 SMG 10.7.5 sshd-config change kex

Manuel Nientit posted Dec 06, 2021 10:58 AM
Hello,

with the update to 10.7.5 there have been changes to sshd-config which are neither documented in the release notes nor in the administration documentation.

With
sshd-config -?
you receive an updated list of options, one of them being --kexalgorithms.
I was waiting for something like that since the previous version propagated the availability of the insecure
Diffie-Hellman key exchange using 1024-bit modulus and hash SHA-1.
I would like to remove the support, but I do not know how to use the tool to reset the available kex-algorithms. The command-line documentation is not sufficient - at least not for someone with my limited knowledge of cryptography.

Is there some documentation or knowledge base I missed?
Which algorithms are supported?

Thank you,

Manuel
Broadcom Employee Thomas Anderson Best Answer
I don't know of any existing SMG specific how-to/tutorial and I don't think I could fit everything into a forum post, so I'll try to cut this down as much as possible.
Here is the "proposed" list from an SMG running 10.7.5 that is using the "default" (i.e. you haven't used sshd-config to change anything) and the 

KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

I have highlighted the one you are concerned about as well as the group14, which is still considered "OK", but you may want to exclude as well.
So you are looking at something like:

[10.7.5-4]> sshd-config -k 'curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256'
Previous setting for KexAlgorithms:
default
New setting for KexAlgorithms:
curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
Do you wish to make this change? (yes/no) yes

At which time your existing ssh session will be killed, due to sshd daemon restart, and you will have to re-login and you can run the sshd-config -v to see how things look...

[10.7.5-4]> sshd-config -v
Attribute 'protocol' is set to 'default'.
Attribute 'ciphers' is set to '3des-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr'.
Attribute 'macs' is set to 'hmac-sha2-256,hmac-sha2-512'.
Attribute 'kexalgorithms' is set to 'curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256'

To verify that things are working the way you expect, go to another Unix/Linux box that has the ssh client installed and try to access your SMG using one of the deleted key exchange algorithms:

[tpa-nut80 ~]$ ssh -ladmin  -o'kexAlgorithms diffie-hellman-group-exchange-sha1' mysmg
Unable to negotiate with 10.33.24.123 port 22: no matching key exchange method found. Their offer: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

One more time with something that "should" work:
[tpa-nut80 ~]$ ssh -l admin -o'kexAlgorithms diffie-hellman-group-exchange-sha256' mysmg
admin@10.33.24.123's password:
Last login: Mon Dec 6 17:07:58 2021 from 10.230.0.131
[10.7.5-4]>

Hopefully this gets you where you want to be!
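
The filtering and the client-side check from the answer above, as an added shell example that is not part of the original post or of SMG: it drops every key exchange whose hash is SHA-1 from the default list quoted in the answer, and reads the "Their offer:" line an ssh client prints to confirm none is still offered. The function names and the rule "any name ending in -sha1 is unwanted" are assumptions of this example; the algorithm lists are copied from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Rule assumed here: a KEX name ending
# in "-sha1" is unwanted (this matches the three entries the answer removed).

# Default KEX list for SMG 10.7.5 as quoted in the answer.
DEFAULT_KEX='curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'

# Print the SHA-1 based entries of a comma-separated KEX list.
weak_kex() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -e '-sha1$' | paste -sd, -
}

# Print the list with the SHA-1 based entries removed, order preserved.
strong_kex() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -v -e '-sha1$' | paste -sd, -
}

# Extract the server's offer from the ssh client's
# "no matching key exchange method found" error line.
offer_from_error() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: *//p'
}

# Return 0 if the offer contains no SHA-1 KEX, 1 if it does (offenders are
# printed), 2 if the input line carries no "Their offer:" field.
audit_offer() {
    offer=$(offer_from_error "$1")
    [ -n "$offer" ] || { echo "no offer found in input" >&2; return 2; }
    bad=$(weak_kex "$offer")
    if [ -n "$bad" ]; then
        echo "still offered: $bad"
        return 1
    fi
    echo "no SHA-1 key exchange offered"
}

# Print the command to type at the SMG prompt (-k is the option used above).
printf "sshd-config -k '%s'\n" "$(strong_kex "$DEFAULT_KEX")"
```

Feed `audit_offer` the error line captured from a client attempt such as the one shown in the answer; exit status 1 means a SHA-1 key exchange is still being offered.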

Manuel Nientit
Hello tpa,

yes, that brings me where I want to be! Thank you very much!

With best regards,

Manuel