ML
    • Register
    • Login
    • Search
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups

    SFTP and cipher strength

    IT Discussion
    5
    14
    923
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • brandon220
      brandon220 last edited by

      I set up a SFTP server on Vultr a few months ago. No issues with it and everything is fine. The vendor that is going to be connecting to it to send us files sent an email stating they don't support the ciphers that it is using until end of 3rd quarter in 2018.

      From them: Our client supports AES128, AES192, and AES256 but does not work with the “-CTR” ciphers. The new version of our client “should” work with the “-CTR” ciphers, but will not be available until about 3rd quarter in 2018. So, unless the customer can enable standard AES ciphers, you’ll have to try FTPS or some other available method. Can you enable the standard AES ciphers on your sftp server? Please advise. Thanks!

      I am guessing they are running outdated client software. I can connect just fine with WinSCP and other clients. Is there a way to add the older ciphers to Fedora? This company is always behind on everything. They never told me they needed anything other than an SFTP server. Very frustrating.

      JaredBusch 1 Reply Last reply Reply Quote 0
      • JaredBusch
        JaredBusch @brandon220 last edited by

        @brandon220 Just do a little Google searching on configuring SSH ciphers because that’s all this is.

        brandon220 1 Reply Last reply Reply Quote 2
        • brandon220
          brandon220 @JaredBusch last edited by

          @jaredbusch I can see in the ssh_config and sshd_config files where the ciphers are listed but they are commented out. In fact, most of the lines in the files are commented out. I am struggling to find where it is actually getting its config from. I'll keep poking at it.

          JaredBusch 1 Reply Last reply Reply Quote 0
          • JaredBusch
            JaredBusch @brandon220 last edited by

            @brandon220 said in SFTP and cipher strength:

            @jaredbusch I can see in the ssh_config and sshd_config files where the ciphers are listed but they are commented out. In fact, most of the lines in the files are commented out. I am struggling to find where it is actually getting its config from. I'll keep poking at it.

            They are coming it out because it’s simply using default which is what should be coming it out on commenting those should have no change in your behavior. So you’ll end up modifying those lines and I’m commenting them to get the end that you desire.

            Driving down the road the moment otherwise I would try to get you some screenshots

            Dashrender dafyre 2 Replies Last reply Reply Quote 0
            • Dashrender
              Dashrender @JaredBusch last edited by

              @jaredbusch said in SFTP and cipher strength:

              @brandon220 said in SFTP and cipher strength:

              @jaredbusch I can see in the ssh_config and sshd_config files where the ciphers are listed but they are commented out. In fact, most of the lines in the files are commented out. I am struggling to find where it is actually getting its config from. I'll keep poking at it.

              They are coming it out because it’s simply using default which is what should be coming it out on commenting those should have no change in your behavior. So you’ll end up modifying those lines and I’m commenting them to get the end that you desire.

              Driving down the road the moment otherwise I would try to get you some screenshots

              Siri was not nice to you!

              JaredBusch 1 Reply Last reply Reply Quote 2
              • JaredBusch
                JaredBusch @Dashrender last edited by

                @dashrender said in SFTP and cipher strength:

                @jaredbusch said in SFTP and cipher strength:

                @brandon220 said in SFTP and cipher strength:

                @jaredbusch I can see in the ssh_config and sshd_config files where the ciphers are listed but they are commented out. In fact, most of the lines in the files are commented out. I am struggling to find where it is actually getting its config from. I'll keep poking at it.

                They are coming it out because it’s simply using default which is what should be coming it out on commenting those should have no change in your behavior. So you’ll end up modifying those lines and I’m commenting them to get the end that you desire.

                Driving down the road the moment otherwise I would try to get you some screenshots

                Siri was not nice to you!

                translate for me thanks

                Dashrender 1 Reply Last reply Reply Quote 0
                • Dashrender
                  Dashrender @JaredBusch last edited by

                  @jaredbusch said in SFTP and cipher strength:

                  @dashrender said in SFTP and cipher strength:

                  @jaredbusch said in SFTP and cipher strength:

                  @brandon220 said in SFTP and cipher strength:

                  @jaredbusch I can see in the ssh_config and sshd_config files where the ciphers are listed but they are commented out. In fact, most of the lines in the files are commented out. I am struggling to find where it is actually getting its config from. I'll keep poking at it.

                  They are coming it out because it’s simply using default which is what should be coming it out on commenting those should have no change in your behavior. So you’ll end up modifying those lines and I’m commenting them to get the end that you desire.

