Koozali.org: home of the SME Server
Other Languages => Italiano => Topic started by: simone686 on April 21, 2021, 09:51:38 PM
-
Hello everyone.
I have been using SME for years. For several clients I build small NASes as backup servers for Windows PCs.
From those PCs I access SME with SFTP, or using rsync with programs such as Acronis or BackupAssist.
Yesterday I wanted to try version 10, but with both programs I cannot get access. With PuTTY I can log in without any problem.
From the BackupAssist error it seems the systems cannot agree on how to exchange the authorization information. I often use plain CentOS 7 as well and have never had problems.
Can anyone tell me what may have changed?
With versions 9, 8 and 7 I never had any problem.
Thanks
-
Hi,
sorry for the answer in English.
SME Server 10 limits access to only known secure ciphers and MAC algorithms, so this could be the issue you are encountering.
The best way to debug your specific issue is to
- first, read carefully the exact error offered by your client program ("From the BackupAssist error it seems the systems cannot agree on how to exchange the authorization information.")
- second, check your logs while trying to connect:
# tail -f /var/log/sshd/sshd.log
also here is the list of accepted ciphers and MACs :
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
For information, the CentOS 7 defaults are
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160@openssh.com
SME 9, 8 and 7 allowed ciphers and encoding algorithms that are known to be insecure in 2021, so if your program does not support one of the offered algorithms it might need to be updated.
-
Hi, and thanks for replying.
I have updated the program, but nothing changed; same error:
"Unable to negotiate with 192.168.1.239 port 57977: no matching MAC found. Their offer: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]"
As they are only backup servers, how can I add these to the sshd config?
They are always rewritten on service restart.
Thanks
-
In the algorithm names, -etm means "encrypt-then-mac", i.e. the message authentication code is calculated after encryption. It is recommended to use these algorithms because they are considered safer.
Also MD5 MACs are unsafe. 32 bits.
SHA-1 is unsafe too. 160 bits.
Secure nowadays is at least 256, but will soon be 512.
You should open a bug against your software to ask them to make it secure again;
meanwhile you might do this as a TEMPORARY workaround. The reason is that by doing so you will allow this cipher to anyone able to connect, making their connection insecure and exposing the exchanged information, including the content of your backup.
mkdir -p /etc/e-smith/templates-custom/etc/ssh/sshd_config/
printf "#temp workaround for using Backup software with insecure options\nMACs=+hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com\n\n\n" > /etc/e-smith/templates-custom/etc/ssh/sshd_config/34MACsLocalAdd
expand-template /etc/ssh/sshd_config
systemctl restart sshd
For information, WinSCP allows the following MACs (https://winscp.net/eng/docs/ssh_algorithms):
Message authentication codes (MACs): hmac-md5, hmac-sha1, hmac-sha1-96, hmac-sha2-256, hmac-md5-etm@openssh.com, hmac-sha1-etm@openssh.com, hmac-sha1-96-etm@openssh.com, hmac-sha2-256-etm@openssh.com
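As an added illustration of the negotiation failure discussed in this thread (this is example code, not from the thread or from SME Server), the following Python script parses the sshd "Unable to negotiate" line quoted above, checks the client's MAC offer against the SME 10 MAC list the way the SSH protocol does (first client entry the server also accepts wins), and shows what the "MACs +..." workaround changes. The log line and algorithm lists are those posted in the thread; the weak-marker list is an assumption reflecting the MD5/SHA-1 remarks above.

```python
import re

# Server MAC list as posted for SME Server 10 in this thread
SME10_MACS = ("hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,"
              "umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com")

# sshd log line quoted in the thread, used here as the sample input
SAMPLE_LOG = ("Unable to negotiate with 192.168.1.239 port 57977: no matching MAC found. "
              "Their offer: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,"
              "hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]")

# Assumption: substrings that mark a MAC as weak, following the MD5/SHA-1 remarks above
WEAK_MARKERS = ("md5", "sha1")

OFFER_RE = re.compile(
    r"Unable to negotiate with (?P<host>\S+) port (?P<port>\d+): "
    r"no matching (?P<kind>[\w ]+?) found\. Their offer: (?P<offer>[^\s\[]+)")

def parse_negotiation_failure(line):
    """Return (peer, kind, offered list) from an sshd 'Unable to negotiate' line, else None."""
    m = OFFER_RE.search(line)
    if not m:
        return None
    return m.group("host"), m.group("kind"), m.group("offer").split(",")

def negotiate(server_list, client_offer):
    """SSH algorithm selection (RFC 4253 7.1): first client entry the server also accepts wins."""
    accepted = set(server_list.split(","))
    return next((alg for alg in client_offer if alg in accepted), None)

def weak_macs(offer):
    """Subset of the client's offer that matches a weak marker."""
    return [m for m in offer if any(w in m for w in WEAK_MARKERS)]

def with_appended(server_list, extra):
    """Model sshd's 'MACs +a,b' syntax: extras are appended after the strong defaults."""
    return server_list + "," + extra

def diagnose(line, server_list=SME10_MACS):
    """Summarise why the connection in 'line' failed and what a given server list would pick."""
    parsed = parse_negotiation_failure(line)
    if parsed is None:
        return None
    peer, kind, offer = parsed
    return {"peer": peer, "kind": kind, "chosen": negotiate(server_list, offer),
            "weak_offered": weak_macs(offer)}

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))  # chosen is None: nothing in common
    patched = with_appended(SME10_MACS, "hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com")
    print(diagnose(SAMPLE_LOG, patched))  # chosen becomes hmac-sha1
```

Run against a real /var/log/sshd/sshd.log, the "weak_offered" field shows which legacy MACs a client is asking for before deciding whether the workaround above is worth the exposure.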