Forum

More secure key exc...
 
Notifications
Clear all

More secure key exchange

0 Posts
3 Users
0 Reactions
142 Views
(@rhyven)
New Member
Joined: 9 years ago
Posts: 2
Topic starter  

Hi,

In order to tighten up security, we're changing our SSH server to only support the following key exchanges:

[ul]curve25519-sha256
diffie-hellman-group-exchange-sha256[/ul]

Most of our users are using PuTTY, which handles these algorithms fine; however our AbsoluteTelnet user receives the following error:

failed to negotiate key exchange algorithm

It looks like AbsoluteTelnet doesn't support SHA256-based key exchange algorithms.

Is support for these more secure algorithms under active development at the moment? If so, I'm happy to beta test.

E


   
ReplyQuote
(@bpence)
Member Admin
Joined: 8 months ago
Posts: 1374
 

Thanks for the report! I've been working on some improvements to Absolute to help combat this issue, adding new key exchange and message authentication algorithms as specified in RFC4419 and RFC6668. If you'd like to take it for a spin, grab the latest release candidate here:

  http://www.celestialsoftware.net/telnet/beta_software.html

 

Brian

This post was modified 2 months ago by bpence

   
ReplyQuote
(@rhyven)
New Member
Joined: 9 years ago
Posts: 2
Topic starter  

Hi Brian,

Thanks for the quick work! I can confirm that the new version is connecting with:

[ul][li]A Key Exchange protocol of diffie-hellman-group-exchange-sha256[/li]
[li]Encrypting using the aes256-ctr Cipher[/li]
[li]Authenticating messages using hmac-sha2-512[/li][/ul]

Great work, thanks for such a quick response.

Eric


   
ReplyQuote
(@gdsokoll)
Active Member
Joined: 21 years ago
Posts: 8
 

I'm encountering the same error trying to log into a Synology NAS device. I've just tried the 9.84rc version without any improvement. Putty connects just fine. Any suggestions ?


   
ReplyQuote
(@bpence)
Member Admin
Joined: 8 months ago
Posts: 1374
 

Geoff,

Can you provide any more detail? For example, what is the *EXACT* error message you're getting?

Also, make sure you are using the latest. It should say "RELEASE CANDIDATE 10" in the title bar when you run it.

Brian


   
ReplyQuote
(@gdsokoll)
Active Member
Joined: 21 years ago
Posts: 8
 

Definitely running rc10 - downloaded from the link you gave above, and it shows a popup on startup saying that it is a release candidate etc etc.

The text in the AbsoluteTelnet window during login attempt is as follows:

Connecting to abcdefg:49613
   attempting 192.168.13.10:49613...     Success!
disconnected: failed to negotiate client to server encryption algorithm

The sshd log files shows:

Feb 19 09:26:15 DS212J sshd[5347]: Connection from 192.168.13.50 port 56157 on 192.168.13.10 port 49613
Feb 19 09:26:15 DS212J sshd[5347]: SSH: Server;Ltype: Version;Remote: 192.168.13.50-56157;Protocol: 2.0;Client: 1.81 sshlib: AbsoluteTelnet
Feb 19 09:26:15 DS212J sshd[5347]: fatal: no matching cipher found: client twofish256-cbc,blowfish-cbc,3des-cbc,aes256-cbc,arcfour,cast128-cbc server aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com [preauth]

Let me know if there is anything else I can provide to help with this.


   
ReplyQuote
(@bpence)
Member Admin
Joined: 8 months ago
Posts: 1374
 

This is neither a KEX or MAC problem, just simple encryption algorithm selection. Based on the message, it seems you have the CTR-mode AES encryptions disabled.

Go to options->Properties->Connection->ssh2 and click the 'encryption' button. Move at lease AES-256-CTR up to the top of the list. Connect again.

Post here with your results

Hope this helps

Brian


   
ReplyQuote
(@gdsokoll)
Active Member
Joined: 21 years ago
Posts: 8
 

Yes, thanks. That sorted it.


   
ReplyQuote
Share: