Nasty SSH behaviour on LTS server upgrade
Nils Kassube
kassube at gmx.net
Fri Aug 12 21:14:33 UTC 2016
Nikhil Nair wrote:
> I've just done the latest LTS upgrade from 14.04.5 LTS (I think it
> was) to 16.04.1 LTS, using `sudo do-release-upgrade'.
>
> I've been SSH'ing in from a Windows machine, using an old version of
> SecureCRT, a commercial SSH client. I've had no trouble connecting to
> 14.04.* LTS Ubuntu servers, but as soon as the upgrade to 16.04.1 LTS
> was completed and the machine was rebooted, the SSH client could no
> longer connect. The message was as follows:
>
> SecureCRT
> No compatible key exchange method. The server supports these methods:
> curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
> No compatible Cipher. The server supports these ciphers:
> chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
>
> I've verified, however, that I'm able to connect to the 16.04.1 LTS
> system *from* another not-yet-upgraded Ubuntu system (i.e. still
> running 14.04.5 LTS).
>
> While I'm no expert on SSH servers, I'm guessing some compatibility
> options were disabled during the upgrade. Is that right? I'd have
> thought a custom sshd.conf (which I definitely had) should have been
> left alone, and that no functionality would be removed from the ssh
> daemon, without a lot of very careful consideration, at least...
>
> This behaviour wasn't deliberate, was it?
Yes, obviously it was intentional. See the xenial release notes [1] -
several weak ciphers were disabled for the new version. There is also a
link to upstream instructions to re-enable some of them. Of course it
would be better to upgrade the ssh client to a modern version which can
use the new ciphers.
Nils
[1] <https://wiki.ubuntu.com/XenialXerus/ReleaseNotes#OpenSSH_7.2p2>
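As an added illustration (not part of the thread or of OpenSSH itself), the script below simulates the RFC 4253 section 7.1 name-list negotiation that produced the error quoted above: the server lists are taken verbatim from the SecureCRT message, while the two client proposals are assumed examples of a legacy-only client and a current one.

```python
# RFC 4253 section 7.1: the client sends each algorithm name-list in order of
# preference; the chosen algorithm is the first client entry that the server
# also lists. If no entry matches, the connection fails before authentication,
# which is exactly what the "No compatible key exchange method" error reports.

# Server name-lists, copied from the error message quoted in the thread.
SERVER_KEX = (
    "curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,"
    "ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,"
    "diffie-hellman-group14-sha1"
)
SERVER_CIPHERS = (
    "chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,"
    "aes128-gcm@openssh.com,aes256-gcm@openssh.com"
)

# Assumed client proposals (constructed for this example, not SecureCRT's
# real configuration): a legacy client offering only algorithms that OpenSSH
# 7.x no longer enables by default, and a modern client.
OLD_CLIENT_KEX = "diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1"
OLD_CLIENT_CIPHERS = "aes128-cbc,3des-cbc,blowfish-cbc"
NEW_CLIENT_KEX = "curve25519-sha256@libssh.org,diffie-hellman-group14-sha1"
NEW_CLIENT_CIPHERS = "aes256-gcm@openssh.com,aes128-ctr"


def negotiate(client_list: str, server_list: str):
    """Return the first client-preferred name the server also offers, or None."""
    server = set(server_list.split(","))
    for name in client_list.split(","):
        if name in server:
            return name
    return None


def check_session(client_kex: str, client_ciphers: str) -> dict:
    """Negotiate KEX and cipher; 'ok' is False when either list has no overlap."""
    result = {
        "kex": negotiate(client_kex, SERVER_KEX),
        "cipher": negotiate(client_ciphers, SERVER_CIPHERS),
    }
    result["ok"] = result["kex"] is not None and result["cipher"] is not None
    return result


if __name__ == "__main__":
    for label, kex, ciphers in (
        ("legacy client", OLD_CLIENT_KEX, OLD_CLIENT_CIPHERS),
        ("modern client", NEW_CLIENT_KEX, NEW_CLIENT_CIPHERS),
    ):
        print(label, check_session(kex, ciphers))
```

The legacy proposal fails on both lists, matching the thread's symptom; the modern one negotiates the server's first-preferred KEX and the client's first-preferred cipher.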