Troubleshooting
Problem
After updating the AIX OS level or upgrading the OpenSSL and OpenSSH versions, the following error is displayed when the sshd daemon is started if a specific list of ciphers has been added to the sshd_config file:
# startsrc -s sshd
/etc/ssh/sshd_config line 99: Bad SSH2 cipher spec 'aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,arcfour,aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128'.
0513-059 The sshd Subsystem has been started. Subsystem PID is 12845094.
Diagnosing The Problem
1. Examining the sshd_config file shows that the following cipher list was specified:
##Ciphers 'aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,arcfour,aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128
Even though the line was commented out, the sshd daemon still read it at startup; commenting the line out did not disable it.
2. The error is displayed because some of the ciphers are either deprecated or mistyped. Test the ciphers one at a time with the following commands to find out which ones cause the problem:
# sshd -t -o Ciphers=aes128-cbc
# sshd -t -o Ciphers=aes192-cbc
# sshd -t -o Ciphers=aes256-cbc
# sshd -t -o Ciphers=blowfish-cbc
command-line line 0: Bad SSH2 cipher spec 'blowfish-cbc'.
# sshd -t -o Ciphers=arcfour
command-line line 0: Bad SSH2 cipher spec 'arcfour'.
# sshd -t -o Ciphers=aes128-ctr
# sshd -t -o Ciphers=aes192-ctr
# sshd -t -o Ciphers=aes256-ctr
# sshd -t -o Ciphers=arcfour256
command-line line 0: Bad SSH2 cipher spec 'arcfour256'.
# sshd -t -o Ciphers=arcfour128
command-line line 0: Bad SSH2 cipher spec 'arcfour128'.
Resolving The Problem
1. One option is to remove the bad ciphers identified by the commands above from the Ciphers list in the sshd_config file, but that leaves sshd configured with ciphers that are not the strongest available.
2. The best practice is to remove the Ciphers line from the sshd_config file altogether. Verify the resulting cipher list as follows:
# ssh -Q cipher
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
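The per-cipher checks in the Diagnosing section and the ssh -Q cipher listing above can be combined into one script that reports every cipher on a Ciphers line that the installed OpenSSH build does not support. This is an added example, not part of the IBM technote; it assumes the supported list comes from ssh -Q cipher (one name per line) and embeds the technote's own line and listing as constructed sample data so it runs without sshd.

```shell
#!/bin/sh
# Added example (not from the technote): find ciphers on a sshd_config
# Ciphers line that the installed OpenSSH build does not support.

# Extract the comma-separated list from a "Ciphers ..." line: strip any
# leading '#' characters, the keyword, quotes and whitespace.
cipher_list_from_line() {
    printf '%s\n' "$1" | sed -e 's/^[# ]*[Cc]iphers[ =]*//' -e "s/['\" ]//g"
}

# Print each cipher in $1 (comma-separated) that is absent from $2
# (newline-separated supported names, as printed by "ssh -Q cipher").
# Returns 1 if at least one cipher is unsupported, 0 otherwise.
unsupported_ciphers() {
    list=$1 supported=$2 rc=0
    for c in $(printf '%s\n' "$list" | tr ',' ' '); do
        if ! printf '%s\n' "$supported" | grep -qxF -- "$c"; then
            printf '%s\n' "$c"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample data: the sshd_config line from the technote and the
# "ssh -Q cipher" output shown after the fix.
SAMPLE_LINE="##Ciphers 'aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,arcfour,aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128'"
SAMPLE_SUPPORTED="3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com"

# Demonstration on the sample. On a real host, replace the two arguments with
#   "$(cipher_list_from_line "$(grep -i '^#*Ciphers' /etc/ssh/sshd_config)")"
# and "$(ssh -Q cipher)".
unsupported_ciphers "$(cipher_list_from_line "$SAMPLE_LINE")" "$SAMPLE_SUPPORTED" \
    || echo "remove the ciphers listed above from sshd_config"
```

Note that ssh -Q cipher lists every cipher the build supports, not the smaller default set sshd uses when no Ciphers line is present.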
Document Information
Modified date:
20 January 2021