SSH key exchange establishes a one-time session key and authenticates the server via its host key. This is different from user authentication, where user keys, passwords or Kerberos are among the options. The entire point of the ssh protocol is to establish an encrypted channel over which even authentication as weak as a password can be sent across insecure networks. Compare this to ensuring that a TLS-encrypted https session exists before sending secrets to a web server.

Key exchange algorithms are updated over time as cryptography research makes older methods insecure. Have them update their sftp software to be sure it has modern algorithms.

While troubleshooting this, start a packet capture on the server for its ssh port. Wireshark can do some detailed dissection of the ssh protocol, to see what happens in the packets. Get the ssh client to say what KEX was attempted. For example, the OpenSSH client at higher verbosity will say exactly which algorithms the client and the server each have: run ssh -vv and examine the algorithms around the KEXINIT events.
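To make the KEXINIT comparison concrete, the following added example (not part of the original post) parses the proposal lines from ssh -vv output and reports, per category, the first client algorithm the server also offers, or none. The sample log is constructed and modelled on OpenSSH's debug2 output; the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the debug2 lines OpenSSH prints with -vv.
SAMPLE = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha2-256,hmac-sha2-512
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-ctr,aes128-cbc,3des-cbc
debug2: MACs ctos: hmac-sha1,hmac-md5
"""

FIELDS = ("KEX algorithms", "host key algorithms", "ciphers ctos", "MACs ctos")
HEADER = re.compile(r"debug2: (local client|peer server) KEXINIT proposal")
FIELD = re.compile(r"debug2: ([^:]+): (.*)")

def parse_proposals(log):
    """Return {'client': {field: [algs]}, 'server': {...}} from ssh -vv text."""
    out, side = {"client": {}, "server": {}}, None
    for line in log.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            side = "client" if m.group(1) == "local client" else "server"
            continue
        m = FIELD.match(line)
        if m and side and m.group(1) in FIELDS:
            out[side][m.group(1)] = [a for a in m.group(2).split(",") if a]
    return out

def negotiate(proposals):
    """Simplified RFC 4253 sec. 7.1 rule: first client entry the server also lists."""
    result = {}
    for f in FIELDS:
        server = set(proposals["server"].get(f, []))
        result[f] = next((a for a in proposals["client"].get(f, []) if a in server), None)
    return result

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for field, alg in negotiate(parse_proposals(text)).items():
        print(f"{field:22} {alg or 'NO COMMON ALGORITHM'}")
```

Real client output can be piped in on stdin, since ssh writes its debug lines to stderr (2>&1). A category reported with no common algorithm is the one that needs updating on one side.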