LinuxQuestions.org
Old 05-01-2018, 03:12 PM   #1
JockVSJock
Senior Member
 
Registered: Jan 2004
Location: SATX
Distribution: RHEL/CentOS
Posts: 1,301
Blog Entries: 4

Rep: Reputation: 148
Adding Ciphers to /etc/ssh/ssh_config and confirming


I've added the following Ciphers to /etc/ssh/ssh_config, all on one line:

Code:
    
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour

I've restarted the ssh daemon and tried to run the following:

Code:
ssh -v 

ssh -vvv
Trying to determine if those Ciphers are enabled or not. From the output I can't tell.

Is there a way to determine other than looking into the file /etc/ssh/ssh_config?

thanks


EDIT:

None of these work:

Code:
[root@ ~]# sshd -T | grep "\(ciphers\|macs\|kexalgorithms\)"
sshd: illegal option -- T
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
usage: sshd [-46Ddeiqt] [-b bits] [-f config_file] [-g login_grace_time]
            [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len]

[root@ ~]# ssh -Q cipher
ssh: illegal option -- Q
usage: ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-e escape_char] [-F configfile]
           [-i identity_file] [-L [bind_address:]port:host:hostport]
           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
           [-R [bind_address:]port:host:hostport] [-S ctl_path]
           [-w tunnel:tunnel] [user@]hostname [command]

[root@ ~]# ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

Last edited by JockVSJock; 05-01-2018 at 03:29 PM.
 
Old 05-02-2018, 12:06 AM   #2
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 4,112
Blog Entries: 3

Rep: Reputation: 2003
The file /etc/ssh/ssh_config is the global configuration file for the clients.

In the client configuration file for the OpenSSH client, options are set based on first-match. The more specific definitions must come first and the more general defaults at the end. So check to make sure you added Ciphers in the right place, which should be at the beginning in order to apply to all connections.

Unsafe ciphers were removed in OpenSSH 7.2. So if you have that version of the client, the unsafe ciphers you are trying to add won't be recognized or available.
Then on the server, I doubt that new ciphers are supported by the old version of OpenSSH you are showing unless Red Hat has backported them. Check the change log, or get some mileage out of the support contract you are paying for.

Code:
rpm -q --changelog openssh | less
See "man ssh" and "man sshd" on the server regarding the options -T and -Q, which might not be on such an old version. The -T test mode was added to the server in OpenSSH 5.1 and the client gained -Q in version 6.3.


I hope a newer version of the OpenSSH server is available for you in backports because that would be the way to go so that you can use safer ciphers on the server side of things and won't need to damage the client settings.
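
The first-match rule described in the post above, as an added example that is not part of the original thread: a simplified POSIX shell resolver that reports which `Ciphers` line applies to a given host. The host names and sample files are constructed, and `Match`, `Include` and `Keyword=value` syntax are not handled.

```shell
#!/bin/sh
# Added example: which Ciphers line does first-match select for a host?
# Simplified parser (assumption): "Keyword value" lines and Host blocks with
# * ? and !negation only.

effective_ciphers() {            # usage: effective_ciphers <host> <config-file>
    host=$1 active=1             # lines before the first Host apply to every host
    while read -r key rest; do
        key=$(printf '%s' "$key" | tr 'A-Z' 'a-z')   # keywords are case-insensitive
        case $key in
            ''|'#'*) continue ;;
            host)
                active=0 negated=0
                set -f           # do not expand patterns against the filesystem
                for pat in $rest; do
                    case $pat in
                        '!'*) case $host in ${pat#?}) negated=1 ;; esac ;;
                        *)    case $host in $pat) active=1 ;; esac ;;
                    esac
                done
                set +f
                if [ "$negated" -eq 1 ]; then active=0; fi ;;
            ciphers)
                if [ "$active" -eq 1 ]; then printf '%s\n' "$rest"; return 0; fi ;;
        esac
    done < "$2"
    return 1                     # no Ciphers line applies: built-in default is used
}

# Constructed sample configs (hypothetical host names).
cfg_tail=$(mktemp) cfg_head=$(mktemp)
trap 'rm -f "$cfg_tail" "$cfg_head"' EXIT
cat > "$cfg_tail" <<'EOF'
Host backup.example.net
    Port 2222
# appended at the end of the file, so it belongs to the Host block above
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
EOF
cat > "$cfg_head" <<'EOF'
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
Host legacy-*.example.net
    Ciphers arcfour
EOF

for h in backup.example.net web.example.net legacy-01.example.net; do
    echo "$h tail: $(effective_ciphers "$h" "$cfg_tail" || echo '<built-in default>')"
    echo "$h head: $(effective_ciphers "$h" "$cfg_head" || echo '<built-in default>')"
done
```

With the line appended at the end, only `backup.example.net` gets the list; with the line at the top, every host gets it and the later host-specific `Ciphers arcfour` never takes effect.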
 
Old 05-02-2018, 08:08 AM   #3
JockVSJock
Senior Member
 
Registered: Jan 2004
Location: SATX
Distribution: RHEL/CentOS
Posts: 1,301

Original Poster
Blog Entries: 4

Rep: Reputation: 148
According to Red Hat these are the Ciphers to use under /etc/ssh/ssh_config for RHEL5.

Code:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour

Here is a URL for more references:

https://access.redhat.com/solutions/420283

EDIT:

This is how I tested:

Code:
ssh -vvv username@server_ip_address or hostname 


debug1: Reading configuration data /etc/ssh/ssh_config
debug3: cipher ok: aes128-ctr [aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour]
debug3: cipher ok: aes192-ctr [aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour]
debug3: cipher ok: aes256-ctr [aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour]
debug3: cipher ok: arcfour128 [aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour]
debug3: cipher ok: arcfour256 [aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour]
debug3: cipher ok: arcfour [aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour]
debug3: ciphers ok: [aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour]

Last edited by JockVSJock; 05-02-2018 at 08:44 AM.
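
The `ssh -vvv` check shown in the post above, as an added example that is not part of the original thread: shell helpers that pull the accepted cipher list and the negotiated cipher out of the debug output. The sample input is constructed; its `ciphers ok` line is copied from the post, while the `kex:` line format is an assumption about what clients of that era print.

```shell
#!/bin/sh
# Added example: read `ssh -vvv` output when -Q and -T are unavailable.
# Real use (debug output goes to stderr):
#   ssh -vvv user@host exit 2>&1 | configured_ciphers

# Constructed sample. The "ciphers ok" line is copied from the post above; the
# "kex:" lines are an assumed format, not output taken from the thread.
sample_debug() {
cat <<'EOF'
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: cipher ok: arcfour [aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour]
debug3: ciphers ok: [aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour]
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
EOF
}

# Cipher list the client accepted from its configuration, one name per line.
configured_ciphers() {
    sed -n 's/^debug3: ciphers ok: \[\(.*\)]$/\1/p' | tr ',' '\n'
}

# Cipher actually negotiated for the client->server direction.
negotiated_cipher() {
    sed -n 's/^debug1: kex: client->server \([^ ]*\) .*/\1/p' | head -n 1
}

# Keep only the names this thread discusses as dropped upstream:
# arcfour* and *-cbc.
legacy_only() {
    grep -E '^arcfour|-cbc$' || true
}

echo "accepted from config:"
sample_debug | configured_ciphers
echo "of those, legacy:"
sample_debug | configured_ciphers | legacy_only
echo "negotiated: $(sample_debug | negotiated_cipher)"
```

The `ciphers ok` line only shows that the client parsed its configuration; the negotiated cipher is what the session to that particular server ended up using.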
 
Old 05-02-2018, 08:18 AM   #4
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 4,112
Blog Entries: 3

Rep: Reputation: 2003
Hmm.

OpenSSH 6.7 was from 2014 so that should have been reflected in the late 2016 RHEL document.
OpenSSH 7.2 was from early 2016 so that should have also been in the RHEL document.

Get your money back from RHEL.

Upstream moved on. The unsafe MACs were removed in 6.7 and, I point out again, the unsafe ciphers removed in 7.2 and arcfour-* were mentioned explicitly.

Check the release notes, or the CVS change logs, too.
 
Old 05-02-2018, 09:00 AM   #5
JockVSJock
Senior Member
 
Registered: Jan 2004
Location: SATX
Distribution: RHEL/CentOS
Posts: 1,301

Original Poster
Blog Entries: 4

Rep: Reputation: 148
Quote:
Originally Posted by Turbocapitalist View Post
Hmm.

OpenSSH 6.7 was from 2014 so that should have been reflected in the late 2016 RHEL document.
OpenSSH 7.2 was from early 2016 so that should have also been in the RHEL document.

Get your money back from RHEL.

Upstream moved on. The unsafe MACs were removed in 6.7 and, I point out again, the unsafe ciphers removed in 7.2 and arcfour-* were mentioned explicitly.

Check the release notes, or the CVS change logs, too.
Well, I'm no Linux guru, however you got me curious as I really don't know a lot about the changelogs or go thru them when facing an issue. I would like to get more into this habit.

I looked thru the release notes for OpenSSH 4.3p2 and didn't see any mention of arcfour Ciphers that were supposed to be removed. However I do see it where you mention it on the openssh changelog along with the removal of CBC ciphers.

I looked thru the changelog of openssh as well. I'm not going to post it as it goes all the way back to 27 Oct 1999. However RHEL5 was released sometime in 2007 and I started to look thru the log there and don't see any mention of arch cipher nor cbc.

thanks
 
Old 03-13-2019, 02:42 PM   #6
Jlove130
LQ Newbie
 
Registered: Apr 2008
Distribution: Fedora
Posts: 25

Rep: Reputation: 0
Testing Ciphers Mac and Kex

Another way to test from another machine using nmap:

nmap -Pn -n -p22 -vv --open --script=ssh2-enum-algos.nse <IP ADDRESS>


Quote:
Originally Posted by JockVSJock View Post
According to Red Hat these are the Ciphers to use under /etc/ssh/ssh_config for RHEL5.

Code:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour

Here is a URL for more references:

https://access.redhat.com/solutions/420283

EDIT:

This is how I tested:

Code:
ssh -vvv username@server_ip_address or hostname 


debug1: Reading configuration data /etc/ssh/ssh_config
debug3: cipher ok: aes128-ctr [aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour]
debug3: cipher ok: aes192-ctr [aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour]
debug3: cipher ok: aes256-ctr [aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour]
debug3: cipher ok: arcfour128 [aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour]
debug3: cipher ok: arcfour256 [aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour]
debug3: cipher ok: arcfour [aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour]
debug3: ciphers ok: [aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour]
 
  

