• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

SSH: Couldn't agree a key algorithm (available: curve25519-sha256@libssh.org)

Scheduled Pinned Locked Moved Problems Installing or Upgrading pfSense Software
38 Posts 14 Posters 114.8k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • J
    johnpoz LAYER 8 Global Moderator
    last edited by Jan 19, 2017, 1:25 PM

    Yeah I just emailed her, says on my thread to contact her for access to the prebeta ;)

    An intelligent man is sometimes forced to be drunk to spend time with his fools
    If you get confused: Listen to the Music Play
    Please don't Chat/PM me for help, unless mod related
    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

    1 Reply Last reply Reply Quote 0
    • C
      chrcoluk
      last edited by Jan 20, 2017, 12:48 AM

      yeah she emailed me about it some days back, no GCM still but at least CHACHA is something.

      pfSense CE 2.7.2

      1 Reply Last reply Reply Quote 0
      • J
        johnpoz LAYER 8 Global Moderator
        last edited by Jan 20, 2017, 11:32 AM

        So got the new secure beta.. And finally

        [LOCAL] : Available Remote Send Ciphers = chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
        [LOCAL] : Selected Send Cipher = chacha20-poly1305@openssh.com
        [LOCAL] : Available Remote Recv Ciphers = chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
        [LOCAL] : Selected Recv Cipher = chacha20-poly1305@openssh.com

        Now they just need to add GCM ;)

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        1 Reply Last reply Reply Quote 0
        • R
          riahc3 Banned
          last edited by Apr 20, 2017, 9:03 AM

          @jimp:

          FYI- We disabled some older, weaker, ssh key exchange algorithms. It won't be uncommon to find some older programs that use ssh directly or via things like libssh, that will need to be updated.

          How do you reenable them?

          1 Reply Last reply Reply Quote 0
          • J
            johnpoz LAYER 8 Global Moderator
            last edited by Apr 20, 2017, 9:34 AM

            Why would you need to re-enable them.. They have been disabled for a reason, ie not secure.. Update your client is the correct fix here..

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            1 Reply Last reply Reply Quote 0
            • R
              riahc3 Banned
              last edited by Apr 20, 2017, 9:51 AM Apr 20, 2017, 9:47 AM

              @johnpoz:

              Why would you need to re-enable them.. They have been disabled for a reason, ie not secure.. Update your client is the correct fix here..

              Thats awesome.

              How do you reenable them?

              (For the record, yes, I am fully aware that many companies in 2016-2017, made SHA1 deprecated)

              1 Reply Last reply Reply Quote 0
              • K
                kpa
                last edited by Apr 20, 2017, 9:53 AM

                You re-enable them by rolling your own custom version of pfSense where you enable them in the openssh configuration. Oh and forget any official support if you follow that route.

                1 Reply Last reply Reply Quote 0
                • R
                  riahc3 Banned
                  last edited by Apr 20, 2017, 9:58 AM

                  @kpa:

                  You re-enable them by rolling your own custom version of pfSense where you enable them in the openssh configuration. Oh and forget any official support if you follow that route.

                  No.

                  From the posts in this thread, they were disabled not removed (ala PPTP). They should be able to be enabled (under your own responsability)

                  The issue for example is that PPTP was warned several months in advance that it was going to get removed. Maybe I missed it for SHA1 but…

                  The point is that this thread only talks about it is disabled, not removed so...

                  1 Reply Last reply Reply Quote 0
                  • J
                    johnpoz LAYER 8 Global Moderator
                    last edited by Apr 20, 2017, 10:39 AM Apr 20, 2017, 10:32 AM

                    "How do you reenable them?"

                    You edit your sshd_conf to use the what you want.. But again I am going to stress they were disabled for a REASON!!!

                    
                    [2.4.0-BETA][root@pfsense.local.lan]/etc/ssh: cat sshd_config 
                    # This file is automatically generated at startup
                    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
                    Port 22
                    Protocol 2
                    HostKey /etc/ssh/ssh_host_rsa_key
                    HostKey /etc/ssh/ssh_host_ed25519_key
                    Compression yes
                    ClientAliveInterval 30
                    PermitRootLogin yes
                    # Login via Key only
                    ChallengeResponseAuthentication no
                    PasswordAuthentication no
                    PubkeyAuthentication yes
                    UsePAM no
                    UseDNS no
                    LoginGraceTime 30s
                    VersionAddendum none
                    X11Forwarding no
                    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
                    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
                    # override default of no subsystems
                    Subsystem       sftp    /usr/libexec/sftp-server
                    
                    

                    Notice the part that says this file created at startup.. So you would have to edit sshd script that does the creation.  Or you could use the sshd_extra file pretty sure..

