I'm trying to determine which cipher(s) an OpenSSH 7.1 server finds offensive. The OpenSSH 7.1 server was built with OpenSSL 1.0.2d.

I added the line breaks below for readability, but there are no spaces or breaks in the line (other than after Ciphers):

$ sudo /usr/local/sbin/sshd -t -f /usr/local/etc/sshd_config
/usr/local/etc/sshd_config line 28: Bad SSH2 cipher spec '[email protected],\
[email protected],[email protected],aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,\
aes192-cbc,aes256-cbc'.

Which cipher(s) does the OpenSSH 7.1 server find offensive?


Most commented lines have been removed from sshd_config below.

$ cat /usr/local/etc/sshd_config
#   $OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.
...

# The default requires explicit activation of protocol 1
Protocol 2

# HostKeys for protocol version 2
HostKey /usr/local/etc/ssh_host_ed25519_key
HostKey /usr/local/etc/ssh_host_ecdsa_key
HostKey /usr/local/etc/ssh_host_dsa_key
HostKey /usr/local/etc/ssh_host_rsa_key

# Ciphers and keying
# Ciphers [email protected],[email protected],[email protected],aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc

RekeyLimit 1G 4h

# Authentication:

LoginGraceTime 2m

KbdInteractiveAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

# Check only .ssh/authorized_keys
AuthorizedKeysFile  .ssh/authorized_keys

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing.
#UsePAM no

# Use Apple's sandbox. On later versions of OS X, the sandbox is a stand alone
#   library and requires config'ing with --with-libs="-lsandbox"
UsePrivilegeSeparation sandbox

# override default of no subsystems
Subsystem   sftp    /usr/local/libexec/sftp-server

1 Answer

You have a typo in [email protected], which should be [email protected].

Basically, you can find out really simply by splitting the list into individual ciphers and trying each of them with sshd:

echo '[email protected],[email protected],[email protected],aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc' | sed -e "s/,/ /g"
for c in [email protected] [email protected] [email protected] aes128-ctr aes192-ctr aes256-ctr aes128-cbc aes192-cbc aes256-cbc; do
  sshd -t -o Ciphers=$c
done
  • If you accept, I can gain some credit for it :) If it was helpful, you can accept it :)
    – Jakuje
    Commented Aug 24, 2015 at 17:07
  • The list of available ciphers may also be obtained using "ssh -Q cipher".
    – ıɾuǝʞ
    Commented Jul 24, 2018 at 5:40
  • In case of my OpenSSH 7.9 it was complaining about unknown ciphers: arcfour256,arcfour128,blowfish-cbc,cast128-cbc,arcfour. I guess they were removed from OpenSSH in some prior version.
    – Marki555
    Commented Aug 3, 2021 at 19:45
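
An added example, not part of the original answer or comments: it combines the answer's per-cipher check with the `ssh -Q cipher` list mentioned in the comments, and prints only the names in a Ciphers spec that the build does not recognise. The function name `unknown_ciphers`, the sample lists and the misspelling `aes256-crt` are constructed for illustration and are not the asker's actual line.

```shell
#!/bin/sh
# unknown_ciphers SPEC SUPPORTED
#   SPEC      comma-separated value of a Ciphers directive
#   SUPPORTED recognised cipher names, one per line; on a real host use
#             "$(ssh -Q cipher)" from the same build as the sshd under test
# Prints each unrecognised entry; returns 1 if any was found, else 0.
# The body runs in a subshell so the IFS and globbing changes do not leak.
unknown_ciphers() (
    rc=0
    IFS=,
    set -f                      # names are data, never glob patterns
    for c in $1; do
        if [ -z "$c" ]; then    # ",," in the spec is also rejected by sshd
            printf '(empty entry)\n'
            rc=1
        # -F fixed string, -x whole line: "aes128" must not match "aes128-ctr"
        elif ! printf '%s\n' "$2" | grep -Fqx -- "$c"; then
            printf '%s\n' "$c"
            rc=1
        fi
    done
    return "$rc"
)

# Constructed sample data: a subset of real OpenSSH cipher names, and a spec
# containing one deliberate misspelling (aes256-crt).
supported='chacha20-poly1305@openssh.com
aes128-gcm@openssh.com
aes256-gcm@openssh.com
aes128-ctr
aes192-ctr
aes256-ctr'
spec='chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-crt,aes128-ctr'

if bad=$(unknown_ciphers "$spec" "$supported"); then
    echo "all ciphers recognised"
else
    echo "$bad" | sed 's/^/not recognised: /'
fi
```

Because sshd rejects the whole spec when a single name is unknown, running this before `sshd -t` points at the offending entry directly.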
