# sshd - is DH group 14 used by default?



## tpattgeek (Oct 16, 2012)

Let me first start by saying I am no way close to being a FreeBSD expert, but I'm here because we're having an issue uploading files via SFTP to our new server.  It is running FreeBSD 8.3-RELEASE (GENERIC) and OpenSSH.

My issue is our Cisco Secure ACS appliance cannot reach this server over SFTP.  Other devices can connect using SFTP, but the ACS appliance cannot.  I found out that the ACS now uses DH group 14 because it is FIPS compliant, but I'm not sure how to tell if the server is negotiating with that group.  How can I find out if DH group 14 is available and how do I specify it as an option when connecting?  Thanks for the help!


----------



## tpattgeek (Oct 16, 2012)

By the way, I can connect via FTP to other servers from the appliance, and I can connect to the FreeBSD server from other devices, so I know there's not a connectivity issue with either of these devices.


----------



## tpattgeek (Oct 16, 2012)

I've also installed the Free SolarWinds SFTP Server and I am able to connect to it successfully.


----------



## mamalos (Oct 16, 2012)

Check the logs on your FreeBSD box. They're located in /var/log/ folder and the ones you're interested in is /var/log/auth.log and -maybe- /var/log/messages. The command you should run is tail(1), so for seeing "live" what is written in the first case, your command will be:

`# tail -f /var/log/auth.log`

Then, tell us the error log output.


----------



## tpattgeek (Oct 16, 2012)

There is nothing in either of the logs except local user authentications.

Does this need to be entered into the sshd_config file?

```
KexAlgorithms "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521","diffie-hellman-group-exchange-sha256", "diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"
```

Is this the proper syntax for it?  Right now, there is no mention of this in the config file.


----------



## jnbek (Oct 17, 2012)

well according to RFC 4253 DH14 is supported in SSH, I found the keyword KexAlgorithms in the sshd_config manpage:

*KexAlgorithms*
_Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. The default is "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"._

So it should just be a matter of setting this to diffie-hellman-group14-sha1, restarting the daemon: 
/etc/rc.d/sshd restart
and it should work.


----------



## tpattgeek (Oct 17, 2012)

jnbek said:
			
		

> well according to RFC 4253 DH14 is supported in SSH, I found the keyword KexAlgorithms in the sshd_config manpage:
> 
> *KexAlgorithms*
> _Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. The default is "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"._
> ...



Yes, I found that as well, but only for OpenBSD.  We are running FreeBSD and there is no mention of KexAlgorithms in the sshd_config file nor is it found in the man page for FreeBSD's OpenSSH.  Do we need to add the keyword AND the configuration?  I was under the impression all of the algorithms were accepted by default and only needed if you wanted to specify one or two.  If we need to add it, what exactly does it need to look like in the file?


----------



## tpattgeek (Oct 17, 2012)

This is what happened after adding the KexAlgorighms to the file:

/etc/rc.d/sshd start
Starting sshd.
/etc/ssh/sshd_config: line 50: Bad configuration option: KexAlgorithms
/etc/ssh/sshd_config: terminating, 1 bad configuration options
/etc/rc.d/sshd: WARNING: failed to start sshd


----------



## wblock@ (Oct 17, 2012)

Maybe security/openssh-portable supports it.


----------



## jnbek (Oct 17, 2012)

Well I was referencing This Manpage Here when I made my reference to *KexAlgorithms* being supported. It is possible that the manpage is for the port as opposed to the base version. I apologize for not making the distinction. As wblock@ mentioned, the security/openssh-portable port will most likely be the source of your peace, love and happiness. Again I apologize for failing to make the proper distinction.


----------

