Differences

faq:tcpip [2019/01/17 16:17] – [FTP NAT] Fixed typos. Removed stale info. digital man
faq:tcpip [2020/02/13 23:41] – [SSH Kex Algo] Mention that aes128-ctr and aes256-ctr are supported now. deuce
Line 14: Line 14:
   * [[#bandwidth|How many nodes/clients/users can I support with my Internet connection]]?    * [[#bandwidth|How many nodes/clients/users can I support with my Internet connection]]? 
   * [[#block_hackers|Can Synchronet automatically block the IP address of hackers]]?   * [[#block_hackers|Can Synchronet automatically block the IP address of hackers]]?
-  * [[#ssh_kex_algo|Why do some SSH clients fail to connect to my BBS]]?+  * [[#ssh_algo|Why do some SSH clients fail to connect to my BBS]]?
   * [[#ssh_session_key|How do resolve the SSH error: importing session key to protect private key]]?   * [[#ssh_session_key|How do resolve the SSH error: importing session key to protect private key]]?
  
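Review bot: the anchor change from #ssh_kex_algo to #ssh_algo matches the heading rename in this revision, but the TOC entry still only says "fail to connect", while the renamed section now covers three distinct negotiation failures (cipher, key exchange, MAC); consider wording the entry so a reader searching for "no matching cipher found" or "no matching key exchange method found" lands on it. In the unchanged context line just below, "How do resolve the SSH error" should read "How do I resolve the SSH error".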
Line 296: Line 296:
 Yes, see [[howto:Block-Hackers]] for detailed instructions. Yes, see [[howto:Block-Hackers]] for detailed instructions.
  
-===== SSH Kex Algo =====+===== SSH Algo =====
 :?: **Question:**\\ :?: **Question:**\\
 Why do some SSH clients (e.g. [[http://www.openssh.com/|OpenSSH]]) fail to connect to the Synchronet SSH Server? Why do some SSH clients (e.g. [[http://www.openssh.com/|OpenSSH]]) fail to connect to the Synchronet SSH Server?
 +
 +:!: **Answer:**\\
 +SSH supports a variety of cryptographic algorithms for encryption (privacy), integrity (mac) and authentication (key-exchange). As stronger algorithms are introduced, older (less-strong) algorithms are deprecated. As a result, when using a newer version of any SSH client (especially OpenSSH), it may fail to connect to SSH servers which only support less-than-the-strongest (newest) algorithms. There is no permanent solution to this issue as cryptographic algorithms are constantly improving (becoming stronger) and older (weaker) algorithms are going out of favor.
 +
 +
 +==== SSH Cipher Algo ====
  
 Example: Example:
   $ ssh vert.synchro.net   $ ssh vert.synchro.net
-  $ Received disconnect from 71.95.196.342Handshake failed+  Unable to negotiate with vert.synchro.net port 22no matching cipher found. Their offeraes128-cbc,3des-cbc
      
-or: +Workarounds for OpenSSH:
-  Unable to negotiate with legacyhost: no matching key exchange method found. +
-  Their offer: diffie-hellman-group1-sha1+
  
-:!: **Answer:**\\+  $ ssh -c aes128-cbc user@yourbbs.com 
 +   
 +or in the ''~/.ssh/config'' file (OpenSSH v6):
  
-//**NOTE: This has been fixed in CVS now.**//+  Host yourbbs.com 
 +  Ciphers aes128-cbc 
 +   
 +==== SSH Kex Algo ====
  
-Synchronet uses [[http://www.cs.auckland.ac.nz/~pgut001/cryptlib/|Cryptlib]], a cryptographic library, for SSH and TSL/SSL support in SynchronetCryptlib's v3.4.2 SSH support uses an older "Key Exchange Algorithm". OpenSSH has deprecated support for this older key exchange algorithm. Cryptlib v3.4.4, the currently latest version of Cryptlib now used by Synchronet, does not have this problem.+Should be fixed as of Fri Feb 14 07:37:04 2020 UTC 
 +aes128-ctr and aes256-ctr support was added. 
 + 
 +Example: 
 +  $ ssh vert.synchro.net 
 +  Received disconnect from 71.95.196.34: 2: Handshake failed 
 +   
 +or: 
 +  Unable to negotiate with legacyhost: no matching key exchange method found. 
 +  Their offer: diffie-hellman-group1-sha1
  
 From the OpenSSH [[http://www.openssh.com/legacy.html|legacy page]]: From the OpenSSH [[http://www.openssh.com/legacy.html|legacy page]]:
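Review bot: the added lines "Should be fixed as of Fri Feb 14 07:37:04 2020 UTC" / "aes128-ctr and aes256-ctr support was added" sit under the new "==== SSH Kex Algo ====" heading, but AES-CTR is a cipher (encryption) algorithm, not a key-exchange algorithm; they belong under "==== SSH Cipher Algo ====", next to the "no matching cipher found. Their offer: aes128-cbc,3des-cbc" example they resolve. The Kex subsection is then left with the diffie-hellman-group1-sha1 example and no statement of what was fixed, because the removed sentence ("Cryptlib's v3.4.2 SSH support uses an older Key Exchange Algorithm ... Cryptlib v3.4.4 ... does not have this problem") was the only text that answered that; keep it or restate it. Two further points: the "ssh -c aes128-cbc" and "Ciphers aes128-cbc" workarounds override the client's own refusal of a cipher it no longer offers by default, i.e. they downgrade the client, so they should be marked as a stop-gap for servers built before the CTR fix rather than a standing recommendation; and, as rendered here, the sample error lacks the colons of the real OpenSSH message ("port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc"), and the "(OpenSSH v6)" qualifier on the ~/.ssh/config fragment does not say whether it means v6 only or v6 and later.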
Line 336: Line 354:
 Note: Run ''ssh -V'' to see what version of OpenSSH you have. Note: Run ''ssh -V'' to see what version of OpenSSH you have.
  
-:!: **Answer:**\\+==== SSH MAC Algo ==== 
 Another observed problem is with the negotiated Message Authentication Code (MAC) algorithm. Another observed problem is with the negotiated Message Authentication Code (MAC) algorithm.
  
Line 352: Line 371:
 Rename/move or delete your ''[[dir:ctrl]]/cryptlib.key'' file. Rename/move or delete your ''[[dir:ctrl]]/cryptlib.key'' file.
  
 +If you're using TLS for your other [[server:|Synchronet servers (e.g. web, mail, ftp, etc.)]], you may also need to rename/move or delete your ''[[dir:ctrl]]/ssl.cert'' file.
 +
 +These files (''cryptlib.key'' and ''ssl.cert'') are encrypted with the Synchronet //system password//, so if the system password is changed then these files must also be regenerated. The files are automatically recreated by //sbbs// upon startup if they do not already exist.
 ===== See Also ===== ===== See Also =====
   * [[:server:|Servers]]   * [[:server:|Servers]]
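Review bot: the added lines say cryptlib.key and ssl.cert are recreated on startup when missing, but not the consequence: a recreated cryptlib.key means a new SSH host key (and a recreated ssl.cert a new TLS certificate), so every client that has connected before will see a changed-host-key warning and has to drop its old known_hosts entry. The page should tell the sysop to expect that and to announce the change to users so they do not treat it as an attack. It should also say explicitly that after a system-password change both files must be removed, not only cryptlib.key as the unchanged line above implies.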