• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Ssh changes in 2.3.2 ?

Scheduled Pinned Locked Moved Problems Installing or Upgrading pfSense Software
8 Posts 4 Posters 4.9k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • A
    AndrewZ
    last edited by Jul 26, 2016, 7:40 AM

    The update went smoothly, but afterwards I'm not able to access the router via ssh from Windows with java-based minderm. Linux ssh still works. It was a problem with putty too, but updating the binary resolved the issue.
    From the logs:

    Connection closed by 192.168.5.61 port 51532 [preauth]

    Mindterm:

    Error generating DiffieHellman keys: java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can only range from 512 to 2048 (inclusive)
    

    Any suggestion?

    1 Reply Last reply Reply Quote 0
    • J
      jimp Rebel Alliance Developer Netgate
      last edited by Jul 26, 2016, 2:17 PM

      We disabled some older insecure Key Exchange Algorithms. You might need to update whatever library is used for SSH in that application.

      Remember: Upvote with the πŸ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      1 Reply Last reply Reply Quote 0
      • J
        johnpoz LAYER 8 Global Moderator
        last edited by Jul 26, 2016, 2:34 PM Jul 26, 2016, 2:29 PM

        Nice… Did you enable ed25519 for kex and chacha20 for cipher?  I had edited the config to enable them, but be nice not to have to edit the config on an update.

        debug1: Authenticating to pfsense.local.lan:22 as 'root'
        debug1: SSH2_MSG_KEXINIT sent
        debug1: SSH2_MSG_KEXINIT received
        debug1: kex: algorithm: curve25519-sha256@libssh.org
        debug1: kex: host key algorithm: ssh-ed25519
        debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit>compression: none
        debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit>compression: none
        debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
        debug1: Server host key: ssh-ed25519 SHA256:I0WQR9Eyjlcgf/vN</implicit></implicit>

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        1 Reply Last reply Reply Quote 0
        • J
          jimp Rebel Alliance Developer Netgate
          last edited by Jul 26, 2016, 2:33 PM

          KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
          
          
          Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
          MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
          
          

          Remember: Upvote with the πŸ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          1 Reply Last reply Reply Quote 0
          • J
            johnpoz LAYER 8 Global Moderator
            last edited by Jul 26, 2016, 2:35 PM

            nice!!  Now if could just get cisco to update their shit, all my ssh stuff would be chacha20 and ed25519…

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            G 1 Reply Last reply Jun 27, 2018, 7:49 PM Reply Quote 0
            • G
              guardian Rebel Alliance @johnpoz
              last edited by Jun 27, 2018, 7:49 PM

              Sorry if it's bad form to bring this back from the dead, but I was searching looking for the post where the merits of the various algos were discussed. Can someone point me in the right direction.
              (Even a short offsite article would be fine.)

              What kex / crypto algos should I be using (and NOT using)?

              @johnpoz you get so many people bitching that I'd like to add a bit of balance. Yes it is a PITA when these programs don't work, but I agree that outdated/ineffective security is almost worse than no security at all (For those who know how they should file bug reports--and maybe provide instructions so lots of others can add their voice and hopefully increase the priority).

              It is because of pfSense and excellent commentary here in the form that I (a non-it-professional) have an understanding of and access to good gateway security. I no longer have to deal with cludgy dd-wrt flashes or put up with the consumer $#it - which is often full of holes. The pfSense team is top notch, and there are a lot of very bright people in the community looking over their shoulders to catch things that might slip. Thanks to all for your excellent work.

              @johnpoz said in Ssh changes in 2.3.2 ?:

              nice!! Now if could just get cisco to update their shit, all my ssh stuff would be chacha20 and ed25519…
              Come on @johnpoz why would Cisco want to do that and make life difficult for the NSA? πŸ˜‰

              If you find my post useful, please give it a thumbs up!
              pfSense 2.7.2-RELEASE

              1 Reply Last reply Reply Quote 1
              • J
                johnpoz LAYER 8 Global Moderator
                last edited by Jun 27, 2018, 8:21 PM

                Not sure exactly what your looking for - but here is a blog post by the person that brought chacha20 to openssh and has some reasons why he did so, etc.

                http://blog.djm.net.au/2013/11/chacha20-and-poly1305-in-openssh.html

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                G 1 Reply Last reply Jun 27, 2018, 8:38 PM Reply Quote 0
                • G
                  guardian Rebel Alliance @johnpoz
                  last edited by Jun 27, 2018, 8:38 PM

                  @johnpoz said in Ssh changes in 2.3.2 ?:

                  Not sure exactly what your looking for - but here is a blog post by the person that brought chacha20 to openssh and has some reasons why he did so, etc.

                  http://blog.djm.net.au/2013/11/chacha20-and-poly1305-in-openssh.html
                  Thanks @johnpoz good article. I hadn't heard of these before.

                  There was a post that listed which algos were best/safe for OpenSSH-can't remember what else. Something with general best parctices would be helpful.

                  If you find my post useful, please give it a thumbs up!
                  pfSense 2.7.2-RELEASE

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                    [[user:consent.lead]]
                    [[user:consent.not_received]]