parda25

SSH2 Ciphers from PAM 3.1.1

Blog Post created by parda25 Employee on Apr 3, 2018

1. Introduction

This article provides the cipher and hash details used in SSH connections from PAM 3.1.1.

 

2. Environment

PAM 3.1.1

CentOS 7, OpenSSH 7.4p1, OpenSSL 1.0.2k

 

3. SSH protocol

Below is the SSH key detail from the PAM 3.1.1 server, along with the raw network packet data for the "Client: Key Exchange Init" message as shown in Wireshark.

 

3-1. SSH key detail

kex_algorithms string: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

encryption_algorithms_client_to_server string: aes128-ctr,arcfour128,aes128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour

mac_algorithms_client_to_server string: hmac-sha2-256,hmac-sha2-512,hmac-sha256-2@ssh.com,hmac-sha256@ssh.com,hmac-sha512@ssh.com,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96

 

3-2. Network Packet for SSH protocol

No. Time Source Destination Protocol Length Info
776 20.113065790 155.35.245.95 155.35.245.67 SSHv2 830 Client: Key Exchange Init

Frame 776: 830 bytes on wire (6640 bits), 830 bytes captured (6640 bits) on interface 0
Interface id: 0
Encapsulation type: Ethernet (1)
Arrival Time: Apr 3, 2018 10:29:13.645647008 AEST
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1522715353.645647008 seconds
[Time delta from previous captured frame: 0.001419457 seconds]
[Time delta from previous displayed frame: 0.001419457 seconds]
[Time since reference or first frame: 20.113065790 seconds]
Frame Number: 776
Frame Length: 830 bytes (6640 bits)
Capture Length: 830 bytes (6640 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ip:tcp:ssh]
[Coloring Rule Name: TCP]
[Coloring Rule String: tcp]
Ethernet II, Src: Vmware_94:60:8f (00:0c:29:94:60:8f), Dst: Vmware_25:82:47 (00:0c:29:25:82:47)
Destination: Vmware_25:82:47 (00:0c:29:25:82:47)
Address: Vmware_25:82:47 (00:0c:29:25:82:47)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: Vmware_94:60:8f (00:0c:29:94:60:8f)
Address: Vmware_94:60:8f (00:0c:29:94:60:8f)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IP (0x0800)
Internet Protocol Version 4, Src: 155.35.245.95 (155.35.245.95), Dst: 155.35.245.67 (155.35.245.67)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 816
Identification: 0xc780 (51072)
Flags: 0x02 (Don't Fragment)
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (6)
Header checksum: 0x4f5d [validation disabled]
[Good: False]
[Bad: False]
Source: 155.35.245.95 (155.35.245.95)
Destination: 155.35.245.67 (155.35.245.67)
Transmission Control Protocol, Src Port: 41755 (41755), Dst Port: ssh (22), Seq: 26, Ack: 22, Len: 776
Source port: 41755 (41755)
Destination port: ssh (22)
[Stream index: 2]
Sequence number: 26 (relative sequence number)
[Next sequence number: 802 (relative sequence number)]
Acknowledgment number: 22 (relative ack number)
Header length: 20 bytes
Flags: 0x018 (PSH, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 1... = Push: Set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
Window size value: 29200
[Calculated window size: 29200]
[Window size scaling factor: -2 (no window scaling used)]
Checksum: 0x5672 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
[SEQ/ACK analysis]
[Bytes in flight: 776]
SSH Protocol
SSH Version 2 (encryption:aes128-ctr mac:hmac-sha2-256 compression:none)
Packet Length: 772
Padding Length: 9
Key Exchange
Message Code: Key Exchange Init (20)
Algorithms
Cookie: 3e283c08f9b4b5674f43bddfc2966648
kex_algorithms length: 183
kex_algorithms string: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
server_host_key_algorithms length: 75
server_host_key_algorithms string: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss,ssh-rsa
encryption_algorithms_client_to_server length: 84
encryption_algorithms_client_to_server string: aes128-ctr,arcfour128,aes128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour
encryption_algorithms_server_to_client length: 84
encryption_algorithms_server_to_client string: aes128-ctr,arcfour128,aes128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour
mac_algorithms_client_to_server length: 133
mac_algorithms_client_to_server string: hmac-sha2-256,hmac-sha2-512,hmac-sha256-2@ssh.com,hmac-sha256@ssh.com,hmac-sha512@ssh.com,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
mac_algorithms_server_to_client length: 133
mac_algorithms_server_to_client string: hmac-sha2-256,hmac-sha2-512,hmac-sha256-2@ssh.com,hmac-sha256@ssh.com,hmac-sha512@ssh.com,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
compression_algorithms_client_to_server length: 4
compression_algorithms_client_to_server string: none
compression_algorithms_server_to_client length: 4
compression_algorithms_server_to_client string: none
languages_client_to_server length: 0
languages_server_to_client length: 0
KEX First Packet Follows: 0
Reserved: 00000000
Padding String: 0205070d0d171f2828
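
As an added example (not part of the original post and not PAM's own code): a parser for the Key Exchange Init payload shown above, following the RFC 4253 section 7.1 layout, that re-encodes the capture's field values and lists which offered algorithms match a legacy policy. The LEGACY policy and all function names are assumptions made for illustration.

```python
# Name-list fields of SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1).
FIELDS = ["kex_algorithms", "server_host_key_algorithms",
          "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
          "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
          "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
          "languages_client_to_server", "languages_server_to_client"]

# Assumed audit policy (not from the article): RC4, CBC modes, MD5 MACs,
# 96-bit truncated MACs, the 1024-bit group1 exchange and DSA host keys.
LEGACY = ("arcfour", "-cbc", "hmac-md5", "-96", "group1-sha1", "ssh-dss")

def parse_kexinit(payload: bytes) -> dict:
    """Parse a KEXINIT payload: message code byte through the reserved field."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    out, pos = {"cookie": payload[1:17].hex()}, 17
    for field in FIELDS:
        n = int.from_bytes(payload[pos:pos + 4], "big")  # uint32 length prefix
        if pos + 4 + n > len(payload):
            raise ValueError(f"{field}: length overruns the payload")
        text = payload[pos + 4:pos + 4 + n].decode("ascii")
        out[field] = text.split(",") if text else []
        pos += 4 + n
    if pos + 5 > len(payload):
        raise ValueError("missing first_kex_packet_follows or reserved field")
    out["first_kex_packet_follows"] = payload[pos] != 0
    return out

def legacy_offers(parsed: dict) -> dict:
    """Return {field: [names]} for offered names that match the LEGACY policy."""
    hits = {f: [a for a in parsed[f] if any(t in a for t in LEGACY)] for f in FIELDS}
    return {f: names for f, names in hits.items() if names}

def sample_payload() -> bytes:
    """Constructed input: re-encodes the field values shown in the capture."""
    kex = ("ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
           "diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,"
           "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1")
    key = "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss,ssh-rsa"
    enc = "aes128-ctr,arcfour128,aes128-cbc,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour"
    mac = ("hmac-sha2-256,hmac-sha2-512,hmac-sha256-2@ssh.com,hmac-sha256@ssh.com,"
           "hmac-sha512@ssh.com,hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96")
    lists = [kex, key, enc, enc, mac, mac, "none", "none", "", ""]
    body = b"".join(len(s).to_bytes(4, "big") + s.encode("ascii") for s in lists)
    return b"\x14" + bytes.fromhex("3e283c08f9b4b5674f43bddfc2966648") + body + bytes(5)

if __name__ == "__main__":
    print(legacy_offers(parse_kexinit(sample_payload())))
```

The re-encoded payload is 762 bytes, which agrees with the capture: Packet Length 772 minus the 1-byte padding length field and the 9 bytes of padding.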
