LinuxQuestions.org > Forums > Linux Forums > Linux - Server
Old 08-24-2018, 12:03 PM   #1
tpolim008 (LQ Newbie)

/etc/ssh/ssh_config


Hi all, I have installed Ubuntu 18.04 and it seems I lost my SSH config from the 16.04 server. I was messing around with /etc/ssh/ssh_config and thought I had backed it up; well, I guess I didn't. Does anyone know where I can get a default config, as I have altered and lost the default Ciphers and MACs?

This is all my list contains and I know it was much longer before I altered it.

Code:
Ciphers aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MACs hmac-md5,hmac-sha1,umac-64@openssh.com
Thanks in advance
 
Old 08-24-2018, 12:43 PM   #2
Turbocapitalist (LQ Guru, Distribution: Linux Mint, Devuan, OpenBSD)
The manual page should show the defaults. See "man ssh_config"

What you have listed are all the old, banned ciphers that were eliminated because they are considered insufficiently secure these days. Instead try:

Code:
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Keep in mind that ssh_config is for the client, not the server.
 
Old 08-24-2018, 12:52 PM   #3
tpolim008 (LQ Newbie, Original Poster)
Thank you for the code. I wasn't aware that I could see the defaults via the man page, as I'm still learning. Yes, I am aware this is for clients. I had to alter it as my rancid clogin would always default to spawning these old values. I have now found a way that I can tell the clogin file which ciphers to use and hope it works. The reason I discovered it no longer works is that I tried to ssh from this server to another server, which would return an error of non-matching cipher values. I hope that by adding the new defaults back in and then telling the clogin to use the called-out value, everything is happy and works.... if not I may return for additional help.
 
Old 08-24-2018, 12:57 PM   #4
Turbocapitalist (LQ Guru)
Ok, but you can apply per-host configurations in the ssh_config file.

Code:
Host stanky stanky.example.com
        Ciphers aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
        MACs hmac-md5,hmac-sha1,umac-64@openssh.com

Host decrepit decrepit.example.com
        Ciphers aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
        MACs hmac-md5,hmac-sha1,umac-64@openssh.com

Host * 
        Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
        MACs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
        Kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
That way you won't be trying to use outdated ciphers and such on more up-to-date machines.

On the out-of-date machines, try checking whether there are some back-port repositories available with newer versions of OpenSSH.
 
Old 08-24-2018, 01:01 PM   #5
tpolim008 (LQ Newbie, Original Poster)
Thank you, but my host file would be very large and hard to maintain, as it would be over 700 devices; the company I work for is a nationwide corporation and we use rancid as a backup server and use it to do a number of other tasks.
 
Old 08-24-2018, 01:12 PM   #6
Turbocapitalist (LQ Guru)
Quote:
Originally Posted by tpolim008 View Post
Thank you but my host file would be very large and hard to maintain as it would be over 700 devices as the company I work for is a nation wide Corp and we use rancid as backup server and use it to do various other number of tasks.
If there is a way to group them, you can use patterns in the Host directive. Or else the ssh_config file could be generated from lists by a shell script or Perl script. That would make the connections to the new machines more secure.
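The generate-it-from-a-list approach suggested in this post, as an added example (this is not code from the thread, from rancid or from OpenSSH): a Python script that reads a small device inventory and emits a client ssh_config in which only the devices flagged as legacy receive the old Ciphers/MACs lists quoted earlier in the thread, several names per Host line, while everything else falls through to the modern Host * catch-all at the bottom. The inventory text, the hostnames and the "legacy"/"modern" profile labels are constructed for the example; the option lists are the ones given in this thread.

```python
"""Generate a client ssh_config from a device inventory: legacy devices get the
old cipher/MAC lists, everything else falls through to a modern 'Host *'."""
from typing import Dict, List

# Constructed sample inventory (hostnames are hypothetical): "hostname profile"
INVENTORY = """\
# host                       profile
uer01.site1.example.net      legacy
uer02.site1.example.net      legacy
core1.site1.example.net      modern
uer01.site2.example.net      legacy
core1.site2.example.net      modern
"""

# Option sets taken from the cipher/MAC/KEX lists posted earlier in the thread.
LEGACY_OPTIONS = {
    "Ciphers": "aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc",
    "MACs": "hmac-md5,hmac-sha1,umac-64@openssh.com",
}
MODERN_OPTIONS = {
    "Ciphers": "chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com",
    "MACs": "umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1",
    "KexAlgorithms": "curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1",
}

# Characters that ssh_config interprets as pattern syntax in a Host line.
PATTERN_CHARS = set("*?!")


def parse_inventory(text: str) -> Dict[str, List[str]]:
    """Group hostnames by profile. A name containing '*', '?' or '!' is
    rejected: written into a Host line it would become a pattern and silently
    widen the weak-cipher stanza to other devices."""
    groups: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 'host profile', got {raw!r}")
        host, profile = fields
        if PATTERN_CHARS & set(host):
            raise ValueError(f"line {lineno}: {host!r} contains a pattern character")
        groups.setdefault(profile, []).append(host)
    return groups


def stanza(patterns: List[str], options: Dict[str, str]) -> str:
    """One Host stanza; a Host line accepts several space-separated patterns."""
    lines = ["Host " + " ".join(patterns)]
    lines.extend(f"    {key} {value}" for key, value in options.items())
    return "\n".join(lines)


def generate_ssh_config(inventory: str, hosts_per_line: int = 8) -> str:
    """Emit the legacy stanzas first and the modern catch-all last, because
    ssh keeps the first value it obtains for each keyword. Legacy devices are
    batched a few per Host line instead of one stanza per device."""
    groups = parse_inventory(inventory)
    legacy = sorted(set(groups.get("legacy", [])))
    blocks = ["# Generated from inventory; do not edit by hand."]
    for i in range(0, len(legacy), hosts_per_line):
        blocks.append(stanza(legacy[i:i + hosts_per_line], LEGACY_OPTIONS))
    blocks.append(stanza(["*"], MODERN_OPTIONS))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    print(generate_ssh_config(INVENTORY))
```

Writing the output to the rancid user's ~/.ssh/config rather than the system-wide /etc/ssh/ssh_config keeps the weak lists scoped to that one account, since ssh reads the per-user file before the system one; either way, `ssh -G uer01.site1.example.net | grep -i ciphers` shows which list ssh will actually use for a given device once the file is in place.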
 
Old 08-24-2018, 04:25 PM   #7
tpolim008 (LQ Newbie, Original Poster)
Quote:
Originally Posted by Turbocapitalist View Post
If there is a way to group them, you can use patterns in the Host directive. Or else the ssh_config file could be generated from lists by a shell script or perl script. That would make the connections to the new machines more secure.
So say all my hosts start as uerxx.sitename.DNS; are you saying I can group them all into a "catch-all" for this to work?
 
Old 08-25-2018, 12:25 AM   #8
Turbocapitalist (LQ Guru)
Quote:
Originally Posted by tpolim008 View Post
So say all my host start as uerxx.sitename.DNS are you saying I can group them all into a "catch-all" for this to work?
Yes, though the * at the bottom is the catch-all for everything. See "man ssh_config" and scroll down to the section titled "PATTERNS".

The rules go into the ssh_config file in order from specific to general. So the first stanza applies to a particular machine, the second to a pattern of names, the third to a less specific set of names, the fourth more general still and the last to every connection:

Code:
Host stanky stanky.example.com
        Ciphers aes128-cbc,3des-cbc,aes192-cbc
        MACs hmac-md5,hmac-sha1
        
Host uer??.sitename.example.com
        Ciphers aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
        MACs hmac-md5,hmac-sha1,umac-64@openssh.com

Host *.sitename.example.com
        IdentitiesOnly yes

Host *.example.com
        Compression no
        ServerAliveCountMax 3
        ServerAliveInterval 15

Host * 
        Protocol 2
        Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
        MACs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
        Kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
        ServerAliveCountMax 4
        ServerAliveInterval 60
Again, the rules are set first-match. So if Ciphers is set by one rule that applies, a subsequent rule will not override it even if it matches and contains Ciphers again.
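To make the first-match rule concrete, an added example (not from the thread and not OpenSSH's own code) in Python: a small resolver that parses ssh_config-style text, matches Host patterns with * and ? (plus ! negation) as described in the PATTERNS section of ssh_config(5), and keeps the first value obtained for each keyword, run against the configuration from the post above. The function names are the example's own. The resolver deliberately models only the plain first-match behaviour the post describes; the few keywords OpenSSH accumulates instead (IdentityFile and friends) and the +/-/^ prefix forms that edit the default algorithm list are noted in the comments but not implemented.

```python
"""Resolve the effective ssh_config options for a hostname using OpenSSH's
first-match rule: the first value obtained for each keyword wins."""
import re
from typing import Dict, List, Tuple

Stanza = Tuple[List[str], List[Tuple[str, str]]]


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """ssh_config pattern -> regex: '*' matches any run of characters
    (including none), '?' exactly one character, everything else is literal."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(parts))


def host_matches(patterns: List[str], host: str) -> bool:
    """Apply a Host line's space-separated pattern list. A positive match makes
    the block apply, but a negated pattern ('!name') that matches vetoes it."""
    matched = False
    for pattern in patterns:
        negate = pattern.startswith("!")
        if negate:
            pattern = pattern[1:]
        if pattern_to_regex(pattern).fullmatch(host):
            if negate:
                return False
            matched = True
    return matched


def parse_ssh_config(text: str) -> List[Stanza]:
    """Split config text into (patterns, [(keyword, value), ...]) stanzas.
    Options before any Host line are global, so they go into an implicit
    'Host *' stanza at the top and are therefore obtained first."""
    stanzas: List[Stanza] = [(["*"], [])]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue  # keyword without a value; ssh itself would reject the file
        keyword, value = parts[0].lower(), parts[1].strip()  # keywords are case-insensitive
        if keyword == "host":
            stanzas.append((value.split(), []))
        else:
            stanzas[-1][1].append((keyword, value))
    return stanzas


def resolve(text: str, host: str) -> Dict[str, str]:
    """Effective keyword -> value map for `host` (the name as typed on the
    command line, which is what Host patterns are matched against).
    Not modelled: keywords that accumulate (IdentityFile, LocalForward, ...)
    and Ciphers/MACs/KexAlgorithms values starting with '+', '-' or '^',
    which edit the built-in default list instead of replacing it."""
    effective: Dict[str, str] = {}
    for patterns, options in parse_ssh_config(text):
        if not host_matches(patterns, host):
            continue
        for keyword, value in options:
            effective.setdefault(keyword, value)  # first obtained value wins
    return effective


# The configuration from the post above, used here as sample input.
SAMPLE_CONFIG = """
Host stanky stanky.example.com
        Ciphers aes128-cbc,3des-cbc,aes192-cbc
        MACs hmac-md5,hmac-sha1

Host uer??.sitename.example.com
        Ciphers aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
        MACs hmac-md5,hmac-sha1,umac-64@openssh.com

Host *.sitename.example.com
        IdentitiesOnly yes

Host *.example.com
        Compression no
        ServerAliveCountMax 3
        ServerAliveInterval 15

Host *
        Protocol 2
        Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
        MACs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
        KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
        ServerAliveCountMax 4
        ServerAliveInterval 60
"""

if __name__ == "__main__":
    for name in ("stanky", "uer01.sitename.example.com", "newbox.example.com"):
        print(name, resolve(SAMPLE_CONFIG, name).get("ciphers"))
```

Against a real installation the equivalent check is `ssh -G uer01.sitename.example.com`, which prints the configuration ssh would actually use for that host after every stanza has been applied, and `ssh -Q cipher` / `ssh -Q mac` list what the installed build supports at all; comparing the two is the quickest way to see whether a weak-cipher stanza is still reaching a host it should no longer cover.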
 
Old 08-25-2018, 01:23 PM   #9
Habitual (LQ Veteran)
n/m
 
Old 08-26-2018, 03:38 PM   #10
tpolim008 (LQ Newbie, Original Poster)
Thanks for the help everyone. I ended up doing the following in my rancid clogin after restoring the config file to defaults:

Code:
add method * {ssh}
add cyphertype * {aes256-cbc}
 