Welcome to the VanDyke Software Forums

Join the discussion today!


Go Back   VanDyke Software Forums > Secure Shell

Reply
 
Thread Tools Display Modes
  #1  
Old 01-09-2018, 02:33 PM
ChuckS@CAM-Ohio's Avatar
ChuckS@CAM-Ohio ChuckS@CAM-Ohio is offline
Registered User
 
Join Date: Jun 2017
Location: Ohio, USA
Posts: 6
vshelld_config Ciphers

We have a trading partner which is stipulating that we disable AES128. We believe that we will be able to do that by adding the following line to /usr/local/etc/vshelld_config:
Ciphers { aes192-ctr,aes256-ctr,aes192-cbc,aes256-cbc,twofish-cbc,blowfish-cbc,3des-cbc,arcfour }

Our questions are:
1. Will this change completely disable EAS128?
2. Will we be able to issue /etc/init.d/vshell reload to make the change take effect?
3. Are all of the ciphers listed supported? (We got the list from the man page...)
4. Are all of the listed ciphers secure, or are there some which should not be on the list?
5. Are there any additional ciphers which should be added to the list?

Thank you.
Chuck
Reply With Quote
  #2  
Old 01-09-2018, 03:40 PM
jdev's Avatar
jdev jdev is offline
VanDyke Technical Support
 
Join Date: Nov 2003
Location: Albuquerque, NM
Posts: 823
Quote:
Originally Posted by ChuckS@CAM-Ohio View Post
We have a trading partner which is stipulating that we disable AES128.
All AES-128*, regardless if it's CBC or CTR?

AES-*-CBC ciphers are considered to be weaker than the *CTR counterparts, but I'm unaware of AES-128-CTR being so weak that it would be banned/avoided. If the suggestion of your trading partner is to disable AES-128 (either variant), you'd certainly want to avoid 3DES and RC4 for sure since they're considered to be weaker.

Quote:
Originally Posted by ChuckS@CAM-Ohio View Post
We believe that we will be able to do that by adding the following line to /usr/local/etc/vshelld_config:
Ciphers { aes192-ctr,aes256-ctr,aes192-cbc,aes256-cbc,twofish-cbc,blowfish-cbc,3des-cbc,arcfour }

1. Will this change completely disable EAS128?
If you remove both instances of the aes-128* entries in the cipher list, they won't be presented/offered/supported when a client connects and attempts to perform key exchange to secure the transport layer.

You can test your configuration once you've reloaded the config by using the vsh command line utility that ships with VShell. For example:

Code:
$ vsh -v localhost
...
[LOCAL] : Available Remote Send Ciphers = chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,twofish-cbc,blowfish-cbc
[LOCAL] : Selected Send Cipher = aes256-ctr
[LOCAL] : Available Remote Recv Ciphers = chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,twofish-cbc,blowfish-cbc
[LOCAL] : Selected Recv Cipher = aes256-ctr
...
If you notice, as in the above output, that the aes128-* ciphers are not offered, then you'll have your confirmation that they've been disabled.


Quote:
Originally Posted by ChuckS@CAM-Ohio View Post
2. Will we be able to issue /etc/init.d/vshell reload to make the change take effect?
/etc/init.d/vshelld reload will effectuate the change for all new connections that are established after the reload is accomplished (don't forget the trailing 'd' on 'vshelld').

Quote:
Originally Posted by ChuckS@CAM-Ohio View Post
3. Are all of the ciphers listed supported? (We got the list from the man page...)
Which version of VShell do you have installed? The list of supported ciphers depends on the version of VShell. The version of VShell current at the time of this posting is 4.3.1, which supports the following ciphers:
Code:
Cipher Name        Config String
--------------------------------------------------
AES-128-CTR        aes128-ctr
AES-192-CTR        aes192-ctr
AES-256-CTR        aes256-ctr
AES-128            aes128-cbc
AES-192            aes192-cbc
AES-256            aes256-cbc
ChaCha20-Poly1305  chacha20-poly1305@openssh.com
Twofish            twofish-cbc
Blowfish           blowfish-cbc
3DES               3des-cbc
RC4                arcfour
Quote:
Originally Posted by ChuckS@CAM-Ohio View Post
4. Are all of the listed ciphers secure, or are there some which should not be on the list?
That depends on how you define "secure". "Secure" means different things to different people; even for the same person, "secure" can mean different things depending on the context of the situation.

If security is of the utmost concern (compatibility and performance/speed as a "zero" concern), you would disable all but the strongest ciphers, but if you need to be compatible with a wide variety of old/new clients, disabling older/weaker ciphers may not be a good idea since those clients may no longer be able to successfully connect.

3DES/3des and RC4/arcfour are probably the weakest ciphers in the list.

For the AES-* ciphers, the CBC ciphers are generally considered weaker than their CTR counterparts; the cbc ciphers don't have "cbc" as part of their name. The CTR ciphers have '-ctr' as part of their name.

Some consider the ChaCha20-Poly1305 to be the most secure cipher of those that VShell currently supports.

Quote:
Originally Posted by ChuckS@CAM-Ohio View Post
5. Are there any additional ciphers which should be added to the list?
Depends on the version of VShell you have installed. You may want to add more ciphers to the list, but if your version of VShell doesn't support them, vshelld will complain to syslog when you reload the config.

--Jake
__________________
Jake Devenport
VanDyke Software
Technical Support
support@vandyke.com
http://www.vandyke.com/support
Reply With Quote
  #3  
Old 01-10-2018, 09:59 AM
ChuckS@CAM-Ohio's Avatar
ChuckS@CAM-Ohio ChuckS@CAM-Ohio is offline
Registered User
 
Join Date: Jun 2017
Location: Ohio, USA
Posts: 6
vshelld_config Ciphers

We are checking with our trading partner on their stance regarding AES128-CTR.

Our VShell server appears to be running version 4.2.2:
vsh version 7.5.0 (build 1121) starting. (Using SSH2Core version 7.5.0.1121.)
[LOCAL] : SSH2Core version 7.5.0.1121
[LOCAL] : Connecting to localhost:22 ...
[LOCAL] : Changing state from STATE_NOT_CONNECTED to STATE_EXPECT_KEX_INIT
[LOCAL] : Using protocol SSH2
[LOCAL] : RECV : Remote Identifier = 'SSH-2.0-VShell_4_2_2_1121 VShell'
Reply With Quote
  #4  
Old 01-10-2018, 10:17 AM
jdev's Avatar
jdev jdev is offline
VanDyke Technical Support
 
Join Date: Nov 2003
Location: Albuquerque, NM
Posts: 823
Quote:
Originally Posted by ChuckS@CAM-Ohio View Post
Our VShell server appears to be running version 4.2.2

VShell version 4.2. supports the following ciphers (from man vshelld_config):
Code:
Name         String
----------------------------
AES-128-CTR  aes128-ctr
AES-192-CTR  aes192-ctr
AES-256-CTR  aes256-ctr
AES-128      aes128-cbc
AES-192      aes192-cbc
AES-256      aes256-cbc
Twofish      twofish-cbc
Blowfish     blowfish-cbc
3DES         3des-cbc
RC4          arcfour
__________________
Jake Devenport
VanDyke Software
Technical Support
support@vandyke.com
http://www.vandyke.com/support
Reply With Quote
Reply


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -6. The time now is 04:18 AM.