"Bad SSH2 cipher spec" with Protocol 2 ciphers and OpenSSH 7.1 Server

macos ssh openssh

I'm trying to determine which cipher(s) an OpenSSH 7.1 server finds offensive. The OpenSSH 7.1 server was built with OpenSSL 1.0.2d.

Below, I added the line breaks below for readability, but there are no spaces or breaks in the line (other than after Ciphers):

$ sudo /usr/local/sbin/sshd -t -f /usr/local/etc/sshd_config
/usr/local/etc/sshd_config line 28: Bad SSH2 cipher spec '[email protected],\
[email protected],[email protected],aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,\
aes192-cbc,aes256-cbc'.

Which cipher(s) does the OpenSSH 7.1 server finds offensive?

Most commented lines have been removed from sshd_config below.

$ cat /usr/local/etc/sshd_config
#   $OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.
...

# The default requires explicit activation of protocol 1
Protocol 2

# HostKeys for protocol version 2
HostKey /usr/local/etc/ssh_host_ed25519_key
HostKey /usr/local/etc/ssh_host_ecdsa_key
HostKey /usr/local/etc/ssh_host_dsa_key
HostKey /usr/local/etc/ssh_host_rsa_key

# Ciphers and keying
# Ciphers [email protected],[email protected],[email protected],aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc

RekeyLimit 1G 4h

# Authentication:

LoginGraceTime 2m

KbdInteractiveAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

# Check only .ssh/authorized_keys
AuthorizedKeysFile  .ssh/authorized_keys

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing.
#UsePAM no

# Use Apple's sandbox. On later versions of OS X, the sandbox is a stand alone
#   library and requires config'ing with --with-libs="-lsandbox"
UsePrivilegeSeparation sandbox

# override default of no subsystems
Subsystem   sftp    /usr/local/libexec/sftp-server

You have got typo in [email protected], which should be [email protected].

Basically you can find out really simply by dividing the list to the ciphers and try each of them with sshd:

echo '[email protected],[email protected],[email protected],aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc' | sed -e "s/,/ /g"
for c in [email protected] [email protected] [email protected] aes128-ctr aes192-ctr aes256-ctr aes128-cbc aes192-cbc aes256-cbc; do
  sshd -t -o Ciphers=$c
done

Related

TRIM Debate: Mac OS X El Capitan & Samsung 8xx EVO/PRO
Does M.2 SSD Card mess with PCI express?
Automatically check if a program is (still) running. If not, start it
Bash on Ubuntu on Windows (10) - Unable to connect to Upstart
Can't delete meters on htop with the delete key
RAID5 with on-board controller, is it possible to move the HDDs to a new server?
Disable Windows 10 Update Notification OSD
Disable only Excel previews in Windows 10 folder preview pane
How to color output columns of ls?
How to install the nano CLI editor on Windows 10?
Is the firewall in the wireless router enough?
Does subpixel rendering technology such as ClearType have any effect on CRT displays?