{"id":298,"date":"2018-10-26T11:14:32","date_gmt":"2018-10-26T09:14:32","guid":{"rendered":"http:\/\/www.lambiek.eu\/blog\/?p=298"},"modified":"2018-10-26T11:33:14","modified_gmt":"2018-10-26T09:33:14","slug":"upgrading-solaris-11-3-to-11-4-ssh","status":"publish","type":"post","link":"https:\/\/www.lambiek.eu\/blog\/informational\/upgrading-solaris-11-3-to-11-4-ssh\/","title":{"rendered":"Upgrading Solaris 11.3 to 11.4 &#8211; SSH"},"content":{"rendered":"\n<p>When you upgrade from Solaris 11.3 to Solaris 11.4 there are a lot of changes, and SSH is one of them. Where Solaris 11.3 defaults to SunSSH, Solaris 11.4 switched to OpenSSH.<\/p>\n\n\n\n<p>In the environment I work with, some hardening was configured to disallow certain unsafe Ciphers and MACs. Therefore the directives were configured as:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Ciphers aes128-ctr,aes192-ctr,aes256-ctr\n\nMACs hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96<\/code><\/pre>\n\n\n\n<p>Those values reflect what the sshd_config manual page says about FIPS-140 mode:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Ciphers\n\n           Specifies the ciphers allowed for protocol version 2. Cipher order-\n           ing  on  the  server side is not relevant. Multiple ciphers must be\n           comma separated.\n\n           Valid ciphers are: aes128-ctr, aes192-ctr, aes256-ctr,  aes128-cbc,\n           aes192-cbc,  aes256-cbc, arcfour, arcfour128, arcfour256, 3des-cbc,\n           and blowfish-cbc.\n\n           The default cipher list is:\n\n             aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,\n             arcfour256,arcfour\n\n           Using CBC modes on the server side is not recommended due to poten-\n           tial security issues in connection with the SSH protocol version 2.\n\n           When  configuring sshd to run OpenSSL in FIPS-140 mode, the default\n           cipher list is: aes128-cbc, aes192-cbc,  aes256-cbc.  
Specifying  a\n           non-FIPS approved cipher will return an error.\n\n           For  the  case  of  ssh  with  FIPS-140 enabled logging into a non-\n           FIPS-140 sshd, the supported and  approved  FIPS  ciphers  must  be\n           explicitly  specified  in sshd_config using \"Ciphers\" for this sce-\n           nario.\n\n\nMACs\n\n       Specifies  the  available  MAC  (message authentication code) algo-\n       rithms. The MAC algorithm is used in protocol version  2  for  data\n       integrity  protection. Multiple algorithms must be comma-separated.\n       The default is  hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96,  hmac-\n       sha2-256, hmac-sha2-256-96, hmac-sha2-512, and hmac-sha2-512-96.\n\n       When  configuring sshd to run OpenSSL in FIPS-140 mode, the default\n       is hmac-sha1, hmac-sha1-96, hmac-sha2-256, hmac-sha2-256-96,  hmac-\n       sha2-512,  and hmac-sha2-512-96. Specifying a non-FIPS approved MAC\n       algorithm will return an error.<\/code><\/pre>\n\n\n\n<p>As said earlier, Solaris 11.4 uses OpenSSH, and its set of Ciphers and MACs is slightly different. 
