Disabling CBC Cipher mode causes login problems


Login or Register for Dates, Times and to Reply

 
Thread Tools Search this Thread
Top Forums UNIX for Advanced & Expert Users Disabling CBC Cipher mode causes login problems
# 1  
Disabling CBC Cipher mode causes login problems

Hi,

As part of the security hardening activity in our team, we have to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.

To do this, in sshd_config I comment out these lines :

Code:
Ciphers aes128-cbc,blowfish-cbc,3des-cbc
MACS   hmac-sha1,hmac-md5

and add this line :

Code:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr

However after doing this, and restarting ssh, I get this error :

Code:
/etc/ssh/sshd_config line 88: Bad SSH2 cipher spec 'aes128-ctr,aes192-ctr,aes256-ctr'

Also, I am not able to ssh into the server anymore.

Please provide a suggestion on how to disable the CBC option and enable the CTR/GCM option without causing problems.
The sshd_config file in the server is sshd_config(4) and thus does not support CTR/GCM.

Regards,
ana
# 2  
What, then, are the allowed ciphers according to sshd_config?
# 3  
According to the sshd_config man page (ubuntu):


Code:
 Ciphers
             Specifies the ciphers allowed.  Multiple ciphers must be comma-separated.  If the
             specified value begins with a ‘+’ character, then the specified ciphers will be
             appended to the default set instead of replacing them.

             The supported ciphers are:

                   3des-cbc
                   aes128-cbc
                   aes192-cbc
                   aes256-cbc
                   aes128-ctr
                   aes192-ctr
                   aes256-ctr
                   aes128-gcm@openssh.com
                   aes256-gcm@openssh.com
                   arcfour
                   arcfour128
                   arcfour256
                   blowfish-cbc
                   cast128-cbc
                   chacha20-poly1305@openssh.com

             The default is:

                   chacha20-poly1305@openssh.com,
                   aes128-ctr,aes192-ctr,aes256-ctr,
                   aes128-gcm@openssh.com,aes256-gcm@openssh.com

             The list of available ciphers may also be obtained using the -Q option of ssh(1)
             with an argument of “cipher”.

# 4  
Update:

Here is an example of checking for supported ciphers:

Linux

Code:
/home/neo# ssh -Q cipher
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

and on another box:

MacOS

Code:
 Tim$ ssh -Q cipher
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

# 5  
OBTW did you try this?

To disable CBC mode ciphers and weak MAC algorithms (MD5 and -96), add the following lines into the /etc/ssh/sshd_config file.

Code:
 Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128
 MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160

Then (on linux)

Code:
 service sshd restart

# 6  
Sorry I forgot to mention that my box is Solaris 9.

And I already tried adding the line :

Code:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr

And it throws the error I mentioned (After I restarted ssh) :

Code:
/etc/ssh/sshd_config line 88: Bad SSH2 cipher spec 'aes128-ctr,aes192-ctr,aes256-ctr'

I have also commented out the MAC line :

Code:
MACS   hmac-sha1,hmac-md5

This does not cause any problems.
# 7  
Does this command work on Solaris?

Code:
ssh -Q cipher

Sorry, I don't have a Solaris box handy.

Please run ssh -Q cipher and update us with the results.

Also, Oracle says this is all you need to do to disable those weak ciphers:

Code:
   
cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.`date +%d-%b-%Y-%H-%M`

vi /etc/ssh/sshd_config

Ciphers aes128-ctr,aes192-ctr,aes256-ctr
Macs hmac-sha2-256,hmac-sha2-512

svcadm restart ssh

Edit and Update:

I see from the Oracle docs that Solaris does not support ssh -Q

Oracle Docs: ssh - man pages section 1: User Commands
Login or Register for Dates, Times and to Reply

Previous Thread | Next Thread
Thread Tools Search this Thread
Search this Thread:
Advanced Search

Test Your Knowledge in Computers #324
Difficulty: Medium
The IBM PC used an Intel 8008 microprocessor clocked at 4.77 MHz and 8 kilobytes of memory.
True or False?

9 More Discussions You Might Find Interesting

1. Solaris

Need to disable CBC mode cipher encryption along with MD5 & 96 bit MAC algorithm

Hi All Is any one know how to diable CBC mode cipher encryption along with MD5 & 96 bit MAC algorithm in solaris 10. Regards (4 Replies)
Discussion started by: amity
4 Replies

2. Linux

Not able to login in graphical mode

Hi Guys After installing my CentOS in virtual machine i am not able to get the graphical mode. By default it is going in TUI mode. Please help how to get the graphical mode by default. I am already in init 5..... Thanks...:wall: (1 Reply)
Discussion started by: deviltech
1 Replies

3. Debian

Disabling emergency and init mode

Hello all friends I recently disable runlevel 1 i want to know , is there any way to disable emergency mode and init mode init mode means if any user pass kernel parameter at grub i.e init=/bin/bash then bash shell appears I want to disable it for security purpose System = Debian 6... (4 Replies)
Discussion started by: rink
4 Replies

4. Ubuntu

Login Problems when the system is grub mode

Hi Experts, I am using ubuntu.When i am trying to login it is showing grub ..How i can overcome to this problem..Pls reply me ASAP.. Thanks, Sree (1 Reply)
Discussion started by: sree vasu
1 Replies

5. OS X (Apple)

Script Implementation for Disabling Re-Opening Previous Login

Ok guys, I'm just getting back to this amongst several other projects, but I thought I'd re-address it. I'm creating the script to disable windows from the previous login under 10.7. In order to do this it seems I need to create the same script for applications that launch and create the... (6 Replies)
Discussion started by: unimachead
6 Replies

6. Shell Programming and Scripting

Unable to login into GUI mode.

hii all, I am unable to login into GUI mode in solaris 10. It is only prompting me to command mode credentials not going further to GUI mode.. Please help.. Thanks & regards, Bhagi (3 Replies)
Discussion started by: bhargav90
3 Replies

7. AIX

disabling telnet login for root only

Hi, I want to disable telnet login for root only so that other users can telnet? Regards, Manoj (8 Replies)
Discussion started by: manoj.solaris
8 Replies

8. AIX

Problems with disabling remote root login

Hello! I'm going through security checklist for AIX 5.3 and i just can't disable remote login for root through ssh. What i did: - in /etc/security/user i added a line: rlogin = false which works fine when i try to login through telnet - after installation of openSSH i edited... (3 Replies)
Discussion started by: veccinho
3 Replies

9. SCO

Disabling root login

Hy, Coud someone tell me how to disable root login via terminal (only from console should be allowed). There is no ssh installed, only telnet. I created a user which will have permission to su to root, but now i don't know where and what to modify to disable root login? SCO OpenServer 5 ... (1 Reply)
Discussion started by: veccinho
1 Replies