#1 2017-10-06 12:23:24

matteoipri
Member
Registered: 2016-06-08
Posts: 17

[SOLVED] Today's OpenSSH 7.6p1-1 update blocked me out of my server

Hi all,
Today I updated my machines running Arch Linux, as I frequently do.
One such machine is the desktop I'm typing on right now. After the OpenSSH update I tried to ssh into other Ubuntu servers I work with, and ssh failed, complaining about wrong MACs specified in the config file.
One such machine is a headless server. I performed the updates and rebooted, since there was also an updated Linux kernel. After the reboot I could not log in. Attaching a monitor and keyboard to this server, I found out that sshd was not starting because of wrong SSHv2 MACs specified in the config file.

SOLUTION:
Since I configured all my machines following the ArchWiki, I also used the recommended lists of MACs found here: https://stribika.github.io/2015/01/04/s … shell.html
Looking at the GitHub repo of that website, I found that the culprits are two MACs listed on that page; see the issue here: https://github.com/stribika/stribika.gi … /issues/46

I just removed those two MACs (hmac-ripemd160-etm and hmac-ripemd160) and everything works as expected.

I hope this helps someone else.

PS: Please let me know if this is the wrong way to communicate such a self-solved issue. Thanks


#2 2017-10-07 17:13:11

ChuckHL
Member
Registered: 2015-07-12
Posts: 2

Re: [SOLVED] Today's OpenSSH 7.6p1-1 update blocked me out of my server

Thank you for pointing me in the right direction to fix the problem. In my case, the MACs were not the problem, but the ciphers. I had enabled a cipher (arcfour) that is no longer supported. (I don't really know why I even had it enabled though...)


#3 2017-10-09 21:28:48

TheColonel
Member
Registered: 2017-01-31
Posts: 10

Re: [SOLVED] Today's OpenSSH 7.6p1-1 update blocked me out of my server

I also had an issue after upgrading to 7.6p1-1. I have an old MIPS-based Ubiquiti network-controllable power strip that requires diffie-hellman-group1-sha1, and some scripts which I use to control it. This is, I assume, part of SSH1, support for which was removed in OpenSSH 7.6.

There might be another workaround, but I solved it by installing dropbear and reworking my scripts to use dbclient accordingly.


#4 2017-10-09 21:41:55

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: [SOLVED] Today's OpenSSH 7.6p1-1 update blocked me out of my server

ChuckHL wrote:

I had enabled a cipher (arcfour) that is no longer supported. (I don't really know why I even had it enabled though...)

Probably because arcfour was fast, on old CPUs.

It is too insecure to use nowadays.
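
The failure described in this thread (a MAC or cipher name in the config that the updated OpenSSH no longer knows) can be caught before sshd is restarted or the machine rebooted. The script below is an added example, not part of any post above: `unsupported_algos` is a hypothetical helper name, and the sample config and the abridged supported lists are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): report algorithm names configured for a
# keyword (MACs, Ciphers, KexAlgorithms) that the installed OpenSSH rejects.

# unsupported_algos CONFIG KEYWORD SUPPORTED
#   SUPPORTED: newline-separated names, normally "$(ssh -Q mac)",
#   "$(ssh -Q cipher)" or "$(ssh -Q kex)". Prints one rejected name per line.
unsupported_algos() {
    local config=$1 keyword=$2 supported
    supported=$(printf '%s\n' "$3" | tr '\n' ' ')
    awk -v kw="$keyword" -v sup="$supported" '
        BEGIN { n = split(sup, s, " "); for (i = 1; i <= n; i++) ok[s[i]] = 1 }
        /^[ \t]*#/ { next }                    # comment line
        tolower($1) == tolower(kw) {           # keywords are case-insensitive
            list = $2
            if (list ~ /^-/) next              # "-" lists are removal patterns
            sub(/^[+^]/, "", list)             # "+" / "^" only change merging
            m = split(list, a, ",")
            for (i = 1; i <= m; i++)
                if (a[i] != "" && !(a[i] in ok)) print a[i]
        }' "$config"
}

# Constructed sample input: a config in the style the thread describes and an
# abridged stand-in for what `ssh -Q mac` / `ssh -Q cipher` print after the update.
sample_cfg=$(mktemp)
cat > "$sample_cfg" <<'EOF'
# hardened lists copied from a guide
MACs hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-ripemd160,umac-128@openssh.com
ciphers chacha20-poly1305@openssh.com,arcfour,aes256-ctr
EOF
sample_macs='hmac-sha2-512-etm@openssh.com
hmac-sha2-256-etm@openssh.com
umac-128@openssh.com'
sample_ciphers='chacha20-poly1305@openssh.com
aes256-ctr
aes256-gcm@openssh.com'

echo "MACs to remove:";    unsupported_algos "$sample_cfg" MACs "$sample_macs"
echo "Ciphers to remove:"; unsupported_algos "$sample_cfg" Ciphers "$sample_ciphers"

# On a real host, before restarting sshd or rebooting:
#   unsupported_algos /etc/ssh/sshd_config MACs "$(ssh -Q mac)"
#   sshd -t    # exits non-zero if sshd_config would not load
```

On a headless machine, keep the existing SSH session open until `sshd -t` passes and a second login succeeds.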
