Add CBC cipher support to openssh server 6.7

by ‎10-18-2016 03:02 PM - edited ‎10-18-2016 03:02 PM
Problem:

Since AOS 6.4.4.0, the AOS mobility controllers support only CBC cipher algorithms. This is outlined in the community post at http://community.arubanetworks.com/t5/Wireless-Access/SSH-and-AES-CBC/m-p/248919

OpenSSH 6.7 disables these ciphers by default, so customers may find that they are unable to scp files from the mobility controller to an SSH server running OpenSSH 6.7.

http://www.openssh.com/txt/release-6.7

Changes since OpenSSH 6.6
=========================

Potentially-incompatible changes

 * sshd(8): The default set of ciphers and MACs has been altered to
   remove unsafe algorithms. In particular, CBC ciphers and arcfour*
   are disabled by default.


Diagnostics:

With the default sshd config we can see that CBC ciphers are not offered.

nmap --script ssh2-enum-algos -sV -p 22 192.168.1.101
22/tcp open  ssh     (protocol 2.0)
| ssh2-enum-algos:
|   encryption_algorithms: (6)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|       chacha20-poly1305@openssh.com
SF:r(NULL,29,"SSH-2\.0-OpenSSH_6\.7p1\x20Raspbian-5\+deb8u3\r\n");

When we attempt to use scp to transfer a file from the mobility controller to the SSH server, the following error is seen.



Solution

To resolve this, change the sshd configuration on the server as follows. The change was applied to a Raspberry Pi, but should be applicable to any Linux-based server running OpenSSH 6.7 and above.

  • As root, edit /etc/ssh/sshd_config (the path may vary depending on your distribution).
  • Insert the following line of config in the file and save:
    • Ciphers aes128-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr
  • Restart the sshd service with service ssh restart or /etc/init.d/ssh restart (the command may vary depending on your distribution).

Note: Ensure that you have console access to the server in case you are locked out and need to roll back the changes.

An nmap scan of the server now shows the CBC ciphers being offered. Because the Ciphers line replaces the default list, the GCM and chacha20-poly1305 ciphers seen in the first scan are no longer offered.

nmap --script ssh2-enum-algos -sV -p 22 192.168.1.101
22/tcp open  ssh     (protocol 2.0)
| ssh2-enum-algos:
|   encryption_algorithms: (5)
|       aes128-cbc
|       aes256-cbc
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
SF:r(NULL,29,"SSH-2\.0-OpenSSH_6\.7p1\x20Raspbian-5\+deb8u3\r\n");

You should now be able to copy files from the mobility controller to your ssh server using scp.
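
The position of the inserted Ciphers line matters: sshd uses the first global Ciphers directive it reads and refuses to start if the keyword appears inside a Match block. The script below is an added example, not part of the original article; the function names and the SSHD_BIN variable are assumptions, and the sample config is constructed.

```shell
#!/bin/sh
# Added example, not from the original article; function names are hypothetical.

# Print the Ciphers value sshd would use: the first global occurrence wins,
# and anything after the first Match line is no longer global.
effective_ciphers() {
    awk 'tolower($1) == "match"   { exit }
         tolower($1) == "ciphers" { print $2; exit }' "$1"
}

# Make "Ciphers LIST" the only global Ciphers directive in FILE.
# Older Ciphers lines are commented out and the new line goes before the
# first Match block (or at the end if there is none), since sshd refuses
# to start with Ciphers inside a Match block. FILE.bak keeps the original.
# Assumption: SSHD_BIN, if set, is the absolute path to sshd and is used to
# syntax-check the candidate (sshd -t) before FILE is touched.
set_ciphers() {
    file=$1; list=$2
    tmp=$(mktemp) || return 1
    awk -v list="$list" '
        tolower($1) == "ciphers"          { print "#" $0; next }
        tolower($1) == "match" && !placed { print "Ciphers " list; placed = 1 }
                                          { print }
        END { if (!placed) print "Ciphers " list }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    if [ -n "${SSHD_BIN:-}" ] && ! "$SSHD_BIN" -t -f "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    cp -p "$file" "$file.bak" && cat "$tmp" > "$file"; rc=$?
    rm -f "$tmp"; return "$rc"
}

# Constructed sample config, rewritten in a temp directory.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'Port 22' 'Ciphers aes128-ctr' 'Match User backup' \
        '    ForceCommand internal-sftp' > "$d/sshd_config"
    set_ciphers "$d/sshd_config" \
        'aes128-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr' || return 1
    cat "$d/sshd_config"
}

case "${1:-}" in --demo) demo ;; esac
```

On a real server, run set_ciphers as root with SSHD_BIN pointing at the sshd binary (for example /usr/sbin/sshd), and keep the existing session or console open while restarting sshd.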
