SSH Service Fails to start with "extra options" enabled
Activity
Jorgen Kruger May 7, 2019 at 3:11 PM
Hi Waqar,
thank you for the feedback. Using the info you provided, I tested each algorithm and it seems all arcfour* and algorithms ending in *cbc have been removed. Updated, and the service starts successfully with the following Ciphers and Algorithms:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
Appreciate the feedback.
Waqar Ahmed May 6, 2019 at 12:46 PM
Hello @Jorgen Kruger, so for some of the ciphers listed, the support has been removed by openssh (https://github.com/openssh/openssh-portable). I am afraid this isn't our issue to resolve (if you want, you can file an issue with them). Thank you for your time and patience!
Jorgen Kruger May 2, 2019 at 8:51 AM
Hi Jeff,
Uploaded as requested.
Jeff Ervin May 1, 2019 at 7:12 PM
Hey Jorgen,
Would you just toss a Debug into the document vault (System->Advanced->Save Debug) please? Don't know if it's needed, but would rather have it than not.
Description
Recently upgraded from 11.1-U7 to latest 11.2-U3.
SSH service wouldn't initiate on startup. Restarting the service errors out with:
root: /usr/local/etc/rc.d/openssh: WARNING: failed precmd routine for openssh
Removed "Extra Options" under SSH service settings:
Ciphers 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour,arcfour128,arcfour256,blowfish-cbc,cast128-cbc,chacha20-poly1305@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
This resolved the issue.
This is a recurrence of a bug previously logged during 11.0 pre-release. 25068 was the ID on the previous bug system. Bug tracker link is inactive, but here is the link to the official post:
link title
I believe it would be beneficial to retain this functionality, and even though deprecated ciphers and algorithms may be unsafe for traversal over the public internet, they can provide a performance benefit when utilized on internal network infrastructure. With the correct hardware and cipher it's possible to saturate most network interfaces. Additionally, replicating/migrating data away from older Linux systems (that are no longer maintained) using remote replication is far more convenient than driving over and plugging in a drive.
Thank you.
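The failure in this report comes from an "Extra Options" list that names ciphers the installed OpenSSH no longer recognises; the working list in Jorgen's May 7 comment is the same list with the unknown names dropped. The script below is an added example, not part of this ticket or of FreeNAS, that automates that pruning: it parses Ciphers/KexAlgorithms/MACs lines, asks the local `ssh -Q cipher` / `ssh -Q kex` / `ssh -Q mac` which names are supported, and reports and removes the rest. The FALLBACK_SUPPORTED sets are a constructed stand-in (the working lists from the comment) used only when no ssh binary is available; the function names and the handling of the `+`/`-`/`^` prefixes are this example's own.

```python
"""Check sshd "Extra Options" algorithm lists against what the local OpenSSH supports."""
import shutil
import subprocess

# sshd_config keyword -> name used by `ssh -Q`
QUERY_NAME = {"Ciphers": "cipher", "KexAlgorithms": "kex", "MACs": "mac"}

# Constructed stand-in for `ssh -Q` output: the lists from the working Extra Options
# in the comment above. On a real host query_ssh() results take precedence.
FALLBACK_SUPPORTED = {
    "Ciphers": {
        "aes128-ctr", "aes192-ctr", "aes256-ctr",
        "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
        "chacha20-poly1305@openssh.com",
    },
    "KexAlgorithms": {
        "curve25519-sha256@libssh.org", "diffie-hellman-group1-sha1",
        "diffie-hellman-group14-sha1", "diffie-hellman-group-exchange-sha1",
        "diffie-hellman-group-exchange-sha256", "ecdh-sha2-nistp256",
        "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
    },
}


def query_ssh(keyword):
    """Names the local ssh binary supports for a keyword, or None if unavailable."""
    if keyword not in QUERY_NAME or shutil.which("ssh") is None:
        return None
    proc = subprocess.run(["ssh", "-Q", QUERY_NAME[keyword]],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return {line.strip() for line in proc.stdout.splitlines() if line.strip()}


def supported_sets(keywords=("Ciphers", "KexAlgorithms", "MACs")):
    """Live `ssh -Q` results where available, otherwise the constructed fallback."""
    return {k: (query_ssh(k) or FALLBACK_SUPPORTED.get(k, set())) for k in keywords}


def parse_extra_options(text):
    """Parse sshd_config-style lines into {keyword: (prefix, [names])}.

    prefix is "", "+", "-" or "^" (OpenSSH's append/remove/prepend forms).
    Only the list-valued keywords in QUERY_NAME are kept; comments are ignored.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Ciphers=x" and "Ciphers x"
        if len(parts) != 2 or parts[0] not in QUERY_NAME:
            continue
        key, value = parts
        prefix = value[0] if value[0] in "+-^" else ""
        names = [n.strip() for n in value[len(prefix):].split(",") if n.strip()]
        opts[key] = (prefix, names)
    return opts


def unsupported(options, supported):
    """{keyword: [names this OpenSSH does not know]} for keywords with at least one."""
    result = {}
    for key, (_prefix, names) in options.items():
        bad = [n for n in names if n not in supported.get(key, set())]
        if bad:
            result[key] = bad
    return result


def prune(options, supported):
    """Copy of options with unknown names dropped, order preserved.

    A keyword left with no names is removed entirely, since a keyword without an
    argument is not a valid sshd_config line either.
    """
    kept = {}
    for key, (prefix, names) in options.items():
        good = [n for n in names if n in supported.get(key, set())]
        if good:
            kept[key] = (prefix, good)
    return kept


def render(options):
    """Turn the parsed structure back into lines for the Extra Options box."""
    return "\n".join(f"{key} {prefix}{','.join(names)}"
                     for key, (prefix, names) in options.items())


if __name__ == "__main__":
    # Constructed input: the failing Extra Options from the report above.
    failing = (
        "Ciphers 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,"
        "aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour,arcfour128,arcfour256,"
        "blowfish-cbc,cast128-cbc,chacha20-poly1305@openssh.com\n"
        "KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group1-sha1,"
        "diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,"
        "diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,"
        "ecdh-sha2-nistp521\n"
    )
    opts = parse_extra_options(failing)
    supp = supported_sets()
    print("unsupported:", unsupported(opts, supp))
    print(render(prune(opts, supp)))
```

Run it on the host whose sshd will load the options, since `ssh -Q` reflects that build of OpenSSH and the supported names change between releases. The tool only answers "will sshd accept this name"; whether a name that is still accepted (the sha1 key-exchange methods in the working list, for instance) is a good choice for a given network is a separate decision. Before saving the pruned lines into the service settings, write them to a file and run `sshd -t -f <that file>`, which parses the configuration without starting the daemon and reports the same errors the rc script hides behind "failed precmd routine".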