LinuxQuestions.org
Solaris / OpenSolaris This forum is for the discussion of Solaris and OpenSolaris.
General Sun, SunOS and Sparc related questions also go here.

Old 10-31-2011, 11:35 AM   #1
Mark_667
Member
 
Registered: Aug 2005
Location: Manchester, England
Distribution: Ubuntu 12.10
Posts: 257

Rep: Reputation: 25
Specifying ciphers for SSH


I'm trying to get ssh on OpenSolaris to work with plink with the -ssh option. Plink can use the following ciphers:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour

SSH v2:
'aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour'

I tried specifying the v2 ciphers in my /etc/ssh/sshd_config file (see below) but after restarting the service I get a connection refused, even after changing it back and restarting it again. Can anyone tell me where I'm going wrong here?
Code:
#
# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# Configuration file for sshd(1m)

# Protocol versions supported
#
# The sshd shipped in this release of Solaris has support for major versions
# 1 and 2.  It is recommended due to security weaknesses in the v1 protocol
# that sites run only v2 if possible. Support for v1 is provided to help sites
# with existing ssh v1 clients/servers to transition. 
# Support for v1 may not be available in a future release of Solaris.
#
# To enable support for v1 an RSA1 key must be created with ssh-keygen(1).
# RSA and DSA keys for protocol v2 are created by /etc/init.d/sshd if they
# do not already exist, RSA1 keys for protocol v1 are not automatically created.

# Uncomment ONLY ONE of the following Protocol statements.

# Only v2 (recommended)
#Protocol 2

# Both v1 and v2 (not recommended)
Protocol 2,1

# Only v1 (not recommended)
#Protocol 1

# Listen port (the IANA registered port number for ssh is 22)
Port 22

# The default listen address is all interfaces, this may need to be changed
# if you wish to restrict the interfaces sshd listens on for a multi homed host.
# Multiple ListenAddress entries are allowed.

# IPv4 only
#ListenAddress 0.0.0.0
# IPv4 & IPv6
ListenAddress ::

# Port forwarding
AllowTcpForwarding no

# If port forwarding is enabled, specify if the server can bind to INADDR_ANY. 
# This allows the local port forwarding to work when connections are received
# from any remote host.
GatewayPorts no

# X11 tunneling options
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes

# The maximum number of concurrent unauthenticated connections to sshd.
# start:rate:full see sshd(1) for more information.
# The default is 10 unauthenticated clients.
#MaxStartups 10:30:60

# Banner to be printed before authentication starts.
#Banner /etc/issue

# Should sshd print the /etc/motd file and check for mail.
# On Solaris it is assumed that the login shell will do these (eg /etc/profile).
PrintMotd no

# KeepAlive specifies whether keep alive messages are sent to the client.
# See sshd(1) for detailed description of what this means.
# Note that the client may also be sending keep alive messages to the server.
KeepAlive yes

# Syslog facility and level 
SyslogFacility auth
LogLevel info

#
# Authentication configuration
# 

# Host private key files
# Must be on a local disk and readable only by the root user (root:sys 600).
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

# Length of the server key
# Default 768, Minimum 512
ServerKeyBits 768

# sshd regenerates the key every KeyRegenerationInterval seconds.
# The key is never stored anywhere except the memory of sshd.
# The default is 1 hour (3600 seconds).
KeyRegenerationInterval 3600

# Ensure secure permissions on users .ssh directory.
StrictModes yes

# Length of time in seconds before a client that hasn't completed
# authentication is disconnected.
# Default is 600 seconds. 0 means no time limit.
LoginGraceTime 600

# Maximum number of retries for authentication
# Default is 6. Default (if unset) for MaxAuthTriesLog is MaxAuthTries / 2
MaxAuthTries	6
MaxAuthTriesLog	3

# Are logins to accounts with empty passwords allowed.
# If PermitEmptyPasswords is no, pass PAM_DISALLOW_NULL_AUTHTOK 
# to pam_authenticate(3PAM).
PermitEmptyPasswords no

# To disable tunneled clear text passwords, change PasswordAuthentication to no.
PasswordAuthentication yes

# Use PAM via keyboard interactive method for authentication.
# Depending on the setup of pam.conf(4) this may allow tunneled clear text
# passwords even when PasswordAuthentication is set to no. This is dependent
# on what the individual modules request and is out of the control of sshd
# or the protocol.
PAMAuthenticationViaKBDInt yes

# Are root logins permitted using sshd.
# Note that sshd uses pam_authenticate(3PAM) so the root (or any other) user
# maybe denied access by a PAM module regardless of this setting.
# Valid options are yes, without-password, no.
PermitRootLogin yes

# sftp subsystem
Subsystem	sftp	/usr/lib/ssh/sftp-server


# SSH protocol v1 specific options
#
# The following options only apply to the v1 protocol and provide
# some form of backwards compatibility with the very weak security
# of /usr/bin/rsh.  Their use is not recommended and the functionality
# will be removed when support for v1 protocol is removed.

# Should sshd use .rhosts and .shosts for password less authentication.
IgnoreRhosts yes
RhostsAuthentication no

# Rhosts RSA Authentication
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts.
# If the user on the client side is not root then this won't work on
# Solaris since /usr/bin/ssh is not installed setuid.
RhostsRSAAuthentication no

# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication.
#IgnoreUserKnownHosts yes

# Is pure RSA authentication allowed.
# Default is yes
RSAAuthentication yes

# SSH protocol v2 specific options
Ciphers ''aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
		 aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
		 aes256-cbc,arcfour''
 
Old 10-31-2011, 11:47 AM   #2
Blinker_Fluid
Member
 
Registered: Jul 2003
Location: Clinging to my guns and religion.
Posts: 682

Rep: Reputation: 63
When I've messed with Ciphers in the past I usually just uncommented the existing line that is commented out by default:
Code:
Ciphers        aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc

By default the section just looks like this:
Code:
# Default Encryption algorithms and Message Authentication codes
#Ciphers        aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc
#MACS   hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
It looks like there are some quote marks that may be throwing the daemon off, or it's in the wrong area.
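Added example (my own code, not from either poster or from Sun's sshd): a small lint over the Ciphers directive as posted in #1 and as uncommented in #2. sshd_config has no quoting and no line continuation, so the quoted, three-line value in the first post is read as one Ciphers line with a stray quote and trailing comma, followed by two lines that start with a cipher list instead of a keyword; an sshd that cannot parse its config does not start, and nothing listening on port 22 is what the client reports as "connection refused". The script also shows which cipher plink would end up with, using the rule that the first name in the client's list that the server also offers is chosen (RFC 4253 section 7.1). The config strings and the plink preference order are constructed from what the thread quotes.

```python
import re

# Constructed for this example: the Ciphers directive as posted in #1
# (quoted and wrapped across three lines) and the single-line form that
# the reply in #2 recommends uncommenting.
BROKEN_CONFIG = """\
# SSH protocol v2 specific options
Ciphers ''aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
\t\t aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
\t\t aes256-cbc,arcfour''
"""

GOOD_CONFIG = """\
# Default Encryption algorithms and Message Authentication codes
Ciphers        aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc
#MACS   hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
"""

# Client preference list in the order plink offers it (quoted in post #1).
PLINK_CIPHERS = ["aes128-ctr", "aes192-ctr", "aes256-ctr",
                 "arcfour128", "arcfour256", "arcfour"]

# An SSH algorithm name: letters, digits and a little punctuation; no quotes.
CIPHER_NAME = re.compile(r"^[a-z0-9][a-z0-9.@-]*$")


def lint_ciphers(config_text):
    """Return (ciphers, problems) for the Ciphers directive(s) in config_text.

    A directive is one line of the form 'Keyword value'; the Ciphers value is
    a single comma-separated list with no quotes and no spaces.
    """
    ciphers, problems = [], []
    for n, line in enumerate(config_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = re.split(r"\s+", stripped, maxsplit=1)
        keyword, value = parts[0], (parts[1] if len(parts) > 1 else "")
        if "," in keyword:
            problems.append(f"line {n}: starts with a cipher list, not a keyword "
                            "(wrapped value; sshd_config has no continuation lines)")
            continue
        if keyword.lower() != "ciphers":
            continue
        for token in value.split(","):
            token = token.strip()
            if token == "":
                problems.append(f"line {n}: empty cipher name (trailing or doubled comma)")
            elif not CIPHER_NAME.match(token):
                problems.append(f"line {n}: bad cipher name {token!r} (stray quotes?)")
            else:
                ciphers.append(token)
    return ciphers, problems


def negotiate(client_prefs, server_ciphers):
    """The first name in the client's list that the server also offers wins.
    None means no common cipher: the session then fails during key exchange,
    which is a different symptom from 'connection refused'."""
    for name in client_prefs:
        if name in server_ciphers:
            return name
    return None


def legacy_ciphers(ciphers):
    """Ciphers worth dropping from the server list once old clients are gone:
    RC4 (arcfour*) and the CBC-mode ciphers."""
    return [c for c in ciphers if c.startswith("arcfour") or c.endswith("-cbc")]


if __name__ == "__main__":
    for label, text in (("as posted", BROKEN_CONFIG),
                        ("uncommented default", GOOD_CONFIG)):
        ciphers, problems = lint_ciphers(text)
        print(f"{label}: ciphers={ciphers}")
        for p in problems:
            print("  problem:", p)
        print("  plink would negotiate:", negotiate(PLINK_CIPHERS, ciphers))
        print("  legacy ciphers still offered:", legacy_ciphers(ciphers))
```

With the default line uncommented, plink's first preference aes128-ctr is on the server list, so that is what gets negotiated; the CBC and arcfour entries are only there for older clients. OpenSSH's `sshd -t` is the real parse check; whether the Sun sshd in this thread accepts that flag is not something the thread says.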
 
Old 10-31-2011, 12:49 PM   #3
Mark_667
Member
 
Registered: Aug 2005
Location: Manchester, England
Distribution: Ubuntu 12.10
Posts: 257

Original Poster
Rep: Reputation: 25
I tried commenting out the Ciphers part and replacing it with the Ciphers line you mention, but I'm still getting a connection refused when I try to connect.

Code:
#svcs -d ssh
STATE STIME FMRI
disabled Oct_17 svc:/network/physical:default
disabled Oct_17 svc:/network/ipfilter:default

All the others are online; svcadm enable ssh doesn't make any difference. What would cause this?
 
Old 10-31-2011, 01:31 PM   #4
Blinker_Fluid
Member
 
Registered: Jul 2003
Location: Clinging to my guns and religion.
Posts: 682

Rep: Reputation: 63
Quote:
Originally Posted by Mark_667 View Post
I tried commenting out the Ciphers part and replacing it with the Ciphers line you mention, but I'm still getting a connection refused when I try to connect.

Code:
#svcs -d ssh
STATE STIME FMRI
disabled Oct_17 svc:/network/physical:default
disabled Oct_17 svc:/network/ipfilter:default

All the others are online; svcadm enable ssh doesn't make any difference. What would cause this?
svc:/network/physical:default is disabled? Do you have link light in the back? What does 'dladm show-dev' show? Normally it's online on the systems I work on (I've never noticed it in a disabled state).
 
Old 11-01-2011, 05:16 AM   #5
Mark_667
Member
 
Registered: Aug 2005
Location: Manchester, England
Distribution: Ubuntu 12.10
Posts: 257

Original Poster
Rep: Reputation: 25
My box just spits out a usage screen when I try dladm show-dev but

Code:
#dladm show-link
LINK	CLASS	MTU	STATE	OVER
dnet0	phys	1500	unknown	--
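Added example (mine, not from any poster): the two outputs pasted in #3 and #5 read as text, with the rows that matter pulled out. `svcs -d ssh` lists the services ssh depends on, so a dependency that is not online is the first thing to chase before editing sshd_config again; likewise a link whose dladm state is not `up`. The sample rows are constructed from the thread: the two disabled dependencies are the ones pasted, and the online rows stand in for "all the others are online".

```python
# Constructed: svcs -d ssh output as pasted in #3, plus two online rows
# standing in for the remaining dependencies the poster says are online.
SVCS_D_SSH = """\
STATE          STIME    FMRI
disabled       Oct_17   svc:/network/physical:default
disabled       Oct_17   svc:/network/ipfilter:default
online         Oct_17   svc:/network/loopback:default
online         Oct_17   svc:/system/filesystem/local:default
"""

# Constructed from the dladm show-link output pasted in #5.
DLADM_SHOW_LINK = """\
LINK\tCLASS\tMTU\tSTATE\tOVER
dnet0\tphys\t1500\tunknown\t--
"""


def parse_table(text):
    """Parse whitespace-separated columnar output that has a header row into
    a list of dicts keyed by the lower-cased header names. Lines whose cell
    count does not match the header (wrapped or truncated) are skipped."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = [h.lower() for h in lines[0].split()]
    rows = []
    for line in lines[1:]:
        cells = line.split()
        if len(cells) != len(header):
            continue
        rows.append(dict(zip(header, cells)))
    return rows


def ssh_reachability_findings(svcs_text, dladm_text):
    """Return one line per dependency of the ssh service that is not online
    and per datalink that is not up, in the order they appear."""
    findings = []
    for row in parse_table(svcs_text):
        if row["state"] != "online":
            findings.append(f"dependency {row['fmri']} is {row['state']}")
    for link in parse_table(dladm_text):
        if link["state"] != "up":
            findings.append(f"link {link['link']} is {link['state']}")
    return findings


if __name__ == "__main__":
    for finding in ssh_reachability_findings(SVCS_D_SSH, DLADM_SHOW_LINK):
        print(finding)
```

Whether a non-online dependency actually holds ssh offline depends on how the manifest groups it (require_all versus optional_all), which `svcs -l ssh` prints next to each dependency, and `svcs -x ssh` gives the one-paragraph explanation for the current state together with the path of the service log under /var/svc/log. That log is also where an sshd that refused to start on a bad Ciphers line leaves its complaint, which is the quickest way to tell a config problem from a network one.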
 
  

