Accuterm, openSSH and the bane of PCI compliance

sdavmor (Newbie, joined April 08 2010, United States)
Posted: September 04 2018 at 4:12pm
My largest customer is struggling with the credit card processing compliance.  Over the last six months I have got them closer to it but there is one thorny issue.  They fail the monthly Trustwave security scan on three points, two of which are directly connected to Accuterm.

The customer's Linux servers are running Centos 7.5 with D3 v10.2.  The openSSH installed is v7.6 (v7.4 ships with the o/s but had to be upgraded because of security holes).

The two Accuterm issues are:

1) Weak ssh2 key exchange algorithms.

A few months ago we removed diffie-hellman-group14-sha1 to satisfy the last round of "fails" from Trustwave.  That left us with only one Accuterm-supported KEX, diffie-hellman-group1-sha1, which is, as of August 31st, on the "fail" list as far as Trustwave is concerned.

If I disable diffie-hellman-group1-sha1 on the Linux server side in sshd_config, I get an "unable to connect" from Accuterm citing "no supported key exchange scheme".

From sshd_config, our supported KEX export string is: KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

2) weak ssh2 MAC algorithm.

We are being failed for the only two MACs that Accuterm supports.  That is hmac_md5 and hmac-sha1.

If I disable hmac-sha1 on the Linux server side in sshd_config, I get an "unable to connect" from Accuterm citing "no supported message authentication scheme (MAC)".

An additional annoying issue is that openSSH doesn't allow me to declare hmac_md5 in sshd_config.  If I do, the service will not restart.  It requires me to declare it as hmac-md5.  If I do that, Accuterm doesn't like it, since it is expecting to see hmac_md5.

From sshd_config, our supported MAC export string is: MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com,hmac-sha1

What am I missing?  Am I missing anything?  When might it be reasonable to expect Accuterm to support one or more of the other KEX or MAC algorithms?  
SDM -- A 21st century schizoid man
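The failures described in this post come straight from the SSH algorithm negotiation rule: the server and client each send a KEXINIT name-list, and the first client-preferred name that the server also lists wins; if there is none, the connection fails. The added Python example below (not from the thread or from AccuTerm or OpenSSH) builds and parses KEXINIT payloads from the sshd_config strings quoted above and from the two KEX and two MAC names the post says AccuTerm supports (client order and the "weak" set are assumptions), and shows why dropping the last shared name breaks the connection and why "hmac_md5" can never match "hmac-md5":

```python
import os
import struct

SSH_MSG_KEXINIT = 20

# Server name-lists are the sshd_config strings quoted in the post; the client lists are
# what the post says AccuTerm 7 offers (their order is an assumption of this example).
SERVER_KEX = ("curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,"
              "ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1")
SERVER_MAC = ("hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,"
              "hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com,hmac-sha1")
CLIENT_KEX = "diffie-hellman-group1-sha1,diffie-hellman-group14-sha1"
CLIENT_MAC = "hmac_md5,hmac-sha1"
# Names the thread reports the scanner failing (constructed set, not the scanner's real list).
WEAK = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1", "hmac-sha1", "hmac-md5", "hmac_md5"}


def _name_list(s):
    """Encode an RFC 4251 name-list: uint32 length followed by comma-separated ASCII names."""
    b = s.encode("ascii")
    return struct.pack(">I", len(b)) + b


def build_kexinit(kex, mac, hostkey="ssh-ed25519", cipher="aes256-ctr"):
    """Build an SSH_MSG_KEXINIT payload (RFC 4253 s7.1): id, 16-byte cookie, 10 name-lists, flags."""
    lists = [kex, hostkey, cipher, cipher, mac, mac, "none", "none", "", ""]
    return (bytes([SSH_MSG_KEXINIT]) + os.urandom(16)
            + b"".join(_name_list(x) for x in lists) + b"\x00" + b"\x00\x00\x00\x00")


def parse_kexinit(payload):
    """Return the ten name-lists of a KEXINIT payload as Python lists of names."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT")
    off, out = 17, []                       # skip message id and cookie
    for _ in range(10):
        (n,) = struct.unpack_from(">I", payload, off)
        out.append(payload[off + 4:off + 4 + n].decode("ascii").split(",") if n else [])
        off += 4 + n
    return out


def negotiate(client, server):
    """RFC 4253 rule: first name in the client's list that the server also lists, else None.
    Comparison is an exact string match, so "hmac_md5" never matches "hmac-md5"."""
    srv = set(server)
    return next((a for a in client if a in srv), None)


def audit(client_payload, server_payload):
    """What the two sides would agree on, plus every server-offered name a scan would flag."""
    c, s = parse_kexinit(client_payload), parse_kexinit(server_payload)
    return {"kex": negotiate(c[0], s[0]),
            "mac_c2s": negotiate(c[4], s[4]),
            "server_weak": sorted(set(s[0] + s[4]) & WEAK)}
```

Running `audit` with the quoted server config yields diffie-hellman-group14-sha1 and hmac-sha1 (both flagged); removing those two from the server side leaves no common KEX or MAC, which is exactly the "no supported key exchange scheme" / "no supported message authentication scheme (MAC)" outcome the post reports.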
TonyG (Beta Tester, joined February 04 2004, United States)
Posted: September 05 2018 at 3:28pm
I have a very similar issue. Server seems to have updated to SHA and AES 256, etc, but they're still running OpenSSH 6.6.1p1 over Ubuntu. I can't SSH in anymore with AccuTerm. Putty works.

I don't suppose v7.3 will help?
Tony Gravagno Nebula Research & Development
TG@ Nebula-RnD . com
http://Nebula-RnD.com/blog
http://Twitter.com/TonyGravagno
http://groups.google.com/group/mvdbms
https://www.linkedin.com/groups/64935
sdavmor (Newbie, joined April 08 2010, United States)
Posted: September 05 2018 at 11:41pm
Your customer is several light years behind the curve with openSSH 6.6.1.  That is a non-starter with respect to any problem you're looking to solve.  Putty works because it continues to exist at the bleeding edge, and includes just about every KEX, cipher and MAC algorithm.  I love Accuterm as a tool, but if necessary I will look at another product.

Tony, nothing less than openSSH 7.6 will help *today*, and I am looking at openSSH 7.8 to get ahead of the curve of security issues.  Regardless of which level of openSSH you choose, this requires moving outside the official controlled upgrade path for openSSH, which was a huge pain in the arse.  If you decide to do this, let me save you dozens of hours banging your head on a wall.

You get openSSH 7.2 with RHEL / Centos 7.  Upgrades to the O/S get you to openSSH 7.4 with RHEL / Centos 7.4 and 7.5.  RHEL / Centos 8, coming sometime in 2019 (early I hope) will ship with openSSH 7.6.

On Ubuntu 18.04, the long-term support release which I have on the machine I am typing on, you get openSSH 7.6.
SDM -- A 21st century schizoid man
sdavmor (Newbie, joined April 08 2010, United States)
Posted: September 07 2018 at 11:36am
Is there an announced timeframe for v8 of Accuterm to be available?  I'd be willing to be a beta tester since v8 will solve the "weak KEX algorithm" and "weak MAC algorithm" issues my customers are getting dinged for by Trustwave. 
SDM -- A 21st century schizoid man
PSchellenbach (Admin Group, Moderator, joined December 15 2003, United States)
Posted: October 01 2018 at 2:45pm
Hi Steven -

We have an update for AccuTerm 7 in the works that should resolve the PCI issues. Stronger crypto is one of the features of AccuTerm 8, but we've heard from a few customers who are struggling with PCI issues now, so we wanted to address that before 8 is available. Diffie-Hellman Group Exchange and SHA256 HMAC will be included in release 7.4, and will be available to any customers who subscribe to maintenance. Contact accuterm@zumasys.com for information on adding maintenance.

Thanks,

Pete

sdavmor (Newbie, joined April 08 2010, United States)
Posted: October 24 2018 at 10:40am
That is excellent news, Pete.  Thank you very much.
SDM -- A 21st century schizoid man