
Cipher protocols supported by NCM SSH


FYI, just hit an issue following the upgrade of the OS on some of our fortigate boxes [due to the backdoor password discovery] where the ssh provided in NCM 7.3.x doesn't have an agreeable set of cipher protocols, which leads to a non-SSH connection:

Server (firewall) Algorithms

    kex_algorithms length: 61
    kex_algorithms string: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
    server_host_key_algorithms length: 15
    server_host_key_algorithms string: ssh-rsa,ssh-dss
    encryption_algorithms_client_to_server length: 135
    encryption_algorithms_client_to_server string: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    encryption_algorithms_server_to_client length: 135
    encryption_algorithms_server_to_client string: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    mac_algorithms_client_to_server length: 85
    mac_algorithms_client_to_server string: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    mac_algorithms_server_to_client length: 85
    mac_algorithms_server_to_client string: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    compression_algorithms_client_to_server length: 9
    compression_algorithms_client_to_server string: none,zlib
    compression_algorithms_server_to_client length: 9
    compression_algorithms_server_to_client string: none,zlib
    languages_client_to_server length: 0
    languages_client_to_server string: [Empty]
    languages_server_to_client length: 0
    languages_server_to_client string: [Empty]
    KEX First Packet Follows: 0
    Reserved: 00000000

Client Algorithms

    kex_algorithms length: 111
    kex_algorithms string: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
    server_host_key_algorithms length: 75
    server_host_key_algorithms string: ssh-rsa,ssh-dss,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
    encryption_algorithms_client_to_server length: 175
    encryption_algorithms_client_to_server string: aes128-cbc,aes128-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes192-ctr,aes256-cbc,aes256-ctr,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se,cast128-cbc
    encryption_algorithms_server_to_client length: 175
    encryption_algorithms_server_to_client string: aes128-cbc,aes128-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes192-ctr,aes256-cbc,aes256-ctr,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se,cast128-cbc
    mac_algorithms_client_to_server length: 64
    mac_algorithms_client_to_server string: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5,none
    mac_algorithms_server_to_client length: 64
    mac_algorithms_server_to_client string: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5,none
    compression_algorithms_client_to_server length: 9
    compression_algorithms_client_to_server string: none,none
    compression_algorithms_server_to_client length: 9
    compression_algorithms_server_to_client string: none,none
    languages_client_to_server length: 0
    languages_client_to_server string: [Empty]
    languages_server_to_client length: 0
    languages_server_to_client string: [Empty]
    KEX First Packet Follows: 0
    Reserved: 00000000


[the Fortigate simply drops the connection if it doesn't like the order of algorithms, which is somewhat less than helpful]


Is there a way to control the order of the client algorithms used by the NCM client?


[note: support cases 928417 and 927532]
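To see what the two lists above actually agree on, here is an added Python example (not code from the original post, nor from SolarWinds or Fortinet) that parses the "string:" lines of the dump and applies the RFC 4253 rule: for each list, the first entry in the client's order that the server also offers is chosen, and if nothing overlaps the handshake fails. Run against the lists copied from the post, every category does overlap, and the only key exchange both sides share is diffie-hellman-group1-sha1, the 1024-bit group, which lines up with the 1024 vs 2048 bit key size explanation that appears later in the thread. The function names (`parse_kexinit`, `negotiate`, `negotiate_all`, `weak_choices`) and the table of algorithms a hardening review would flag are my own assumptions, not anything stated on the page.

```python
"""Replay SSH algorithm negotiation (RFC 4253 section 7.1) from two KEXINIT dumps."""
from __future__ import annotations

import re

# Constructed sample input: the "string:" lines copied from the server (FortiGate)
# and client (NCM) dumps in the post. The server_to_client lists are identical to
# the client_to_server ones there, so only one direction is kept for brevity.
SERVER_DUMP = """\
    kex_algorithms string: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
    server_host_key_algorithms string: ssh-rsa,ssh-dss
    encryption_algorithms_client_to_server string: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    mac_algorithms_client_to_server string: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    compression_algorithms_client_to_server string: none,zlib
    languages_client_to_server string: [Empty]
"""
CLIENT_DUMP = """\
    kex_algorithms string: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
    server_host_key_algorithms string: ssh-rsa,ssh-dss,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
    encryption_algorithms_client_to_server string: aes128-cbc,aes128-ctr,3des-cbc,blowfish-cbc,aes192-cbc,aes192-ctr,aes256-cbc,aes256-ctr,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se,cast128-cbc
    mac_algorithms_client_to_server string: hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5,none
    compression_algorithms_client_to_server string: none,none
    languages_client_to_server string: [Empty]
"""

# Lists that must agree for the handshake to proceed (languages are advisory only).
NEGOTIATED = [
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "mac_algorithms_client_to_server",
    "compression_algorithms_client_to_server",
]

# Assumed hardening table: algorithms worth flagging even when they negotiate fine.
WEAK = {
    "diffie-hellman-group1-sha1": "1024-bit MODP group with SHA-1",
    "diffie-hellman-group-exchange-sha1": "SHA-1 based group exchange",
    "ssh-dss": "DSA host keys are limited to 1024 bits",
    "arcfour": "RC4 stream cipher",
    "3des-cbc": "64-bit block cipher in CBC mode",
    "blowfish-cbc": "64-bit block cipher in CBC mode",
    "cast128-cbc": "64-bit block cipher in CBC mode",
    "hmac-md5": "MD5-based MAC",
    "hmac-md5-96": "truncated MD5-based MAC",
    "hmac-sha1-96": "truncated SHA-1 MAC",
    "none": "no integrity protection",
}


def parse_kexinit(dump: str) -> dict[str, list[str]]:
    """Turn '<name> string: a,b,c' lines into {name: [a, b, c]}; '[Empty]' becomes []."""
    lists: dict[str, list[str]] = {}
    for line in dump.splitlines():
        m = re.match(r"\s*(\w+) string: (.*)$", line)
        if m:
            name, value = m.group(1), m.group(2).strip()
            lists[name] = [] if value == "[Empty]" else value.split(",")
    return lists


def negotiate(client: list[str], server: list[str]) -> str | None:
    """First algorithm in the client's preference order that the server also lists.

    None means no common algorithm, i.e. the connection cannot proceed."""
    offered = set(server)
    for alg in client:
        if alg in offered:
            return alg
    return None


def negotiate_all(client_dump: str, server_dump: str) -> dict[str, str | None]:
    """Negotiate every mandatory list from the two raw dumps."""
    client, server = parse_kexinit(client_dump), parse_kexinit(server_dump)
    return {name: negotiate(client.get(name, []), server.get(name, [])) for name in NEGOTIATED}


def weak_choices(chosen: dict[str, str | None]) -> list[tuple[str, str, str]]:
    """Return (list name, algorithm, reason) for negotiated algorithms in WEAK."""
    flagged = []
    for name, alg in chosen.items():
        # "none" is a normal compression choice; it is only a problem as a MAC.
        if alg is None or name.startswith("compression"):
            continue
        if alg in WEAK:
            flagged.append((name, alg, WEAK[alg]))
    return flagged


if __name__ == "__main__":
    result = negotiate_all(CLIENT_DUMP, SERVER_DUMP)
    for name, alg in result.items():
        print(f"{name:42} -> {alg or 'NO COMMON ALGORITHM (connection fails)'}")
    for name, alg, why in weak_choices(result):
        print(f"weak: {name} = {alg} ({why})")
```

Because every list overlaps here, a plain algorithm mismatch does not explain the dropped connection; the script's main value is showing that the one agreed key exchange is the 1024-bit group, which is exactly the parameter the later 1024 vs 2048 bit discussion turns on. Point it at a dump from `ssh -vv` or a packet capture to check other client/device pairs.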




1 Solution

RichardLetts‌,

I don't think you can control the order of encryption algorithms used by NCM, but I'll let our engineers confirm that through your support case.

What's the Fortigate OS version you upgraded to?

If it's 5.2.5, then it's a known issue and Fortigate is working on a fix.

Jiri


24 Replies

The issue is resolved in FortiOS 5.2.8.

I have installed 5.2.8 and tested SSH access from NCM fine.


Thank you very much. The fix solved my problem.


The fix for NCM is on the way, stay tuned.


The fix is available -- NCM v7.4.1 Hot Fix 3 is now available.

Jiri

It says 7.4.1 but... works on 7.3.2 as well (tested myself)


While it might work with 7.3.2 it is only intended for 7.4.1.  Please proceed with caution applying this to other versions, as our Support team will not be able to assist if it breaks something on other versions.


We have multiple models of Fortigate in our environment. We only just started experiencing this on a 90D when upgrading to v5.2.6.

I called FortiNet, they confirmed the bug ID (0300588) listed in this article will be resolved in 5.2.7. There is no public article about the bug from FortiNet. I have escalated my case with them as I was told the higher tier of support can release some information about the bug to me.

I have a 300D and 311B running same firmware version that does not experience this issue. FortiNet told me this is not a model specific issue and obviously it isn't a firmware specific issue as multiple devices running same firmware don't experience the issue.

Given what I'm seeing I'm not so sure this is without a doubt an issue on FortiNet's side of things and not Solarwinds.

We're running Network Configuration Manager 7.4.1.

From NCM Support:

Currently, NCM supports key sizes of 1024 bits. I will check if I can send this as a feature request to Dev.

From FortiNet Support:

FortiGate 90D running v5.2.6 requires 2048 bits.

Someone has to give here. I really think NCM should have an option to use a more secure encryption key.


Thanks Chad, I will add this as a feature request for NCM.


I can tell you however if you're desperate you can upgrade your FortiOS to 5.4 and then use a command via the CLI to downgrade your encryption on your FortiGate to 1024. Not sure anyone wants to do that though. The downgrade is not supported in 5.2.6.


chad.mowery​ Would you be able to open a case with Support so we can help investigate?  Once you open the case please post the case number here so I can track it.

Jeff


That was the first thing I did. Case #960177 - "Fortigate SSH connection refused"


Yes, it's 5.2.5 -- do you have a reference number we can use to attach our case to it?


Fortinet case should be BUG ID 0300588.

Jiri

According to info that I received from a customer, Fortigate should include the fix in release 5.2.7.

Jiri

In 5.2.7 the problem remains.


Thanks for sharing.  We are actively working on this and hope to provide more details shortly.  I'll update the thread when I have some news.

Do you have any news regarding the resolution of this issue? As a workaround, I set the following command on the FCT and then I was able to back it up.

    config sys global
        set admin-ssh-v1 enable
    end
