Ssh – Legacy SSH clients on internal networks

encryptionnetworkingssh

I have a couple of legacy SSH clients on my internal network (think 2000's era Macintoshes and the like) that are wholly incompatible with newer ciphers and key algorithms used in modern SSH implementations.

Getting these clients to work required adding diffie-hellman-group1-sha1 to KexAlgorithms, and arcfour to Ciphers.

I understand that both of these are terribly, hopelessly broken from an encryption standpoint. Unfortunately, the host in question also has inbound access from the internet, and I really, really don't want to have these crap ciphers enabled if I can avoid it, but it was the fastest way to get my clients back online.

I've got a few questions about how to tighten this setup down:

  • Does sshd have a way to specify that certain addresses can use certain ciphers?

    • Regarding this question from 2011: did sshd learn how to use KexAlgorithms and Ciphers inside of a Match block in the last 5 years?

  • Is there some way to put a bastion/jump server in front of the clients requiring weak encryption, and then forward that connection on to the host with stronger encryption?

  • Am I missing some other obvious way around this problem?

Best Answer

Does sshd have a way to specify that certain addresses can use certain ciphers?

Yes. Simple examples are on the Legacy page of OpenSSH. In short:

Host legacy.example.org
    KexAlgorithms +diffie-hellman-group1-sha1
    Ciphers +arcfour

Is there some way to put a bastion/jump server in front of the clients requiring weak encryption, and then forward that connection on to the host with stronger encryption?

Yes. You can set the legacy server to accept connections only from the jumpbox server for example using /etc/hosts.allow (tcp_wrappers). For example:

sshd: <IP/hostname of bastion>

The users will then configure ProxyCommand to jump over the jumpbox, such as

Host legacy.example.com
  ProxyCommand ssh -W %h:%p proxy.example.com
Related Topic