                  Driving down the road the moment otherwise I would try to get you some screenshots

                  Siri was not nice to you!

                  translate for me thanks

                  I considered - but then I even realized I couldn't follow that dibble.

                  1 Reply Last reply Reply Quote 0
                  • dafyre
                    dafyre @JaredBusch last edited by

                    @jaredbusch said in SFTP and cipher strength:

                    @brandon220 said in SFTP and cipher strength:

                    @jaredbusch I can see in the ssh_config and sshd_config files where the ciphers are listed but they are commented out. In fact, most of the lines in the files are commented out. I am struggling to find where it is actually getting its config from. I'll keep poking at it.

                    They are coming it out because it’s simply using default which is what should be coming it out on commenting those should have no change in your behavior. So you’ll end up modifying those lines and I’m commenting them to get the end that you desire.

                    Driving down the road the moment otherwise I would try to get you some screenshots

                    English Translation:

                    The lines are commented out because they are using the default settings. Uncomment those lines and then change them to work with the AES ciphers.

                    1 Reply Last reply Reply Quote 1
                    • brandon220
                      brandon220 last edited by

                      I see the ciphers listed on the ssh_config file which is supposed to be the client side. In the sshd_config there are no ciphers listed. If I run the command:
                      sudo sshd -T | grep ciphers
                      it returns:
                      ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]

                      I still cannot find where it is getting these from to be able to edit them.

                      JaredBusch 1 Reply Last reply Reply Quote 0
                      • JaredBusch
                        JaredBusch @brandon220 last edited by

                        @brandon220 said in SFTP and cipher strength:

                        I see the ciphers listed on the ssh_config file which is supposed to be the client side. In the sshd_config there are no ciphers listed. If I run the command:
                        sudo sshd -T | grep ciphers
                        it returns:
                        ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]

                        I still cannot find where it is getting these from to be able to edit them.

                        Those are the default hardcoded into the application. Simply uncomment d the ones in the configuration and change them to suit

                        1 Reply Last reply Reply Quote 0
                        • brandon220
                          brandon220 last edited by

                          When I go to the MAN page (man sshd_config) it shows that:

                          The supported ciphers are:

                                         3des-cbc
                                         aes128-cbc
                                         aes192-cbc
                                         aes256-cbc
                                         aes128-ctr
                                         aes192-ctr
                                         aes256-ctr
                                         [email protected]
                                         [email protected]
                                         arcfour
                                         arcfour128
                                         arcfour256
                                         blowfish-cbc
                                         cast128-cbc
                                         [email protected]
                          

                          I tried adding AES128,AES192,AES256 and nothing changes. I did stop and restart the service. Seeing that the ones I need are not listed as supported, I am not sure if they will work.

                          1 Reply Last reply Reply Quote 0
                          • scottalanmiller
                            scottalanmiller last edited by

                            Why are you using a client that doesn't support current SSH ciphers? What does this client do?

                            brandon220 1 Reply Last reply Reply Quote 0
                            • brandon220
                              brandon220 @scottalanmiller last edited by

                              @scottalanmiller I am not connecting to the server. I just set it up and have no trouble connecting to it and moving files around for testing purposes. One of our vendors will connect to it and upload files. We will then go retrieve them. THEIR client software is not playing nice with the ciphers that are the default in Fedora. They as a company are always behind the curve on being up-to-date. They just need it to work. I've been reading for hours on end to make it compatible for them with no luck.

                              scottalanmiller 1 Reply Last reply Reply Quote 0
                              • scottalanmiller
                                scottalanmiller @brandon220 last edited by

                                @brandon220 said in SFTP and cipher strength:

                                @scottalanmiller I am not connecting to the server. I just set it up and have no trouble connecting to it and moving files around for testing purposes. One of our vendors will connect to it and upload files. We will then go retrieve them. THEIR client software is not playing nice with the ciphers that are the default in Fedora. They as a company are always behind the curve on being up-to-date. They just need it to work. I've been reading for hours on end to make it compatible for them with no luck.

                                Right, I guess that's the question, if they can't keep their software secure, time to have a "come to Jesus" talk with them. This isn't a hard thing to do, the most incompetent IT department would still have current ciphers for their SSH. This implies that they are behind by decades and are laughing that you are still paying them when they aparently fired their IT staff in the 1990s.

                                1 Reply Last reply Reply Quote 1
                                • First post
                                  Last post