
Kerryn Wood's Blog


SSH connection Gotcha!

Posted by Kerryn Wood Moderator Feb 5, 2015

In Zythum pre-release 1 (Zythum pre-release 1 now available!) we've made a change to the SSH server installed on the ADDM appliance that may catch some of you by surprise. We're nice like that.

 

We have tightened the list of supported Ciphers and HMAC algorithms that the SSH server on the ADDM appliance will allow.

 

What does this mean? Well, for the most part, with any luck, you probably won't even notice. Where you will encounter issues is when you connect to the appliance over SSH with older versions of client software. This occurs because the list of Ciphers or HMAC algorithms available in that software may not contain the Ciphers and HMACs required to negotiate with the SSH server.

 

There are a number of ciphers and hashing algorithms that are regarded as weak because some part of the cipher (which is actually a cipher-block) or the algorithm has been proved fallible. In addition, only a limited list of ciphers and algorithms is FIPS approved, leaving us with a very limited list that we can configure the server with.

 

Internally, we encountered the issue in very few places. Updating to the latest version of the software in question fixed it for the most part. In one instance (Paramiko) we had to update to a development branch because the software was using an older third-party library. The latest versions of PuTTY, MobaXterm, mRemoteNG and ssh from Linux systems as far back as Fedora Core 5 all worked fine.

 

For those technically interested, the list of supported ciphers and MACs is below:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr

MACs hmac-sha2-256,hmac-sha2-512
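The failure described above comes down to SSH negotiation: for each algorithm type, the first name on the client's list that the server also supports is chosen (RFC 4253, section 7.1), and the connection fails if there is none. The Python below is an added example, not code from the original post or the ADDM appliance; the client offers and the function names are constructed for illustration.

```python
# Added example: SSH cipher/MAC selection as specified in RFC 4253 section 7.1.
SERVER_CONFIG = """\
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha2-256,hmac-sha2-512
"""  # the two lines quoted in the post

def parse_sshd_lists(text):
    """Extract the Ciphers and MACs name-lists from sshd_config-style text."""
    lists = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() in ("ciphers", "macs"):
            lists[parts[0].lower()] = [a.strip() for a in parts[1].split(",") if a.strip()]
    return lists

def negotiate(client_prefs, server_list):
    """Return the first name on the client's list that the server also offers."""
    allowed = set(server_list)
    return next((alg for alg in client_prefs if alg in allowed), None)

def check_client(client, server):
    """Negotiate both lists; CTR ciphers are not AEAD, so a MAC must match too."""
    chosen = {kind: negotiate(client[kind], server[kind]) for kind in ("ciphers", "macs")}
    chosen["connects"] = chosen["ciphers"] is not None and chosen["macs"] is not None
    return chosen

# Constructed client offers for illustration (not any real product's defaults).
CLIENTS = {
    "legacy": {"ciphers": ["aes128-cbc", "3des-cbc", "blowfish-cbc"],
               "macs": ["hmac-sha1", "hmac-md5"]},
    "cipher-only": {"ciphers": ["aes128-cbc", "aes128-ctr"],
                    "macs": ["hmac-sha1", "hmac-sha1-96"]},
    "current": {"ciphers": ["aes128-cbc", "aes256-ctr", "aes128-ctr"],
                "macs": ["hmac-sha1", "hmac-sha2-512", "hmac-sha2-256"]},
}

if __name__ == "__main__":
    server = parse_sshd_lists(SERVER_CONFIG)
    for name, offer in CLIENTS.items():
        r = check_client(offer, server)
        status = "ok" if r["connects"] else "NO COMMON ALGORITHM"
        print(f"{name:12} cipher={r['ciphers']} mac={r['macs']} -> {status}")
```

The "cipher-only" case shows why a client that already supports a CTR cipher can still be rejected: the MAC list has to overlap as well.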

 

Enjoy the pre-release!