I called in to phone support re: this issue; I was directed to post my request/inquiry here:
I'm tightening up my local security.

For OpenSSH comms between local and remote systems, I'm switching to NON-symmetric-rsa key encryption/exchange. I've specifically enabled and use ssh-ed25519/ecdsa-sha2-nistp521 as preferred KEXs; both fully supported by OpenSSH, and widely recommended for use.

Originally, at my sonic shell, I've

```
cat /home/.../.ssh/authorized_keys
...
ssh-rsa AAAAB3N... myuser@sonic
...
```

and @ local ssh_config,

```
cat /usr/local/etc/ssh/ssh_config
...
IdentityFile /usr/local/etc/ssh/ssh.sonic.rsa
...
```

pubkey connect/auth from local -> sonic works as expected

```
ssh -v -l myuser shell.sonic.net
...
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /usr/local/etc/ssh/ssh.sonic.rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: Enabling compression at level 6.
debug1: Authentication succeeded (publickey).
Authenticated to shell.sonic.net ([208.201.242.19]:22).
...
```

Now, enabling for elliptic curve use, at my sonic shell, I changed

```
cat /home/.../.ssh/authorized_keys
...
+ ssh-ed25519 AAAAC3N... myuser@sonic
+ ecdsa-sha2-nistp521 AAAAE2V... myuser@sonic
ssh-rsa AAAAB3N... myuser@sonic
...
```

& at my local ssh_config

```
cat /usr/local/etc/ssh/ssh_config
...
+ HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256,ssh-dss,ssh-rsa
+ IdentityFile /usr/local/etc/ssh/ssh.sonic.ed25519
+ IdentityFile /usr/local/etc/ssh/ssh.sonic.ecdsa
IdentityFile /usr/local/etc/ssh/ssh.sonic.rsa
...
```

With those in place, connection should still work in any cases, with fallback if/as necessary from ed25519 -> ecdsa -> rsa.

but,

```
ssh -v -l myuser shell.sonic.net
...
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /usr/local/etc/ssh/ssh.sonic.ed25519
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /usr/local/etc/ssh/ssh.sonic.ecdsa
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type ECDSA
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Offering RSA public key: /usr/local/etc/ssh/ssh.sonic.rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: Enabling compression at level 6.
debug1: Authentication succeeded (publickey).
Authenticated to shell.sonic.net ([208.201.242.19]:22).
```

ignores the EC keys, falling back to default ssh-dss

where, checking my local known_hosts file after the connection, I see the ssh-dss connection

```
shell.sonic.net ssh-dss AAAAB3Nza...
```

This lack of support appears due to a rather old, if not outdated, v4.4 SSH instance @ sonic, with an even older SSL,

```
uname -a
Linux bolt.sonic.net 2.4.37.5 #1 SMP Mon Aug 17 10:15:36 PDT 2009 i686 unknown

ssh -v -l myuser shell.sonic.net
...
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6
debug1: Remote protocol version 1.99, remote software version OpenSSH_4.4_Sonic
!! debug1: match: OpenSSH_4.4_Sonic pat OpenSSH_4* compat 0x00000000
...

ssh -V
OpenSSH_4.1_Sonicp1, OpenSSL 0.9.6b [engine] 9 Jul 2001
```

noting,

```
@ http://www.openssl.org/news/vulnerabilities.html
Note: OpenSSL 0.9.6 versions and 0.9.7 versions are no longer supported and will not receive security updates
```

Can Sonic shell's ssl/ssh get updated to something more modern, or at least versions that are maintained and receiving security updates?
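The following is an added example, not code from the post, from Sonic, or from OpenSSH. It audits the two client-side artefacts quoted above, the `ssh -v` output and the resulting known_hosts entry, and explains the observed fallback in terms a defender can act on: `IdentityFile` controls which user keys the client offers, and a server older than OpenSSH 5.7 (ECDSA) or 6.5 (Ed25519) cannot accept those keys, so the client moves on to RSA; `HostKeyAlgorithms` controls which server host-key types the client will accept, and because `ssh-dss` is still in the list the DSA host key is recorded rather than refused. Assumptions: the identity-file suffix convention (`.ed25519`, `.ecdsa`, `.rsa`) follows the post's file names, and the sample inputs are constructed from the lines quoted in the post.

```python
"""Client-side audit of an SSH session's negotiated key types.

Added example (not from the post or from OpenSSH/Sonic). Parses `ssh -v`
debug output and known_hosts entries and reports why user keys were skipped
and whether a legacy host-key type was accepted.
"""
import re
from typing import Dict, List, Optional, Tuple

# Host-key types to flag: ssh-dss is 1024-bit DSA signed with SHA-1 only.
LEGACY_HOSTKEY_TYPES = {"ssh-dss"}

# First OpenSSH release that understands each key type (ECDSA arrived in
# 5.7, Ed25519 in 6.5); used to explain why an older server silently
# ignores an offered key instead of rejecting it.
MIN_SERVER_VERSION = {
    "ssh-ed25519": (6, 5),
    "ecdsa-sha2-nistp256": (5, 7),
    "ecdsa-sha2-nistp384": (5, 7),
    "ecdsa-sha2-nistp521": (5, 7),
}

# Assumed naming convention for IdentityFile paths, taken from the post
# (ssh.sonic.ed25519, ssh.sonic.ecdsa, ssh.sonic.rsa).
SUFFIX_TO_KEYTYPE = {"ed25519": "ssh-ed25519",
                     "ecdsa": "ecdsa-sha2-nistp521",
                     "rsa": "ssh-rsa"}


def parse_known_hosts(text: str) -> List[Dict[str, object]]:
    """One record per known_hosts entry, flagging legacy key types.
    Skips comments and blank lines, keeps @cert-authority/@revoked markers,
    and leaves hashed (|1|...) host fields opaque."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = None
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            continue  # malformed: needs host, key type, base64 key
        host, keytype = fields[0], fields[1]
        records.append({"host": host, "keytype": keytype, "marker": marker,
                        "legacy": keytype in LEGACY_HOSTKEY_TYPES})
    return records


def parse_ssh_debug(text: str) -> Dict[str, object]:
    """Pull the remote version banner, the identity files tried, and the
    public-key algorithm the server accepted out of `ssh -v` output."""
    info: Dict[str, object] = {"remote_version": None, "tried": [], "accepted_pkalg": None}
    for line in text.splitlines():
        m = re.search(r"remote software version (\S+)", line)
        if m:
            info["remote_version"] = m.group(1)
        m = re.search(r"(?:Trying private key|Offering \w+ public key): (\S+)", line)
        if m:
            info["tried"].append(m.group(1))
        m = re.search(r"Server accepts key: pkalg (\S+)", line)
        if m:
            info["accepted_pkalg"] = m.group(1)
    return info


def openssh_version(version_string: Optional[str]) -> Optional[Tuple[int, int]]:
    """'OpenSSH_4.4_Sonic' -> (4, 4); None if the banner is not OpenSSH."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", version_string or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def audit(debug_text: str, known_hosts_text: str) -> List[str]:
    """Combine both sources into human-readable findings."""
    findings = []
    info = parse_ssh_debug(debug_text)
    ver = openssh_version(info["remote_version"])
    for path in info["tried"]:
        keytype = SUFFIX_TO_KEYTYPE.get(path.rsplit(".", 1)[-1])
        need = MIN_SERVER_VERSION.get(keytype)
        if keytype and need and ver and ver < need:
            findings.append(f"{keytype} key {path} cannot be accepted: server "
                            f"{info['remote_version']} predates OpenSSH {need[0]}.{need[1]}")
    if info["accepted_pkalg"]:
        findings.append(f"user authentication fell back to {info['accepted_pkalg']}")
    for rec in parse_known_hosts(known_hosts_text):
        if rec["legacy"]:
            findings.append(f"host key for {rec['host']} is {rec['keytype']} (legacy); "
                            "drop ssh-dss from HostKeyAlgorithms to fail closed instead")
    return findings


# Constructed samples, abbreviated from the lines quoted in the post.
SAMPLE_DEBUG = """\
debug1: Remote protocol version 1.99, remote software version OpenSSH_4.4_Sonic
debug1: Trying private key: /usr/local/etc/ssh/ssh.sonic.ed25519
debug1: Trying private key: /usr/local/etc/ssh/ssh.sonic.ecdsa
debug1: Offering RSA public key: /usr/local/etc/ssh/ssh.sonic.rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
"""
SAMPLE_KNOWN_HOSTS = "shell.sonic.net ssh-dss AAAAB3Nza...\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_DEBUG, SAMPLE_KNOWN_HOSTS):
        print(finding)
```

Run against the constructed samples it reports that the Ed25519 and ECDSA user keys cannot be accepted by an OpenSSH 4.4 server, that user authentication fell back to ssh-rsa, and that the recorded host key is ssh-dss. The last finding is the actionable one on the client side: removing `ssh-dss` from `HostKeyAlgorithms` makes the client refuse a DSA-only server rather than silently trusting its key, which surfaces the problem at connection time instead of in known_hosts afterwards.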