sshd - is DH group 14 used by default?

T

tpattgeek

Let me first start by saying I am no way close to being a FreeBSD expert, but I'm here because we're having an issue uploading files via SFTP to our new server. It is running FreeBSD 8.3-RELEASE (GENERIC) and OpenSSH.

My issue is our Cisco Secure ACS appliance cannot reach this server over SFTP. Other devices can connect using SFTP, but the ACS appliance cannot. I found out that the ACS now uses DH group 14 because it is FIPS compliant, but I'm not sure how to tell if the server is negotiating with that group. How can I find out if DH group 14 is available and how do I specify it as an option when connecting? Thanks for the help!
 
By the way, I can connect via FTP to other servers from the appliance, and I can connect to the FreeBSD server from other devices, so I know there's not a connectivity issue with either of these devices.
 
Check the logs on your FreeBSD box. They're located in /var/log/ folder and the ones you're interested in is /var/log/auth.log and -maybe- /var/log/messages. The command you should run is tail(1), so for seeing "live" what is written in the first case, your command will be:

# tail -f /var/log/auth.log

Then, tell us the error log output.
 
There is nothing in either of the logs except local user authentications.

Does this need to be entered into the sshd_config file?
Code: 
KexAlgorithms "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521","diffie-hellman-group-exchange-sha256", "diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"

Is this the proper syntax for it? Right now, there is no mention of this in the config file.
 
well according to RFC 4253 DH14 is supported in SSH, I found the keyword KexAlgorithms in the sshd_config manpage:

KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. The default is "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1".

So it should just be a matter of setting this to diffie-hellman-group14-sha1, restarting the daemon:
/etc/rc.d/sshd restart
and it should work.
 
jnbek said:
well according to RFC 4253 DH14 is supported in SSH, I found the keyword KexAlgorithms in the sshd_config manpage:

KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. The default is "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1".

So it should just be a matter of setting this to diffie-hellman-group14-sha1, restarting the daemon:
/etc/rc.d/sshd restart
and it should work.
Click to expand...

Yes, I found that as well, but only for OpenBSD. We are running FreeBSD and there is no mention of KexAlgorithms in the sshd_config file nor is it found in the man page for FreeBSD's OpenSSH. Do we need to add the keyword AND the configuration? I was under the impression all of the algorithms were accepted by default and only needed if you wanted to specify one or two. If we need to add it, what exactly does it need to look like in the file?
 
This is what happened after adding the KexAlgorighms to the file:

/etc/rc.d/sshd start
Starting sshd.
/etc/ssh/sshd_config: line 50: Bad configuration option: KexAlgorithms
/etc/ssh/sshd_config: terminating, 1 bad configuration options
/etc/rc.d/sshd: WARNING: failed to start sshd
 
Well I was referencing This Manpage Here when I made my reference to KexAlgorithms being supported. It is possible that the manpage is for the port as opposed to the base version. I apologize for not making the distinction. As wblock@ mentioned, the security/openssh-portable port will most likely be the source of your peace, love and happiness. Again I apologize for failing to make the proper distinction.
 
You must log in or register to reply here.
Back
Top