cvega-nrel
Explorer

SSH key exchange algorithms

We're needing to tighten up our SSH settings if possible.

These two lines have been set in /etc/ssh/sshd_config and are producing the expected results.

Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha1

However, trying to set the key exchange algorithms with this does not work:

KexAlgorithms diffie-hellman-group14-sha1

I've tried various combos; the actual goal is to disable this one, as it shows up as available: diffie-hellman-group-exchange-sha1

| ssh2-enum-algos:
| kex_algorithms: (2)
| diffie-hellman-group-exchange-sha1
| diffie-hellman-group14-sha1

Regardless, the result of trying to set KexAlgorithms in any way is:

Starting sshd: /etc/ssh/sshd_config: line 89: Bad configuration option: KexAlgorithms
/etc/ssh/sshd_config: terminating, 1 bad configuration options
[FAILED]

I thought CP uses standard OpenSSH, so in theory that option should work, correct?

We're on R80.10 if that matters. Anyone have any ideas? Thanks!

0 Kudos
3 Replies
PhoneBoy
Admin

R80.10 is using an older version of OpenSSH which may not support those options.
This is required due to the older Linux kernel version in R80.10.
When we updated the Linux kernel in R80.40, we also updated OpenSSH and many other userspace tools.

It is not likely we will update OpenSSH in versions prior to R80.40.

0 Kudos
LostBoY
Advisor

Did you find a solution to this?

0 Kudos
Bob_Zimmerman
Advisor

SecurePlatform and GAiA versions with the 2.6 kernel (I think all firewalls from R65 through R80.40 and all managements from R65 through R80.30) have OpenSSH 4.3p2. That version is too old to support configurable key exchange protocols. You have to upgrade to a newer OS version (R80.40 or R81) to get the newer kernel (3.10) and newer OpenSSH (now 7.8p1). Once you have upgraded, KexAlgorithms should be a valid option in the sshd_config.
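As an added check that is not part of any of the replies above, the shell snippet below tells from an OpenSSH version banner whether sshd will accept KexAlgorithms at all (the directive first appeared in OpenSSH 5.7, so 4.3p2 rejects it exactly as the original post shows) and lists the key exchange methods in ssh2-enum-algos output that are still built on SHA-1. The banner and scan text are constructed samples modelled on the thread, not captured from a real gateway.

```shell
#!/bin/sh
# Added example, not from the thread. Real values come from "ssh -V" on the host
# and from nmap's ssh2-enum-algos script run against the sshd being hardened.

# Returns 0 if the banner names OpenSSH >= 5.7 (KexAlgorithms understood),
# 1 if it is an older OpenSSH, 2 if the banner is not OpenSSH at all.
kex_option_supported() {
  ver=$(printf '%s' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
  [ -n "$ver" ] || return 2
  set -- $ver
  major=$1; minor=$2
  [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 7 ]; }
}

# Prints every kex_algorithms entry from ssh2-enum-algos output whose hash is
# SHA-1 (…-sha1). Empty output means no SHA-1 key exchange is offered.
legacy_kex() {
  printf '%s\n' "$1" | awk '
    /^[|][ \t]*kex_algorithms:/ { in_kex = 1; next }   # start of the KEX list
    /^[|][ \t]*[a-z_]+:/        { in_kex = 0 }         # next section ends it
    in_kex {
      sub(/^[|][ \t]*/, "")                            # strip nmap "|   " prefix
      if ($0 ~ /sha1$/) print
    }'
}

# Constructed samples: a 4.3p2 banner like the R80.10 box in the thread, and a
# mixed scan with one modern method plus the two SHA-1 methods from the post.
SAMPLE_BANNER='SSH-2.0-OpenSSH_4.3p2'
SAMPLE_SCAN='| ssh2-enum-algos:
|   kex_algorithms: (3)
|       curve25519-sha256
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (1)
|       ssh-rsa'

if kex_option_supported "$SAMPLE_BANNER"; then
  echo "KexAlgorithms can be set in sshd_config"
else
  echo "sshd too old: KexAlgorithms is rejected as a bad configuration option"
fi
echo "SHA-1 key exchange methods still offered:"
legacy_kex "$SAMPLE_SCAN"
```

On an OpenSSH 4.3p2 host the only way to remove the SHA-1 methods is the OS upgrade Bob_Zimmerman describes; on 7.8p1 the same two names are what you would drop from KexAlgorithms.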