KBI 311745 Issue Addressed: Failed To Connect To LINUX/Unix Server Using SSH After Hardening Linux Server

Version

Argent Advanced Technology 5.1A-1901-C and below

Date

Tuesday, 9 April 2019

Summary

Based on recommendation from Linux hardening best practices, SHA1 and MD5 Message Authentication Code (MAC) algorithms and cipher block chaining (CBC) encryption algorithms are considered unsafe or weak, such as hmac-sha1, hmac-sha1-96, hmac-md5, hmac-md5-96 and aes256-cbc, aes192-cbc, aes128-cbc and 3des-cbc

The currently considered safe or strong MACs are hmac-sha2-512, hmac-sha2-256, hmac-sha2-512-etm@openssh.com, hmac-sha2-256-etm@openssh.com, umac-128-etm@openssh.com, umac-128@openssh.com and aes256-ctr, aes192-ctr, aes128-ctr

Linux server hardening would require only specifying the strongest encryption algorithms in the configuration files on the SSH Daemon or Server

A SSH Daemon / Server configuration (/etc/ssh/sshd_config) with the following would be considered hardened

Ciphers aes128-ctr,aes192-ctr,aes256-ctr

MACs hmac-sha2-512,hmac-sha2-256

Technical Background

Argent AT Engine uses built-in SSH library by default to communicate with LINUX/Unix server

Argent AT Engine has to negotiate with LINUX/Unix server to pick encryption cipher that supported by both sides

By default, Argent AT Engine sends out aes256-cbc, 3des-cbc, aes256-ctr as the supported encryption algorithms and hmac-sha1, hmac-md5, hmac-sha1-96, hmac-md5-96 as the supported MAC algorithms

As Argent AT Engine does not know what ciphers are disabled by Linux, both sides might end up with an encryption algorithm or MAC that is disabled by OS

As a result, the SSH connection fails

To see the detail, do connectivity testing in License Manager

Outgoing client supported MACs in Argent Advanced Technology 5.1-1901-C and below:

hmac-sha1, hmac-md5, hmac-sha1-96 and hmac-md5-96

If no client / server MAC combination is found, an error occurs

The SSH daemon server configuration file (sshd_conf) should have a matching MAC

Argent Advanced Technology 5.1A-1904-B is enhanced to allow customization of supported MAC algorithms

Registry HKLM\Software\ARGENT\COMMON\SSH_SUPPORTED_MAC_ALGORITHM can be used to specify the supported MAC algorithms

Multiple algorithms are separated by comma

For example, the registry string value can be “hmac-sha2-256, hmac-sha2-128” for communicating with hardened Linux servers

Note: User may have to use registry HKLM\Software\ARGENT\COMMON\SSH_SUPPORTED_ENCRYPTION_ALGORITHM too if cipher algorithm is also hardened

See KBI 311665 Issue Addressed: Failed To Connect To LINUX/Unix Server Using SSH After Hardening Windows Server for detail

Resolution

Upgrade to Argent Advanced TechnologyT 5.1A-1904-B or above

For customer who cannot upgrade immediately, he needs to rollback using PLINK instead of built-in SSH library

To do so, change registry value to 1 for registry

HKLM\Software\Argent\COMMON\SSH_LIBRARY