Connecting with FIPS SSH
Printed From: Rocket Software
Category: AccuTerm Knowledge Base (read only)
Forum Name: Connectivity
Forum Description: Questions about serial, modem, telnet and secure shell connections?
URL: https://forum.asent.com/forum_posts.asp?TID=2651
Printed Date: March 26 2026 at 5:06pm
Software Version: Web Wiz Forums 12.03 - http://www.webwizforums.com
Topic: Connecting with FIPS SSH
Posted By: Auctor
Subject: Connecting with FIPS SSH
Date Posted: October 20 2017 at 5:20am
I use Accuterm to connect to a variety of clients using both Telnet and SSH. One of the SSH clients recently started requiring FIPS-compliant SSH connections.
I installed a second copy of Accuterm as a portable app, using the FIPS140 custom option. However, I still get "No supported key exchange scheme exists (SSH)" when I try to connect.
The system admin of the Red Hat Linux server tells me that "After the latest patches, it seems that the
combination of FIPS compliance settings and the latest version of SSHD broke Accuterm. Putty has no problem."
My questions are:
1. Is my portable installation actually FIPS compliant, or is that only an option for a local installation?
2. Where do I configure the FIPS-compliant parts of the connection? (I didn't see anything different between the portable FIPS version and the local non-FIPS version.)
3. Is this a problem on the server end?
4. How can I debug the problem?
5. Am I out of luck and have to switch to a different, inferior terminal emulator that actually works with FIPS?
Dennis
|
Replies:
Posted By: PSchellenbach
Date Posted: October 20 2017 at 10:04am
Hi Dennis -
When you use the FIPS140 option during installation, an entry is saved in atwin71.ini to indicate that you need to only use FIPS-certified crypto algorithms. Normally, this is used in conjunction with Windows FIPS-140 configuration:
The Windows operating system provides a group (or local) security policy
setting, “System cryptography: Use FIPS compliant algorithms for
encryption, hashing, and signing”, which is used by many Microsoft
products to determine whether to operate in a FIPS-approved mode. When
this policy is set, the validated cryptographic modules in Windows will
also operate in a FIPS-approved mode.
When AccuTerm is configured this way, non-FIPS-certified algorithms are disabled, like Blowfish and MD5. So when AccuTerm and the server exchange algorithm lists, all non-FIPS-certified algorithms are excluded from the lists that AccuTerm sends to the server.
The current release of AccuTerm 7 supports two key exchange algorithms:
diffie-hellman-group14-sha1
diffie-hellman-group1-sha1
Diffie-hellman is not a certified FIPS algorithm, however FIPS 140 has an exception that allows diffie-hellman key exchange in a FIPS certified environment.
The error you are seeing is because the server is not offering either of these two key exchange algorithms, hence the error. They are certainly permitted in a FIPS-140 environment, but the admin of the server has elected to exclude them.
The upcoming AccuTerm 8 will support additional key exchange algorithms, however at this time only these two are supported.
Thanks,
Pete
|
Posted By: Auctor
Date Posted: October 23 2017 at 6:13am
Thanks, Pete. I'll contact the client to see if they are willing to allow those two algorithms.
Dennis
|
Posted By: Auctor
Date Posted: October 24 2017 at 5:11am
Pete,
The system admin provided this information from the server:
# ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
gss-gex-sha1-
gss-group1-sha1-
gss-group14-sha1-
# ssh -Q mac
hmac-sha1
hmac-sha2-256
hmac-sha2-512
hmac-sha1-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
So the two Diffie-hellman algorithms are supported on the server. However, when I try to connect, Accuterm still claims that the server does not support those algorithms. Is there anything else I can try, or do I have to wait until Accuterm 8?
Dennis
|
Posted By: PSchellenbach
Date Posted: October 24 2017 at 9:14am
Hi Dennis -
Based on the algorithms reported, everything should work fine. Can you install the debug version of AccuTerm 7 and run a log of the connection process? The debug version is on the downloads page: http://www.zumasys.com/products/accuterm/support/download" rel="nofollow - http://www.zumasys.com/products/accuterm/support/download
it is the last file in the first section. After installing, you should find AccuTerm 7 Debug Log in your Start menu. Run that, select atcomm71 from the program list, click the atcomm71 tab and select errors, secure shell and detail options. Click OK. Try to open an ssh connection to the server. When the connection fails, switch to the log, and copy the log to an email to accuterm at zumasys dot com.
Thanks,
Pete
|
Posted By: Auctor
Date Posted: January 04 2018 at 9:46am
If anyone has this problem in the future and is wondering what happened, Pete analyzed the output from the debug version of Accuterm and provided this response:
"Here is the line from the log that shows the problem:06:51:49.789 key
exchange:
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 This is the list of key exchange algorithms that the
server sent to AccuTerm. Notice that neither diffie-hellman-group1-sha1 nor
diffie-hellman-group14-sha1 are included in the list. Those are the two that
AccuTerm 7 supports, but they are
not being sent to the client during algorithm negotiation."
|
|