SSH issue with Key Exchange algorithms


#1

I’m having a problem logging in to server “taylor” (shared account) via SSH. It used to be fine; I don’t know when it changed. If I use PuTTY, I can get in. It shows Kex Algorithms as follows:

Outgoing packet type 20 / 0x14 (SSH2_MSG_KEXINIT)
~diffie-hellman-group-exchange-sha256,
diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,
diffie-hellman-group1-sha1,ssh-rsa,ss...

I’d like to be able to use the diffie-hellman-group1-sha1 algorithm, which is the only one supported by both the server and my terminal client. Note that diffie-hellman-group14-sha1 is there. But when I connect in from a different client, this is what the server returns:

SSH2 server algorithm list:
key exchange: curve25519-sha256@libssh.org,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group-exchange-sha256

This is the same server and port 22, but a different list.

I added the following to my home folder but it didn’t help:

[taylor]$ cat .ssh/config
KexAlgorithms +diffie-hellman-group14-sha1
[taylor]$ 

Here is the KEX list from the server:

[taylor]$ ssh -Q kex | more
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
diffie-hellman-group1-sha1
curve25519-sha256@libssh.org
[taylor]$

It seems some of them go to PuTTY, others go to my other emulator, and I don’t know how to control either one. Note again, the server isn’t sending what the client will accept. The server sends its list first, and then the client offers its list for negotiation. So something is making the decision for the server to send specific subsets from the whole list.

Hmm, this is interesting: as I’m checking my notes here, I see that diffie-hellman-group1-sha1 is in that last list twice. I thought that might be due to my config file, but I commented that out, exited, came back in, and the list is the same. I wonder if that’s a factor?

Thanks!


#2

It’s apparent that I’m confusing client-side outbound SSH and inbound SSH configs. I’ve been informed by Support that diffie-hellman-group1-sha1 was recently removed for security concerns.

These are the currently supported inbound algorithms:

===ssh-kex
curve25519-sha256@libssh.org
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
diffie-hellman-group-exchange-sha256
===ssh-key
ssh-rsa
===ssh-ciphers
aes128-ctr
aes192-ctr
aes256-ctr
===ssh-hmacs
hmac-sha2-256
hmac-sha2-512

I’m good with that explanation.

I’ve followed up with Support to ask when they might plan to update the OpenSSH server from v6.6.1 to v7.6+. They’re obviously concerned about security. This would seem to be rather important. I’m guessing updating OpenSSH comes behind OS updates, and in shared space I know that’s a huge hassle.

I’ll post the response here.
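
The outcome described in the two posts above can be reproduced from the lists quoted in this thread. The following is an added example, not code from either poster or from the hosting provider: it parses the `===section` listing from Support and applies the RFC 4253 section 7.1 rule that the key exchange method is the first name on the client's list that the server also lists (the RFC's extra host-key compatibility conditions are left out). `LEGACY_KEX` is an assumed offer list for the second terminal client, and the function names are hypothetical.

```python
# Inbound algorithm list as quoted from Support in the post above.
SERVER_LIST = """\
===ssh-kex
curve25519-sha256@libssh.org
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
diffie-hellman-group-exchange-sha256
===ssh-key
ssh-rsa
===ssh-ciphers
aes128-ctr
aes192-ctr
aes256-ctr
===ssh-hmacs
hmac-sha2-256
hmac-sha2-512
"""

# KEX names visible in the PuTTY SSH2_MSG_KEXINIT packet quoted in the first post.
PUTTY_KEX = [
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group1-sha1",
]
# Assumption (constructed): the other terminal client offers only group1-sha1.
LEGACY_KEX = ["diffie-hellman-group1-sha1"]

def parse_sections(text):
    """Split the '===name' delimited listing into {name: [algorithms]}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("==="):
            current = sections.setdefault(line[3:], [])
        elif line and current is not None:
            current.append(line)
    return sections

def negotiate(client, server):
    """Return the first client-preferred name the server also lists, else None."""
    allowed = set(server)
    return next((alg for alg in client if alg in allowed), None)

if __name__ == "__main__":
    kex = parse_sections(SERVER_LIST)["ssh-kex"]
    for name, offer in (("PuTTY", PUTTY_KEX), ("legacy client", LEGACY_KEX)):
        print(f"{name}: {negotiate(offer, kex) or 'no common key exchange method'}")
```
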


#3

If you want to make your site run entirely under SSL, there are two pieces to that:

a) Zen Cart side:

HTTP_SERVER should use your https:// address instead of an http:// address
ENABLE_SSL should be set to ‘false’ (because ENABLE_SSL is only set to ‘true’ when you want ZC to switch back and forth between http and https for certain secured pages)
*NOTE: Some people have reported that setting ENABLE_SSL to ‘false’ in this case may cause confusion to some payment module configurations which expect SSL and rely on the ENABLE_SSL setting to confirm it. Thus, in some cases it may still be wise to leave ENABLE_SSL set to ‘true’ even when using https on all pages.

b) Server side:

You might want to also make some Apache configurations to redirect any non-SSL URLs to the SSL equivalent. Often this is done in .htaccess. Consult your hosting company for the best way to do this on your particular server. (There are lots of possible approaches posted all over the internet, but your hosting company knows the best way for your particular server.)

with regards


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.