Nasty SSH behaviour on LTS server upgrade
Colin Watson
cjwatson at ubuntu.com
Sat Aug 13 15:54:50 UTC 2016
On Fri, Aug 12, 2016 at 09:27:15PM +0100, Nikhil Nair wrote:
> I've been SSH'ing in from a Windows machine, using an old version of
> SecureCRT, a commercial SSH client. I've had no trouble connecting to
> 14.04.* LTS Ubuntu servers, but as soon as the upgrade to 16.04.1 LTS was
> completed and the machine was rebooted, the SSH client could no longer
> connect. The message was as follows:
>
> SecureCRT
> No compatible key exchange method. The server supports these methods: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
> No compatible Cipher. The server supports these ciphers: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
>
> I've verified, however, that I'm able to connect to the 16.04.1 LTS system
> *from* another not-yet-upgraded Ubuntu system (i.e. still running 14.04.5
> LTS).
>
> While I'm no expert on SSH servers, I'm guessing some compatibility options
> were disabled during the upgrade. Is that right? I'd have thought a
> custom sshd.conf (which I definitely had) should have been left alone, and
> that no functionality would be removed from the ssh daemon, without a lot
> of very careful consideration, at least...
>
> This behaviour wasn't deliberate, was it?
As others have said, this was an intentional change. I'd like to
clarify that it was a change made by OpenSSH upstream, but as the
package maintainer I made a conscious decision not to revert it in
Debian/Ubuntu. The ciphers that are now disabled by default are
effectively broken and should not be used.
The reason that a custom sshd_config made no difference is that this
change was made in the defaults in the C source code, not in the
configuration file (although it can be overridden back in the
configuration file for the time being, much though I'd encourage you not
to do so as you should expect the broken ciphers to be entirely removed
at some point).
I'd like to add that the disabled CBC-mode ciphers were the subject of a
SecureCRT security advisory nearly eight years ago, as well as
corresponding advisories for several other SSH implementations, and so
any version from 6.1.3 onward (released on 2008-12-02) will be good
enough:
https://www.vandyke.com/support/advisory/2008/12/cpni-957037.html
https://www.kb.cert.org/vuls/id/958563
I regret the inconvenience, and I appreciate that upgrading proprietary
software can be a hassle, but you would really be best off upgrading at
least to a slightly newer version of your client that has less broken
cryptography available.
Cheers,
--
Colin Watson [cjwatson at ubuntu.com]
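To make the negotiation failure in this thread concrete, here is an added Python example (it is not part of the thread, nor code from OpenSSH or SecureCRT). It applies the SSH algorithm-selection rule from RFC 4253 section 7.1 (the first entry in the client's preference list that the server also offers wins, per algorithm class) to the server lists quoted in the SecureCRT error above. The two client lists are constructed assumptions standing in for a pre-2008 client and a current one; they are not SecureCRT's real algorithm sets. Algorithm names are written with their real "@" where the list archive printed "at".

```python
"""Replay the SSH algorithm negotiation that failed in the thread.

RFC 4253 section 7.1: for each class (kex, cipher, ...) the chosen algorithm is
the first one in the client's list that also appears in the server's list. An
empty match is exactly the "No compatible ..." failure SecureCRT reported.
"""
import re

# Server lists taken from the SecureCRT error quoted in the thread (the
# archive wrapped the lines and munged "@" to " at "; both are undone here).
SERVER_ERROR_TEXT = (
    "No compatible key exchange method. The server supports these methods: "
    "curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,"
    "ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,"
    "diffie-hellman-group14-sha1\n"
    "No compatible Cipher. The server supports these ciphers: "
    "chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,"
    "aes128-gcm@openssh.com,aes256-gcm@openssh.com\n"
)

# CONSTRUCTED (assumption): a client that only speaks CBC ciphers and the old
# SHA-1 group exchanges. This is a stand-in for a pre-2008 client, not the
# actual SecureCRT list.
LEGACY_CLIENT = {
    "kex": ["diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"],
    "cipher": ["aes256-cbc", "aes128-cbc", "3des-cbc", "arcfour"],
}

# CONSTRUCTED (assumption): a client that still carries legacy algorithms but
# lists the modern ones first, so they win whenever the server offers them.
MODERN_CLIENT = {
    "kex": ["curve25519-sha256@libssh.org", "diffie-hellman-group14-sha1",
            "diffie-hellman-group1-sha1"],
    "cipher": ["aes256-ctr", "aes128-ctr", "aes256-cbc", "3des-cbc"],
}

# Name patterns for the algorithm families the thread calls effectively broken:
# CBC modes (the 2008 advisories), RC4, 1024-bit DH group1, SHA-1 group exchange.
WEAK_PATTERNS = [
    r"-cbc$",
    r"^arcfour",
    r"^diffie-hellman-group1-sha1$",
    r"^diffie-hellman-group-exchange-sha1$",
]


def parse_server_error(text):
    """Pull the server's kex and cipher lists out of SecureCRT-style error text."""
    offered = {}
    kex = re.search(r"supports these methods: ([^\n]+)", text)
    cipher = re.search(r"supports these ciphers: ([^\n]+)", text)
    if kex:
        offered["kex"] = kex.group(1).strip().split(",")
    if cipher:
        offered["cipher"] = cipher.group(1).strip().split(",")
    return offered


def negotiate(client_prefs, server_offered):
    """Return {class: chosen algorithm or None} using the RFC 4253 rule.

    The client's order decides; the server's list only filters.
    """
    chosen = {}
    for cls, prefs in client_prefs.items():
        server = set(server_offered.get(cls, []))
        chosen[cls] = next((a for a in prefs if a in server), None)
    return chosen


def weak_algorithms(names):
    """Subset of names matching one of the weak-family patterns above."""
    return [n for n in names if any(re.search(p, n) for p in WEAK_PATTERNS)]


if __name__ == "__main__":
    server = parse_server_error(SERVER_ERROR_TEXT)
    for label, client in (("legacy client", LEGACY_CLIENT),
                          ("modern client", MODERN_CLIENT)):
        print(label, "->", negotiate(client, server))
    # The 16.04 server offers nothing from the weak families, which is the point
    # of the upstream change.
    print("weak algorithms still offered:",
          {cls: weak_algorithms(v) for cls, v in server.items()})
```

On the server side the same lists can be read directly from the running daemon's effective configuration (including any sshd_config override) with `sshd -T | grep -iE '^(ciphers|kexalgorithms)'`; an OpenSSH client lists what it can offer with `ssh -Q cipher` and `ssh -Q kex`. Feeding those two outputs to `negotiate()` instead of the constructed lists answers "will this client connect?" before the client is changed.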