Synchronet v3.19b-Win32 (install) has been released (Jan-2022).

You can donate to the Synchronet project using PayPal.

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revisionBoth sides next revision
faq:tcpip [2019/01/17 16:17] – [FTP NAT] Fixed typos. Removed stale info. digital manfaq:tcpip [2019/04/02 13:51] – Added ssh cipher algo work-around digital man
Line 14: Line 14:
   * [[#bandwidth|How many nodes/clients/users can I support with my Internet connection]]?    * [[#bandwidth|How many nodes/clients/users can I support with my Internet connection]]? 
   * [[#block_hackers|Can Synchronet automatically block the IP address of hackers]]?   * [[#block_hackers|Can Synchronet automatically block the IP address of hackers]]?
-  * [[#ssh_kex_algo|Why do some SSH clients fail to connect to my BBS]]?+  * [[#ssh_algo|Why do some SSH clients fail to connect to my BBS]]?
   * [[#ssh_session_key|How do resolve the SSH error: importing session key to protect private key]]?   * [[#ssh_session_key|How do resolve the SSH error: importing session key to protect private key]]?
  
Line 296: Line 296:
 Yes, see [[howto:Block-Hackers]] for detailed instructions. Yes, see [[howto:Block-Hackers]] for detailed instructions.
  
-===== SSH Kex Algo =====+===== SSH Algo =====
 :?: **Question:**\\ :?: **Question:**\\
 Why do some SSH clients (e.g. [[http://www.openssh.com/|OpenSSH]]) fail to connect to the Synchronet SSH Server? Why do some SSH clients (e.g. [[http://www.openssh.com/|OpenSSH]]) fail to connect to the Synchronet SSH Server?
 +
 +:!: **Answer:**\\
 +SSH supports a variety of cryptographic algorithms for encryption (privacy), integrity (mac) and authentication (key-exchange). As stronger algorithms are introduced, older (less-strong) algorithms are deprecated. As a result, when using a newer version of any SSH client (especially OpenSSH), it may fail to connect to SSH servers which only support less-than-the-strongest (newest) algorithms. There is no permanent solution to this issue as cryptographic algorithms are constantly improving (becoming stronger) and older (weaker) algorithms are going out of favor.
 +
 +
 +==== SSH Cipher Algo ====
 +
 +Example:
 +  $ ssh vert.synchro.net
 +  Unable to negotiate with vert.synchro.net port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc
 +  
 +Workarounds for OpenSSH:
 +
 +  $ ssh -c aes128-cbc user@yourbbs.com
 +  
 +or in the ''~/.ssh/config'' file (OpenSSH v6):
 +
 +  Host yourbbs.com
 +  Ciphers aes128-cbc
 +  
 +==== SSH Kex Algo ====
  
 Example: Example:
   $ ssh vert.synchro.net   $ ssh vert.synchro.net
-  Received disconnect from 71.95.196.34: 2: Handshake failed+  Received disconnect from 71.95.196.34: 2: Handshake failed
      
 or: or:
   Unable to negotiate with legacyhost: no matching key exchange method found.   Unable to negotiate with legacyhost: no matching key exchange method found.
   Their offer: diffie-hellman-group1-sha1   Their offer: diffie-hellman-group1-sha1
- 
-:!: **Answer:**\\ 
- 
-//**NOTE: This has been fixed in CVS now.**// 
- 
-Synchronet uses [[http://www.cs.auckland.ac.nz/~pgut001/cryptlib/|Cryptlib]], a cryptographic library, for SSH and TSL/SSL support in Synchronet. Cryptlib's v3.4.2 SSH support uses an older "Key Exchange Algorithm". OpenSSH has deprecated support for this older key exchange algorithm. Cryptlib v3.4.4, the currently latest version of Cryptlib now used by Synchronet, does not have this problem. 
  
 From the OpenSSH [[http://www.openssh.com/legacy.html|legacy page]]: From the OpenSSH [[http://www.openssh.com/legacy.html|legacy page]]:
Line 336: Line 351:
 Note: Run ''ssh -V'' to see what version of OpenSSH you have. Note: Run ''ssh -V'' to see what version of OpenSSH you have.
  
-:!: **Answer:**\\+==== SSH MAC Algo ==== 
 Another observed problem is with the negotiated Message Authentication Code (MAC) algorithm. Another observed problem is with the negotiated Message Authentication Code (MAC) algorithm.
  

Trace: