24 Replies Latest reply on Jul 8, 2016 3:00 PM by dl-it-networkadmin

    Cipher protocols supported by NCM SSH

    RichardLetts

      FYI, just hit an issue following the upgrade of the OS on some of our FortiGate boxes [due to the backdoor password discovery] where the SSH provided in NCM 7.3.x doesn't have an agreeable set of cipher protocols, which leads to non-SSH connection:

       

      Server (firewall) Algorithms

          kex_algorithms length: 61

          kex_algorithms string: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

          server_host_key_algorithms length: 15

          server_host_key_algorithms string: ssh-rsa,ssh-dss

          encryption_algorithms_client_to_server length: 135

          encryption_algorithms_client_to_server string: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr

          encryption_algorithms_server_to_client length: 135

          encryption_algorithms_server_to_client string: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr

          mac_algorithms_client_to_server length: 85

          mac_algorithms_client_to_server string: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

          mac_algorithms_server_to_client length: 85

          mac_algorithms_server_to_client string: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

          compression_algorithms_client_to_server length: 9

          compression_algorithms_client_to_server string: none,zlib

          compression_algorithms_server_to_client length: 9

          compression_algorithms_server_to_client string: none,zlib

          languages_client_to_server length: 0

          languages_client_to_server string: [Empty]

          languages_server_to_client length: 0

          languages_server_to_client string: [Empty]

          KEX First Packet Follows: 0

          Reserved: 00000000

       

      Client Algorithms

          kex_algorithms length: 111

          kex_algorithms string: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1

          server_host_key_algorithms length: 75

          server_host_key_algorithms string: ssh-rsa,ssh-dss,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256

          encryption_algorithms_client_to_server length: 175

          encryption_algorithms_client_to_server string: aes128-cbc,aes128-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes192-ctr,aes256-cbc,aes256-ctr,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se,cast128-cbc

          encryption_algorithms_server_to_client length: 175

          encryption_algorithms_server_to_client string: aes128-cbc,aes128-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes192-ctr,aes256-cbc,aes256-ctr,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se,cast128-cbc

          mac_algorithms_client_to_server length: 64

          mac_algorithms_client_to_server string: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5,none

          mac_algorithms_server_to_client length: 64

          mac_algorithms_server_to_client string: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5,none

          compression_algorithms_client_to_server length: 9

          compression_algorithms_client_to_server string: none,none

          compression_algorithms_server_to_client length: 9

          compression_algorithms_server_to_client string: none,none

          languages_client_to_server length: 0

          languages_client_to_server string: [Empty]

          languages_server_to_client length: 0

          languages_server_to_client string: [Empty]

          KEX First Packet Follows: 0

          Reserved: 00000000


      [the FortiGate simply drops the connection if it doesn't like the order or algorithms, which is somewhat less than helpful]


      Is there a way to control the order of the client algorithms used by the NCM client?


      [note: support cases 928417 and 927532]
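
Added example (not part of the original post, and not NCM or FortiOS code): the standard RFC 4253 section 7.1 selection rule applied to the two KEXINIT name-lists quoted above, showing per category what that rule picks and which names only one side offers. The function and dictionary names are hypothetical; cipher and MAC lists are entered once because the dumps show identical lists in both directions.

```python
# RFC 4253 section 7.1 selection over the KEXINIT name-lists quoted in the post.
# Cipher and MAC lists appear once: the dumps show the same list in both directions.
SERVER = {  # firewall side, copied from the post
    "kex": "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1",
    "host_key": "ssh-rsa,ssh-dss",
    "cipher": "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr",
    "mac": "hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96",
    "compression": "none,zlib",
}
CLIENT = {  # NCM side, copied from the post
    "kex": "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1",
    "host_key": "ssh-rsa,ssh-dss,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256",
    "cipher": "aes128-cbc,aes128-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes192-ctr,aes256-cbc,aes256-ctr,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se,cast128-cbc",
    "mac": "hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5,none",
    "compression": "none,none",
}

def names(name_list):
    """Split an SSH name-list into its ordered entries."""
    return [n for n in name_list.split(",") if n]

def negotiate(client_list, server_list):
    """First name on the client's list that the server also lists, else None.
    Simplification: the kex rule's host-key capability check is not modelled."""
    offered = set(names(server_list))
    return next((n for n in names(client_list) if n in offered), None)

def compare(client=CLIENT, server=SERVER):
    """Per category: the negotiated name and the names only one side offers."""
    result = {}
    for cat in client:
        c, s = names(client[cat]), names(server[cat])
        result[cat] = {
            "chosen": negotiate(client[cat], server[cat]),
            "client_only": [n for n in c if n not in s],
            "server_only": [n for n in s if n not in c],
        }
    return result

if __name__ == "__main__":
    for cat, r in compare().items():
        print(f"{cat:12} chosen={r['chosen']}")
        print(f"{'':12} client only: {', '.join(r['client_only']) or '-'}")
        print(f"{'':12} server only: {', '.join(r['server_only']) or '-'}")
```

On these lists every category has at least one shared name, and the only shared key exchange method is diffie-hellman-group1-sha1.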