dirk2099
By:
dirk2099

Having problem with remote login on Ubuntu after being updated to 15.04

August 7, 2015 2.9k views
Security Linux Basics

I updated my server from 14.1 to 15.04 and I having issues logging in with one of my IDE's. I kept getting this errror,

establishing sftp connection failed no suitable key exchange algorithm could be agreed

I found this page with a solution https://nikinuryadin.wordpress.com/2015/05/19/aptana-studio-3-sftp-key-exchange/

It says to add this line to my /etc/ssh/sshd_config file

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
KexAlgorithms=curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

My question is, will this weaken my security or cause any major security risks by adding these ciphers?

1 Answer

A number of those ciphers have been deemed as legacy by the OpenSSH team and are no longer supported by default. While for some attacks are still just theoretical, it's still encouraged to regenerate your keys to use stronger a cipher. diffie-hellman-group1-sha1 in particular was commonly used. You can read more about its weaknesses here:

We further estimate that an academic team can break a 768-bit prime and that a nation-state can break a 1024-bit prime. Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers. A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break.

You can regenerate the server's host keys using:

  • sudo dpkg-reconfigure openssh-server
Have another answer? Share your knowledge.