SSH: No supported key exchange algorithms [preauth]

I’ve recently installed Solaris 11.4 on a VM and, as soon as I tried to log in remotely using SSH, my connection was refused straight away. First of all, I checked if the service was enabled:

$ svcs ssh
STATE          STIME    FMRI
online         13:23:15 svc:/network/ssh:default

I checked the SSH directory under /etc and something was definitely not quite right with the auto-generated keys:

-rw-------   1 root     root         0 Jan  4 13:23 ssh_host_ed25519_key
-rw-r--r--   1 root     root         0 Jan  4 13:23 ssh_host_ed25519_key.pub
-rw-------   1 root     root         0 Jan  4 13:23 ssh_host_rsa_key
-rw-r--r--   1 root     root         0 Jan  4 13:23 ssh_host_rsa_key.pub

The keys were there… but truncated to zero.

Something, somewhere, went wrong during key generation (which usually happens the first time OpenSSH runs), so I deleted the keys and restarted the service:

# svcadm restart ssh

The keys were re-generated and I was able to log in.
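As an added example (not from the original post), here is a small POSIX shell audit that flags the zero-length host key files described above, and also private host keys that are world-readable. The directory argument is an assumption so the check can be pointed at a test copy instead of /etc/ssh.

```shell
#!/bin/sh
# Audit OpenSSH host keys: report zero-length private keys, missing or
# empty public halves, and private keys readable by "other".
# Usage: check_host_keys [ssh-dir]   (defaults to /etc/ssh)
# Prints one line per problem and returns 1 if any were found, 0 otherwise.
check_host_keys() {
    dir="${1:-/etc/ssh}"
    bad=0
    for key in "$dir"/ssh_host_*_key; do
        # Glob did not expand: no host keys at all in this directory
        [ -e "$key" ] || { echo "NO-HOST-KEYS: $dir"; return 1; }
        if [ ! -s "$key" ]; then
            # Exactly the failure seen on the fresh Solaris install
            echo "EMPTY: $key"
            bad=1
        elif [ ! -s "$key.pub" ]; then
            echo "MISSING-OR-EMPTY-PUBKEY: $key.pub"
            bad=1
        elif [ -n "$(find "$key" -perm -004 2>/dev/null)" ]; then
            # Private host keys should be mode 0600 as in the listing above
            echo "WORLD-READABLE: $key"
            bad=1
        fi
    done
    return "$bad"
}

# Number of problem lines, convenient for monitoring checks
count_bad_host_keys() {
    check_host_keys "$1" | wc -l | tr -d ' '
}
```

If a key is reported EMPTY, delete the empty files and restart sshd (svcadm restart ssh on Solaris, or ssh-keygen -A on other OpenSSH hosts) so fresh keys are generated.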

View a certificate fingerprint

It’s possible to check a certificate fingerprint using openssl:

  • SHA-1
    openssl x509 -noout -fingerprint -sha1 -inform pem -in [cert-file]
  • SHA-256
    openssl x509 -noout -fingerprint -sha256 -inform pem -in [cert-file]
  • MD5
    openssl x509 -noout -fingerprint -md5 -inform pem -in [cert-file]

Iptables: block all traffic except SSH

I needed to update some servers and block the traffic generated by a lot of services. Since I couldn’t block every single service nor disconnect the network, I used this simple iptables rule, which rejects every new incoming TCP connection except those to port 22:

iptables -A INPUT -p tcp -m state --state NEW -m multiport ! --dports 22 -j REJECT


SSH tunneling

An SSH tunnel provides an encrypted channel over an SSH connection. It can be used to exchange data over a network through that encrypted channel or to get around some firewall restrictions.

To set up an SSH tunnel, a given port on a machine needs to be forwarded. Ports can be forwarded in three ways: local, remote or dynamic.

Local

Say you’re on a private network which doesn’t allow connections to a specific server. To get around the problem, you can create a tunnel through a server which is not on your private network:

ssh -L [local-port]:[remote-host]:[remote-port] user@remoteserver

-L stands for local port forwarding; you’re forwarding local port [local-port] (for example 9000) to [remote-host]:[remote-port], as seen from the remote server.

Remote

Say you need to give someone access to your client machine over an encrypted tunnel. Before establishing the connection you need to edit /etc/ssh/sshd_config on the remote server, add GatewayPorts yes and restart sshd.

ssh -R [remote-port]:localhost:[local-port] user@remoteserver

Dynamic

In this case, port forwarding turns your SSH client into a SOCKS proxy server. Every program needs to be configured to use the proxy server. SOCKS is a protocol that redirects every Internet connection through a proxy server:

ssh -D 1080 [server]

1080 is the standard SOCKS port but you can use any port number; the SOCKS proxy will stop when you close your SSH session.

Solaris 11: DNS client configuration

In Solaris 11, /etc/resolv.conf is managed via SMF (Service Management Framework).

root@solaria:~# cat /etc/resolv.conf

#
# _AUTOGENERATED_FROM_SMF_V1_
#
# WARNING: THIS FILE GENERATED FROM SMF DATA.
# DO NOT EDIT THIS FILE. EDITS WILL BE LOST.
# See resolv.conf(4) for details.

nameserver 8.8.8.8

View existing DNS configuration

svccfg -s network/dns/client listprop config
config                     application
config/value_authorization astring     solaris.smf.value.name-service.dns.client
config/nameserver          net_address 8.8.8.8

Update existing DNS configuration

svccfg -s network/dns/client setprop config/nameserver = net_address: "(208.67.222.222 208.67.220.220)"

Export DNS configuration

Refresh the service so the new property values are applied:

svcadm refresh dns/client

This command will build a new /etc/resolv.conf based on the new settings:

nscfg export svc:/network/dns/client:default