Difference between revisions of "Enable Legacy Cipher in Linux for SecureCRT"
Revision as of 23:46, 26 February 2017
SecureCRT version 3.1.2 is an old version of the client and has a limited selection of available ciphers. In the past, when the selections
- Cipher: 3DES
- MAC: MD5
were used, the client connected to the Linux system's sshd server (OpenSSH). Specifically, SecureCRT is using the cipher "3des-cbc" and the MAC (Message Authentication Code) "hmac-md5".
Supporting legacy ciphers for backwards compatibility is necessary to connect "ssh" with SecureCRT. The ssh server "sshd" ciphers can be configured via the file:
vi /etc/ssh/sshd_config
See what ciphers are available on your system:
ssh -Q cipher localhost
ssh -Q mac localhost
Even though 3des-cbc is enabled in the configuration, the client using 3des-cbc is rejected, as evidenced in the log:
cat /var/log/auth.log
It turns out that a number of version 2 ciphers have been disabled in the 6.7p1-1 release of OpenSSH. Let's see what version of OpenSSH we have.
dpkg-query -l|grep -i openssh
Debian Linux Jessie reports openssh-server 1:6.7p1-5+deb8u3 which has the following ciphers disabled: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,arcfour128,arcfour256,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
* sshd(8): The default set of ciphers and MACs has been altered to remove unsafe algorithms. In particular, CBC ciphers and arcfour* are disabled by default. The full set of algorithms remains available if configured explicitly via the Ciphers and MACs sshd_config options.
When an SSH client connects to a server, each side offers lists of connection parameters to the other. These are, with the corresponding ssh_config keyword:
- KexAlgorithms: the key exchange methods that are used to generate per-connection keys
- Ciphers: the ciphers to encrypt the connection
- MACs: the message authentication codes used to detect traffic modification
- PubkeyAcceptedKeyTypes: the public key algorithms that the server can use to authenticate itself to
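
As an added example (not from the original page or from OpenSSH), the shell sketch below applies the RFC 4253 selection rule to the lists each side offers: the first name on the client's list that the server also lists is chosen, which is why a client offering only 3des-cbc is rejected until the server's Ciphers line names it. The function names, the sample lists and the config fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example: SSH algorithm selection as defined in RFC 4253, section 7.1.
# All lists and the config fragment below are constructed sample values.

# negotiate CLIENT_LIST SERVER_LIST: print the first client algorithm that the
# server also lists; return 1 when the two lists have nothing in common.
negotiate() {
    old_ifs=$IFS; IFS=,
    for c in $1; do
        for s in $2; do
            if [ "$c" = "$s" ]; then
                IFS=$old_ifs; printf '%s\n' "$c"; return 0
            fi
        done
    done
    IFS=$old_ifs
    return 1
}

# config_value FILE KEYWORD: value of the first uncommented KEYWORD line.
# sshd keeps the first value it obtains for a keyword; keywords are
# case-insensitive.
config_value() {
    awk -v kw="$2" 'tolower($1) == tolower(kw) { print $2; exit }' "$1"
}

# check LABEL CLIENT_LIST SERVER_LIST: report the outcome of one negotiation.
check() {
    if alg=$(negotiate "$2" "$3"); then
        echo "$1: agreed on $alg"
    else
        echo "$1: no match (client offers $2, server offers $3)"
    fi
}

conf=$(mktemp)
cat > "$conf" <<'EOF'
# constructed sshd_config fragment with the legacy algorithms listed explicitly
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc
MACs hmac-sha2-256,hmac-sha2-512,hmac-md5
EOF

# The client side is what the page says SecureCRT 3.1.2 uses.
check "cipher, server list without CBC" 3des-cbc aes128-ctr,aes192-ctr,aes256-ctr
check "cipher, server list from config" 3des-cbc "$(config_value "$conf" Ciphers)"
check "MAC, server list from config" hmac-md5 "$(config_value "$conf" MACs)"
rm -f "$conf"
```

After editing /etc/ssh/sshd_config, `sshd -t` checks the file for validity before the daemon is restarted.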