Difference between revisions of "Enable Legacy Cipher in Linux for SecureCRT"
m |
|||
Line 1: | Line 1: | ||
+ | === why it broke === | ||
SecureCRT version 3.1.2 has a limited selection of available ciphers. It is an old version of the client. In the past when the selections | SecureCRT version 3.1.2 has a limited selection of available ciphers. It is an old version of the client. In the past when the selections | ||
*Cipher: 3DES | *Cipher: 3DES | ||
Line 30: | Line 31: | ||
*PubkeyAcceptedKeyTypes: the public key algorithms that the server can use to authenticate itself to | *PubkeyAcceptedKeyTypes: the public key algorithms that the server can use to authenticate itself to | ||
− | + | === making it work === | |
To get it up and running using weak ciphers as to support an old version of SecureCRT you must edit the sshd_config file. Before you do that, get a list of ciphers and macs that you can copy to later paste into the sshd_config file: | To get it up and running using weak ciphers as to support an old version of SecureCRT you must edit the sshd_config file. Before you do that, get a list of ciphers and macs that you can copy to later paste into the sshd_config file: | ||
Line 49: | Line 50: | ||
Monitor the log while attempting to connect with SecureCRT | Monitor the log while attempting to connect with SecureCRT | ||
tail -f /var/log/auth.log | tail -f /var/log/auth.log | ||
+ | |||
+ | === references === |
Revision as of 23:56, 26 February 2017
why it broke
SecureCRT version 3.1.2 has a limited selection of available ciphers. It is an old version of the client. In the past when the selections
- Cipher: 3DES
- MAC: MD5
where used, the client connected to the linux system sshd server (OpenSSH). SecureCRT is actually using the cipher "3des-cbc" specifically and "hmac-md5" for the MAC (Message Authentication Codes).
Supporting legacy ciphers for backwards compatibility is necessary to connect "ssh" with SecureCRT. The ssh server "sshd" ciphers can be configured via the file:
vi /etc/ssh/sshd_config
See what ciphers are available on your system:
ssh -Q cipher localhost ssh -Q mac localhost
Even though 3des-cbc is enabled in the configuration, the client using 3des-cbc is rejected, as evidence in the log
cat /var/log/auth.log
It turns out that number of version 2 ciphers have been disabled in the 6.7p1-1 release of openssh. Lets see what version of OpenSSH we have.
dpkg-query -l|grep -i openssh
Debian Linux Jessie reports openssh-server 1:6.7p1-5+deb8u3 which has the following ciphers disabled: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,arcfour128,arcfour256,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
* sshd(8): The default set of ciphers and MACs has been altered to remove unsafe algorithms. In particular, CBC ciphers and arcfour* are disabled by default. The full set of algorithms remains available if configured explicitly via the Ciphers and MACs sshd_config options.
When a SSH client connects to a server, each side offers lists of connection parameters to the other. These are, with the corresponding ssh_config keyword:
- KexAlgorithms: the key exchange methods that are used to generate per-connection keys
- Ciphers: the ciphers to encrypt the connection
- MACs: the message authentication codes used to detect traffic modification
- PubkeyAcceptedKeyTypes: the public key algorithms that the server can use to authenticate itself to
making it work
To get it up and running using weak ciphers as to support an old version of SecureCRT you must edit the sshd_config file. Before you do that, get a list of ciphers and macs that you can copy to later paste into the sshd_config file:
ssh -Q cipher localhost | paste -d , -s ssh -Q mac localhost | paste -d , -s
Copy that output into the sshd_config file along with a third line. Open sshd_config for editing:
vi /etc/ssh/sshd_config
Add the following lines near the top, under where it says "Protocol 2"
Ciphers 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,arcfour128,arcfour256,aes128-cbc,aes192-cbc,aes256-cbc MACs hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-512,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org
Remember we obtained the ciphers and macs from the list we generated with the preceding commands. Now we had to add a third line for the KexAlgorithms.
Restart the sshd service
service sshd restart
Monitor the log while attempting to connect with SecureCRT
tail -f /var/log/auth.log