Dear community,
Can someone explain to me why "/etc/sshd_config" is much more strict on the v 2891 of the bosh-stemcell vsphere-esxi-ubuntu-trusty-go_agent (see diff below).
diff -b sshd_config_2889 sshd_config_289163,64d62< X11Forwarding yes< X11DisplayOffset 1087a86> Banner /etc/issue.net89a89,93> X11Forwarding no> MaxAuthTries 3>
> Ciphers chacha20...@openssh.com,aes25...@openssh.com,aes128-g...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr> MACs hmac-sha...@openssh.com,hmac-sha...@openssh.com,hmac-ripe...@openssh.com,umac-1...@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
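Review bot: The Ciphers and MACs lines added at 89a89,93 pin explicit algorithm lists with no comment saying why these were chosen or which clients they exclude. The unsuffixed MAC entries are only hmac-sha2-512, hmac-sha2-256 and hmac-ripemd160, so a client limited to older MACs will fail at negotiation; add a comment above the two lines and a release-note entry stating the minimum client requirements. The Banner /etc/issue.net line at 87a86 also deserves a check that the stemcell actually ships that file.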
Hello Jon,
Did you notice this problem with the stemcell 2891 or with 2889? I may also have the problem with 2889, I am double checking at the moment. My SSH client works with 2824. I am trying to figure out when the regression happened.
Cyrille
On Thu, Mar 26, 2015 at 2:53 PM, <hel...@acm.org> wrote:
Fabric also breaks. We use it to back up the Cloud Foundry postgresql databases. For now, we have changed the ssh config of the postgres node manually.
Jon
On Thursday, March 26, 2015 at 1:10:47 PM UTC+1, Cyrille Le Clerc wrote:
Dear community,
Can someone explain to me why "/etc/sshd_config" is much more strict on the v 2891 of the bosh-stemcell vsphere-esxi-ubuntu-trusty-go_agent (see diff below).
diff -b sshd_config_2889 sshd_config_289163,64d62< X11Forwarding yes< X11DisplayOffset 1087a86> Banner /etc/issue.net89a89,93> X11Forwarding no> MaxAuthTries 3>
> Ciphers chacha20...@openssh.com,aes256-g...@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr> MACs hmac-sha...@openssh.com,hmac-sha2-2...@openssh.com,hmac-ripemd...@openssh.com,umac-1...@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
Jenkins' Java SSH library (trilead-ssh2) fails to establish an ssh connection to such an SSH server, with a "fatal: no matching mac found: client ..." appearing in the auth.log of the ssh server (i.e. the Jenkins slave).
Will future Ubuntu stemcells continue to be hardened like this?
Is there a release note for the stemcells? The "changes between" mentioned on http://boshartifacts.cloudfoundry.org/ does not give a lot of details (e.g. here).
Cyrille
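The "no matching mac found" failure reported above comes from SSH algorithm negotiation: the first algorithm on the client's list that the server also lists is used, and the connection fails when there is none. The Python sketch below is an added example, not code from this thread or from the bosh or Jenkins projects; the sample config is constructed from names the thread spells out in full, the three client offers are hypothetical, and it assumes both keywords are set explicitly in the config.

```python
# Added example: which cipher and MAC would an SSH client negotiate?
# Constructed sshd_config fragment; it uses only algorithm names the thread
# spells out in full (the elided "...@openssh.com" entries are left out).
SAMPLE_SSHD_CONFIG = """\
X11Forwarding no
MaxAuthTries 3
Ciphers aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
"""

# Hypothetical client offers (assumptions, not any real library's defaults).
LEGACY_CLIENT = {"ciphers": ["aes128-ctr", "aes128-cbc", "3des-cbc"],
                 "macs": ["hmac-sha1-96", "hmac-sha1", "hmac-md5"]}
UPDATED_CLIENT = {"ciphers": ["aes256-ctr", "aes128-ctr"],
                  "macs": ["hmac-sha2-256", "hmac-sha1"]}
GCM_CLIENT = {"ciphers": ["aes128-gcm@openssh.com"], "macs": ["hmac-sha1"]}

# OpenSSH AEAD ciphers authenticate packets themselves, so no MAC is chosen.
AEAD_CIPHERS = {"aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
                "chacha20-poly1305@openssh.com"}


def server_lists(config_text):
    """Extract Ciphers and MACs lists; sshd uses the first value per keyword."""
    found = {}
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key = parts[0].lower()  # keywords are case-insensitive
        if key in ("ciphers", "macs") and key not in found:
            found[key] = [a.strip() for a in parts[1].split(",") if a.strip()]
    return found


def first_match(client_algs, server_algs):
    """RFC 4253 section 7.1: first client algorithm that the server also lists."""
    return next((a for a in client_algs if a in server_algs), None)


def check_client(client, config_text):
    """Return (cipher, mac, problem); problem is None when negotiation succeeds."""
    server = server_lists(config_text)
    cipher = first_match(client["ciphers"], server.get("ciphers", []))
    if cipher is None:
        return None, None, "no matching cipher found"
    if cipher in AEAD_CIPHERS:
        return cipher, "<implicit>", None
    mac = first_match(client["macs"], server.get("macs", []))
    return cipher, mac, None if mac else "no matching mac found"
```

Running `check_client` against a copy of the new sshd_config with each client's real offer lists shows before deployment which automation clients the hardened lists will lock out.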
Thanks Jon,
I was not aware of this convenient site to track changes: http://git_pipeline.cfapps.io/pipelines/bosh/versions
The diff of 90ca88e shows that Ciphers and MACs have been restricted a lot (see below). Could we have an explanation? I will have to share this with the Jenkins Community if this choice is definitive to get Jenkins working with these limited MACs and Ciphers. Could Corey Innis <cin...@pivotal.io>, who signed off this pull request, help me on this?
Cyrille
- Ciphers chacha20...@openssh.com,aes25...@openssh.com,aes128-g...@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr+ Ciphers arcfour,arcfour128,arcfour256,aes128-ctr,aes192-ctr,aes256-ctr,aes12...@openssh.com,aes256...@openssh.com,chacha20-poly...@openssh.com- MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripe...@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-s...@openssh.com,hmac-sha...@openssh.com,hmac-sha...@openssh.com,hmac-ripe...@openssh.com,umac-1...@openssh.com
+ MACs hmac-sha...@openssh.com,hmac-sha...@openssh.com,hmac-ripe...@openssh.com,umac-1...@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
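Review bot: On the Ciphers pair the + line lists arcfour, arcfour128 and arcfour256, which the - line does not, while on the MACs pair the + line is the shorter list (hmac-sha1 and umac-64@openssh.com drop out). The two pairs point in opposite directions, so confirm against the commit that the arcfour (RC4) entries are not what ends up in sshd_config, and remove them if they are. Dropping hmac-sha1 is reasonable hardening but should be stated in the change description, since it changes which clients can connect.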