SUSE Linux Enterprise Server 12 Service Pack 2 (SLES 12 SP2)
A system has been installed with (or upgraded to) SLES 12 SP2. On another system, putty (or another ssh/sftp client), which can connect to SLES 12 SP1 without an issue, gives cipher negotiation warnings when connecting to SLES 12 SP2. For example, putty might give:
Note: The grammatical error is present in putty's message, so it is preserved here.
The recommended resolution is to update the ssh client. Popular clients usually have their supported cipher list updated from time to time as well. For example, putty v0.58 will fail with the above message, but putty 0.62 will not. (Versions in between were not tested by the author of this document.)
Another option (though NOT recommended, and not tested by the author of this document) is to explicitly define a list of ciphers (and possibly MACs) within /etc/ssh/sshd_config on the SLES 12 SP2 server, to expand the ciphers which openssh on SLES 12 SP2 will accept. (See the "Ciphers" and "MACs" options within "man sshd_config"). HOWEVER, this could introduce weak or unsafe ciphers, where vulnerabilities may have been publicly identified.
This document will not attempt to cover adding specific Ciphers or MACs for specific clients. This should only be done by someone with security encryption expertise. For lists of the Ciphers and MACs which are supported by default on different versions of openssh, see "man sshd_config" from those particular versions of openssh.
SLES 12 SP2 contains openssh v7.2p2, whereas SP1 contained v6.6p1. Between those releases, several ciphers which are considered to be less safe were dropped from the default list of supported ciphers.
To see the details of the change, one can access the openssh package changelog as follows:
rpm -q --changelog openssh | less
Then searching on the term "cipher" will show:
- OpenSSH 6.7
* sshd(8): The default set of ciphers and MACs has been
altered to remove unsafe algorithms. In particular, CBC
ciphers and arcfour* are disabled by default.
The full set of algorithms remains available if configured
explicitly via the Ciphers and MACs sshd_config options.
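A check for the risk described above, as an added example that is not part of the original SUSE document: the shell functions below read sshd configuration text and list any CBC or arcfour* ciphers found in a Ciphers directive, which are the algorithms the changelog entry names. The function names and the two sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the SUSE document. Names and samples are constructed.

# Print each CBC-mode or arcfour* cipher found in a Ciphers directive.
# Input on stdin: sshd_config text or the output of "sshd -T".
weak_ciphers() {
    awk '
        /^[ \t]*#/ { next }                  # skip comment lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/)        # keyword ends at whitespace or "="
            if (n == 0) next
            if (tolower(substr(line, 1, n - 1)) != "ciphers") next
            val = substr(line, n + 1)
            gsub(/[ \t="]/, "", val)
            sub(/^\+/, "", val)              # "+list" appends to the defaults
            cnt = split(val, c, ",")
            for (i = 1; i <= cnt; i++)
                if (c[i] ~ /-cbc(@|$)/ || c[i] ~ /^arcfour/) print c[i]
        }
    '
}

# Return 1 (and list the offenders) if any such cipher is configured.
audit_ciphers() {
    found=$(weak_ciphers)
    if [ -n "$found" ]; then
        echo "WARNING: ciphers removed from the sshd defaults in OpenSSH 6.7:"
        echo "$found" | sed 's/^/  /'
        return 1
    fi
    echo "OK: no CBC or arcfour ciphers configured"
}

# Constructed sample: explicit list without the removed algorithms.
SAMPLE_HARDENED='Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr'

# Constructed sample: list widened to accommodate an old client.
SAMPLE_EXPANDED='# widened for a legacy client
Ciphers aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc,arcfour256
MACs hmac-sha2-256'

printf '%s\n' "$SAMPLE_HARDENED" | audit_ciphers || true
printf '%s\n' "$SAMPLE_EXPANDED" | audit_ciphers || true
```

On a live server, piping the output of "sshd -T" (run as root) into audit_ciphers checks the effective configuration rather than only the text of /etc/ssh/sshd_config.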