
Originally posted as part of the Zythum Pre-release 1, but I thought I would make this more public with some additional information.

 

We have tightened the list of supported Ciphers and HMAC algorithms that the SSH server on the ADDM appliance will allow.

 

What does this mean? Well, for the most part, with any luck, you probably won't even notice. Where you will encounter issues is when you connect to the appliance over SSH with older versions of client software. This occurs because the list of Ciphers or HMAC algorithms available in that software may not contain the Ciphers and HMACs required to negotiate with the SSH server.

 

There are a number of ciphers and hashing algorithms that are regarded as weak because some part of the cipher (which is actually a cipher-block) or the algorithm has been proved fallible. In addition, only a limited list of ciphers and algorithms is FIPS approved, which leaves us with a very limited list that we can configure the server with.

 

Internally, we encountered the issue in very few places. Updating to the latest version of the software in question fixed it for the most part. In one instance (Paramiko) we had to update to a development branch because the software was using an older third-party library. The latest versions of PuTTY, MobaXterm, mRemoteNG and ssh from Linux systems as far back as Fedora Core 5 all worked fine.

 

For those technically interested, the list of supported ciphers and MACs is below:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr

MACs hmac-sha2-256,hmac-sha2-512

 

The message or error you'll see will be something like "failed to negotiate client to server MAC algorithm".
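The negotiation behind that error, as an added example that is not part of the original post or of the ADDM product: SSH (RFC 4253, section 7.1) picks the first algorithm on the client's list that the server also supports, and the connection fails if there is none. The server lists are the ones given above; the two client offers and all function names are constructed for illustration.

```python
# Added example: SSH cipher/MAC negotiation against the appliance's lists.
# Server lists come from this page; the client offers below are constructed.

SERVER_CONFIG = """\
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha2-256,hmac-sha2-512
"""

def parse_sshd_lines(text):
    """Parse 'Keyword a,b,c' lines into {keyword_lowercase: [names]}."""
    result = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) != 2:
            continue  # blank line, comment, or keyword without a value
        keyword, value = parts
        result[keyword.lower()] = [n.strip() for n in value.split(",") if n.strip()]
    return result

def negotiate(client_names, server_names):
    """RFC 4253 rule: first name in client order that the server supports."""
    allowed = set(server_names)
    for name in client_names:
        if name in allowed:
            return name
    return None  # no common algorithm: the handshake is aborted

def check_client(client, server=None):
    """Return the negotiated cipher and MAC (None where negotiation fails)."""
    server = server or parse_sshd_lines(SERVER_CONFIG)
    return {kind: negotiate(client.get(kind, []), server[kind])
            for kind in ("ciphers", "macs")}

# Constructed offer from an older client: has a CTR cipher but only SHA-1/MD5 MACs.
LEGACY_CLIENT = {
    "ciphers": ["aes128-cbc", "3des-cbc", "aes128-ctr"],
    "macs": ["hmac-sha1", "hmac-md5"],
}
# Constructed offer from a current client.
MODERN_CLIENT = {
    "ciphers": ["chacha20-poly1305@openssh.com", "aes256-ctr", "aes128-ctr"],
    "macs": ["hmac-sha2-512", "hmac-sha2-256", "hmac-sha1"],
}

if __name__ == "__main__":
    for label, client in (("legacy", LEGACY_CLIENT), ("modern", MODERN_CLIENT)):
        for kind, chosen in check_client(client).items():
            print(f"{label:7} {kind:8} -> {chosen or 'no common algorithm, connection fails'}")
```

To test a real OpenSSH client, replace the constructed lists with the output of `ssh -Q cipher` and `ssh -Q mac`, which print the algorithms that client build supports.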


The information is also in the 10.2 Enhancements documentation.


*edit: Updated with link.