                    I can not stress this enough - do not lower the security of your sshd, up the security of the client your using to access it.  Putty is FREE it works just fine, they have a securecrt client closed beta you can get that supports the chacha stuff.  You can use just the mls windows version of openssh, which is what I use all the time.. also FREE

                    You should never lower your security to "make something work"…  This is just bad security 101..

                    What I did notice from this thread since I connected in with ssh -v into pfsense is they are behind on their ssh.. they are running 7.2 while 7.5 is current.

                    debug1: Local version string SSH-2.0-OpenSSH_7.5
                    debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2
                    debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                    1 Reply Last reply Reply Quote 0
                    • R
                      riahc3 Banned
                      last edited by Apr 20, 2017, 11:18 AM

                      @johnpoz:

                      "How do you reenable them?"

                      You edit your sshd_conf to use the what you want.. But again I am going to stress they were disabled for a REASON!!!

                      
                      [2.4.0-BETA][root@pfsense.local.lan]/etc/ssh: cat sshd_config 
                      # This file is automatically generated at startup
                      KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
                      Port 22
                      Protocol 2
                      HostKey /etc/ssh/ssh_host_rsa_key
                      HostKey /etc/ssh/ssh_host_ed25519_key
                      Compression yes
                      ClientAliveInterval 30
                      PermitRootLogin yes
                      # Login via Key only
                      ChallengeResponseAuthentication no
                      PasswordAuthentication no
                      PubkeyAuthentication yes
                      UsePAM no
                      UseDNS no
                      LoginGraceTime 30s
                      VersionAddendum none
                      X11Forwarding no
                      Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
                      MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
                      # override default of no subsystems
                      Subsystem       sftp    /usr/libexec/sftp-server
                      
                      

                      Notice the part that says this file created at startup.. So you would have to edit sshd script that does the creation.  Or you could use the sshd_extra file pretty sure..

                      I can not stress this enough - do not lower the security of your sshd, up the security of the client your using to access it.  Putty is FREE it works just fine, they have a securecrt client closed beta you can get that supports the chacha stuff.  You can use just the mls windows version of openssh, which is what I use all the time.. also FREE

                      You should never lower your security to "make something work"…  This is just bad security 101..

                      What I did notice from this thread since I connected in with ssh -v into pfsense is they are behind on their ssh.. they are running 7.2 while 7.5 is current.

                      debug1: Local version string SSH-2.0-OpenSSH_7.5
                      debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2
                      debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000

                      Quoted in case of removal.

                      1 Reply Last reply Reply Quote 0
                      • R
                        riahc3 Banned
                        last edited by Apr 20, 2017, 11:22 AM

                        @johnpoz:

                        I can not stress this enough - do not lower the security of your sshd, up the security of the client your using to access it.  Putty is FREE it works just fine, they have a securecrt client closed beta you can get that supports the chacha stuff.  You can use just the mls windows version of openssh, which is what I use all the time.. also FREE

                        You should never lower your security to "make something work"…  This is just bad security 101..

                        Even though this is not my case why I asked how to enable it again and while I agree with you, you cannot have 1000 clients waiting to be updated and/or people that use older clients where there isnt development anymore, suddenly stop working. You need a solution now. That quickest solution (as much as a bandaid it is) is to enable the older standard (which is really irrelevent when the servers are internal non public facing and/or you have monitoring on your systems)

                        When you make sure that all clients are updated and compatible, THEN and ONLY then, can it be re disabled and use the newer and safer standard.

                        1 Reply Last reply Reply Quote 0
                        • jimpJ
                          jimp Rebel Alliance Developer Netgate
                          last edited by Apr 20, 2017, 11:40 AM

                          You re-enable them the same way you revert any change you don't want. Find the commits that made the change and revert them or manually change them back the way they were.

                          None of that banter belongs in this thread. Locking.

                          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                          Need help fast? Netgate Global Support!

                          Do not Chat/PM for help!

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                            This community forum collects and processes your personal information.
                            consent.not_received