putty (or another ssh client) fails to connect to SLES 12 SP2 and gives cipher errors

This document (7018729) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 12 Service Pack 2 (SLES 12 SP2)

Situation

A system has been installed with (or upgraded to) SLES 12 SP2.  At another system, putty (or another ssh/sftp client), which can connect to SLES 12 SP1 without an issue, gives cipher negotiation warnings when connection to SLES 12 SP2.  For example, putty might give:
 
 
Note:  The grammatical error is present in putty's message, so it is preserved here.

Resolution

The recommended resolution is to update the ssh client.  Popular clients usually have their supported cipher list updated from time to time as well.  For example, putty v0.58 will fail with the above message, but putty 0.62 will not.  (Versions in between were not tested by the author of this document.)
 
Another option (though NOT recommended, and not tested by the author of this document) is to explicitly define a list of ciphers (and possibly MACs) within /etc/ssh/sshd_config on the SLES 12 SP2 server, to expand the ciphers which openssh on SLES 12 SP2 will accept.  (See the "Ciphers" and "MACs" options within "man sshd_config").  HOWEVER, this could introduce weak or unsafe ciphers, where vulnerabilities may have been publicly identified.
 
This document will not attempt to cover adding specific Ciphers or MACs for specific clients.  This should only be done by someone with security encryption expertise.  For lists of the Ciphers and MACs which are supported by default on different versions of openssh, see "man sshd_config" from those particular versions of openssh.
 
 

Cause

SLES 12 SP2 contains openssh v7.2p2, whereas SP1 contained v6.6p1.  Between those releases, several ciphers which are considered to be less safe were dropped from the default list of supported ciphers.
 
To see the details of the change, one can access the openssh package changelog as follows:
 
rpm -q --changelog openssh | less
 
Then searching on the term "cipher" will show:
- OpenSSH 6.7
Potentially-incompatible changes:
* sshd(8): The default set of ciphers and MACs has been
altered to remove unsafe algorithms. In particular, CBC
ciphers and arcfour* are disabled by default.
The full set of algorithms remains available if configured
explicitly via the Ciphers and MACs sshd_config options.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7018729
  • Creation Date: 23-Mar-2017
  • Modified Date:03-Mar-2020
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback@suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center