rasto / lcmc

Pacemaker/DRBD/KVM/LVM Cluster GUI

LCMC 1.7.14 no longer works via SSH due to unsupported ciphers #59

Open sammcj opened 8 years ago

sammcj commented 8 years ago

Since upgrading to 1.7.10 there is no prompt to enter your password in the wizard or on your existing connections; thus, there is no way to hit enter to make it just use your SSH keys, which always used to work.

It looks like LCMC is trying to connect with some sort of unsupported cipher - perhaps a deprecated, old cipher?

Ciphers supported by OpenSSH on CentOS7 using recommended settings:

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

sammcj commented 8 years ago

This is still a problem with 1.7.11

sammcj commented 8 years ago

On the host:

root@s1-san6: # lcmc-gui-helper-1.7.8
Died at /usr/local/bin/lcmc-gui-helper-1.7.8 line 51.

Looking at line 51 of that file:

my $action = shift @$ACTION_OPTIONS || die;

sammcj commented 8 years ago

Think I found the problem after enabling auditd on the server side:

type=CRYPTO_SESSION msg=audit(1463966687.274:502): pid=9614 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=unsupported-mac direction=? cipher=? ksize=? rport=63317 laddr=10.51.40.61 lport=22  exe="/usr/sbin/sshd" hostname=? addr=10.51.15.92 terminal=? res=failed'

It looks like LCMC is trying to connect with some sort of unsupported cipher - perhaps a deprecated, old cipher?

Ciphers supported by OpenSSH on CentOS7 using recommended settings:

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

sammcj commented 8 years ago

@rasto - any input on this?

przemas75 commented 8 years ago

Yes, it uses the old version of https://github.com/maxd/ganymed-ssh-2 for SSH connections. Here: https://github.com/rasto/lcmc/blob/master/src/lib/ch/ethz/ssh2/crypto/digest/MAC.java one can see only these MACs in use: "hmac-sha1-96", "hmac-sha1", "hmac-md5-96", "hmac-md5". Very poor. I have tried to update, but there is a change in scp in Ganymed, and further steps are needed to adjust lcmc.
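
The mismatch reported in this thread, as an added example that is not part of the original comments or of LCMC's code: it applies the RFC 4253 section 7.1 selection rule to the two MAC lists quoted above and extracts the failure fields from the quoted audit record. The function names are hypothetical and the audit line is an abbreviated copy of the one posted earlier.

```python
import re

# Server MACs, copied from the sshd settings quoted in this thread.
SERVER_MACS = (
    "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,"
    "umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com")
# Client MACs, as listed in the comment above for the bundled Ganymed library.
CLIENT_MACS = "hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5"
# Abbreviated copy of the audit record quoted earlier (auid/ses/subj fields dropped).
AUDIT_LINE = (
    "type=CRYPTO_SESSION msg=audit(1463966687.274:502): pid=9614 uid=0 "
    "msg='op=unsupported-mac direction=? cipher=? ksize=? rport=63317 "
    "laddr=10.51.40.61 lport=22  exe=\"/usr/sbin/sshd\" hostname=? "
    "addr=10.51.15.92 terminal=? res=failed'")


def negotiate(client_list, server_list):
    """RFC 4253 7.1: pick the first name on the client's list that the server also lists."""
    server = {n.strip() for n in server_list.split(",") if n.strip()}
    for name in (n.strip() for n in client_list.split(",")):
        if name in server:
            return name
    return None  # no common algorithm: the server aborts the key exchange


def parse_crypto_failure(line):
    """Return op, peer address and peer port for a failed CRYPTO_SESSION record, else None."""
    if not line.startswith("type=CRYPTO_SESSION"):
        return None
    m = re.search(r"msg='(.*)'", line)  # the quoted inner msg holds the key=value pairs
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(1).split() if "=" in kv)
    if fields.get("res") != "failed":
        return None
    return {k: fields.get(k) for k in ("op", "addr", "rport")}


if __name__ == "__main__":
    print("negotiated MAC:", negotiate(CLIENT_MACS, SERVER_MACS))
    print("audit failure:", parse_crypto_failure(AUDIT_LINE))
```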

danyel2014 commented 6 years ago

The issue is still present on 1.7.14. Are there any plans to fix this?

Thank you

sammcj commented 6 years ago

Any update on a fix for this?