
unable to ssh to firewall from untrusted (external)

I am able to SSH into my firewall from internal networks, however I have one external IP range I want to be able to SSH in from while I'm away and I get connection closed when I try and SSH in.  It works fine with my previous firewall, but I cannot get the UTM 9 to allow the connection.  The subnet I want allowed is in the allowed entries for SSH under the management tab and I DO get connected initially and do get the key from the firewall placed in my known_hosts file, but then it immediately closes the connection after that.  I have loginuser with password enabled and root with certificate enabled and I've uploaded the SSH key in the GUI for my user.  What sucks is, I have nothing in the logs that show me what the issue is (packetfilter.log or sshd.log), so I can't troubleshoot the issue to figure out why it's not working.  Any other logs I should look in?  I've deleted the entries for my other firewall out of my local known_hosts file and I can login as loginuser and grab the entry for known_hosts from my UTM9 but right after it does that it immediately closes the connection.  I'm attaching an ssh -vvv output to the firewall below.

 

[blah@machine ~/.ssh]$ ssh -vvv loginuser@xx.xx.xx.xx -p 22
FIPS integrity verification test failed.
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to xx.xx.xx.xx [xx.xx.xx.xx] port 22.
debug1: Connection established.
debug3: Not a RSA1 key file /home/blah/.ssh/identity.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/blah/.ssh/identity type -1
debug1: identity file /home/blah/.ssh/identity-cert type -1
debug1: identity file /home/blah/.ssh/id_rsa type -1
debug1: identity file /home/blah/.ssh/id_rsa-cert type -1
debug3: Not a RSA1 key file /home/blah/.ssh/id_dsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/blah/.ssh/id_dsa type -1
debug1: identity file /home/blah/.ssh/id_dsa-cert type -1
debug1: identity file /home/blah/.ssh/id_ecdsa type -1
debug1: identity file /home/blah/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.6
debug1: match: OpenSSH_4.6 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 864 bytes for a total of 885
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96
debug2: kex_parse_kexinit: hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss,ssh-rsa
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour128,arcfour256,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour128,arcfour256,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug3: Wrote 24 bytes for a total of 909
debug2: dh_gen_key: priv key bits set: 161/320
debug2: bits set: 1057/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: Wrote 272 bytes for a total of 1181
debug3: check_host_in_hostfile: host xx.xx.xx.xx filename /home/blah/.ssh/known_hosts
debug3: check_host_in_hostfile: host xx.xx.xx.xx filename /home/blah/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 53
debug1: Host 'xx.xx.xx.xx' is known and matches the RSA host key.
debug1: Found key in /home/blah/.ssh/known_hosts:53
debug2: bits set: 1023/2048
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: Wrote 16 bytes for a total of 1197
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug3: Wrote 52 bytes for a total of 1249
Connection closed by xx.xx.xx.xx
[blah@machine ~/.ssh]$ pwd



  • Sooooo...I have a bit more information.  After examining my sshd.log I DO see entries that I believe are coming from the client which I have allowed to ssh to the firewall.  The machine is a RHEL 6.8 Enterprise Linux Server.  It appears that the client is not offering a "mac" that the UTM likes?  Does this mean I'm not offering it a cipher type it likes?  Please see log entries below.  If anyone has suggestions I'd greatly appreciate any.

     

    2017:06:27-09:07:38 myfirewall sshd[31206]: fatal: no matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 server umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512 [preauth]

    2017:06:27-09:07:50 myfirewall sshd[31241]: fatal: no matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 server umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512 [preauth]

    2017:06:27-09:19:57 myfirewall sshd[31729]: fatal: no matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 server umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512 [preauth]

  • It looks like you found the answer, Justin.  I bet you can install a newer version of the client and get some modern [;)] ciphers that the UTM likes.

    Cheers - Bob

  • I'm getting super frustrated at this point.  I created a ~/.ssh/config file on the client side (I'm just ssh'ing from the RHEL6.8 Linux server to my home IP) to include the only FIPS compatible MAC I can find (I found an article stating that hmac-sha1 was the only compatible MAC for a FIPS enabled machine) and I still get the response below.  I would really like someone's assistance.  I downloaded a fresh copy of putty as well and tried it from a Windows box coming from that same allowed subnet, no go.  I can ssh internally all day long from my clients but I keep getting this crap when trying to initiate a connection from this site externally.  Any and all suggestions are appreciated.  This thing obviously has a VERY strict SSH config, but what I'm getting below in the sshd.log doesn't tell me what I need to do and the ssh -vvv just ends up closing the connection.  Again, super frustrated.  I've never had this issue in the past with other firewalls including Sidewinder, which I see to be one of the top firewalls available.

     

    2017:06:29-07:35:35 jbeeler-fw-001 sshd[27759]: fatal: no matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 server umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512 [preauth]

    2017:06:29-07:35:37 jbeeler-fw-001 sshd[27781]: fatal: no matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 server umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512 [preauth]

    2017:06:29-07:35:38 jbeeler-fw-001 sshd[27803]: fatal: no matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 server umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512 [preauth]

    2017:06:29-07:35:51 jbeeler-fw-001 sshd[27828]: fatal: no matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 server umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512 [preauth]

    2017:06:29-07:46:58 jbeeler-fw-001 sshd[28211]: fatal: no matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 server umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512 [preauth]

    2017:06:29-07:47:26 jbeeler-fw-001 sshd[28283]: fatal: no matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 server umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512 [preauth]

    2017:06:29-07:49:48 jbeeler-fw-001 sshd[28353]: fatal: no matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 server umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512 [preauth]

    2017:06:29-08:13:50 jbeeler-fw-001 sshd[29498]: fatal: no matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 server umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512 [preauth]

    2017:06:29-08:18:15 jbeeler-fw-001 sshd[29733]: fatal: no matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 server umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512 [preauth]

    2017:06:29-12:44:15 jbeeler-fw-001 sshd[7940]: fatal: no matching mac found: client hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 server umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512 [preauth]
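    To make the sshd.log entries quoted in both posts above mechanically checkable, here is an added Python example (not from the thread, Sophos or the UTM code) that parses a "no matching mac found" line, replays the SSH negotiation rule (the first client-preferred algorithm that the server also lists wins), and splits the client's offer into SHA-2/UMAC MACs that could be enabled on the server without weakening it and legacy MACs that should not be. The sample line is constructed to match the format of the firewall log above.

    ```python
    import re

    # Constructed sample in the same shape as the UTM's sshd.log lines above.
    SAMPLE_LOG = (
        "2017:06:27-09:07:38 myfirewall sshd[31206]: fatal: no matching mac found: "
        "client hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,"
        "hmac-sha1-96,hmac-md5-96 server umac-64-etm@openssh.com,"
        "umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,"
        "hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,"
        "hmac-sha2-256,hmac-sha2-512 [preauth]"
    )

    # sshd reports the same failure shape for MACs, ciphers and key exchange methods.
    LINE_RE = re.compile(
        r"sshd\[(?P<pid>\d+)\]: fatal: no matching "
        r"(?P<alg>mac|cipher|key exchange method) found: "
        r"client (?P<client>\S+) server (?P<server>\S+)"
    )

    def is_modern_mac(name):
        """SHA-2 based HMACs and UMAC are the families the UTM still accepts."""
        return "sha2" in name or name.startswith("umac")

    def parse_mismatch(line):
        """Return (algorithm class, client list, server list), or None for unrelated lines."""
        m = LINE_RE.search(line)
        if not m:
            return None
        return m.group("alg"), m.group("client").split(","), m.group("server").split(",")

    def negotiate(client, server):
        """RFC 4253 7.1: first algorithm in the client's list that the server also supports."""
        server_set = set(server)
        for alg in client:
            if alg in server_set:
                return alg
        return None  # no overlap -> sshd closes the connection before authentication

    def diagnose(line):
        """Summarise one failure line: what would have been chosen and what is safe to add."""
        parsed = parse_mismatch(line)
        if parsed is None:
            return None
        alg, client, server = parsed
        return {
            "algorithm": alg,
            "chosen": negotiate(client, server),
            "acceptable_client_offers": [a for a in client if is_modern_mac(a)],
            "legacy_client_offers": [a for a in client if not is_modern_mac(a)],
        }
    ```

    An empty `acceptable_client_offers` list, as for the log above, means the only way to make the server match is to enable a legacy MAC, which is the trade-off the later replies argue against.
    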

  • I wish I could help you, Justin, but I don't see which assumption I should challenge to help you do what everyone else here is doing.  That happens to me, too - I don't see something because I know what's there.

    Getting the latest version of putty worked for me, but I don't think that's your issue.

    Cheers - Bob

  • Thanks Bob.  I think the issue may not be with the client I'm coming from, but the firewall "proxy" I'm going through which breaks the connection between my client connection and my firewall at home, and that I can't control.  However, I wish someone could tell me what I need to configure on my UTM 9 to allow based on my output in my ticket thread so that I can get connected from that IP.  Even if I have to downgrade the SSH MAC or Ciphers on the UTM firewall, I can't gather info from the logs what the hell I need to put in the sshd_config to allow connections from the distant end.  So damn frustrated!  I'm controlling the connection based on IP from the client. 

  • FYI Bob I'm going through a Sidewinder, which has a proxy for SSH, so my connection from my RHEL6.8 server is "broken" and is re-established from the Sidewinder.  So I can only offer what the Sidewinder offers to my UTM 9, but I just need someone to say (based on what I've provided) hey put this in your /etc/ssh/sshd_config or whatever, I just don't know what to put.  I was hoping my output would help.  Any ideas ?

  • Any MAC less than SHA2 has been discredited and should not be considered secure.

    You could have an incompatibility between your client and your proxy, or between your proxy and UTM.   Most likely your proxy is obsolete and offering inferior cipher options, so UTM is protecting you from phony encryption.

    Obvious choice is to use VPN back to your main site and then use ssh, or bypass the proxy and use a recent version of putty.

  • DouglasFoster,

     

    I'm thinking it's an incompatibility between the proxy at the distant end that I am passing through, which is actually what's connecting to my UTM; unfortunately I have no control over that, so I think I'll set up a DNAT to allow that subnet in to an internal host on my network and connect to the UTM that way.  Of course I'd use a VPN if that were an option, however I can't use a VPN from there either because it goes through a corporate firewall that doesn't allow many ports out (obviously for good reason and security practices).  Totally agree with your sentiments though regarding the MACs less than SHA2.  Thank you for all of the information and feedback sir!

     

    Justin