Ssh problems
-
latest version of pfsense is breaking most of my ssh clients when I try and ssh into pfsense. never had problems before.
My older version of SecureCRT returns...
Key exchange failed.
No compatible key exchange method. The server supports these methods: curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
No compatible MAC. The server supports these MACs: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
and syslog on pfsense shows...
fatal: Unable to negotiate with <client's ipv6> port 53661: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
I tried SmarTTY, similar errors, client reports LIBSSH2_ERROR_KEX_FAILURE, and syslog says...
fatal: Unable to negotiate with (my IP) port 50978: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]
latest putty works but i hate putty.
this is really annoying.
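The two syslog lines quoted above are the whole story: sshd walks the client's key-exchange offer in the client's order and picks the first name it also supports, and these clients offer only SHA-1 based methods while the server accepts only curve25519 and group-exchange-sha256, so nothing matches and the connection is refused before authentication. The following is an added example, not from the post or from pfSense, that parses "Unable to negotiate" lines (constructed samples modelled on the quoted ones, with documentation addresses substituted for the real peers) and reports, per client, what it offered, whether anything would have matched, and whether the client offers nothing but legacy algorithms. The server lists are the ones SecureCRT printed in the post; the MAC-mismatch sample line and the `LEGACY_HINTS` heuristic are my assumptions.

```python
import re

# Constructed sample sshd syslog lines, modelled on the two quoted in the post
# (peer addresses replaced with documentation addresses), plus one line of the
# same shape for a MAC mismatch, which sshd reports with the same wording.
SAMPLE_SYSLOG = """\
fatal: Unable to negotiate with 2001:db8::10 port 53661: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
fatal: Unable to negotiate with 192.0.2.25 port 50978: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]
fatal: Unable to negotiate with 192.0.2.26 port 50990: no matching MAC found. Their offer: hmac-sha1,hmac-md5 [preauth]
"""

# What the pfSense sshd advertises, taken from the SecureCRT error text in the post.
SERVER_ALGS = {
    "key exchange method": [
        "curve25519-sha256@libssh.org",
        "diffie-hellman-group-exchange-sha256",
    ],
    "MAC": [
        "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
        "hmac-ripemd160-etm@openssh.com", "umac-128-etm@openssh.com",
        "hmac-sha2-512", "hmac-sha2-256", "hmac-ripemd160", "umac-128@openssh.com",
    ],
}

# Assumed heuristic: substrings that mark an algorithm as legacy
# (SHA-1 or MD5 based, or the 1024-bit "group1" modulus).
LEGACY_HINTS = ("sha1", "group1-", "md5")

LOG_RE = re.compile(
    r"Unable to negotiate with (?P<peer>\S+) port (?P<port>\d+): "
    r"no matching (?P<what>key exchange method|cipher|MAC) found\. "
    r"Their offer: (?P<offer>\S+)"
)


def negotiate(client_offer, server_list):
    """RFC 4253 section 7.1: the first name in the client's list that the
    server also supports is chosen; None means the connection is refused."""
    server_set = set(server_list)
    for alg in client_offer:
        if alg in server_set:
            return alg
    return None


def is_legacy(alg):
    return any(hint in alg for hint in LEGACY_HINTS)


def parse_negotiation_failures(syslog_text):
    """One record per 'Unable to negotiate' line: the peer, which algorithm
    family failed, what the client offered, what (if anything) would have
    matched, and whether the client offers nothing but legacy algorithms."""
    records = []
    for line in syslog_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        what = m.group("what")
        offer = m.group("offer").split(",")
        server_list = SERVER_ALGS.get(what, [])
        records.append({
            "peer": m.group("peer"),
            "port": int(m.group("port")),
            "what": what,
            "offer": offer,
            "agreed": negotiate(offer, server_list),
            "client_only_legacy": all(is_legacy(a) for a in offer),
            "client_needs_one_of": server_list,
        })
    return records


if __name__ == "__main__":
    for rec in parse_negotiation_failures(SAMPLE_SYSLOG):
        print(rec["peer"], rec["what"], "agreed:", rec["agreed"],
              "legacy-only client:", rec["client_only_legacy"],
              "client needs one of:", ", ".join(rec["client_needs_one_of"]))
```

Because the choice is made in the client's preference order, a client that merely adds curve25519-sha256@libssh.org or diffie-hellman-group-exchange-sha256 anywhere in its list will connect; the fix is on the client side, not in weakening the server list.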
-
Hi,
Check out https://forum.pfsense.org/index.php?topic=115736.0
-
Well complain to your fav ssh client maker to support current standards.. latest version of SecureCRT 8.0.2 supports ed25519 but they do not support chacha20 yet.. Really just inconceivable that companies that do ssh for their business model are not supporting current stuff.. Blows my freaking mind..
Your other option if you don't like putty is just grab the actual openssh client, there is a version for Windows from mls-software you can grab, or even MS is working on a port of it, etc.
https://github.com/PowerShell/Win32-OpenSSH
http://www.mls-software.com/opensshd.html
-
... and for those who actually worked with those VT100 terminals and the like back then: you can only love PuTTY ...
-
yeah I don't get how you don't love putty.. 1 small exe.. Provides for all kinds of connection options, ssh, telnet for those really behind the times and even console (serial). It is just a great util to have in your toolbelt, especially when stuck having to use a windows machine.
While for sure it's not as polished as say SecureCRT in its looks, it has support for current kex and cipher options pretty much as soon as they become valid..
-
Part of being security-conscious is not just using encryption but keeping the clients, settings, and other standards up-to-date. Over time weaker ciphers, hashes and so on are found to be vulnerable (sometimes in theory, sometimes in reality) so they get disabled. Time marches on.
I wanted to keep using SecureCRT so I dropped some cash on a current version and made sure all my profiles had compatible ciphers, hashes, and MACs enabled. Now it's happy (aside from a keyboard-interactive issue in SecureCRT I'm still tracking before submitting a bug report). I bugged them about chacha20-poly1305, AES256-GCM, and curve25519-sha256 and they put in feature requests for them on my behalf.
If you're using an older version of SecureCRT because it was the only cracked one available on a torrent site, then I have no sympathy. Otherwise, if you like it, support them and grab an upgrade. It's not cheap, but it's an excellent client with superior session management. I've used it off and on since I was in college far too many years ago.
UEX for Linux was using an older libssh but they just put out a beta version that works. Recent versions of PuTTY and Filezilla and others are fine, too.
There are wrappers out there that use putty or command line ssh utilities (depending on your OS, things like PAC are interesting), but there isn't much of an excuse to not keep yourself and your infrastructure secure for the sake of ssh clients suffering from bit rot.
You might need to clear out older host key fingerprints from your ~/.ssh/known_hosts file if you use a command line client. See here for details: https://doc.pfsense.org/index.php/2.3.2_New_Features_and_Changes#SSH_Daemon
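The usual tool for that last step is `ssh-keygen -R <host>` (use the `[host]:port` form for non-standard ports), which rewrites known_hosts without the stale entry. As an added example, not from the post or from the pfSense docs, the block below shows what that cleanup amounts to: it drops every line whose host field names the firewall, for both plain entries and the hashed `|1|salt|hmac` form written when HashKnownHosts is on, while leaving comments and other hosts untouched. The file contents, host names and key blobs are constructed placeholders; wildcard patterns are deliberately not handled.

```python
import base64
import hashlib
import hmac

# Placeholder key blobs (constructed); real public keys are not needed to match host names.
OLD_KEY = "ssh-rsa AAAAB3NzaC1yc2E...PLACEHOLDER-OLD-KEY"
OTHER_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5...PLACEHOLDER-OTHER-KEY"


def hashed_host_field(host, salt):
    """Build a HashKnownHosts-style field: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


# Constructed sample known_hosts: the firewall recorded twice (once plain with an
# address alias, once hashed) and one unrelated host that must be left alone.
FIREWALL = "pfsense.example.net"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample",
    "%s,192.0.2.1 %s" % (FIREWALL, OLD_KEY),
    "%s %s" % (hashed_host_field(FIREWALL, b"\x13" * 20), OLD_KEY),
    "[bastion.example.net]:2222 %s" % OTHER_KEY,
]) + "\n"


def host_field_matches(field, host):
    """True if any comma-separated pattern in the host field names `host`,
    whether written plainly or as a hashed |1|salt|hmac entry."""
    for pattern in field.split(","):
        if pattern.startswith("|1|"):
            _, _, salt_b64, mac_b64 = pattern.split("|")
            salt = base64.b64decode(salt_b64)
            expected = base64.b64decode(mac_b64)
            actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(actual, expected):
                return True
        elif pattern == host:
            return True
    return False


def remove_host_keys(known_hosts_text, host):
    """Return (new_text, removed_lines): every entry for `host` is dropped;
    comments, blank lines and entries for other hosts are kept as they were."""
    kept, removed = [], []
    for line in known_hosts_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(line)
            continue
        parts = stripped.split()
        # An optional leading marker (@cert-authority, @revoked) shifts the host field right.
        field = parts[1] if parts[0].startswith("@") else parts[0]
        (removed if host_field_matches(field, host) else kept).append(line)
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    new_text, removed = remove_host_keys(SAMPLE_KNOWN_HOSTS, FIREWALL)
    print("removed %d stale entries:" % len(removed))
    for line in removed:
        print("  ", line[:60], "...")
    print("remaining file:")
    print(new_text)
```

After the stale line is gone, the next connection prompts you to accept the new fingerprint; compare it against the one shown in the pfSense console or web GUI before saying yes, since silently accepting a changed host key defeats the point of known_hosts.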