RHEL 7.4 - update breaks FileZilla SFTP

2

After updating several of my servers last night, we can no longer connect to them with the FileZilla SFTP client. Here is the FileZilla log:

2017-08-09 16:26:54 7294 3 Status: Connecting to my.rhel74.server...
2017-08-09 16:26:54 7294 3 Response: fzSftp started
2017-08-09 16:26:54 7294 3 Command: keyfile "/home/acoder/.ssh/fz"
2017-08-09 16:26:54 7294 3 Command: open "[email protected]" 22
2017-08-09 16:26:54 7294 3 Error: Server unexpectedly closed network connection
2017-08-09 16:26:54 7294 3 Error: Could not connect to server
2017-08-09 16:26:54 7294 3 Status: Waiting to retry...
2017-08-09 16:26:59 7294 3 Status: Connecting to my.rhel74.server...
2017-08-09 16:26:59 7294 3 Response: fzSftp started
2017-08-09 16:26:59 7294 3 Command: keyfile "/home/acoder/.ssh/fz"
2017-08-09 16:26:59 7294 3 Command: open "[email protected]" 22
2017-08-09 16:27:00 7294 3 Error: Server unexpectedly closed network connection
2017-08-09 16:27:00 7294 3 Error: Could not connect to server

Checking the server's error log, I found:

Aug 9 17:05:45 rhel74server sshd[5278]: FIPS mode initialized

Aug 9 17:05:45 rhel74server sshd[5278]: fatal: no matching mac found: client hmac-sha1,hmac-sha1-96,hmac-md5 server hmac-sha2-512,hmac-sha2-256 [preauth]

Here is the server's ssh configuration:

# /etc/ssh/sshd_config
Protocol 2
KexAlgorithms diffie-hellman-group-exchange-sha256
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256

We are required to run these Ciphers and MACs, so changing or adding any of them is problematic. The configuration above worked fine until the server OS was updated from RHEL 7.3 to 7.4 the day before.

Here are the MACs my local system uses:

user@linux-mint ~ $ nmap --script ssh2-enum-algos -sV -p 22 rhel74server

Starting Nmap 6.40 ( http://nmap.org ) at 2017-08-10 14:42 EDT
Nmap scan report for rhel74server (170.140.203.50)
Host is up (0.0026s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh2-enum-algos: 
|   kex_algorithms (1)
|       diffie-hellman-group-exchange-sha256
|   server_host_key_algorithms (3)
|       ssh-rsa
|       rsa-sha2-512
|       rsa-sha2-256
|   encryption_algorithms (3)
|       aes256-ctr
|       aes192-ctr
|       aes128-ctr
|   mac_algorithms (2)
|       hmac-sha2-512
|       hmac-sha2-256
|   compression_algorithms (2)
|       none
|_      [email protected]

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.38 seconds
user@linux-mint ~ $ 

The server's MACs in use are hmac-sha2-512 and hmac-sha2-256, which match what the client OS is using.

FileZilla seems to ignore what my client OS has configured and is sending the following MACs to the server:

fatal: no matching mac found: client
hmac-sha1,
hmac-sha1-96,
hmac-md5 

I am on the latest version of FileZilla (3.27.0.1).

Any clue as to what else I should try to get this working again?

by a coder 09.08.2017 / 23:12
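As an added example (not part of the original question, and not FileZilla, OpenSSH or Red Hat code), the script below parses the sshd "no matching mac found" line quoted above, applies the SSH negotiation rule from RFC 4253 section 7.1 (the chosen algorithm is the first entry in the client's list that the server also supports), and flags which client-offered MACs fall into the families the RHEL 7.4 notes describe as disabled (MD5, RIPE-MD160 and truncated SHA-1). The sample log line is constructed from the question; the function and field names are my own.

```python
"""Explain an sshd algorithm-negotiation failure from its fatal log line.

Added example: parses "no matching <kind> found: client ... server ..." lines,
reproduces the RFC 4253 negotiation rule and reports which client-offered
algorithms are in the legacy families that RHEL 7.4 disabled by default.
"""
import re

# Constructed from the sshd line quoted in the question (not a live log).
SAMPLE_LOG = (
    "Aug 9 17:05:45 rhel74server sshd[5278]: fatal: no matching mac found: "
    "client hmac-sha1,hmac-sha1-96,hmac-md5 "
    "server hmac-sha2-512,hmac-sha2-256 [preauth]"
)

# The fatal line names the algorithm kind (mac, cipher, key exchange method)
# followed by the two comma-separated proposal lists.
_NO_MATCH_RE = re.compile(
    r"no matching (?P<kind>[\w ]+?) found: "
    r"client (?P<client>\S+) server (?P<server>\S+)"
)

# MAC families listed as disabled in the RHEL 7.4 deprecation note:
# MD5, RIPE-MD160 and truncated (96-bit) SHA-1. Full hmac-sha1 is not in it.
_LEGACY_MAC_RE = re.compile(r"^hmac-(md5|ripemd160|sha1-96)(\b|-|@)")


def parse_no_match(line):
    """Return {'kind', 'client', 'server'} for a sshd no-match line, else None."""
    m = _NO_MATCH_RE.search(line)
    if m is None:
        return None
    return {
        "kind": m.group("kind"),
        "client": m.group("client").split(","),
        "server": m.group("server").split(","),
    }


def negotiate(client, server):
    """RFC 4253 7.1: pick the first client-preferred algorithm the server offers."""
    offered_by_server = set(server)
    for algo in client:
        if algo in offered_by_server:
            return algo
    return None


def is_legacy_mac(name):
    """True if the MAC belongs to a family RHEL 7.4 disables by default."""
    return _LEGACY_MAC_RE.match(name) is not None


def explain(line):
    """Summarise why the negotiation in a sshd fatal line failed (or succeeded)."""
    parsed = parse_no_match(line)
    if parsed is None:
        return None
    client, server = parsed["client"], parsed["server"]
    return {
        "kind": parsed["kind"],
        "chosen": negotiate(client, server),
        "client_offered": client,
        "server_offered": server,
        # Client proposals the server will never accept with its current policy.
        "legacy_offered": [a for a in client if is_legacy_mac(a)],
        # Server proposals the client lacks; the client needs one of these.
        "needed_on_client": [a for a in server if a not in client],
    }


if __name__ == "__main__":
    result = explain(SAMPLE_LOG)
    print(f"{result['kind']} negotiation -> {result['chosen']}")
    print("legacy client MACs :", ", ".join(result["legacy_offered"]))
    print("needed on client   :", ", ".join(result["needed_on_client"]))
```

For the line from the question the intersection is empty, so `chosen` is `None`; the report shows that two of the three client MACs are in the disabled legacy families and that the client would need hmac-sha2-512 or hmac-sha2-256 to connect, which points at updating the client's MAC list rather than weakening the server's policy.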

1 answer

0

Feature deprecated due to its inherent lack of security!

In your example, you can see that the client is offering:

  • hmac-sha1
  • hmac-sha1-96
  • hmac-md5

But your server is offering only

  • hmac-sha2-512
  • hmac-sha2-256

So no match was found. Probably, before the upgrade, the server happily offered hmac-sha1.

Deprecation of insecure algorithms

Following up with Deprecation of Insecure Algorithms in RHEL 6.9, legacy algorithms that potentially pose a more serious threats to deployments are being disabled. That, in RHEL 7.4, affects the RC4 ciphers, as well as MD5, RIPE-MD160, and truncated SHA-1 MACs on both client and server side. The ciphers Blowfish, Cast128, and 3DES were removed from the default set of algorithms accepted by the client but are still supported in the server.

If these algorithms are still needed for interoperability with legacy servers or clients, they can be enabled on a per-host basis as described in the upstream documentation. The following example describes how to enable 3des-cbc cipher in a client:

Host legacy.example.org
  Ciphers +3des-cbc

Another example, enabling hmac-md5 in a server for legacy.example.org client:

Match Host legacy.example.org
  MACs +hmac-md5
by 09.08.2017 / 23:29