Changing Cipher Suites for SSH

It looks like ConfD has its own sshd daemon to handle SSH for port 2022. My question is: how can I change the cipher suite for the ConfD SSH daemon?
I looked at confd.conf.full and did not find any way to do this. Also, the user manual does not mention how to do this.

Please let me know if there’s a way to change the cipher suite for ssh.

Thanks

From confd.conf man page, also available as an appendix to the ConfD UG:

/confdConfig/netconf/transport/ssh/port (confd:inetPortNumber) [2022]
port is a valid port number to be used in combination with /confdConfig/netconf/transport/ssh/ip. Note that the standard port for NETCONF over SSH is 830.

The confd.conf.full lists this configuration without any settings:

<algorithms>
    <serverHostKey></serverHostKey>
    <kex></kex>
    <mac></mac>
    <encryption></encryption>
</algorithms>

Take a look at the encryption, mac, etc. options in the confd.conf man page:
/confdConfig/ssh/algorithms

If you need a cipher suite other than those supported by the internal ConfD SSH server, then you will need to use an external SSH server such as OpenSSH.

Has anyone been able to successfully specify the cipher, key exchange, and mac algorithms to be used by ConfD?

The ConfD reference manual describes the appropriate configuration format. This is what I have entered in confd.conf:

<ssh>
    <algorithms>
        <serverHostKey>ssh-rsa</serverHostKey>
        <kex>diffie-helman-group14-sha1,diffie-helman-group-exchange-sha1,diffie-helman-group-exchange-sha256</kex>
        <mac>hmac-sha2-256,hmac-sha2-512</mac>
        <encryption>aes128-ctr,aes192-ctr,aes256-ctr</encryption>
    </algorithms>
</ssh>

With this configuration in place, the ConfD ssh server accepts no connections at all. I have tried two ssh clients (putty and a fairly recent version of OpenSSH). The only way I can get a ConfD CLI is via the console.

Via the console, if I view the running configuration (“show full-configuration”), that ssh configuration has been applied successfully. The elements are present in the CDB. But instead of limiting the algorithms to the ones I have chosen, it’s not accepting any incoming ssh connections. The error displayed by the client indicates that “no matching key exchange method was found”.

If I instruct the client to use diffie-hellman-group14-sha1 (which the client does support), it claims that the server does not support this kex algorithm. But I have listed it in the ConfD config. Is there something incorrect in the configuration syntax I have shown above?

Mac-VM:~ jude$ ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256@libssh.org
gss-gex-sha1-
gss-group1-sha1-
gss-group14-sha1-
Mac-VM:~ jude$
Mac-VM:~ jude$
Mac-VM:~ jude$ ssh -oKexAlgorithms=diffie-hellman-group14-sha1 admin@10.9.75.111
ssh_dispatch_run_fatal: Connection to 10.9.75.111: no matching key exchange method found
Mac-VM:~ jude$

You have a typo in the algorithm name.
It should be: hellman


Thank you Nabil, that was the problem. It works with the correct spelling.
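
An added example, not part of the original thread and not ConfD's own tooling: a pre-deployment check that compares every name in an `<algorithms>` block against a reference list and suggests the closest valid spelling, which flags the misspelled kex names above before they lock out SSH access. The reference lists and the sample XML are constructed for illustration (the kex names come from the `ssh -Q kex` output in the thread); take the names your ConfD release actually supports from the confd.conf man page.

```python
import difflib
import xml.etree.ElementTree as ET

# Reference names, constructed for this example. The kex names are taken from
# the `ssh -Q kex` output in the thread; the rest are standard SSH names.
# Assumption: replace these with the lists from your confd.conf man page.
KNOWN = {
    "serverHostKey": {"ssh-rsa", "ssh-dss"},
    "kex": {
        "diffie-hellman-group1-sha1",
        "diffie-hellman-group14-sha1",
        "diffie-hellman-group-exchange-sha1",
        "diffie-hellman-group-exchange-sha256",
    },
    "mac": {"hmac-sha1", "hmac-sha2-256", "hmac-sha2-512"},
    "encryption": {"aes128-ctr", "aes192-ctr", "aes256-ctr"},
}

# Constructed sample: the algorithm lists from the thread, misspelling included.
SAMPLE = """
<algorithms>
  <serverHostKey>ssh-rsa</serverHostKey>
  <kex>diffie-helman-group14-sha1,diffie-helman-group-exchange-sha1,diffie-helman-group-exchange-sha256</kex>
  <mac>hmac-sha2-256,hmac-sha2-512</mac>
  <encryption>aes128-ctr,aes192-ctr,aes256-ctr</encryption>
</algorithms>
"""


def check_algorithms(xml_text, known=KNOWN):
    """Return (element, name, suggestion) for every unrecognised name."""
    problems = []
    for elem in ET.fromstring(xml_text):
        tag = elem.tag.split("}")[-1]  # drop an XML namespace if present
        if tag not in known:
            continue
        for name in (n.strip() for n in (elem.text or "").split(",")):
            if name and name not in known[tag]:
                close = difflib.get_close_matches(name, sorted(known[tag]), n=1)
                problems.append((tag, name, close[0] if close else None))
    return problems


if __name__ == "__main__":
    for tag, name, hint in check_algorithms(SAMPLE):
        print(f"{tag}: unknown algorithm {name!r}; did you mean {hint!r}?")
```

Running a check like this before reloading the configuration matters here because, as the thread shows, the misspelled names were accepted into the CDB and the failure only appeared when clients could no longer negotiate a key exchange.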

Some ssh servers allow the configuration of a server key regeneration interval, sometimes called a key lifetime. I was not able to find any reference to this in the ConfD User Guide. Is such a parameter supported by ConfD’s ssh server?

I guess you are looking for this, from the OpenSSH sshd_config(5) man page:

KeyRegenerationInterval
In protocol version 1, the ephemeral server key is automatically
regenerated after this many seconds (if it has been used). [...]

As mentioned there, this is protocol version 1 functionality, not used in version 2 (see also the AUTHENTICATION section in the sshd(8) man page). SSHv1 has been essentially unused for years, due to its security shortcomings. The ConfD SSH server rejects connections from SSHv1 clients, i.e. it will never use SSHv1.
