How to modify Ciphers, MACs, KexAlgorithms for SSH client in RHEL8


Environment

  • Red Hat Enterprise Linux 8

Issue

  • How to fix the MAC and KexAlgorithms negotiation errors reported when connecting from a RHEL8 client to another Linux or Windows system.

  • When connecting from a RHEL8 client to a Windows system, the following error is seen:

    # ssh username@node.example.com
    Unable to negotiate with x.x.x.x port 22: no matching MAC found. Their offer: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
    
  • After the MAC issue is fixed, a DH group error appears:

    # ssh username@node.example.com
    Received disconnect from x.x.x.x port 22:2: Protocol error: no matching DH grp found
    Disconnected from x.x.x.x port 22
    Connection closed
    

Resolution

  • On the RHEL8 client, change the preference order so that the MAC 'hmac-sha1' and the KexAlgorithm 'diffie-hellman-group-exchange-sha1' are listed first:

    # vi /etc/ssh/ssh_config
    
    MACs hmac-sha1,hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,umac-128@openssh.com,hmac-sha2-512
    
    KexAlgorithms diffie-hellman-group-exchange-sha1,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha1
    
  • This configuration applies only when the RHEL8 system acts as an SSH client connecting to another sshd server.

  • For the server-side (sshd) configuration, refer to How to modify Ciphers, MACs, KexAlgorithms in SSHD for RHEL 8

Root Cause

  • The Windows server supports stronger MACs and key exchange algorithms, which results in a negotiation failure between the RHEL8 client and the Windows ssh/sftp server.

Diagnostic Steps

  • Check which MACs and KexAlgorithms the client supports by default according to the system-wide cryptographic policy:

    # update-crypto-policies --show
    DEFAULT
    
    # cat /etc/crypto-policies/back-ends/openssh.config 
    Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
    
    MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
    
    GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1-
    
    KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
    
  • Confirm that the MACs and KexAlgorithms required by the server are included and, if so, check their order of preference.

  • To configure custom parameters for the ssh client on RHEL8, define them in /etc/ssh/ssh_config or create a *.conf file in the /etc/ssh/ssh_config.d/ directory.

  • Check the ssh client's verbose logs to see which MACs and KexAlgorithms are being negotiated:

    # ssh -vvv username@server-ip
    
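The following script is an added example and not part of this solution: it derives the re-ordered MAC and KexAlgorithms lists shown in the Resolution from the crypto-policy lists above, shows which of the server's offered MACs the DEFAULT policy already permits, and wraps the result in a Host block for a drop-in under /etc/ssh/ssh_config.d/, so the legacy preference applies to one host rather than to every connection. The host pattern and drop-in file name are assumptions.

```sh
#!/bin/sh
# Added example, not from the Red Hat article. Host pattern and file name are assumed.

# Print the entries of comma-separated list $1 that are also in list $2, in the
# order of $1: which of the server's offered algorithms the policy already permits.
common_algos() {
  out=""; oldifs=$IFS; IFS=','
  for a in $1; do
    case ",$2," in *",$a,"*) out="${out:+$out,}$a" ;; esac
  done
  IFS=$oldifs
  printf '%s\n' "$out"
}

# Move algorithm $1 to the front of comma-separated list $2 (the article's fix:
# same set, different preference). If $1 is absent, print the list unchanged and
# return 1 instead of silently adding an algorithm the policy does not allow.
prefer_first() {
  case ",$2," in *",$1,"*) ;; *) printf '%s\n' "$2"; return 1 ;; esac
  rest=""; oldifs=$IFS; IFS=','
  for a in $2; do
    [ "$a" = "$1" ] || rest="${rest:+$rest,}$a"
  done
  IFS=$oldifs
  printf '%s,%s\n' "$1" "$rest"
}

# Emit an ssh_config drop-in limited to host pattern $1 with MACs $2 and KexAlgorithms $3.
host_dropin() {
  printf 'Host %s\n    MACs %s\n    KexAlgorithms %s\n' "$1" "$2" "$3"
}

# Constructed inputs copied from the error message and openssh.config output above.
OFFER_MACS='hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96'
POLICY_MACS='hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512'
POLICY_KEX='curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1'

echo "Offered MACs the DEFAULT policy already allows: $(common_algos "$OFFER_MACS" "$POLICY_MACS")"
# Redirect this output to e.g. /etc/ssh/ssh_config.d/50-legacy-host.conf (assumed name).
host_dropin 'legacy.example.com' \
  "$(prefer_first hmac-sha1 "$POLICY_MACS")" \
  "$(prefer_first diffie-hellman-group-exchange-sha1 "$POLICY_KEX")"
```

Of the four MACs the Windows server offers, only hmac-sha1 is in the DEFAULT policy list, so re-ordering is enough; the md5 and -96 variants would require a weaker policy and are not needed.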
