Question

Having problem with remote login on Ubuntu after being updated to 15.04

Posted August 7, 2015 4.8k views
Linux Basics Security

I updated my server from 14.1 to 15.04 and I having issues logging in with one of my IDE’s. I kept getting this errror, 

establishing sftp connection failed no suitable key exchange algorithm could be agreed

I found this page with a solution https://nikinuryadin.wordpress.com/2015/05/19/aptana-studio-3-sftp-key-exchange/

It says to add this line to my /etc/ssh/sshd_config file

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
KexAlgorithms=curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

My question is, will this weaken my security or cause any major security risks by adding these ciphers?

Add a comment
dirk2099
By:
dirk2099
Add a comment

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

1 answer
asb June 2, 2016

A number of those ciphers have been deemed as legacy by the OpenSSH team and are no longer supported by default. While for some attacks are still just theoretical, it’s still encouraged to regenerate your keys to use stronger a cipher. diffie-hellman-group1-sha1 in particular was commonly used. You can read more about its weaknesses here:

We further estimate that an academic team can break a 768-bit prime and that a nation-state can break a 1024-bit prime. Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers. A close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having achieved such a break.

You can regenerate the server’s host keys using:

  • sudo dpkg-reconfigure openssh-server
Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help