[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Haven't seen this ssh output before

Le 27.11.2014 00:04, Harry Putnam a écrit :
Harry Putnam <reader@newsguy.com> writes:

I'm not at all clear on how one would go about making an adjustment in sshd_config to allow the algs used by my REMOTE-sol to be recognized.

REMOTE-sol does not appear to be using OpenSSH .. maybe a solaris
version of SSH.

In light of the comments above; if you have any more info on this and
have the time... please post.

I managed to get a bit of a solution after careful study of the error
output and man sshd_config (Largely from being guided by your post)

It shows the default kex algorithems and the possible kex alg.

I thought of just adding one that matched the list of my clients
available  choices to sshd_config on REMOTE-deb like so:

  KexAlgorithms  diffie-hellman-group-exchange-sha1

Then restart sshd.

That works, but I was afraid that might mean the defaults would be
dropped and only `diffie-hellman-group-exchange-sha1' would be
offered.  I was afraid that might cause failure on some other hosts.

Thanks for sharing the solution, one might needs it someday, especially considering the fact you are using the future debian stable.

Any opinions on what I may have created?

I'm not a security guy (not even a sysadmin, just a dev, but I am feeling concerned with security of computers anyway...), not that I do not want to learn about it, but it's a very complex thing. But, since you seem to be afraid of security holes, I would like to point to a package I have discovered recently (in a search about netBSD good points, the author was saying that a tool listing CVEs of packages you are trying to install was lacking on other systems, and made an edit because someone gave him this tool's name for Debian): debsecan.

This is a tool which lists CVE (Common Vulnerabilities and Exposures) that the packages you installed contains. I think you might get some hints if you make a diff between the old (you said you have un-upgraded systems) and the new (the system which gaves you problems) systems.

Now, I can't find any CVE with it on (one of) my computer, which have only openSSH's client installed, so it might not help you. Security is a really complex thing, that I do not understand a lot so the problem might not be caused by any CVE of openSSH itself, but, AFAIK, openSSH is using libssl, which is, according to aptitude: "a part of openSSL's implementation for SSL", and with this command:
$ debsecan |grep ssl -i
I have 2 CVEs (no idea if they apply to you btw):
CVE-2014-3566 libssl1.0.0 (remotely exploitable, medium urgency)
CVE-2014-3566 openssl (remotely exploitable, medium urgency)

Maybe your updated machine have fixed one of them?

Reply to: