SSH KEX List

TonyG
Posted: September 05 2018 at 5:10pm
I commented on a post by Steven about KEX negotiation. Then this got a little weird.

Guided by this other thread by Auctor, I installed the AccuTerm 7.3 Debug build. Then when I connect to this Ubuntu server with PuTTY, I get this list of KEX algorithms:

Outgoing packet type 20 / 0x14 (SSH2_MSG_KEXINIT)
~diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,
diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ssh-rsa,ss...

So group14 is there.

But when I use AT7.3 in Debug mode:

SSH2 server algorithm list:
key exchange: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256


Yes, this is the same server, same port, same SSHD. No group14.

I created a file under /home/myuser/.ssh/config with this line, but it doesn't change the list sent to AccuTerm.

KexAlgorithms +diffie-hellman-group14-sha1

Any idea why a server would cough up a different Kex list? Thanks!
Tony Gravagno Nebula Research & Development
TG@ Nebula-RnD . com
http://Nebula-RnD.com/blog
http://Twitter.com/TonyGravagno
http://groups.google.com/group/mvdbms
https://www.linkedin.com/groups/64935

TonyG
Posted: September 06 2018 at 4:05pm
Follow-up: It looks like I was confusing a couple of things. First, when debugging the PuTTY exchanges, note that I have the "Outgoing packet type". I'm thinking that might be outgoing from PuTTY, not outgoing from the server. So PuTTY is reporting that it supports those algorithms, not the server.

I got a note from the server admin that they removed diffie-hellman-group14-sha1 a couple months ago for security reasons. Well, that's like pruning a rotten plant because they are still using an old OpenSSH 6.6.1. But at least I now know that AccuTerm cannot communicate with that server anymore.

At some point soon I'll try to run a secure tunnel from my PC to the server, and then I'll try to run into that from AccuTerm.

I believe I read elsewhere that v8.0 supports newer algorithms. I can deal with that.

sdavmor
Posted: September 06 2018 at 7:43pm
I also removed diffie-hellman-group14-sha1 a few months ago, when Trustwave started failing my customers on the monthly security scan for "weak KEX algorithms".
SDM -- A 21st century schizoid man
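
Added example (not part of the original thread, and not AccuTerm or PuTTY code): a parser for the SSH2_MSG_KEXINIT payload (RFC 4253 section 7.1) and a simplified key exchange selection that takes the first algorithm on the client's list that the server also offers. The server list and the four PuTTY KEX names are the ones shown in the thread; `LEGACY_KEX` is an assumed client list offering only SHA-1 groups, since the thread does not show what AccuTerm 7.3 sends, and `build_kexinit` produces constructed payloads for the demo.

```python
import struct

SSH2_MSG_KEXINIT = 20
# The ten name-lists of a KEXINIT payload, in wire order (RFC 4253, 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

SERVER_KEX = ["curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
              "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
              "diffie-hellman-group-exchange-sha256"]       # from the thread
PUTTY_KEX = ["diffie-hellman-group-exchange-sha256",
             "diffie-hellman-group-exchange-sha1",
             "diffie-hellman-group14-sha1",
             "diffie-hellman-group1-sha1"]                   # from the thread
LEGACY_KEX = ["diffie-hellman-group14-sha1",
              "diffie-hellman-group1-sha1"]                  # assumption

def build_kexinit(kex, host_key=("ssh-rsa",)):
    """Constructed payload: type byte, zero cookie, 10 name-lists, flag, reserved."""
    def name_list(names):
        raw = ",".join(names).encode("ascii")
        return struct.pack(">I", len(raw)) + raw
    body = b"".join(name_list(n) for n in [kex, host_key] + [()] * 8)
    return bytes([SSH2_MSG_KEXINIT]) + bytes(16) + body + b"\x00" + bytes(4)

def parse_kexinit(payload):
    """Return {field: [names]} for the ten name-lists in a KEXINIT payload."""
    if len(payload) < 17 or payload[0] != SSH2_MSG_KEXINIT:
        raise ValueError("not an SSH2_MSG_KEXINIT payload")
    pos, out = 17, {}                       # skip type byte and 16-byte cookie
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (size,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + size > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + size].decode("ascii")
        out[field] = raw.split(",") if raw else []
        pos += size
    return out

def negotiate_kex(client_payload, server_payload):
    """First client KEX name the server also lists, or None (no overlap)."""
    client = parse_kexinit(client_payload)["kex"]
    server = set(parse_kexinit(server_payload)["kex"])
    return next((alg for alg in client if alg in server), None)

if __name__ == "__main__":
    srv = build_kexinit(SERVER_KEX)
    print("PuTTY :", negotiate_kex(build_kexinit(PUTTY_KEX), srv))
    print("legacy:", negotiate_kex(build_kexinit(LEGACY_KEX), srv))
```

A `None` result is the no-common-algorithm case: the connection fails at key exchange before authentication starts.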