified (diff)
I checked with the latest version 4.7 (16463) and it fails with the same error message.
For example, my OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011 that is integrated with OSX works without a hitch.
comment:4 Changed on Jan 15, 2015 at 9:46:37 AM by dkocher
- Milestone set to 4.7
- Status changed from new to assigned
comment:5 Changed on Jan 15, 2015 at 1:05:31 PM by dkocher
The negotiation fails because we find no matching key exchange algorithm. We currently support diffie-hellman-group14-sha1 and diffie-hellman-group1-sha1.
comment:6 Changed on Jan 15, 2015 at 1:18:33 PM by dkocher
- Summary changed from Connection failed to hardened SSH-server to No support for key exchange algorithm diffie-hellman-group-exchange-sha256
- Type changed from defect to enhancement
comment:7 Changed on Jan 15, 2015 at 7:01:35 PM by offenbach
My findings
Cyberduck does not yet provide the HMAC and key-exchange algorithms that are required to access SSH servers configured following the mentioned blog entry.
Longer description
My SSH server is hardened the same way. I checked with 4.7 and had no luck connecting.
The first error was "no matching mac found":
no matching mac found: client hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-sha2-256,hmac-sha2-512 server hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com [preauth]
I re-enabled "hmac-sha2-512" in sshd settings /etc/ssh/sshd_config:
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512
Now sshd complains about not being able to agree upon a key exchange method:
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 [preauth]
debug2: kex_parse_kexinit: ssh-rsa,ssh-ed25519 [preauth]
debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr [preauth]
debug2: kex_parse_kexinit: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512 [preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
debug2: kex_parse_kexinit: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256,ssh-rsa,ssh-dss [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,blowfish-cbc [preauth]
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-sha2-256,hmac-sha2-512 [preauth]
debug2: kex_parse_kexinit: zlib@openssh.com,zlib,none [preauth]
debug2: mac_setup: setup hmac-sha2-512 [preauth]
debug2: kex: client->server aes128-ctr hmac-sha2-512 zlib@openssh.com [preauth]
Unable to negotiate a key exchange method [preauth]
Cyberduck does not provide the hardened key exchange methods "curve25519-sha256@…" nor "diffie-hellman-group-exchange-sha256". So if you want to connect to your SSH server, you need to use a less secure key exchange method. Fortunately Cyberduck's error dialog reveals the possible algorithms. I chose "diffie-hellman-group14-sha1". So tweak your SSH settings in case you need to access your server with Cyberduck:
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
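The negotiation described in this comment, replayed as an added example (not code from the ticket, Cyberduck or sshj): it applies the RFC 4253 section 7.1 rule, first name on the client's list that the server also offers, to the KEXINIT name-lists in the debug output above, reproducing the MAC failure, the KEX failure after hmac-sha2-512 is re-enabled, and the successful choice once diffie-hellman-group14-sha1 is appended. Host-key compatibility checks are left out for brevity.

```python
# Added example, not code from the ticket, Cyberduck or sshj: replays the
# RFC 4253 section 7.1 negotiation rule over the KEXINIT lists quoted in
# comment 7, to show why the handshake fails and which change fixes it.

# Name-lists copied from the debug2 kex_parse_kexinit output above.
SERVER_KEX = ["curve25519-sha256@libssh.org", "diffie-hellman-group-exchange-sha256"]
SERVER_CIPHER = ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
                 "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr", "aes128-ctr"]
SERVER_MAC_HARDENED = ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
                       "hmac-ripemd160-etm@openssh.com", "umac-128-etm@openssh.com"]
SERVER_MAC_RELAXED = SERVER_MAC_HARDENED + ["hmac-sha2-512"]  # after re-enabling it
SERVER_COMP = ["none", "zlib@openssh.com"]

CLIENT_KEX = ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"]
CLIENT_CIPHER = ["aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-cbc",
                 "aes192-cbc", "aes256-cbc", "3des-cbc", "blowfish-cbc"]
CLIENT_MAC = ["hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96",
              "hmac-sha2-256", "hmac-sha2-512"]
CLIENT_COMP = ["zlib@openssh.com", "zlib", "none"]


def negotiate(client_list, server_list):
    """RFC 4253 7.1: pick the first name on the client's list that the server
    also offers; None means the peers cannot agree (sshd's 'no matching ...')."""
    offered = set(server_list)
    return next((name for name in client_list if name in offered), None)


def negotiate_session(server_kex, server_mac):
    """Negotiate all four categories for the Cyberduck 4.7 KEXINIT above against
    a candidate sshd configuration. Returns (choices, failed_categories)."""
    choices = {
        "kex": negotiate(CLIENT_KEX, server_kex),
        "cipher": negotiate(CLIENT_CIPHER, SERVER_CIPHER),
        "mac": negotiate(CLIENT_MAC, server_mac),
        "compression": negotiate(CLIENT_COMP, SERVER_COMP),
    }
    failed = [cat for cat, chosen in choices.items() if chosen is None]
    return choices, failed


if __name__ == "__main__":
    # Step 1 of comment 7: hardened MACs only -> "no matching mac found".
    print(negotiate_session(SERVER_KEX, SERVER_MAC_HARDENED))
    # Step 2: hmac-sha2-512 re-enabled -> MAC agrees, KEX still fails.
    print(negotiate_session(SERVER_KEX, SERVER_MAC_RELAXED))
    # Step 3: append diffie-hellman-group14-sha1 to KexAlgorithms -> connects.
    print(negotiate_session(SERVER_KEX + ["diffie-hellman-group14-sha1"], SERVER_MAC_RELAXED))
```

The cipher and compression picks (aes128-ctr, zlib@openssh.com) match the "kex: client->server" line sshd logged, which is a quick sanity check that the rule is applied in the right direction.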
comment:8 Changed on Jan 27, 2015 at 10:14:44 AM by dkocher
- Summary changed from No support for key exchange algorithm diffie-hellman-group-exchange-sha256 to Support for key exchange algorithm diffie-hellman-group-exchange-sha256
comment:9 Changed on Jan 27, 2015 at 10:15:04 AM by dkocher
See also #8528.
comment:10 Changed on Feb 6, 2015 at 5:28:31 PM by lbort
- Cc lbort@… added
comment:11 Changed on Feb 20, 2015 at 2:25:37 PM by dkocher
- Milestone 4.7 deleted
comment:12 Changed on Apr 10, 2015 at 11:27:00 AM by andreas hubel
- Cc andi@… added
Any updates on this issue?
comment:13 Changed on May 20, 2015 at 12:28:05 PM by dkocher
Referencing sshj#167.
comment:14 Changed on Oct 29, 2015 at 1:03:32 PM by dkocher
Upstream fix.
comment:15 Changed on Oct 29, 2015 at 1:11:04 PM by dkocher
- Milestone set to 4.8
- Resolution set to fixed
- Status changed from assigned to closed
In r18434.
Can you verify that the connection also fails using the latest snapshot build available?