[Ach] OpenSSH settings
Andy Wenk
andy at nms.de
Fri Jan 3 19:12:21 CET 2014
Hi everybody,
here is my report for further examinations on this topic. I have the
following sshd_config (as requested from Aaron):
https://gist.github.com/andywenk/fa461dbaf2abf3442a3a
As you can see, the three configuration parameters Ciphers, MACs and
KexAlgorithms are commented out. When activating the Ciphers solely and
testing the configuration ( /usr/sbin/sshd -t) I get:
/etc/ssh/sshd_config line 90: Bad SSH2 cipher spec 'aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr'.
When activating MACs solely and testing the configuration I get:
/etc/ssh/sshd_config line 93: Bad SSH2 mac spec 'umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'.
Finally, when activating KexAlgorithms solely and testing I get:
/etc/ssh/sshd_config line 96: Bad SSH2 KexAlgorithms 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1'.
So either I have a typo or something, because copying from the PDF is not
possible, or my system can not deal with these or some of these settings.
But as this is a quite new Ubuntu, I propose to add more information to the
section 2.2.1 OpenSSH in the way, that a user can see on which machines
this is working.
I would be happy to help here if it is clearer for me:
/ what the problem is with my configuration
/ how I or a user can test exactly if the settings are working or not
Best
Andy
On 3 January 2014 18:26, Andy Wenk <andy at nms.de> wrote:
> On 3 January 2014 16:59, Aaron Zauner <azet at azet.org> wrote:
>
>> Hi Andy,
>>
>> > Following the instructions in 2.2.1. OpenSSH of the draft document, I
>> added the settings for Ciphers, MACs and KexAlgorithms to
>> /etc/ssh/sshd_config of my Ubuntu 12.04.3 LTS box. Unfortunately after
>> having restarted the service (service ssh restart), I was not able to login
>> to the box via ssh. So my question is: how do I have to create the ssh keys
>> to be able to login. Here is the output I receive when trying to login:
>>
>> Could you send the whole /etc/sshd_config file as well as the output to
>> the whole connection with verbose debugging (-vvv)?
>>
>
> Hi Aaron,
>
> I have to examine this a little more and will then report ...
>
> Thanks for your help!
>
> Cheers
>
> Andy
>
>
> --
> Andy Wenk
> Hamburg - Germany
> RockIt!
>
> http://www.couchdb-buch.de
> http://www.pg-praxisbuch.de
>
> GPG fingerprint: C044 8322 9E12 1483 4FEC 9452 B65D 6BE3 9ED3 9588
>
> https://people.apache.org/keys/committer/andywenk.asc
>
--
Andy Wenk
Hamburg - Germany
RockIt!
http://www.couchdb-buch.de
http://www.pg-praxisbuch.de
GPG fingerprint: C044 8322 9E12 1483 4FEC 9452 B65D 6BE3 9ED3 9588
https://people.apache.org/keys/committer/andywenk.asc
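
Added example (not part of the original message or of the draft document): one way to find which entries of a Ciphers, MACs or KexAlgorithms value the local OpenSSH build does not know, which is what a "Bad SSH2 ... spec" error from sshd -t does not say. The function names and the sample list of supported ciphers are constructed for illustration; the cipher string is the one from the error above.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# unsupported_algos SPEC KNOWN
#   SPEC:  comma-separated value as written after Ciphers, MACs or KexAlgorithms
#   KNOWN: algorithm names the local build accepts (space/newline separated)
# Prints every name in SPEC that is not in KNOWN; returns 1 if any was printed.
unsupported_algos() {
    # One name per line; drop blanks and whitespace left over from copy/paste.
    ua_wanted=$(printf '%s' "$1" | tr ',' '\n' | tr -d ' \t\r' | sed '/^$/d')
    ua_known=$(printf '%s' "$2" | tr ' \t,' '\n\n\n' | tr -d '\r' | sed '/^$/d')
    # -F fixed strings, -x whole-line match, -v keep names with no match.
    ua_missing=$(printf '%s\n' "$ua_wanted" | grep -Fvx -e "$ua_known" || true)
    [ -z "$ua_missing" ] && return 0
    printf '%s\n' "$ua_missing"
    return 1
}

# check_local KIND SPEC   (KIND is cipher, mac or kex)
# Assumption: ssh and sshd on this host come from the same OpenSSH build,
# and that build has "ssh -Q" (older releases do not).
check_local() {
    cl_known=$(ssh -Q "$1" 2>/dev/null) || cl_known=
    if [ -z "$cl_known" ]; then
        echo "ssh -Q $1 is not available here; pass the list by hand" >&2
        return 2
    fi
    unsupported_algos "$2" "$cl_known"
}

# Value from the post's "Bad SSH2 cipher spec" error.
PAGE_CIPHERS='aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr'
# Constructed sample of a build without the GCM ciphers (not real output).
SAMPLE_KNOWN='3des-cbc aes128-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr'

echo "Not supported by the sample build:"
unsupported_algos "$PAGE_CIPHERS" "$SAMPLE_KNOWN" || true
```

On a host whose OpenSSH has ssh -Q, check_local cipher "$PAGE_CIPHERS" runs the same comparison against the real build; after removing the reported names, /usr/sbin/sshd -t should accept the line.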