Connecting with FIPS SSH

Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic

   I use Accuterm to connect to a variety of clients using both Telnet and SSH.  One of the SSH clients recently started requiring FIPS-compliant SSH connections.

I installed a second copy of Accuterm as a portable app, using the FIPS140 custom option.  However, I still get "No supported key exchange scheme exists (SSH)" when I try to connect.

The system admin of the Red Hat Linux server tells me that "After the latest patches, it seems that the
combination of FIPS compliance settings and the latest version of SSHD broke Accuterm.  Putty has no problem."

My questions are:

1.  Is my portable installation actually FIPS compliant, or is that only an option for a local installation?

2. Where do I configure the FIPS-compliant parts of the connection?  (I didn't see anything different between the portable FIPS version and the local non-FIPS version.)

3. Is this a problem on the server end?

4. How can I debug the problem?

5. Am I out of luck and have to switch to a different, inferior terminal emulator that actually works with FIPS?

Dennis

Author	Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic
Auctor Members Profile Find Members Posts Newbie Joined: February 28 2017 Status: Offline Points: 16	Post Options Post Reply Quote Auctor Report Post Thanks(0) Quote Reply Topic: Connecting with FIPS SSH Posted: October 20 2017 at 5:20am
	I use Accuterm to connect to a variety of clients using both Telnet and SSH. One of the SSH clients recently started requiring FIPS-compliant SSH connections. I installed a second copy of Accuterm as a portable app, using the FIPS140 custom option. However, I still get "No supported key exchange scheme exists (SSH)" when I try to connect. The system admin of the Red Hat Linux server tells me that "After the latest patches, it seems that the combination of FIPS compliance settings and the latest version of SSHD broke Accuterm. Putty has no problem." My questions are: 1. Is my portable installation actually FIPS compliant, or is that only an option for a local installation? 2. Where do I configure the FIPS-compliant parts of the connection? (I didn't see anything different between the portable FIPS version and the local non-FIPS version.) 3. Is this a problem on the server end? 4. How can I debug the problem? 5. Am I out of luck and have to switch to a different, inferior terminal emulator that actually works with FIPS? Dennis

PSchellenbach Members Profile Find Members Posts Admin Group Moderator Joined: December 15 2003 Location: United States Status: Offline Points: 2150	Post Options Post Reply Quote PSchellenbach Report Post Thanks(0) Quote Reply Posted: October 20 2017 at 10:04am
	Hi Dennis - When you use the FIPS140 option during installation, an entry is saved in atwin71.ini to indicate that you need to only use FIPS-certified crypto algorithms. Normally, this is used in conjunction with Windows FIPS-140 configuration: The Windows operating system provides a group (or local) security policy setting, “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing”, which is used by many Microsoft products to determine whether to operate in a FIPS-approved mode. When this policy is set, the validated cryptographic modules in Windows will also operate in a FIPS-approved mode. When AccuTerm is configured this way, non-FIPS-certified algorithms are disabled, like Blowfish and MD5. So when AccuTerm and the server exchange algorithm lists, all non-FIPS-certified algorithms are excluded from the lists that AccuTerm sends to the server. The current release of AccuTerm 7 supports two key exchange algorithms: diffie-hellman-group14-sha1 diffie-hellman-group1-sha1 Diffie-hellman is not a certified FIPS algorithm, however FIPS 140 has an exception that allows diffie-hellman key exchange in a FIPS certified environment. The error you are seeing is because the server is not offering either of these two key exchange algorithms, hence the error. They are certainly permitted in a FIPS-140 environment, but the admin of the server has elected to exclude them. The upcoming AccuTerm 8 will support additional key exchange algorithms, however at this time only these two are supported. Thanks, Pete

Auctor Members Profile Find Members Posts Newbie Joined: February 28 2017 Status: Offline Points: 16	Post Options Post Reply Quote Auctor Report Post Thanks(0) Quote Reply Posted: October 23 2017 at 6:13am
	Thanks, Pete. I'll contact the client to see if they are willing to allow those two algorithms. Dennis

Auctor Members Profile Find Members Posts Newbie Joined: February 28 2017 Status: Offline Points: 16	Post Options Post Reply Quote Auctor Report Post Thanks(0) Quote Reply Posted: October 24 2017 at 5:11am
	Pete, The system admin provided this information from the server: # ssh -Q kex diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 curve25519-sha256 curve25519-sha256@libssh.org gss-gex-sha1- gss-group1-sha1- gss-group14-sha1- # ssh -Q mac hmac-sha1 hmac-sha2-256 hmac-sha2-512 hmac-sha1-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com So the two Diffie-hellman algorithms are supported on the server. However, when I try to connect, Accuterm still claims that the server does not support those algorithms. Is there anything else I can try, or do I have to wait until Accuterm 8? Dennis

PSchellenbach Members Profile Find Members Posts Admin Group Moderator Joined: December 15 2003 Location: United States Status: Offline Points: 2150	Post Options Post Reply Quote PSchellenbach Report Post Thanks(0) Quote Reply Posted: October 24 2017 at 9:14am
	Hi Dennis - Based on the algorithms reported, everything should work fine. Can you install the debug version of AccuTerm 7 and run a log of the connection process? The debug version is on the downloads page: http://www.zumasys.com/products/accuterm/support/download it is the last file in the first section. After installing, you should find AccuTerm 7 Debug Log in your Start menu. Run that, select atcomm71 from the program list, click the atcomm71 tab and select errors, secure shell and detail options. Click OK. Try to open an ssh connection to the server. When the connection fails, switch to the log, and copy the log to an email to accuterm at zumasys dot com. Thanks, Pete

Auctor Members Profile Find Members Posts Newbie Joined: February 28 2017 Status: Offline Points: 16	Post Options Post Reply Quote Auctor Report Post Thanks(0) Quote Reply Posted: January 04 2018 at 9:46am
	If anyone has this problem in the future and is wondering what happened, Pete analyzed the output from the debug version of Accuterm and provided this response: "Here is the line from the log that shows the problem: 06:51:49.789 key exchange: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 This is the list of key exchange algorithms that the server sent to AccuTerm. Notice that neither diffie-hellman-group1-sha1 nor diffie-hellman-group14-sha1 are included in the list. Those are the two that AccuTerm 7 supports, but they are not being sent to the client during algorithm negotiation."