Celestial Software

...better by design

TOPIC: More secure key exchange
#6611
More secure key exchange 2 Years, 9 Months ago  
Hi,

In order to tighten up security, we're changing our SSH server to only support the following key exchanges:

    curve25519-sha256
    diffie-hellman-group-exchange-sha256


Most of our users are using PuTTY, which handles these algorithms fine; however our AbsoluteTelnet user receives the following error:

Code:

failed to negotiate key exchange algorithm


It looks like AbsoluteTelnet doesn't support SHA256-based key exchange algorithms.

Is support for these more secure algorithms under active development at the moment? If so, I'm happy to beta test.

E
rhyven (User)
#6623
Re:More secure key exchange 2 Years, 9 Months ago  
Thanks for the report!


I've been working on some improvements to Absolute to help combat this issue, adding new key exchange and message authentication algorithms as specified in RFC4419 and RFC6668. If you'd like to take it for a spin, grab the latest release candidate here:

www.celestialsoftware.net/telnet/AbsoluteTelnet9.84RC10.exe


Brian
bpence (Admin)
Brian Pence
Celestial Software
SSH, SFTP, and Telnet in a tabbed interface for Windows XP, Vista, Mobile, and others
#6624
Re:More secure key exchange 2 Years, 9 Months ago  
Hi Brian,

Thanks for the quick work! I can confirm that the new version is connecting with:

  • A Key Exchange protocol of diffie-hellman-group-exchange-sha256

  • Encrypting using the aes256-ctr Cipher

  • Authenticating messages using hmac-sha2-512


Great work, thanks for such a quick response.

Eric
rhyven (User)
#6632
Re:More secure key exchange 2 Years, 9 Months ago  
I'm encountering the same error trying to log into a Synology NAS device. I've just tried the 9.84rc version without any improvement. PuTTY connects just fine. Any suggestions?
gdsokoll (User)
#6633
Re:More secure key exchange 2 Years, 9 Months ago  
Geoff,

Can you provide any more detail? For example, what is the *EXACT* error message you're getting?

Also, make sure you are using the latest. It should say "RELEASE CANDIDATE 10" in the title bar when you run it.

Brian
bpence (Admin)
#6634
Re:More secure key exchange 2 Years, 9 Months ago  
Definitely running rc10 - downloaded from the link you gave above, and it shows a popup on startup saying that it is a release candidate etc etc.

The text in the AbsoluteTelnet window during login attempt is as follows:
Code:

Connecting to abcdefg:49613
   attempting 192.168.13.10:49613...     Success!
disconnected: failed to negotiate client to server encryption algorithm



The sshd log file shows:
Code:

Feb 19 09:26:15 DS212J sshd[5347]: Connection from 192.168.13.50 port 56157 on 192.168.13.10 port 49613
Feb 19 09:26:15 DS212J sshd[5347]: SSH: Server;Ltype: Version;Remote: 192.168.13.50-56157;Protocol: 2.0;Client: 1.81 sshlib: AbsoluteTelnet
Feb 19 09:26:15 DS212J sshd[5347]: fatal: no matching cipher found: client twofish256-cbc,blowfish-cbc,3des-cbc,aes256-cbc,arcfour,cast128-cbc server aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com [preauth]



Let me know if there is anything else I can provide to help with this.
gdsokoll (User)
#6635
Re:More secure key exchange 2 Years, 9 Months ago  
This is neither a KEX nor a MAC problem, just simple encryption algorithm selection. Based on the message, it seems you have the CTR-mode AES encryptions disabled.

Go to options->Properties->Connection->ssh2 and click the 'encryption' button. Move at least AES-256-CTR up to the top of the list. Connect again.

Post here with your results.

Hope this helps


Brian
bpence (Admin)
#6636
Re:More secure key exchange 2 Years, 9 Months ago  
Yes, thanks. That sorted it.
gdsokoll (User)
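
The cipher mismatch in the sshd log from #6634 and the fix from #6635, worked through as an added example (not part of the original posts, and not Celestial Software's or OpenSSH's code). It parses the `no matching ... found` line in the layout quoted above and applies the RFC 4253 negotiation rule; the sample line is constructed from the quoted log, and `client_supported` is a hypothetical input.

```python
import re

# Constructed from the sshd log line quoted in the thread (timestamp and host trimmed).
SAMPLE = ("sshd[5347]: fatal: no matching cipher found: client "
          "twofish256-cbc,blowfish-cbc,3des-cbc,aes256-cbc,arcfour,cast128-cbc "
          "server aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,"
          "aes256-gcm@openssh.com,chacha20-poly1305@openssh.com [preauth]")

# Matches only the message layout shown in the thread; other sshd versions word it differently.
MISMATCH = re.compile(r"no matching (?P<kind>.+?) found: "
                      r"client (?P<client>\S+) server (?P<server>\S+)")


def parse_mismatch(line):
    """Return (kind, client_offer, server_offer) or None if the line is unrelated."""
    m = MISMATCH.search(line)
    if not m:
        return None
    return m["kind"], m["client"].split(","), m["server"].split(",")


def negotiate(client_offer, server_offer):
    """RFC 4253 section 7.1: pick the first client algorithm the server also lists."""
    allowed = set(server_offer)
    return next((alg for alg in client_offer if alg in allowed), None)


def diagnose(line, client_supported=()):
    """Explain a failed negotiation and name what the client could enable.

    client_supported: algorithms the client implements but has switched off
    (hypothetical input, read from the client's settings dialog).
    """
    parsed = parse_mismatch(line)
    if parsed is None:
        return None
    kind, client_offer, server_offer = parsed
    return {
        "kind": kind,
        "agreed": negotiate(client_offer, server_offer),
        "enable": [a for a in server_offer if a in set(client_supported)],
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE, client_supported=["aes256-ctr", "aes128-ctr"]))
    _, client, server = parse_mismatch(SAMPLE)
    # After the fix from the thread: aes256-ctr enabled and first in the client list.
    print(negotiate(["aes256-ctr"] + client, server))
```
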