KS-Soft. Network Management Solutions

SSH test - Protocol error

datwood100
Joined: 03 Sep 2015
Posts: 10

Posted: Thu Sep 03, 2015 10:54 am    Post subject: SSH test - Protocol error

For a lot of the Linux servers I need to monitor, I cannot run the SSH test; it fails with "Protocol error. Encryption ciphers are not supported by client". I understand this is due to server protocol configuration. But I cannot get the servers changed; it is outside my control.

I am running an older version of HM, and downloaded the current version trial to see if the current version supported newer protocols. But it still fails.

Question: Can the HM SSH test support other protocols, like PLINK does?

Thanks, DAtwood

PS. Below is output from KSSSHCMD to show the exact issue.

D:\HostMonitor>KSSSHCMD.EXE -host:armball3c -user:btl112 -password:xxxx -cmd:"ls" -hmacdebug -debug
[9/2/2015 12:28:11 PM] Communication started.
[9/2/2015 12:28:11 PM] Server Version: SSH-2.0-OpenSSH_4.3
[9/2/2015 12:28:11 PM] Protocol Version: 2
[9/2/2015 12:28:11 PM] Packet received: 20
[9/2/2015 12:28:11 PM] Send Packet: 1
[9/2/2015 12:28:11 PM] Communication finished.
Protocol error. Encryption ciphers are not supported by client

KS-Soft
Joined: 03 Apr 2002
Posts: 12795
Location: USA

Posted: Thu Sep 03, 2015 1:41 pm

We can add new code in a new version.
The question is which cipher exactly should be added: what protocols are supported by your server?

Regards
Alex

datwood100
Joined: 03 Sep 2015
Posts: 10

Posted: Fri Sep 04, 2015 12:35 pm

Please give me a couple of days, I need to get the list of supported ciphers from our Unix team.

datwood100
Joined: 03 Sep 2015
Posts: 10

Posted: Fri Jan 08, 2016 4:20 pm

Sorry for not being able to follow up. I got reassigned to another project, but now need to return to this.

When connecting with PuTTY, the PuTTY event log returns this. Hopefully that is enough for you to tell which cipher will work.

Thanks,
DAtwood

2016-01-08 16:06:36 Looking up host "jap0003v3c"
2016-01-08 16:06:36 Connecting to 10.14.58.103 port 22
2016-01-08 16:06:36 Server version: SSH-2.0-OpenSSH_5.3
2016-01-08 16:06:36 Using SSH protocol version 2
2016-01-08 16:06:36 We claim version: SSH-2.0-PuTTY_Release_0.62
2016-01-08 16:06:36 Doing Diffie-Hellman group exchange
2016-01-08 16:06:36 Doing Diffie-Hellman key exchange with hash SHA-256
2016-01-08 16:06:36 Host key fingerprint is:
2016-01-08 16:06:36 ssh-rsa 2048 3d:ce:4e:10:6e:71:b5:39:91:e7:17:45:95:60:ef:b1
2016-01-08 16:06:36 Initialised AES-256 SDCTR client->server encryption
2016-01-08 16:06:36 Initialised HMAC-SHA1 client->server MAC algorithm
2016-01-08 16:06:36 Initialised AES-256 SDCTR server->client encryption
2016-01-08 16:06:36 Initialised HMAC-SHA1 server->client MAC algorithm
2016-01-08 16:06:36 Pageant is running. Requesting keys.
2016-01-08 16:06:36 Pageant has 2 SSH-2 keys
2016-01-08 16:06:42 Trying Pageant key #0
2016-01-08 16:06:42 Server refused our key
2016-01-08 16:06:42 Trying Pageant key #1
2016-01-08 16:06:42 Server refused our key
2016-01-08 16:06:42 Using SSPI from SECUR32.DLL
2016-01-08 16:06:42 Attempting GSSAPI authentication
2016-01-08 16:06:42 GSSAPI authentication request refused
2016-01-08 16:06:44 Sent password
2016-01-08 16:06:45 Access granted
2016-01-08 16:06:45 Opened channel for session
2016-01-08 16:06:45 Allocated pty (ospeed 38400bps, ispeed 38400bps)
2016-01-08 16:06:45 Started a shell/command

PS: Also, here is the result of the 'openssl ciphers' command run from the Linux box. Perhaps that could be useful.
$ openssl ciphers
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:DES-CBC3-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:PSK-3DES-EDE-CBC-SHA:KRB5-IDEA-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-IDEA-CBC-MD5:KRB5-DES-CBC3-MD5:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:KRB5-RC4-SHA:KRB5-RC4-MD5

KS-Soft Europe
Joined: 16 May 2006
Posts: 2832

Posted: Fri Jan 08, 2016 6:05 pm

Could you try to use HostMonitor 10.06 Beta?
It comes with newer OpenSSL libraries.
Note1: please check if your registration code is valid for version 10.06 using menu Help -> Update check.
Note2: you may install HostMonitor 10.06 Beta (evaluation mode) into some test system.

datwood100
Joined: 03 Sep 2015
Posts: 10

Posted: Mon Jan 11, 2016 11:54 am

Just completed a test install of 10.06 Beta. It did the same "Protocol error: Encryption ciphers are not supported by client"

KS-Soft
Joined: 03 Apr 2002
Posts: 12795
Location: USA

Posted: Mon Jan 18, 2016 4:44 pm

Sorry for the delay,
we want to provide an update with AES128-ctr, AES192-ctr and AES256-ctr cipher support but it does not work yet.
AES128-cbc, AES192-cbc and AES256-cbc ciphers work in the new version while the old version supports AES128_cbc only (plus 3des-cbc, blowfish-cbc...)

Also, the diffie-hellman-group1-sha1 key exchange algorithm should be enabled (KexAlgorithms parameter in the sshd_config file)

Regards
Alex
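
An added example, not part of any post in this thread and not KS-Soft's code: the KSSSHCMD log in the first post stops right after receiving packet 20 (SSH_MSG_KEXINIT) and sending packet 1 (SSH_MSG_DISCONNECT), so this Python code parses a KEXINIT payload per RFC 4253 and applies the first-client-match rule to show why a CBC-only client cannot agree with a CTR-only server. The server and client algorithm lists are constructed from names mentioned in the thread and are assumptions, not captures from these hosts.

```python
import struct

# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
SSH_MSG_KEXINIT = 20

def build_kexinit(lists):
    """Encode a KEXINIT payload from {field: [names]} (all-zero cookie)."""
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for field in FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(names)) + names
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [algorithm names]}."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, result = 17, {}  # skip the message type byte and 16-byte cookie
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated before name-list " + field)
        (length,) = struct.unpack_from(">I", payload, pos)
        raw = payload[pos + 4:pos + 4 + length]
        if len(raw) != length:
            raise ValueError("truncated name-list " + field)
        result[field] = raw.decode("ascii").split(",") if raw else []
        pos += 4 + length
    return result

def negotiate(client, server):
    """Per field, first client-listed name the server also lists; None if no overlap."""
    return {f: next((a for a in client[f] if a in server[f]), None) for f in FIELDS}

# Constructed sample lists (assumptions, not captured from the hosts in this thread).
CTR = ["aes128-ctr", "aes192-ctr", "aes256-ctr"]
CBC = ["aes128-cbc", "3des-cbc", "blowfish-cbc"]
SERVER = parse_kexinit(build_kexinit({
    "kex": ["diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha1"],
    "host_key": ["ssh-rsa"], "enc_c2s": CTR, "enc_s2c": CTR,
    "mac_c2s": ["hmac-sha1"], "mac_s2c": ["hmac-sha1"],
    "comp_c2s": ["none"], "comp_s2c": ["none"]}))
CBC_ONLY_CLIENT = dict(SERVER, kex=["diffie-hellman-group1-sha1"], enc_c2s=CBC, enc_s2c=CBC)
RESULT = negotiate(CBC_ONLY_CLIENT, SERVER)
# Fields where the client offered something but nothing matched: the handshake aborts.
FAILED = sorted(f for f in FIELDS if CBC_ONLY_CLIENT[f] and RESULT[f] is None)
```

diffie-hellman-group1-sha1 uses a 1024-bit group and OpenSSH 7.0 and later disable it by default, so enabling it in sshd_config trades security for compatibility; extending the client's algorithm list is the safer fix.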

datwood100
Joined: 03 Sep 2015
Posts: 10

Posted: Tue Jan 19, 2016 11:23 am

ok, good luck with the update. I'll monitor for new updates.

Unfortunately, our security group won't let me change any sshd settings. For now, I can invoke plink via script for the more critical tests.

Thanks,
DAtwood

datwood100
Joined: 03 Sep 2015
Posts: 10

Posted: Thu Jan 28, 2016 11:25 am

Hmm, I saw that 10.08 Beta was available & had updates for AES256 encryption on the SSH test. But after downloading & testing, I still get the same error message.

It's hard for me to believe our servers are so non-standard, but our security group is very quick to disable obsolete or broken ciphers. Is no one else seeing this issue?

Thanks,
Dwayne

KS-Soft
Joined: 03 Apr 2002
Posts: 12795
Location: USA

Posted: Thu Jan 28, 2016 12:06 pm

10.08 comes with AES-cbc.
AES-ctr does not work yet.

Regards
Alex

KS-Soft
Joined: 03 Apr 2002
Posts: 12795
Location: USA

Posted: Sat Apr 16, 2016 8:29 am

Version 10.14 supports the AES-ctr cipher
http://www.ks-soft.net/hostmon.eng/news.htm

Regards
Alex

All times are GMT - 6 Hours