SSH test - Protocol error

All questions related to installations, configurations and maintenance of Advanced Host Monitor (including additional tools such as RMA for Windows, RMA Manager, Web Service, RCC).
datwood100
Posts: 10
Joined: Thu Sep 03, 2015 10:42 am

Post by datwood100 »

For a lot of the Linux servers I need to monitor, I cannot run the SSH test, it fails with "Protocol error. Encryption ciphers are not supported by client". I understand this is due to server protocol configuration. But I cannot get the servers changed, it is outside my control.

I am running an older version of HM, and downloaded the current version trial to see if the current version supported newer protocols. But it still fails.

Question: Can the HM SSH test support other protocols, like PLINK does?

Thanks, DAtwood

PS. Below is output from KSSSHCMD to show the exact issue.

D:\HostMonitor>KSSSHCMD.EXE -host:armball3c -user:btl112 -password:xxxx -cmd:"ls" -hmacdebug -debug
[9/2/2015 12:28:11 PM] Communication started.
[9/2/2015 12:28:11 PM] Server Version: SSH-2.0-OpenSSH_4.3
[9/2/2015 12:28:11 PM] Protocol Version: 2
[9/2/2015 12:28:11 PM] Packet received: 20
[9/2/2015 12:28:11 PM] Send Packet: 1
[9/2/2015 12:28:11 PM] Communication finished.
Protocol error. Encryption ciphers are not supported by client
KS-Soft
Posts: 12821
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA
Contact:

Post by KS-Soft »

We can add new code in a new version.
The question is exactly which cipher should be added: what protocols are supported by your server?

Regards
Alex
datwood100
Posts: 10
Joined: Thu Sep 03, 2015 10:42 am

Post by datwood100 »

Please give me a couple of days, I need to get the list of supported ciphers from our Unix team.
datwood100
Posts: 10
Joined: Thu Sep 03, 2015 10:42 am

Post by datwood100 »

Sorry for not being able to follow up. I got reassigned to another project, but now need to return to this.

When connecting with PuTTY, the PuTTY event log returns this. Hopefully that is enough for you to tell which cipher will work.

Thanks,
DAtwood

2016-01-08 16:06:36 Looking up host "jap0003v3c"
2016-01-08 16:06:36 Connecting to 10.14.58.103 port 22
2016-01-08 16:06:36 Server version: SSH-2.0-OpenSSH_5.3
2016-01-08 16:06:36 Using SSH protocol version 2
2016-01-08 16:06:36 We claim version: SSH-2.0-PuTTY_Release_0.62
2016-01-08 16:06:36 Doing Diffie-Hellman group exchange
2016-01-08 16:06:36 Doing Diffie-Hellman key exchange with hash SHA-256
2016-01-08 16:06:36 Host key fingerprint is:
2016-01-08 16:06:36 ssh-rsa 2048 3d:ce:4e:10:6e:71:b5:39:91:e7:17:45:95:60:ef:b1
2016-01-08 16:06:36 Initialised AES-256 SDCTR client->server encryption
2016-01-08 16:06:36 Initialised HMAC-SHA1 client->server MAC algorithm
2016-01-08 16:06:36 Initialised AES-256 SDCTR server->client encryption
2016-01-08 16:06:36 Initialised HMAC-SHA1 server->client MAC algorithm
2016-01-08 16:06:36 Pageant is running. Requesting keys.
2016-01-08 16:06:36 Pageant has 2 SSH-2 keys
2016-01-08 16:06:42 Trying Pageant key #0
2016-01-08 16:06:42 Server refused our key
2016-01-08 16:06:42 Trying Pageant key #1
2016-01-08 16:06:42 Server refused our key
2016-01-08 16:06:42 Using SSPI from SECUR32.DLL
2016-01-08 16:06:42 Attempting GSSAPI authentication
2016-01-08 16:06:42 GSSAPI authentication request refused
2016-01-08 16:06:44 Sent password
2016-01-08 16:06:45 Access granted
2016-01-08 16:06:45 Opened channel for session
2016-01-08 16:06:45 Allocated pty (ospeed 38400bps, ispeed 38400bps)
2016-01-08 16:06:45 Started a shell/command

PS: also, here is the result of the 'openssl ciphers' cmd run from the Linux box. Perhaps that could be useful.
$ openssl ciphers
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:DES-CBC3-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:PSK-3DES-EDE-CBC-SHA:KRB5-IDEA-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-IDEA-CBC-MD5:KRB5-DES-CBC3-MD5:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:KRB5-RC4-SHA:KRB5-RC4-MD5
KS-Soft Europe
Posts: 2832
Joined: Tue May 16, 2006 4:41 am
Contact:

Post by KS-Soft Europe »

Could you try to use HostMonitor 10.06 Beta?
It comes with newer OpenSSL libraries.
Note1: please check if your registration code is valid for version 10.06 using menu Help -> Update check.
Note2: you may install HostMonitor 10.06 Beta (evaluation mode) into some test system.
datwood100
Posts: 10
Joined: Thu Sep 03, 2015 10:42 am

Post by datwood100 »

Just completed a test install of 10.06 beta. It did the same "Protocol error: Encryption ciphers are not supported by client"
KS-Soft
Posts: 12821
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA
Contact:

Post by KS-Soft »

Sorry for the delay,
we want to provide an update with AES128-ctr, AES192-ctr and AES256-ctr cipher support, but it does not work yet.
AES128-cbc, AES192-cbc and AES256-cbc ciphers work in the new version, while the old version supports AES128_cbc only (plus 3des-cbc, blowfish-cbc...)

Also, the diffie-hellman-group1-sha1 key exchange algorithm should be enabled (KexAlgorithms parameter in the sshd_config file)

Regards
Alex
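
What the error in this thread means at the protocol level, as an added example that is not part of the original posts and not KS-Soft's code: packet 20 in the KSSSHCMD debug output is SSH_MSG_KEXINIT, in which each side lists its algorithms, and the cipher chosen is the first one on the client's list that the server also offers (RFC 4253, section 7.1). The old client's list is the one named in the post above; the server's list is constructed for illustration, since the thread never gives it, and `offer` is a hypothetical helper.

```python
import struct

SSH_MSG_KEXINIT = 20  # the "Packet received: 20" in the KSSSHCMD debug output
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def build_kexinit(lists):
    """Encode a KEXINIT payload (RFC 4253 section 7.1) from a dict of name-lists."""
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)           # type + cookie (zeroed here)
    for field in FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(names)) + names     # name-list: uint32 length + names
    return out + b"\x00" + struct.pack(">I", 0)           # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [algorithm names]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, parsed = 17, {}                                  # skip type byte and cookie
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + length > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + length].decode("ascii")
        parsed[field] = raw.split(",") if raw else []
        pos += length
    return parsed

def negotiate(client, server, field):
    """First algorithm on the client's list that the server also offers, else None."""
    return next((a for a in client[field] if a in server[field]), None)

def offer(ciphers):
    """Hypothetical helper: round-trip a KEXINIT offering the same ciphers both ways."""
    return parse_kexinit(build_kexinit({"enc_c2s": ciphers, "enc_s2c": ciphers}))

SERVER = offer(["aes128-ctr", "aes192-ctr", "aes256-ctr"])   # constructed, CTR-only
OLD_CLIENT = offer(["aes128-cbc", "3des-cbc", "blowfish-cbc"])
CTR_CLIENT = offer(["aes256-ctr", "aes256-cbc"])              # constructed

if __name__ == "__main__":
    for name, client in (("old client", OLD_CLIENT), ("CTR client", CTR_CLIENT)):
        print(name, "->", negotiate(client, SERVER, "enc_c2s"))
```

A result of `None` is the condition a client reports as having no supported cipher; against a CTR-only server, no amount of added CBC support changes it.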
datwood100
Posts: 10
Joined: Thu Sep 03, 2015 10:42 am

Post by datwood100 »

OK, good luck with the update. I'll monitor for new updates.

Unfortunately, our security group won't let me change any sshd settings. For now, I can invoke plink via script for the more critical tests.

Thanks,
DAtwood
datwood100
Posts: 10
Joined: Thu Sep 03, 2015 10:42 am

Post by datwood100 »

Hmm, I saw that 10.08 Beta was available & had updates for AES256 encryption on the SSH test. But after downloading & testing, I still get same error message.

It's hard for me to believe our servers are so non-standard, but our security group is very quick to disable obsolete or broken ciphers. Is no one else seeing this issue?

Thanks,
Dwayne
KS-Soft
Posts: 12821
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA
Contact:

Post by KS-Soft »

10.08 comes with AES-cbc.
AES-ctr does not work yet.

Regards
Alex
KS-Soft
Posts: 12821
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA
Contact:

Post by KS-Soft »

Version 10.14 supports the AES-ctr cipher
http://www.ks-soft.net/hostmon.eng/news.htm

Regards
Alex