    SFTP and cipher strength

    • brandon220

      I set up an SFTP server on Vultr a few months ago. No issues with it and everything is fine. The vendor that is going to be connecting to it to send us files sent an email stating they don't support the ciphers that it is using until end of 3rd quarter in 2018.

      From them: Our client supports AES128, AES192, and AES256 but does not work with the “-CTR” ciphers. The new version of our client “should” work with the “-CTR” ciphers, but will not be available until about 3rd quarter in 2018. So, unless the customer can enable standard AES ciphers, you’ll have to try FTPS or some other available method. Can you enable the standard AES ciphers on your sftp server? Please advise. Thanks!

      I am guessing they are running outdated client software. I can connect just fine with WinSCP and other clients. Is there a way to add the older ciphers to Fedora? This company is always behind on everything. They never told me they needed anything other than an SFTP server. Very frustrating.

      • JaredBusch @brandon220

        @brandon220 Just do a little Google searching on configuring SSH ciphers because that’s all this is.

        • brandon220 @JaredBusch

          @jaredbusch I can see in the ssh_config and sshd_config files where the ciphers are listed but they are commented out. In fact, most of the lines in the files are commented out. I am struggling to find where it is actually getting its config from. I'll keep poking at it.

          • JaredBusch @brandon220

            @brandon220 said in SFTP and cipher strength:

            @jaredbusch I can see in the ssh_config and sshd_config files where the ciphers are listed but they are commented out. In fact, most of the lines in the files are commented out. I am struggling to find where it is actually getting its config from. I'll keep poking at it.

            They are coming it out because it’s simply using default which is what should be coming it out on commenting those should have no change in your behavior. So you’ll end up modifying those lines and I’m commenting them to get the end that you desire.

            Driving down the road the moment otherwise I would try to get you some screenshots

            • Dashrender @JaredBusch

              @jaredbusch said in SFTP and cipher strength:

              @brandon220 said in SFTP and cipher strength:

              @jaredbusch I can see in the ssh_config and sshd_config files where the ciphers are listed but they are commented out. In fact, most of the lines in the files are commented out. I am struggling to find where it is actually getting its config from. I'll keep poking at it.

              They are coming it out because it’s simply using default which is what should be coming it out on commenting those should have no change in your behavior. So you’ll end up modifying those lines and I’m commenting them to get the end that you desire.

              Driving down the road the moment otherwise I would try to get you some screenshots

              Siri was not nice to you!

              • JaredBusch @Dashrender

                @dashrender said in SFTP and cipher strength:

                @jaredbusch said in SFTP and cipher strength:

                @brandon220 said in SFTP and cipher strength:

                @jaredbusch I can see in the ssh_config and sshd_config files where the ciphers are listed but they are commented out. In fact, most of the lines in the files are commented out. I am struggling to find where it is actually getting its config from. I'll keep poking at it.

                They are coming it out because it’s simply using default which is what should be coming it out on commenting those should have no change in your behavior. So you’ll end up modifying those lines and I’m commenting them to get the end that you desire.

                Driving down the road the moment otherwise I would try to get you some screenshots

                Siri was not nice to you!

                translate for me thanks

                • Dashrender @JaredBusch

                  @jaredbusch said in SFTP and cipher strength:

                  @dashrender said in SFTP and cipher strength:

                  @jaredbusch said in SFTP and cipher strength:

                  @brandon220 said in SFTP and cipher strength:

                  @jaredbusch I can see in the ssh_config and sshd_config files where the ciphers are listed but they are commented out. In fact, most of the lines in the files are commented out. I am struggling to find where it is actually getting its config from. I'll keep poking at it.

                  They are coming it out because it’s simply using default which is what should be coming it out on commenting those should have no change in your behavior. So you’ll end up modifying those lines and I’m commenting them to get the end that you desire.

                  Driving down the road the moment otherwise I would try to get you some screenshots

                  Siri was not nice to you!

                  translate for me thanks

                  I considered - but then I even realized I couldn't follow that dibble.

                  • dafyre @JaredBusch

                    @jaredbusch said in SFTP and cipher strength:

                    @brandon220 said in SFTP and cipher strength:

                    @jaredbusch I can see in the ssh_config and sshd_config files where the ciphers are listed but they are commented out. In fact, most of the lines in the files are commented out. I am struggling to find where it is actually getting its config from. I'll keep poking at it.

                    They are coming it out because it’s simply using default which is what should be coming it out on commenting those should have no change in your behavior. So you’ll end up modifying those lines and I’m commenting them to get the end that you desire.

                    Driving down the road the moment otherwise I would try to get you some screenshots

                    English Translation:

                    The lines are commented out because they are using the default settings. Uncomment those lines and then change them to work with the AES ciphers.

                    • brandon220

                      I see the ciphers listed on the ssh_config file which is supposed to be the client side. In the sshd_config there are no ciphers listed. If I run the command:
                      sudo sshd -T | grep ciphers
                      it returns:
                      ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]

                      I still cannot find where it is getting these from to be able to edit them.

                      • JaredBusch @brandon220

                        @brandon220 said in SFTP and cipher strength:

                        I see the ciphers listed on the ssh_config file which is supposed to be the client side. In the sshd_config there are no ciphers listed. If I run the command:
                        sudo sshd -T | grep ciphers
                        it returns:
                        ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]

                        I still cannot find where it is getting these from to be able to edit them.

                        Those are the defaults hardcoded into the application. Simply uncomment the ones in the configuration and change them to suit.

                        • brandon220

                          When I go to the MAN page (man sshd_config) it shows that:

                          The supported ciphers are:

                                         3des-cbc
                                         aes128-cbc
                                         aes192-cbc
                                         aes256-cbc
                                         aes128-ctr
                                         aes192-ctr
                                         aes256-ctr
                                         [email protected]
                                         [email protected]
                                         arcfour
                                         arcfour128
                                         arcfour256
                                         blowfish-cbc
                                         cast128-cbc
                                         [email protected]
                          

                          I tried adding AES128,AES192,AES256 and nothing changes. I did stop and restart the service. Seeing that the ones I need are not listed as supported, I am not sure if they will work.

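Added example, not part of the original thread: sshd matches cipher names exactly and case-sensitively against the man page list, so a proposed `Ciphers` value can be vetted before the service is restarted. The shell sketch below does that against a constructed supported list (the names quoted in the post above, minus the three the page shows obfuscated) and flags CBC entries; reading the vendor's non-CTR AES as the `-cbc` names is an assumption, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): vet a proposed sshd_config
# "Ciphers" value before restarting sshd.

# Constructed sample: names from the man page list quoted in the thread,
# without the three entries the page shows obfuscated. On a live host use:
#   SUPPORTED="$(ssh -Q cipher | tr '\n' ' ')"
SUPPORTED="3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr"
SUPPORTED="$SUPPORTED aes256-ctr arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc"

# Print each name in the comma-separated list $1 that is absent from the
# space-separated list $2. Matching is exact and case-sensitive.
unknown_ciphers() {
    for name in $(printf '%s' "$1" | tr ',' ' '); do
        case " $2 " in
            *" $name "*) ;;
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# Print the CBC-mode names in $1. None of them appear in the default
# list that "sshd -T" printed in the thread, so enabling one is a
# deliberate compatibility trade-off to record and later remove.
cbc_ciphers() {
    for name in $(printf '%s' "$1" | tr ',' ' '); do
        case "$name" in
            *-cbc) printf '%s\n' "$name" ;;
        esac
    done
}

# What the poster tried, then the spelling the man page list uses
# (assumption: the vendor's non-CTR AES means the -cbc variants).
for proposed in "AES128,AES192,AES256" \
                "aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc"; do
    echo "Ciphers $proposed"
    echo "  unknown: $(unknown_ciphers "$proposed" "$SUPPORTED" | tr '\n' ' ')"
    echo "  cbc:     $(cbc_ciphers "$proposed" | tr '\n' ' ')"
done
# After editing sshd_config, "sshd -t" checks the file and
# "sshd -T | grep ciphers" (the command from the thread) shows the result.
```

Keeping the existing CTR names in the list and appending the CBC ones means current clients continue to negotiate the stronger ciphers first.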
                          • scottalanmiller

                            Why are you using a client that doesn't support current SSH ciphers? What does this client do?

                            • brandon220 @scottalanmiller

                              @scottalanmiller I am not connecting to the server. I just set it up and have no trouble connecting to it and moving files around for testing purposes. One of our vendors will connect to it and upload files. We will then go retrieve them. THEIR client software is not playing nice with the ciphers that are the default in Fedora. They as a company are always behind the curve on being up-to-date. They just need it to work. I've been reading for hours on end to make it compatible for them with no luck.

                              • scottalanmiller @brandon220

                                @brandon220 said in SFTP and cipher strength:

                                @scottalanmiller I am not connecting to the server. I just set it up and have no trouble connecting to it and moving files around for testing purposes. One of our vendors will connect to it and upload files. We will then go retrieve them. THEIR client software is not playing nice with the ciphers that are the default in Fedora. They as a company are always behind the curve on being up-to-date. They just need it to work. I've been reading for hours on end to make it compatible for them with no luck.

                                Right, I guess that's the question, if they can't keep their software secure, time to have a "come to Jesus" talk with them. This isn't a hard thing to do, the most incompetent IT department would still have current ciphers for their SSH. This implies that they are behind by decades and are laughing that you are still paying them when they apparently fired their IT staff in the 1990s.
