[Ach] OpenSSH settings

Andy Wenk andy at nms.de
Fri Jan 3 19:12:21 CET 2014


Hi everybody,

here is my report on my further examination of this topic. I have the
following sshd_config (as requested from Aaron):

https://gist.github.com/andywenk/fa461dbaf2abf3442a3a

As you can see, the three configuration parameters Ciphers, MACs and
KexAlgorithms are commented out. When activating only Ciphers and
testing the configuration (/usr/sbin/sshd -t) I get:

/etc/ssh/sshd_config line 90: Bad SSH2 cipher spec 'aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr'.

When activating only MACs and testing the configuration I get:

/etc/ssh/sshd_config line 93: Bad SSH2 mac spec 'umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'.

Finally, when activating only KexAlgorithms and testing I get:

/etc/ssh/sshd_config line 96: Bad SSH2 KexAlgorithms 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1'.

So either I have a typo or something, because copying from the PDF is not
possible, or my system cannot deal with these or some of these settings.
But as this is a fairly new Ubuntu, I propose adding more information to
section 2.2.1 OpenSSH so that a user can see on which machines this
works.

I would be happy to help here once it is clearer to me:

/ what the problem is with my configuration
/ how I or a user can test exactly whether the settings are working or not

Best

Andy


On 3 January 2014 18:26, Andy Wenk <andy at nms.de> wrote:

> On 3 January 2014 16:59, Aaron Zauner <azet at azet.org> wrote:
>
>> Hi Andy,
>>
>> > Following the instructions in 2.2.1. OpenSSH of the draft document, I
>> added the settings for Ciphers, MACs and KexAlgorithms to
>> /etc/ssh/sshd_config of my Ubuntu 12.04.3 LTS box. Unfortunately after
>> having restarted the service (service ssh restart), I was not able to log in
>> to the box via ssh. So my question is: how do I have to create the ssh keys
>> to be able to log in. Here is the output I receive when trying to log in:
>>
>> Could you send the whole /etc/sshd_config file as well as the output of
>> the whole connection with verbose debugging (-vvv)?
>>
>
> Hi Aaron,
>
> I have to examine this a little more and will then report ...
>
> Thanks for your help!
>
> Cheers
>
> Andy
>
>
> --
> Andy Wenk
> Hamburg - Germany
> RockIt!
>
> http://www.couchdb-buch.de
> http://www.pg-praxisbuch.de
>
> GPG fingerprint: C044 8322 9E12 1483 4FEC 9452 B65D 6BE3 9ED3 9588
>
> https://people.apache.org/keys/committer/andywenk.asc
>



-- 
Andy Wenk
Hamburg - Germany
RockIt!

http://www.couchdb-buch.de
http://www.pg-praxisbuch.de

GPG fingerprint: C044 8322 9E12 1483 4FEC 9452 B65D 6BE3 9ED3 9588

https://people.apache.org/keys/committer/andywenk.asc
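One way to answer the second question above (how to test exactly which of these settings the local sshd accepts), added here as an example and not code from this thread or from the Applied Crypto Hardening document: the script below asks the installed sshd, via "sshd -t -f /dev/null -o Keyword=name", about each name in the three posted lists one at a time, and prints the subset this build understands in the original preference order. It assumes sshd is in $PATH or at /usr/sbin/sshd and that an unknown name produces the "Bad SSH2 ..." message shown in the message; the lists are the ones posted, with the "@" that the list archive rewrote as " at ".

```sh
#!/bin/sh
# probe_sshd_algos.sh -- added example; not from this thread or from the ACH
# document. Asks the installed sshd which names in a candidate Ciphers, MACs
# or KexAlgorithms line it understands, so a list copied from a PDF can be
# trimmed to what this build supports instead of failing "sshd -t" as a whole.
#
# Assumptions (not stated in the thread): sshd is in $PATH or at /usr/sbin/sshd,
# and it reports an unknown name with a line containing "Bad SSH2", as the
# thread's own output shows. The list archive rewrote "@" as " at "; the names
# below use the real "@".

SSHD=${SSHD:-$(command -v sshd || echo /usr/sbin/sshd)}

# Candidate lists as posted in the thread.
CIPHERS='aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr'
MACS='umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
KEX='curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1'

# probe_alg KEYWORD SPEC -> 0 if sshd's parser accepts SPEC for KEYWORD, else 1.
# "-f /dev/null" gives an empty config and "-o" adds the one line under test.
# sshd validates "-o" lines while parsing its command line, before it touches
# host keys, so "Bad SSH2" in the output means the name is unknown to this
# build even when "-t" would later fail for another reason (e.g. run as
# non-root without readable host keys). main() checks that $SSHD exists first;
# a missing binary would otherwise look like "accepted".
probe_alg() {
    out=$("$SSHD" -t -f /dev/null -o "$1=$2" 2>&1 || true)
    case $out in
        *"Bad SSH2"*) return 1 ;;
    esac
    return 0
}

# filter_spec KEYWORD SPEC
#   Probes each comma-separated name in SPEC (stray spaces and line breaks from
#   a pasted list are ignored), prints the accepted names in their original
#   order as one comma-separated line, and leaves the same in $KEPT and the
#   unknown names in $REJECTED. Returns 1 if anything was rejected, which is
#   exactly when sshd refuses the whole line: one unknown name fails it.
filter_spec() {
    keyword=$1
    KEPT=""
    REJECTED=""
    for alg in $(printf '%s' "$2" | tr ',' ' '); do
        if probe_alg "$keyword" "$alg"; then
            KEPT="${KEPT:+$KEPT,}$alg"
        else
            REJECTED="${REJECTED:+$REJECTED,}$alg"
        fi
    done
    printf '%s\n' "$KEPT"
    [ -z "$REJECTED" ]
}

main() {
    if [ ! -x "$SSHD" ]; then
        echo "sshd not found; set SSHD=/path/to/sshd" >&2
        return 2
    fi
    rc=0
    for line in "Ciphers=$CIPHERS" "MACs=$MACS" "KexAlgorithms=$KEX"; do
        keyword=${line%%=*}
        spec=${line#*=}
        if probe_alg "$keyword" "$spec"; then
            printf '%s: whole line accepted\n' "$keyword"
        else
            printf '%s: whole line rejected, probing names one by one\n' "$keyword"
        fi
        filter_spec "$keyword" "$spec" >/dev/null || rc=1
        printf '  accepted: %s\n' "${KEPT:-(none)}"
        printf '  rejected: %s\n' "${REJECTED:-(none)}"
        if [ -n "$KEPT" ]; then
            printf '  usable line: %s %s\n' "$keyword" "$KEPT"
        fi
    done
    return $rc
}

# Run only when invoked as "sh probe_sshd_algos.sh run", so the functions can
# also be sourced by another script.
if [ "${1:-}" = "run" ]; then
    main
    exit $?
fi
```

Run it on the target host with "sh probe_sshd_algos.sh run". sshd refuses an entire Ciphers, MACs or KexAlgorithms line as soon as one name in it is unknown, which is why each of the three lines above fails "sshd -t" as a whole even though some names in it are fine. The per-name probe is used instead of "ssh -Q cipher" because that query only exists from OpenSSH 6.3 on. For reference, the GCM ciphers and umac-128-etm@openssh.com first appeared in OpenSSH 6.2 and curve25519-sha256@libssh.org in 6.5, while Ubuntu 12.04 LTS ships OpenSSH 5.9p1, so on that release the script is expected to keep only the CTR ciphers, the HMAC MACs and the diffie-hellman exchanges. After trimming the lines, run "sshd -t" on the real sshd_config and confirm a fresh login from a second session before closing the one you already have.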