SFTP and cipher strength
-
@jaredbusch said in SFTP and cipher strength:
@brandon220 said in SFTP and cipher strength:
@jaredbusch I can see in the ssh_config and sshd_config files where the ciphers are listed but they are commented out. In fact, most of the lines in the files are commented out. I am struggling to find where it is actually getting its config from. I'll keep poking at it.
They are coming it out because it’s simply using default which is what should be coming it out on commenting those should have no change in your behavior. So you’ll end up modifying those lines and I’m commenting them to get the end that you desire.
Driving down the road the moment otherwise I would try to get you some screenshots
Siri was not nice to you!
-
@dashrender said in SFTP and cipher strength:
@jaredbusch said in SFTP and cipher strength:
@brandon220 said in SFTP and cipher strength:
@jaredbusch I can see in the ssh_config and sshd_config files where the ciphers are listed but they are commented out. In fact, most of the lines in the files are commented out. I am struggling to find where it is actually getting its config from. I'll keep poking at it.
They are coming it out because it’s simply using default which is what should be coming it out on commenting those should have no change in your behavior. So you’ll end up modifying those lines and I’m commenting them to get the end that you desire.
Driving down the road the moment otherwise I would try to get you some screenshots
Siri was not nice to you!
translate for me thanks
-
@jaredbusch said in SFTP and cipher strength:
@dashrender said in SFTP and cipher strength:
@jaredbusch said in SFTP and cipher strength:
@brandon220 said in SFTP and cipher strength:
@jaredbusch I can see in the ssh_config and sshd_config files where the ciphers are listed but they are commented out. In fact, most of the lines in the files are commented out. I am struggling to find where it is actually getting its config from. I'll keep poking at it.
They are coming it out because it’s simply using default which is what should be coming it out on commenting those should have no change in your behavior. So you’ll end up modifying those lines and I’m commenting them to get the end that you desire.
Driving down the road the moment otherwise I would try to get you some screenshots
Siri was not nice to you!
translate for me thanks
I considered - but then I even realized I couldn't follow that dibble.
-
@jaredbusch said in SFTP and cipher strength:
@brandon220 said in SFTP and cipher strength:
@jaredbusch I can see in the ssh_config and sshd_config files where the ciphers are listed but they are commented out. In fact, most of the lines in the files are commented out. I am struggling to find where it is actually getting its config from. I'll keep poking at it.
They are coming it out because it’s simply using default which is what should be coming it out on commenting those should have no change in your behavior. So you’ll end up modifying those lines and I’m commenting them to get the end that you desire.
Driving down the road the moment otherwise I would try to get you some screenshots
English Translation:
The lines are commented out because they are using the default settings. Uncomment those lines and then change them to work with the AES ciphers.
-
I see the ciphers listed on the ssh_config file which is supposed to be the client side. In the sshd_config there are no ciphers listed. If I run the command:
sudo sshd -T | grep ciphers
it returns:
ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]I still cannot find where it is getting these from to be able to edit them.
-
@brandon220 said in SFTP and cipher strength:
I see the ciphers listed on the ssh_config file which is supposed to be the client side. In the sshd_config there are no ciphers listed. If I run the command:
sudo sshd -T | grep ciphers
it returns:
ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]I still cannot find where it is getting these from to be able to edit them.
Those are the default hardcoded into the application. Simply uncomment d the ones in the configuration and change them to suit
-
When I go to the MAN page (man sshd_config) it shows that:
The supported ciphers are:
3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr [email protected] [email protected] arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc [email protected]I tried adding AES128,AES192,AES256 and nothing changes. I did stop and restart the service. Seeing that the ones I need are not listed as supported, I am not sure if they will work.
-
Why are you using a client that doesn't support current SSH ciphers? What does this client do?
-
@scottalanmiller I am not connecting to the server. I just set it up and have no trouble connecting to it and moving files around for testing purposes. One of our vendors will connect to it and upload files. We will then go retrieve them. THEIR client software is not playing nice with the ciphers that are the default in Fedora. They as a company are always behind the curve on being up-to-date. They just need it to work. I've been reading for hours on end to make it compatible for them with no luck.
-
@brandon220 said in SFTP and cipher strength:
@scottalanmiller I am not connecting to the server. I just set it up and have no trouble connecting to it and moving files around for testing purposes. One of our vendors will connect to it and upload files. We will then go retrieve them. THEIR client software is not playing nice with the ciphers that are the default in Fedora. They as a company are always behind the curve on being up-to-date. They just need it to work. I've been reading for hours on end to make it compatible for them with no luck.
Right, I guess that's the question, if they can't keep their software secure, time to have a "come to Jesus" talk with them. This isn't a hard thing to do, the most incompetent IT department would still have current ciphers for their SSH. This implies that they are behind by decades and are laughing that you are still paying them when they aparently fired their IT staff in the 1990s.
