More secure key exchange 8 Years, 10 Months ago
Hi,
In order to tighten up security, we're changing our SSH server to only support the following key exchanges:
curve25519-sha256
diffie-hellman-group-exchange-sha256
Most of our users are using PuTTY, which handles these algorithms fine; however, our AbsoluteTelnet user receives the following error:
Code:
failed to negotiate key exchange algorithm
It looks like AbsoluteTelnet doesn't support SHA256-based key exchange algorithms.
Is support for these more secure algorithms under active development at the moment? If so, I'm happy to beta test.
E
rhyven (User)
Re:More secure key exchange 8 Years, 10 Months ago
Thanks for the report!
I've been working on some improvements to Absolute to help combat this issue, adding new key exchange and message authentication algorithms as specified in RFC4419 and RFC6668. If you'd like to take it for a spin, grab the latest release candidate here:
www.celestialsoftware.net/telnet/AbsoluteTelnet9.84RC10.exe
Brian
bpence (Admin)
Brian Pence
Celestial Software
SSH, SFTP, and Telnet in a tabbed interface for Windows XP, Vista, Mobile, and others
Re:More secure key exchange 8 Years, 10 Months ago
Hi Brian,
Thanks for the quick work! I can confirm that the new version is connecting with:
- A Key Exchange protocol of diffie-hellman-group-exchange-sha256
- Encrypting using the aes256-ctr Cipher
- Authenticating messages using hmac-sha2-512
Great work, thanks for such a quick response.
Eric
rhyven (User)
Re:More secure key exchange 8 Years, 9 Months ago
I'm encountering the same error trying to log into a Synology NAS device. I've just tried the 9.84rc version without any improvement. PuTTY connects just fine. Any suggestions?
Re:More secure key exchange 8 Years, 9 Months ago
Geoff,
Can you provide any more detail? For example, what is the *EXACT* error message you're getting?
Also, make sure you are using the latest. It should say "RELEASE CANDIDATE 10" in the title bar when you run it.
Brian
bpence (Admin)
Re:More secure key exchange 8 Years, 9 Months ago
Definitely running rc10 - downloaded from the link you gave above, and it shows a popup on startup saying that it is a release candidate etc etc.
The text in the AbsoluteTelnet window during login attempt is as follows:
Code:
Connecting to abcdefg:49613
attempting 192.168.13.10:49613... Success!
disconnected: failed to negotiate client to server encryption algorithm
The sshd log file shows:
Code:
Feb 19 09:26:15 DS212J sshd[5347]: Connection from 192.168.13.50 port 56157 on 192.168.13.10 port 49613
Feb 19 09:26:15 DS212J sshd[5347]: SSH: Server;Ltype: Version;Remote: 192.168.13.50-56157;Protocol: 2.0;Client: 1.81 sshlib: AbsoluteTelnet
Feb 19 09:26:15 DS212J sshd[5347]: fatal: no matching cipher found: client twofish256-cbc,blowfish-cbc,3des-cbc,aes256-cbc,arcfour,cast128-cbc server aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com [preauth]
Let me know if there is anything else I can provide to help with this.
Re:More secure key exchange 8 Years, 9 Months ago
This is neither a KEX nor a MAC problem, just simple encryption algorithm selection. Based on the message, it seems you have the CTR-mode AES encryptions disabled.
Go to options->Properties->Connection->ssh2 and click the 'encryption' button. Move at least AES-256-CTR up to the top of the list. Connect again.
Post here with your results.
Hope this helps
Brian
bpence (Admin)
Re:More secure key exchange 8 Years, 9 Months ago
Yes, thanks. That sorted it.
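The cipher mismatch from the sshd log in this thread, worked through as an added example (not part of the thread, and not AbsoluteTelnet or OpenSSH code): it parses the `no matching ... found` line and applies the RFC 4253 rule that the first algorithm on the client's list that the server also offers is chosen. The function names and the `also_enable` parameter are illustrative assumptions; the sample line is the one posted above.

```python
import re

# Older OpenSSH sshd failure format, as posted in the thread:
#   fatal: no matching <kind> found: client <csv> server <csv> [preauth]
NO_MATCH = re.compile(
    r"no matching (?P<kind>\w+) found: "
    r"client (?P<client>\S+) server (?P<server>\S+)"
)

def parse_no_match(line):
    """Return (kind, client_list, server_list), or None for unrelated lines."""
    m = NO_MATCH.search(line)
    if m is None:
        return None
    return m["kind"], m["client"].split(","), m["server"].split(",")

def negotiate(client, server):
    """RFC 4253 section 7.1, ciphers and MACs: the first name on the client's
    list that the server also offers is chosen; None means disconnect."""
    offered = set(server)
    return next((alg for alg in client if alg in offered), None)

def diagnose(line, also_enable=()):
    """Report the negotiation result, then the result if the client puts the
    algorithms in also_enable (hypothetical client setting) at the top."""
    parsed = parse_no_match(line)
    if parsed is None:
        return None
    kind, client, server = parsed
    return {
        "kind": kind,
        "agreed": negotiate(client, server),
        "agreed_after_fix": negotiate(list(also_enable) + client, server),
    }

# Log line copied from the post above.
SAMPLE = (
    "Feb 19 09:26:15 DS212J sshd[5347]: fatal: no matching cipher found: "
    "client twofish256-cbc,blowfish-cbc,3des-cbc,aes256-cbc,arcfour,cast128-cbc "
    "server aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,"
    "aes256-gcm@openssh.com,chacha20-poly1305@openssh.com [preauth]"
)

if __name__ == "__main__":
    print(diagnose(SAMPLE, also_enable=["aes256-ctr"]))
```

Because the client's order decides the outcome, moving AES-256-CTR to the top of the client list both fixes the failure and makes it the cipher actually used.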