Print Page | Close Window

SSH KEX List

Printed From: Rocket Software
Category: AccuTerm Knowledge Base (read only)
Forum Name: Connectivity
Forum Description: Questions about serial, modem, telnet and secure shell connections?
URL: https://forum.asent.com/forum_posts.asp?TID=2696
Printed Date: February 02 2023 at 1:21pm
Software Version: Web Wiz Forums 12.03 - http://www.webwizforums.com


Topic: SSH KEX List
Posted By: TonyG
Subject: SSH KEX List
Date Posted: September 05 2018 at 5:10pm
I commented on a post by http://forum.asent.com/accuterm-openssh-and-the-bane-of-pci-compliance_topic2695.html" rel="nofollow - Steven about KEx negotiation. Then this got a little weird.

Guided by http://forum.asent.com/connecting-with-fips-ssh_topic2651.html" rel="nofollow - this other thread by Auctor, I installed the AccuTerm 7.3 Debug build. Then when I connect to this Ubuntu server with Putty, I get this list of Kex algorithms :

Outgoing packet type 20 / 0x14 (SSH2_MSG_KEXINIT)
~diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,
diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ssh-rsa,ss...

So group14 is there.

But when I use AT7.3 in Debug mode :

SSH2 server algorithm list:
key exchange: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256


Yes, this is the same server, same port, same SSHD. No group14

I created a file under /home/myuser/.ssh/config with this line, but it doesn't change the list sent to AccuTerm.

KexAlgorithms +diffie-hellman-group14-sha1

Any idea why a server would cough up a different Kex list? Thanks!

-------------
Tony Gravagno Nebula Research & Development
TG@ Nebula-RnD . com
http://Nebula-RnD.com/blog
http://Twitter.com/TonyGravagno
http://groups.google.com/group/mvdbms
https://www.linkedin.com/groups/64935



Replies:
Posted By: TonyG
Date Posted: September 06 2018 at 4:05pm
Follow-up: It looks like I was confusing a couple things. First, when debugging the Putty exchanges, note that I have the "Outgoing packet type". I'm thinking that might be outgoing from Putty, not outgoing from the server. So Putty is reporting that it supports those algorithms, not the server.

I got a note from the server admin that they removed diffie-hellman-group14-sha1 a couple months ago for security reasons. Well, that's like pruning a rotten plant because they are still using an old OpenSSH 6.6.1. But at least I now know that AccuTerm cannot communicate with that server anymore.

At some point soon I'll try to run a secure tunnel from my PC to the server, and then I'll try to run into that from AccuTerm.

I believe I read elsewhere that v8.0 supports newer algorithms. I can deal with that.

-------------
Tony Gravagno Nebula Research & Development
TG@ Nebula-RnD . com
http://Nebula-RnD.com/blog
http://Twitter.com/TonyGravagno
http://groups.google.com/group/mvdbms
https://www.linkedin.com/groups/64935


Posted By: sdavmor
Date Posted: September 06 2018 at 7:43pm
I also removed diffie-helman-group14-sha1 a few months ago, when Trustwave started failing my customers on the monthly security scan for "weak KEX algorithms".


-------------
SDM -- A 21st century schizoid man



Print Page | Close Window

Forum Software by Web Wiz Forums® version 12.03 - http://www.webwizforums.com
Copyright ©2001-2019 Web Wiz Ltd. - https://www.webwiz.net