You are not logged in.

#1 2014-11-07 09:07:27

renegat
Member
From: Europe
Registered: 2012-12-28
Posts: 74

Cannot connect to ssh-server anymore!

EDIT: Due to splitting this thread from https://bbs.archlinux.org/viewtopic.php?id=188613 the context was lost.

In the release6.7.txt of openssh there is a hint:

Changes since OpenSSH 6.6
=========================

Potentially-incompatible changes

* sshd(8): The default set of ciphers and MACs has been altered to
   remove unsafe algorithms. In particular, CBC ciphers and arcfour*
   are disabled by default.
   The full set of algorithms remains available if configured
   explicitly via the Ciphers and MACs sshd_config options.

* sshd(8): Support for tcpwrappers/libwrap has been removed.

* OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections
   using the curve25519-sha256@libssh.org KEX exchange method to fail
   when connecting with something that implements the specification
   correctly. OpenSSH 6.7 disables this KEX method when speaking to
   one of the affected versions.

Since that update my raspberry with openelec/xbmc cannot connect to the server which is running arch.

XBMC log claims about:

kex error : did not find one of algos diffie-hellman-group1-sha1 in list curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1 for kex algos

I added every cipher,mac and kexalgorithm found with ssh -Q to sshd_config but I can still not connect:

Ciphers 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,arcfour128,arcfour256,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,ae
s192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com

MACs hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-512,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,umac-12
8@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-md5-etm@open
ssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com

KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-
sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org

I have no idea about these cryptical ssh cyphers - just want this stuff to work like before.
Could someone please post a sshd_config (or even the lines to add to it) to restore previous behavior of ssh for the normal users who just still want to use their servers furthermore?

Last edited by renegat (2014-11-08 19:43:35)

Offline

#2 2014-11-07 13:10:09

fsckd
Forum Fellow
Registered: 2009-06-15
Posts: 4,173

Re: Cannot connect to ssh-server anymore!

Split from https://bbs.archlinux.org/viewtopic.php?id=188613 as this is a different topic (key exchange).


aur S & M :: forum rules :: Community Ethos
Resources for Women, POC, LGBT*, and allies

Offline

#3 2015-04-19 13:51:18

pacorrop
Member
Registered: 2010-02-05
Posts: 9

Re: Cannot connect to ssh-server anymore!

Sorry for the bump.

For me, adding this only line to /etc/ssh/sshd_config worked like a charm. However, I don't remember where I got it from, sorry smile

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

Hope it helps!

Offline

#4 2015-09-14 20:31:30

kozaki
Member
From: London >. < Paris
Registered: 2005-06-13
Posts: 670
Website

Re: Cannot connect to ssh-server anymore!

Sorry for the bump

+1

In the log above, "kex error : did not find one of algos diffie-hellman-group1-sha1" goes for the KexAlgorithms.

Trying to ssh my server from an Android with 'Terminal IDE'

(server): fatal: Unable to negotiate with 192.168.1.4: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]

Added the 'KexAlgorimths' found with (client) 'ssh -Q kex' to my server's sshd_config and it works fine.
Then, when trying to connect from a Zindozw phone with 'The SSH Client'

(server): fatal: Unable to negotiate with <IP>: no matching cipher found. Their offer: aes128-cbc,blowfish-cbc,3des-cbc [preauth]

Add the 'Ciphers' found with (client) 'ssh -Q cipher' to to my server's sshd_config and it runs instantly, yeap:)
Also I had a

ssh_exchange_identification: read: Connection reset by peer

and

fatal: /etc/ssh/sshd_config line 158: Directive 'Ciphers'/'KexAlgorithms' are not allowed within a Match block

in journalctl, before I moved the Ciphers and KexAlgorithms lines out of the Match restricted block :-}
Now the appropriate part in sshd_config:

 # Ciphers and keying                                                                                                                            
Ciphers +3des-cbc,blowfish-cbc,cast128-cbc,arcfour,arcfour128,arcfour256,aes128-cbc,aes192-cbc,aes256-cbc
#RekeyLimit default none
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,     ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521

PS: Thank you for this double thread! I may use kokoko3k's testing ssh ciphers's bash script for a modest but real-life benchmark I'm doing between a few distros and machines.

Last edited by kozaki (2015-09-14 21:21:04)


Seeded last month: Arch 50 gig, derivatives 1 gig
Desktop @3.3GHz 8 gig RAM, linux-ck
laptop #1 Atom 2 gig RAM, Arch linux stock i686 (6H w/ 6yrs old battery smile) #2: ARM Tegra K1, 4 gig RAM, ChrOS
Atom Z520 2 gig RAM, OMV (Debian 7) kernel 3.16 bpo on SDHC | PGP Key: 0xFF0157D9

Offline

Board footer

Powered by FluxBB