The supported Ciphers and MACs are:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>The supported ciphers are:\n\n    3des-cbc\n    aes128-cbc\n    aes192-cbc\n    aes256-cbc\n    aes128-ctr\n    aes192-ctr\n    aes256-ctr\n    aes128-gcm@openssh.com\n    aes256-gcm@openssh.com\n    blowfish-cbc\n    chacha20-poly1305@openssh.com\n\nThe default is:\n\n    chacha20-poly1305@openssh.com,\n    aes128-ctr,aes192-ctr,aes256-ctr,\n    aes128-gcm@openssh.com,aes256-gcm@openssh.com\n\nThe following ciphers are FIPS-140 approved and are supported in\nFIPS-140 mode:\n\n    aes128-ctr,aes192-ctr,aes256-ctr,\n    aes128-gcm@openssh.com,aes256-gcm@openssh.com,\n    aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc\n\nThe supported MACs are:\n\n    hmac-ripemd160\n    hmac-sha1\n    hmac-sha1-96\n    hmac-sha2-256\n    hmac-sha2-512\n    umac-64@openssh.com\n    umac-128@openssh.com\n    hmac-ripemd160-etm@openssh.com\n    hmac-sha1-etm@openssh.com\n    hmac-sha1-96-etm@openssh.com\n    hmac-sha2-256-etm@openssh.com\n    hmac-sha2-512-etm@openssh.com\n    umac-64-etm@openssh.com\n    umac-128-etm@openssh.com\n\nThe default is:\n\n    umac-64-etm@openssh.com,umac-128-etm@openssh.com,\n    hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,\n    hmac-sha1-etm@openssh.com,\n    umac-64@openssh.com,umac-128@openssh.com,\n    hmac-sha2-256,hmac-sha2-512,hmac-sha1\n\nThe following MACs are FIPS-140 approved and are supported in\nFIPS-140 mode:\n\n    hmac-sha2-256-etm@openssh.com,\n    hmac-sha2-512-etm@openssh.com,\n    hmac-sha2-256,hmac-sha2-512,\n    hmac-sha1-etm@openssh.com,\n    hmac-sha1-96-etm@openssh.com\n    hmac-sha1,hmac-sha1-96<\/code><\/pre>\n\n\n\n<p>It seems that OpenSSH does not know about these two MACs:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>hmac-sha2-256-96\nhmac-sha2-512-96<\/code><\/pre>\n\n\n\n<p>If one of those MACs is explicitly listed in \/etc\/ssh\/sshd_config and you upgrade from Solaris 11.3 to Solaris 11.4, you will be unable to log in using SSH 
because the SSH service will be in maintenance mode:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>tail \/var\/svc\/log\/network-ssh:default.log\n[ 2018 Oct  1 14:53:18 Executing start method (\"\/lib\/svc\/method\/sshd start\"). ]\n\/etc\/ssh\/sshd_config line 15: Bad SSH2 mac spec 'hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96'.\n[ 2018 Oct  1 14:53:19 Method \"start\" exited with status 255. ]<\/code><\/pre>\n\n\n\n<p>The resolution is to log in on the console, remove both MACs (or comment out the whole MACs directive) and clear the service:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>svcadm clear ssh<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>When you upgrade from Solaris 11.3 to Solaris 11.4 there are a lot of changes, and SSH is one of them. Where Solaris 11.3 defaults to SunSSH, Solaris 11.4 switched to OpenSSH. In the environment I work with, some hardening was configured to disallow certain unsafe Ciphers and MACs. 
Therefore the directives were &#8230; <span class=\"more\"><a class=\"more-link\" href=\"https:\/\/www.lambiek.eu\/blog\/informational\/upgrading-solaris-11-3-to-11-4-ssh\/\">[Read more&#8230;]<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[26],"tags":[25],"_links":{"self":[{"href":"https:\/\/www.lambiek.eu\/blog\/wp-json\/wp\/v2\/posts\/298"}],"collection":[{"href":"https:\/\/www.lambiek.eu\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.lambiek.eu\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.lambiek.eu\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lambiek.eu\/blog\/wp-json\/wp\/v2\/comments?post=298"}],"version-history":[{"count":2,"href":"https:\/\/www.lambiek.eu\/blog\/wp-json\/wp\/v2\/posts\/298\/revisions"}],"predecessor-version":[{"id":301,"href":"https:\/\/www.lambiek.eu\/blog\/wp-json\/wp\/v2\/posts\/298\/revisions\/301"}],"wp:attachment":[{"href":"https:\/\/www.lambiek.eu\/blog\/wp-json\/wp\/v2\/media?parent=298"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.lambiek.eu\/blog\/wp-json\/wp\/v2\/categories?post=298"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.lambiek.eu\/blog\/wp-json\/wp\/v2\/tags?post=298"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}