At times, larger enterprises (or others) running a tight security policy may want to restrict SSH to a specific cipher that conforms to their security, performance or other requirements.
This article describes how to configure RMM to use a single, specific SSH cipher (one supported by RMM, for example aes128-ctr, aes192-ctr or aes256-ctr) for its SSH connections and data transfer, so that connecting to and migrating the data still succeeds.
The example used throughout is the aes128-ctr cipher for SSH connectivity between RMM and the Origin (Source) server. The same method applies to any of the ciphers listed below; substitute the one your requirements call for.
Background/Use case:
RMM uses SSH (Secure Shell), a widely used protocol, for secure remote access and data transfer.
RMM does not require a particular cipher and does not attempt to influence which cipher is negotiated; it simply follows the predefined SSH defaults. This is deliberate: if a site has specific requirements and has already configured its devices to use particular ciphers, RMM follows that existing configuration.
As a best-practice guideline, however, and subject to the RMM OS and/or the Target OS supporting them, Rackware strongly recommends using ONLY ciphers from the list below, which is the set of standard ciphers supported in OpenSSH 7.3:
3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com, arcfour, arcfour128, arcfour256, blowfish-cbc, cast128-cbc, chacha20-poly1305@openssh.com
Note that this is OpenSSH 7.3's full cipher set, not a list of equally strong choices. The RC4-based arcfour, arcfour128 and arcfour256 ciphers, blowfish-cbc and cast128-cbc were removed from OpenSSH in version 7.6, and the CBC modes (3des-cbc and the aes*-cbc variants) are legacy options that sshd no longer offers by default. For a new policy, prefer aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com or chacha20-poly1305@openssh.com, which remain in OpenSSH's default set.
Symptom:
<NONE>
Before you Begin:
You will need 'root' level access to the RMM CLI of a fully functional RMM server
Applicable To:
a) RMM version 7.4.3.x and above
b) RMM on any supported Target environment
Preparation/Pre-Req:
RMM and the Origin (Source) server must conform to:
a) Latest Pre-Reqs as in - https://rackware.freshdesk.com/a/solutions/articles/5000859681
b) Cipher to be used for SSH config (aes128-ctr in this example) must be supported by the RMM OS and OS of the Origin (Source) server. Please confirm this with the OS vendor beforehand
c) RMM SSH key needs to be setup on Origin (Source) server for password-less SSH
Steps:
(the example below sets up the aes128-ctr cipher for SSH connectivity between RMM and the Origin (Source) server, overriding the predefined ssh defaults)
From RMM CLI, as a 'root' user:
1) Backup and modify the following files on the RMM server:
/opt/rackware/utils/common/ssh_config
/opt/rackware/utils/common/ssh_config_fastfail
/opt/rackware/utils/common/ssh_config_transfer
to include the line:
"Ciphers aes128-ctr" (without quotes)
2) Save the changes to the 3 files
3) An RMM or SSHD service restart is NOT needed: the ssh client re-reads these files on every invocation, so the change takes effect on the next connection.
4) Test the SSH from RMM CLI, using the following command:
ssh -F /opt/rackware/utils/common/ssh_config user@OriginIPAddress -p <sshport>
example:
ssh -F /opt/rackware/utils/common/ssh_config rackware@10.10.10.10 -p 22
You should now be able to securely connect to the ORIGIN server, via SSH, using Cipher = aes128-ctr
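The procedure above, scripted as an added example (this is not Rackware's own tooling or code from the article): it checks that the RMM host's ssh client offers the requested cipher (ssh -Q cipher), backs up each of the three files, inserts the Ciphers line without creating duplicates, and then confirms with ssh -vv that the cipher was actually negotiated with the origin server rather than merely configured. The three file paths and the "Ciphers <name>" directive come from the steps above; the script and function names, the backup naming, and the use of ssh -Q and ssh -vv for verification are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not Rackware's own tooling: pin the SSH cipher in RMM's three
# client config files, back them up first, and confirm the result.
# From the article: the three file paths and the "Ciphers <name>" line.
# Assumptions of this script: the backup suffix, the use of `ssh -Q cipher`
# and `ssh -vv` for verification, and the function/variable names.
set -eu

RMM_SSH_CONFIGS="/opt/rackware/utils/common/ssh_config
/opt/rackware/utils/common/ssh_config_fastfail
/opt/rackware/utils/common/ssh_config_transfer"

# cipher_supported_locally NAME: succeed if the RMM host's OpenSSH client lists
# NAME in `ssh -Q cipher`. This covers the RMM side only; the origin server's
# sshd must still be checked separately.
cipher_supported_locally() {
    ssh -Q cipher 2>/dev/null | grep -qx -e "$1"
}

# set_cipher_line FILE CIPHER: back up FILE with a timestamp, drop any existing
# Ciphers directive, and put "Ciphers CIPHER" at the top of the file.
# Top of file, because ssh_config uses the first value obtained for an option
# and lines before the first Host/Match block apply to every host, so the pin
# cannot be shadowed by a later Host block. Re-running is safe (no duplicates).
# Fails if FILE does not exist so that a typo cannot silently create a new file.
set_cipher_line() {
    file=$1
    cipher=$2
    if [ ! -f "$file" ]; then
        echo "set_cipher_line: no such file: $file" >&2
        return 1
    fi
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    tmp=$(mktemp)
    printf 'Ciphers %s\n' "$cipher" > "$tmp"
    # grep -v exits 1 when nothing is left, which is fine for a one-line file
    grep -viE -e '^[[:space:]]*ciphers[[:space:]]' "$file" >> "$tmp" || true
    cat "$tmp" > "$file"    # cat rather than mv keeps the original inode/permissions
    rm -f "$tmp"
}

# count_cipher_lines FILE: number of Ciphers directives in FILE (expected: 1)
count_cipher_lines() {
    grep -ciE -e '^[[:space:]]*ciphers[[:space:]]' "$1" || true
}

# verify_cipher CIPHER TARGET PORT: connect with the RMM config in verbose mode
# and check that the negotiated cipher is the pinned one. OpenSSH 7.x prints
# "debug1: kex: server->client cipher: <name> MAC: ..." for both directions.
verify_cipher() {
    ssh -vv -F /opt/rackware/utils/common/ssh_config -p "$3" "$2" true 2>&1 \
        | grep -E 'kex: (server->client|client->server) cipher: ' \
        | grep -q -e "cipher: $1 "
}

# usage: sh pin_rmm_cipher.sh aes128-ctr rackware@10.10.10.10 [22]
main() {
    cipher=$1
    target=$2
    port=${3:-22}
    if ! cipher_supported_locally "$cipher"; then
        echo "local ssh does not offer '$cipher' (run: ssh -Q cipher)" >&2
        exit 1
    fi
    for f in $RMM_SSH_CONFIGS; do
        set_cipher_line "$f" "$cipher"
    done
    if verify_cipher "$cipher" "$target" "$port"; then
        echo "OK: $target negotiated $cipher"
    else
        echo "FAILED: $target did not negotiate $cipher; inspect ssh -vv output" >&2
        exit 1
    fi
}

if [ $# -ge 2 ]; then
    main "$@"
fi
```

Run it as root on the RMM CLI, for example: sh pin_rmm_cipher.sh aes128-ctr rackware@10.10.10.10 22. The verification step matters because there are two distinct ways the pin can break a migration: a Ciphers value that the local ssh build no longer includes is rejected when the config file is parsed ("Bad SSH2 cipher spec"), and a value the origin's sshd does not offer fails at key exchange ("no matching cipher found"). Either way the transfer would stop before any data moved, so it is better to find out from this check than from a failed migration.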
Post Changes:
None in general. However, specifically on:
a) Oracle Cloud, it is recommended to use an MTU value of 1500 on the RMM server NIC.
b) Zadara Cloud, it is recommended to use an MTU value of 1450 on the RMM server NIC.
Important Note(s):
1) Adding "Ciphers aes128-ctr" to ssh_config means the ssh client will ONLY offer that single cipher, RMM-wide, to every ORIGIN server it connects to. If a specific ORIGIN server's sshd does not support that cipher, the connection fails during key exchange with an error of the form "Unable to negotiate with <ip> port <port>: no matching cipher found. Their offer: ...", which lists what that server does support. The Ciphers option also accepts a comma-separated list in order of preference, so if a single cipher is too restrictive a short list of approved ciphers can be configured the same way.
2) The ssh_config man page has good detail about how that configuration option works.