Connecting with FIPS SSH

Auctor (Newbie)
Posted: October 20 2017 at 5:20am
I use Accuterm to connect to a variety of clients using both Telnet and SSH.  One of the SSH clients recently started requiring FIPS-compliant SSH connections.

I installed a second copy of Accuterm as a portable app, using the FIPS140 custom option.  However, I still get "No supported key exchange scheme exists (SSH)" when I try to connect.

The system admin of the Red Hat Linux server tells me that "After the latest patches, it seems that the combination of FIPS compliance settings and the latest version of SSHD broke Accuterm.  Putty has no problem."

My questions are:

1.  Is my portable installation actually FIPS compliant, or is that only an option for a local installation?

2. Where do I configure the FIPS-compliant parts of the connection?  (I didn't see anything different between the portable FIPS version and the local non-FIPS version.)

3. Is this a problem on the server end?

4. How can I debug the problem?

5. Am I out of luck and have to switch to a different, inferior terminal emulator that actually works with FIPS?

Dennis

PSchellenbach (Moderator)
Posted: October 20 2017 at 10:04am
Hi Dennis -

When you use the FIPS140 option during installation, an entry is saved in atwin71.ini to indicate that you need to only use FIPS-certified crypto algorithms. Normally, this is used in conjunction with Windows FIPS-140 configuration:

The Windows operating system provides a group (or local) security policy setting, “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing”, which is used by many Microsoft products to determine whether to operate in a FIPS-approved mode. When this policy is set, the validated cryptographic modules in Windows will also operate in a FIPS-approved mode.

When AccuTerm is configured this way, non-FIPS-certified algorithms are disabled, like Blowfish and MD5. So when AccuTerm and the server exchange algorithm lists, all non-FIPS-certified algorithms are excluded from the lists that AccuTerm sends to the server.

The current release of AccuTerm 7 supports two key exchange algorithms:

  diffie-hellman-group14-sha1
  diffie-hellman-group1-sha1

Diffie-Hellman is not a certified FIPS algorithm; however, FIPS 140 has an exception that allows Diffie-Hellman key exchange in a FIPS-certified environment.

The error you are seeing is because the server is not offering either of these two key exchange algorithms, hence the error. They are certainly permitted in a FIPS-140 environment, but the admin of the server has elected to exclude them.

The upcoming AccuTerm 8 will support additional key exchange algorithms; however, at this time only these two are supported.

Thanks,

Pete

Auctor (Newbie)
Posted: October 23 2017 at 6:13am
Thanks, Pete.  I'll contact the client to see if they are willing to allow those two algorithms.

Dennis

Auctor (Newbie)
Posted: October 24 2017 at 5:11am
Pete,

The system admin provided this information from the server:


# ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
gss-gex-sha1-
gss-group1-sha1-
gss-group14-sha1-

# ssh -Q mac
hmac-sha1
hmac-sha2-256
hmac-sha2-512
hmac-sha1-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com

So the two Diffie-hellman algorithms are supported on the server.  However, when I try to connect, Accuterm still claims that the server does not support those algorithms.  Is there anything else I can try, or do I have to wait until Accuterm 8?

Dennis

PSchellenbach (Moderator)
Posted: October 24 2017 at 9:14am
Hi Dennis -

Based on the algorithms reported, everything should work fine. Can you install the debug version of AccuTerm 7 and run a log of the connection process? The debug version is on the downloads page: http://www.zumasys.com/products/accuterm/support/download

It is the last file in the first section. After installing, you should find AccuTerm 7 Debug Log in your Start menu. Run that, select atcomm71 from the program list, click the atcomm71 tab and select errors, secure shell and detail options. Click OK. Try to open an ssh connection to the server. When the connection fails, switch to the log, and copy the log to an email to accuterm at zumasys dot com.

Thanks,

Pete

Auctor (Newbie)
Posted: January 04 2018 at 9:46am
If anyone has this problem in the future and is wondering what happened, Pete analyzed the output from the debug version of Accuterm and provided this response:

"Here is the line from the log that shows the problem:

06:51:49.789    key exchange: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

This is the list of key exchange algorithms that the server sent to AccuTerm. Notice that neither diffie-hellman-group1-sha1 nor diffie-hellman-group14-sha1 are included in the list. Those are the two that AccuTerm 7 supports, but they are not being sent to the client during algorithm negotiation."
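
Added example, not part of the original thread and not AccuTerm's code: a simplified form of the RFC 4253 section 7.1 key-exchange selection, run over the algorithm lists quoted in this thread. It assumes AccuTerm 7 prefers its two algorithms in the order Pete listed them and ignores the host-key compatibility conditions of the full rule; `ssh -Q kex` lists what the OpenSSH binary supports, while the debug log shows what the server actually offered.

```python
# Added example: simplified SSH key-exchange selection (RFC 4253 section 7.1).

# AccuTerm 7's two algorithms, from the thread; preference order is assumed.
ACCUTERM7_KEX = ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"]

# `ssh -Q kex` output from the thread: algorithms the OpenSSH binary supports,
# which is not necessarily what the running sshd is configured to offer.
SSH_Q_KEX = """
diffie-hellman-group1-sha1 diffie-hellman-group14-sha1
diffie-hellman-group14-sha256 diffie-hellman-group16-sha512
diffie-hellman-group18-sha512 diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384
ecdh-sha2-nistp521 curve25519-sha256 curve25519-sha256@libssh.org
gss-gex-sha1- gss-group1-sha1- gss-group14-sha1-
""".split()

# Debug log line from the thread: the list the server sent during negotiation.
DEBUG_LOG_LINE = ("06:51:49.789    key exchange: ecdh-sha2-nistp256,"
    "ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,"
    "diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,"
    "diffie-hellman-group14-sha256")


def parse_offered_kex(log_line):
    """Extract the server's KEX name-list from a 'key exchange:' log line."""
    marker = "key exchange:"
    if marker not in log_line:
        raise ValueError("not a key exchange log line")
    return [n.strip() for n in log_line.split(marker, 1)[1].split(",") if n.strip()]


def negotiate_kex(client, server):
    """Return the first client algorithm the server also lists, else None.
    Simplified: the host-key compatibility conditions of RFC 4253 are ignored."""
    offered = set(server)
    return next((alg for alg in client if alg in offered), None)


def diagnose(client, binary_supports, offered):
    """Compare what the binary supports with what the server really offered."""
    return {
        "negotiated": negotiate_kex(client, offered),
        "supported_but_not_offered": [a for a in client
                                      if a in binary_supports and a not in offered],
    }


if __name__ == "__main__":
    report = diagnose(ACCUTERM7_KEX, SSH_Q_KEX, parse_offered_kex(DEBUG_LOG_LINE))
    print(report)  # no common algorithm: the client cannot start key exchange
```

On an OpenSSH server, `sshd -T` prints the effective configuration, including the `kexalgorithms` line that determines the offered list.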
